X86 Win32 Reverse Engineering Cheat Sheet

ASSEMBLY LANGUAGE
Instruction listings contain at least a mnemonic, which is the operation to be performed. Many instructions take operands. Instructions with multiple operands list the destination operand first and the source operand second (<dest>, <source>). Assembler directives, which look similar to instructions, may also be listed.

STACK LAYOUT (low addresses at the top, high addresses at the bottom)
  Empty
  Local Variables (EBP-x)          <- ESP points here
  Saved EBP                        <- EBP points here
  Return Pointer (EBP+x)
  Parameters
  Parent function's data
  Grand-parent function's data

INSTRUCTIONS (the preview resumes part-way through the table)
POP <dest>: Pops a 32-bit value off the top of the stack and stores it in <dest>. ESP is incremented by 4. <dest> may be a register, segment register or memory.
PUSH <value>: Adds a 32-bit value to the top of the stack. Decrements ESP by 4. <value> may be a register, segment register, memory or immediate value.
ROL <dest>, <count>: Bitwise Rotate Left the value in <dest> by <count> bits. <dest> may be a register or memory address. <count> may be an immediate or the CL register.
ROR <dest>, <count>: Bitwise Rotate Right the value in <dest> by <count> bits. <dest> may be a register or memory address. <count> may be an immediate or the CL register.
SHL <dest>, <count>: Bitwise Shift Left the value in <dest> by <count> bits. Zero bits are shifted into the least significant bits. <dest> may be reg. or mem. <count> is imm. or CL.
SHR <dest>, <count>: Bitwise Shift Right the value in <dest> by <count> bits. Zero bits are shifted into the most significant bits. <dest> may be reg. or mem. <count> is imm. or CL.
SUB <dest>, <source>: Subtract <source> from <dest>. <source> may be immediate, memory or a register. <dest> may be memory or a register. (source = dest) -> ZF=1; (source > dest) -> CF=1; (source < dest) -> CF=0 and ZF=0.
TEST <dest>, <source>: Performs a logical OR operation but does not modify the value in the <dest> operand. (source = dest) -> ZF=1; (source <> dest) -> ZF=0.
XCHG <dest>, <source>: Exchange the contents of <source> and <dest>. Operands may be register or memory. Both operands may not be memory.
XOR <dest>, <source>: Bitwise XOR the value in <source> with the value in <dest>, storing the result in <dest>. <dest> may be reg. or mem. and <source> may be reg., mem. or imm.

ASSEMBLER DIRECTIVES
DB <byte>: Define Byte. Reserves an explicit byte of memory at the current location, initialized to the <byte> value.
DW <word>: Define Word. 2 bytes.
DD <dword>: Define DWord. 4 bytes.

OPERAND TYPES
Immediate: A numeric operand, hard coded.
Register: A general purpose register.
Memory: A memory address, written with brackets [ ].

TERMINOLOGY AND FORMULAS
Pointer to Raw Data: Offset of the section data within the executable file.
Size of Raw Data: Amount of section data within the executable file.
RVA: Relative Virtual Address. Memory offset from the beginning of the executable.
Virtual Address (VA): Absolute memory address (RVA + Base). The PE header fields named VirtualAddress actually contain Relative Virtual Addresses.
Virtual Size: Amount of section data in memory.
Base Address: Memory address at which the executable module is loaded.
ImageBase: Base Address requested in the PE header of a module.
Module: A PE-formatted file loaded into memory. Typically an EXE or DLL.
Entry Point: The address of the first instruction to be executed when the module is loaded.
Import: DLL functions required for use by an executable module.
Export: Functions provided by a DLL which may be imported by another module.

RVA->Raw Conversion: Raw = (RVA - SectionStartRVA) + SectionStartPtrToRaw
RVA->VA Conversion:  VA = RVA + BaseAddress
VA->RVA Conversion:  RVA = VA - BaseAddress
Raw->VA Conversion:  VA = (Raw - SectionStartPtrToRaw) + (SectionStartRVA + ImageBase)

Copyright © 2009 Nick Harbour www.rnicrosoft.net
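The four address conversions above, worked through in Python as an added example (not part of Nick Harbour's cheat sheet). The two-section table and the image base are constructed values; the code also covers the case the bare formulas do not mention: an RVA that lands in a section's zero-filled tail (Virtual Size larger than Size of Raw Data) or in the gap between sections has no file offset at all.

```python
from dataclasses import dataclass
from typing import List, Optional

IMAGE_BASE = 0x400000  # constructed: the ImageBase requested in a sample PE header

@dataclass(frozen=True)
class Section:
    """The four section-header fields the conversions need (names follow the PE header)."""
    name: str
    virtual_address: int      # RVA of the section start ("VirtualAddress" really holds an RVA)
    virtual_size: int         # bytes occupied in memory
    pointer_to_raw_data: int  # file offset of the section's data
    size_of_raw_data: int     # bytes present in the file

# Constructed two-section table: .data is larger in memory than on disk (zero-filled tail).
SECTIONS: List[Section] = [
    Section(".text", 0x1000, 0x1234, 0x400, 0x1400),
    Section(".data", 0x3000, 0x2000, 0x1800, 0x400),
]

def rva_to_va(rva: int, base: int = IMAGE_BASE) -> int:
    return rva + base                     # VA = RVA + BaseAddress

def va_to_rva(va: int, base: int = IMAGE_BASE) -> int:
    return va - base                      # RVA = VA - BaseAddress

def section_for_rva(rva: int, sections: List[Section] = SECTIONS) -> Optional[Section]:
    """Section whose in-memory span covers rva; None for the headers or a gap between sections."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.size_of_raw_data):
            return s
    return None

def rva_to_raw(rva: int, sections: List[Section] = SECTIONS) -> Optional[int]:
    """Raw = (RVA - SectionStartRVA) + SectionStartPtrToRaw, or None if the byte is not in the file."""
    s = section_for_rva(rva, sections)
    if s is None:
        return None
    offset = rva - s.virtual_address
    if offset >= s.size_of_raw_data:      # past the on-disk data: memory-only (.bss-style) bytes
        return None
    return offset + s.pointer_to_raw_data

def raw_to_va(raw: int, sections: List[Section] = SECTIONS, base: int = IMAGE_BASE) -> Optional[int]:
    """VA = (Raw - SectionStartPtrToRaw) + (SectionStartRVA + ImageBase); None if raw is outside every section."""
    for s in sections:
        if s.pointer_to_raw_data <= raw < s.pointer_to_raw_data + s.size_of_raw_data:
            return (raw - s.pointer_to_raw_data) + (s.virtual_address + base)
    return None
```

A None result is the signal to stop rather than read file bytes at a guessed offset: the RVA is backed only by memory (or by nothing), so no file offset exists for it.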