Adds a 32-bit value to the top of the stack. Decrements ESP by 4. <value> may be a register, segment register, memory or immediate value.

Bitwise Rotate Left the value in <dest> by <count> bits. <dest> may be a register or memory address. <count> may be immediate or CL register.

Bitwise Rotate Right the value in <dest> by <count> bits. <dest> may be a register or memory address. <count> may be immediate or CL register.

SHL <dest>, <count>
Bitwise Shift Left the value in <dest> by <count> bits. Zero bits added to the least significant bits. <dest> may be reg. or mem. <count> is imm. or CL.

SHR <dest>, <count>
Bitwise Shift Left the value in <dest> by <count> bits. Zero bits added to the least significant bits. <dest> may be reg. or mem. <count> is imm. or CL.

SUB <dest>, <source>
Subtract <source> from <dest>. <source> may be immediate, memory or a register. <dest> may be memory or a register. (source = dest)->ZF=1, (source > dest)->CF=1, (source < dest)->CF=0 and ZF=0

TEST <dest>, <source>
Performs a logical OR operation but does not modify the value in the <dest> operand. (source = dest)->ZF=1, (source <> dest)->ZF=0.

XCHG <dest>, <source>
Exchange the contents of <source> and <dest>. Operands may be register or memory. Both operands may not be memory.

XOR <dest>, <source>
Bitwise XOR the value in <source> with the value in <dest>, storing the result in <dest>. <dest> may be reg or mem and <source> may be reg, mem or imm.

Assembly Language
Instruction listings contain at least a mnemonic, which is the operation to be performed. Many instructions will take operands. Instructions with multiple operands list the destination operand first and the source operand second (<dest>, <source>). Assembler directives, which appear similar to instructions, may also be listed.

ASSEMBLER DIRECTIVES
DB <byte>
Define Byte. Reserves an explicit byte of memory at the current location. Initialized to <byte> value.
DW <word>
Define Word. 2-Bytes
DD <dword>
Define DWord. 4-Bytes

OPERAND TYPES
Immediate
A numeric operand, hard coded
Register
A general purpose register
Memory
Memory address w/ brackets [ ]

Low Addresses
    Empty
    Local Variables                  <- ESP points here
    Saved EBP                        <- EBP points here
    Return Pointer
    Parameters
    Parent function's data
    Grand-parent function's data
High Addresses
Offsets from EBP: ↑ EBP-x (toward Low Addresses), ↓ EBP+x (toward High Addresses)

Terminology and Formulas

Pointer to Raw Data
Offset of section data within the executable file.

Size of Raw Data
Amount of section data within the executable file.

RVA
Relative Virtual Address. Memory offset from the beginning of the executable.

Virtual Address (VA)
Absolute Memory Address (RVA + Base). The PE Header fields named VirtualAddress actually contain Relative Virtual Addresses.

Amount of section data in memory.

Base Address
Offset in memory at which the executable module is loaded.

Base Address requested in the PE header of a module.

Module
A PE-formatted file loaded into memory. Typically EXE or DLL.

Pointer
A memory address

Entry Point
The address of the first instruction to be executed when the module is loaded.

Import
DLL functions required for use by an executable module.

Export
Functions provided by a DLL which may be Imported by another module.

Raw = (RVA - SectionStartRVA) + (SectionStartRVA - SectionStartPtrToRaw)

RVA->VA Conversion
VA = RVA + BaseAddress

VA->RVA Conversion
RVA = VA - BaseAddress

Raw->VA Conversion
VA = (Raw - SectionStartPtrToRaw) + (SectionStartRVA + ImageBase)
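
An added example (not part of the original cheat sheet): the VA, RVA and Raw conversions applied against a section table in Python, with the VA-to-raw direction obtained by algebraically inverting the Raw->VA formula. The Section class, the sample section values and the image base are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Section:
    name: str
    start_rva: int    # SectionStartRVA (the header's VirtualAddress field)
    virt_size: int    # amount of section data in memory
    ptr_to_raw: int   # SectionStartPtrToRaw (Pointer to Raw Data)
    raw_size: int     # Size of Raw Data

# Constructed sample layout, not taken from a real file.
IMAGE_BASE = 0x400000
SECTIONS = [
    Section(".text", 0x1000, 0x1A34, 0x0400, 0x1C00),
    Section(".data", 0x3000, 0x2000, 0x2000, 0x0200),
]

def rva_to_va(rva, base=IMAGE_BASE):
    return rva + base

def va_to_rva(va, base=IMAGE_BASE):
    if va < base:
        raise ValueError("VA lies below the module base")
    return va - base

def raw_to_va(raw, sections=SECTIONS, base=IMAGE_BASE):
    """File offset -> VA: (Raw - SectionStartPtrToRaw) + (SectionStartRVA + base)."""
    for s in sections:
        if s.ptr_to_raw <= raw < s.ptr_to_raw + s.raw_size:
            return (raw - s.ptr_to_raw) + (s.start_rva + base)
    raise ValueError("offset is in the headers or overlay, not in section data")

def va_to_raw(va, sections=SECTIONS, base=IMAGE_BASE):
    """VA -> file offset, inverting raw_to_va; None if the byte exists only in memory."""
    rva = va_to_rva(va, base)
    for s in sections:
        if s.start_rva <= rva < s.start_rva + s.virt_size:
            delta = rva - s.start_rva
            # Virtual size can exceed raw size (e.g. uninitialised data):
            # those bytes are zero-filled at load time and have no file offset.
            return s.ptr_to_raw + delta if delta < s.raw_size else None
    raise ValueError("address is not inside any section")

if __name__ == "__main__":
    print(hex(raw_to_va(0x634)), hex(va_to_raw(0x401234)), va_to_raw(0x403500))
```

When a module is loaded somewhere other than the base requested in its PE header, pass the actual load address as `base`.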
Copyright © 2009 Nick Harbour www.rnicrosoft.net...