Introduction to Cracking (1) —– Common Registers

Category:

1 CPU composition

The CPU can be roughly divided into the following three parts

(1) ALU (arithmetic logic unit), used for arithmetic and logical operations

(2) Control logic.

(3) Working register, each register is equivalent to a storage unit in the arithmetic unit, but its access speed is fast. It is used to store various information needed or obtained in the process of operation, including operand address, operand and intermediate result of operation.

 

2 Data storage method in computer

In a computer, a binary number occupies one bit, and eight bits are a byte.

In computer memory, information is stored in bytes. The computer assigns a unique memory address to each byte unit, called a physical address. When you need to access the corresponding memory data, it is through this address.

A binary system can express all ASCII, that is, a memory unit can store an English character or number, etc. The Chinese should be represented by Unicode, which means that two byte units are required to hold a Chinese character.

Sixteen bits are two bytes to hold a Chinese character. Thirty-two characters that can hold two Chinese characters are called double characters. Sixty-four characters can hold four Chinese characters called four characters.

 

3 Basic registers

3.1 General Register (32-bit)
There are eight general registers: EAX, EBX, ECX, EDX, ESP, EBP, EDI, ESI

Among them, EAX, EBX, ECX, EDX are called data registers, which are used to store operands, results or other information used in the calculation process. In addition to direct access, the high sixteen bits and low sixteen bits can be separately accessed. Their low sixteen bits are the E before them, that is, the low sixteen bits of EAX are AX. And their low sixteen bits can be accessed separately for eight bits, that is, AX can be decomposed again, that is, AX can also be divided into AH (high eight bits) and AL (low eight bits).

High 16 bits

EAX high 8 bits (AH)

Low 16 bits (AX)

Lower 8 bits (AL)

It is available when operating with 32 digits: MOV EAX

It is available when operating with 16 digits: MOV AX

It is available when operating 8 digits: MOV AH / MOV AL

Remarks: Since 386, all registers can be used to store memory addresses. Have you seen a form like [EBX] when you cracked it? This means that what is loaded in the EBX at this time is a memory address, and what really needs to be accessed is the value stored in that memory unit.

The main purpose of the four registers of ESP, EBP, EDI, and ESI is to provide offset addresses during memory addressing. Therefore, they can be called pointers or index registers.

ESP is called the stack pointer register. The stack is a storage area that works in a “last in, first out” manner. It must exist in the stack segment, so its segment address is stored in the SS register. It has only one entry and exit, so there is only one stack pointer register. The content of ESP points to the top of the current stack at any time.

When data is pushed into the stack, ESP will move upward, using the PUSH instruction, ESP changes to: ESP-data bits.

When the data is pushed into the stack, the ESP will move down, using the POP instruction, the ESP changes to: ESP + data bits

EBP, it is called the base address pointer register, they can be used in conjunction with the stack segment register SS to determine the address of a memory cell in the stack, ESP is used to indicate the offset address of the top of the segment, and EBP can be used as the stack area A base address in order to access the information in the stack.

ESI (source index register) and EDI (destination index register) are generally used in conjunction with the data segment register DS to determine the address of a memory cell in the data segment. These two index registers have the functions of automatic increment and decrement, which can be easily used for indexing. In serial processing instructions, when ESI and EDI are used as implicit source index and destination index registers, ESI and DS are combined, EDI and additional segment ES are combined to achieve the purpose of addressing in the data segment and the additional segment, respectively .

 

3.2 Special Register

There are two special registers, one is EIP and the other is FLAGS.

EIP is the most important of all registers. It means the instruction pointer register, which is used to store the offset address in the code segment. When the program is running, it always points to the first address of the next instruction. It is used in conjunction with the segment register CS to determine the physical address of the next instruction. When this address is sent to the memory, the controller can obtain the next instruction to be executed, and once the controller obtains this instruction, it will immediately modify the content of the EIP so that it always points to the first address of the next instruction. It can be seen that the computer uses the EIP register to control the execution flow of the instruction sequence. Those jump instructions achieve the corresponding purpose by modifying the value of EIP.

FLAGS, flag register, also known as PSW (program status word), is the program status register. This one is the register that stores the condition flag code, control flag and system flag.

Here is an example
Cmp EAX,EBX; Subtract EAX and EBX
JNZ 00470395 ;If not equal, skip to here;
These two instructions are very simple, that is, subtract the number in the EBX register from the number in the EAX register. To compare whether these two numbers are equal, when the Cmp instruction is executed, the corresponding value will be set on the ZF (zero flag) of FLAGS. If the result is 0, that is, if the two of them are equal, ZF is set to 1. , Otherwise set to 0. There are also OF (overflow flag) SF (symbol flag) CF (carry flag) AF (auxiliary carry flag) PF (parity flag) and so on.

3.3 Segment register
There are six segment registers, which are CS code segment, DS data segment, ES additional segment, SS stack segment, and FS and GS are additional segments.

Reviews

There are no reviews yet.

Be the first to review “Introduction to Cracking (1) —– Common Registers”

Your email address will not be published. Required fields are marked *