GitHubTwitchLinkedInTryHackMe

X86

The C programming is a high level language interpreted by the compiler that converts code into machine instructions called assembly language. By using a disassembler tool we can get the assembly language of a compiled C program.

The Intel 8086 and 8088 were the first CPUs to have an instruction set that is now commonly referred to as x86. Intel Architecture 32-bit (IA-32) sometimes also called i386 is the 32-bit version of the x86 instruction set architecture.

The x86 architecture is little-endian, meaning that multi-byte values are written least significant byte first.

How we see it:

| A0 | A1 | A2 | A3 |

Stored as Little Endian

| A3 | A2 | A1 | A0 |

Opcodes and Instructions

Each Instruction represents opcodes (hex code) that tell the machine what to do next.

Three categories of instructions:

  • Data Movement/Access

  • Arithmetic / Logic

  • Control-Flow

Common Instructions

  • mov, lea (data movement, data access)

  • add, sub (arithmetic)

  • or, and, xor (Logic)

  • shr, shl (Logic)

  • ror, rol (Logic)

  • jmp, jne, jnz, jnb (Control Flow)

  • push, pop, call, leave, enter, ret (Control Flow)

Example below is moving value at 0xaaaaaaaa into ecx.

Instruction

mov ecx,[0xaaaaaaaa];

Opcode

8B 0D AA AA AA AA

Registers

General-Purpose Registers [1]

Register

Description

EAX

Accumulator Register

EBX

Base Register

ECX

Counter Register

EDX

Data Register

ESI

Source Index

EDI

Destination Index

EBP

Base Pointer

ESP

Stack Pointer

Instruction Pointer

The EIP register contains the address of the next instruction to be executed.

Segment Registers

Register

Description

SS

Stack Segment, Pointer to the stack

CS

Code Segment, Pointer to the code

DS

Data Segment, Pointer to the data

ES

Extra Segment, Pointer to extra data

FS

F Segment, Pointer to more extra data

GS

G Segment, Pointer to still more extra data

EFLAGS Registers

ID

Name

Description

CF

Carry Flag

Set if the last arithmetic operation carried (addition) or borrowed (subtraction) a bit beyond the size of the register. This is then checked when the operation is followed with an add-with-carry or subtract-with-borrow to deal with values too large for just one register to contain

PF

Parity Flag

Set if the number of set bits in the least significant byte is a multiple of 2

AF

Adjust Flag

Carry of Binary Code Decimal (BCD) numbers arithmetic operations

ZF

Zero Flag

Set if the result of an operation is Zero (0)

SF

Sign Flag

Set if the result of an operation is negative

TF

Trap Flag

Set if step by step debugging

IF

Interruption Flag

Set if interrupts are enabled

DF

Direction Flag

Stream direction. If set, string operations will decrement their pointer rather than incrementing it, reading memory backwards

OF

Overflow Flag

Set if signed arithmetic operations result in a value too large for the register to contain

IOPL

I/O Privilege Level field (2 bits)

I/O Privilege Level of the current process

NT

Nested Task flag

Controls chaining of interrupts. Set if the current process is linked to the next process

RF

Resume Flag

Response to debug exceptions

VM

Virtual-8086 Mode

Set if in 8086 compatibility mode

AC

Alignment Check

Set if alignment checking of memory references is done

VIF

Virtual Interrupt Flag

Virtual image of IF

VIP

Virtual Interrupt Pending flag

Set if an interrupt is pending

ID

Identification Flag

Support for CPUID instruction if can be set

PreviousWindows PENextTools

Last updated