Tuesday, 21 July 2015

The Complete guide of Assembly Registers!

A register is a location where memory can be stored temporarily. It can be considered to be a sort of basic  variable, which can hold any value that the processor stores in it.Processor operations mostly involve processing data. This data can be stored in memory and accessed from thereon. However, reading data from and storing data into memory slows down the processor, as it involves complicated processes of sending the data request across the control bus and into the memory storage unit and getting the data through the same channel. To speed up the processor operations, the processor includes some internal memory storage locations, called registers.

The 80x86 (Intel family) CPUs provide several registers for application use:
EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP.

The “E” prefix on each name stands for extended. This prefix differentiates the 32-bit registers from the eight 16-bit registers that have the following names:
AX, BX, CX, DX
For the EAX, EBX, ECX, and EDX registers, subsections may be used. For example, the least significant 2 bytes of EAX can be treated as a 16-bit register called AX. The least significant byte of AX can be used as a single 8-bit register called AL, while the most significant byte of AX can be used as a single 8-bit register called AH.

                                                        



Finally, the 80x86 CPUs provide eight 8-bit registers that have the following names:
AL, AH, BL, BH, CL, CH, DL, and DH
Modern (i.e 386 and beyond) x86 processors have eight 32-bit general purpose registers.

Basically The Intel CPU registers can be broken down into following categories:
1. general purpose registers
2. segment registers
3. special purpose registers.

Gernal purpose registers: The 80x86 (Intel family) CPUs provide several general purpose registers:
EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP
The first four registers i.e. EAX, EBX, ECX, EDX are also known as Data Registers. The data registers are used to perform a range of common mathematical operations.They can be used to store data and addresses, offset addresses, perform counting functions, and many other things.

EAX(The Accumulator Register):It is used  to store the return value of a function and as a special register for certain calculations. It is technically a volatile register, since the value isn't preserved. Instead, its value is set to the return value of a function before a function returns.
EAX used to be called the accumulator since it holds results of arithmetic operations and function return values.
EAX has been given preferential status by assigning it more efficient, one-byte opcodes.  Such efficiency can be important when it comes to writing exploit shellcode for a limited available buffer space (more on that in future tutorials!). Since most calculations occur in the accumulator, the x86 architecture contains many optimized instructions for moving data in and out of this register.

EBX(The Base Register):EBX, acts as a general-purpose pointer. It is Used to store the base address of the program.
In 16-bit t is the only general-purpose register that can appear in a square-bracket memory access (For example, MOV [BX], AX). In the 32-bit world, any register may serve as a memory offset, so the base register is no longer special. Also In 16-bit mode, the base register is useful as a pointer.
EBX doesn’t really have a special purpose so just think of it as a catch-all for available storage.

ECX(The Count Register): As its name implies, the counter (or count) register is frequently used as a loop and function repetition counter, though it can also be used to store any data. It is used to hold a value representing the number of times a process is to be repeated.
Every counting-related instruction in the x86 like LOOP, LOOPZ, LOOPNZ, JCXZ etc. uses ECX register.
In most situations,calculations occur in a loop. In these situations, ECX is the logical choice for the loop counter. ecx is a volatile general-purpose register that is occasionally used as a function parameter or as a loop counter. 

EDX(The Data Register): edx is a volatile general-purpose register that  It is also commonly used for storing function variables.
The data register is most useful for storing data related to the accumulator's calculation. The data register also plays a part in I/O instructions.

The two general purpose regsiters ESP and EBP are also known as Pointer Registers.The pointer registers are 32-bit ESP and EBP registers and corresponding 16-bit right portions : SP and BP. These two registers are the heart of the x86 function-call mechanism.

ESP(Stack Pointer register) : ESP is used to track the top of the stack. It is used to reference local variables. The stack pointer is a register that contains the location of the top of the stack. Every time a push instruction is used to add data to the top of the stack, the number of bytes added is subtracted from esp so that it points to the new top of the stack. Similarly, esp increments when data is popped from the stack. 

EBP(Base Pointer register) : EBP is used to keep track of the base/bottom of the stack.  It is often used to reference variables located on the stack by using an offset to the current value of EBP.The base pointer is generally used to find local variables and parameters on the stack. It is often used during function calls to "save" the position that esp pointed to when the function was called, so that additional space can be used on the stack without losing it's place.

The other two general purpose registers ESI and EDI are also known as Index Registers.The 32-bit index registers ESI and EDI and their 16-bit rightmost portions SI and DI are used for indexed addressing and sometimes used in addition and subtraction.

EDI(The Destination Index): We know that Every loop that generates data must store the result in memory, and doing so requires a moving pointer and EDI play role of that pointer. edi is a non-volatile general-purpose register that is often used as a pointer. Though it  is used for general data storage, EDI was primarily designed to store the storage pointers of functions, such as the write address of a string operation. Pointer to data (or destination) in the segment pointed to by the ES register. Used as an offset address in string and array operations. It holds the implied write address of all string operations.

ESI(The Source Index): The ESI has the same property as the EDI but only difference is that source index is for reading instead of writing. This is more use full when where your code does not read any sort of data.
esi is a non-volatile general-purpose register that is often used as a pointer. ESI is often used to store the pointer to a read location or in simple words, It holds the address from where to read data.
For example, if a function is designed to read a string, ESI would hold the pointer to the location of that string. esi often stores data that is used throughout a function because it doesn't change.

Special purpose registers:
EIP(Instruction pointer register):- This is dream girl of every exploit writer because when we developing exploit, we need to overwrite EIP( Extended Instruction pointer) to change the flow of execution of program.
In all of these registers, we have to concentrate on EIP (Enhanced Instruction Pointer). This register contains the pointer to the instruction ready for the processing. Thus if by any means we can control this pointer in EIP register, we will have the control over the CPU of victim machine.
By modifying the EIP, if we fill it with the address of buffer, which is controlled by us and is filled with
machine code, then the processor will ultimately be derailed from its normal execution and will execute the
code supplied by us. This is the way buffer overflow attack works.

Segment registers : There are four segment registers in the 8086/8088 processor:-
CS(Code Segment register): The CS register is used when fetching instructions.
DS(Data Segment register): The DS register is used when accessing data.
SS(Stack Segment register): The  SS register is  used when accessing the stack.
ES(Extra Segment register):The ES register is used during certain string type instructions.

 If you like this post or have any question, please feel free to comment!

No comments:

Post a Comment

Blogger Widget