Assembler
| This entry needs a lot of work. Please contribute if you can. Check this page to see if there are some suggestions for adding to Assembler. |
To describe:
- Flags
- Segments
- CPL/DPL
- IDT/GDT(/LDT)
Segments
Segment registers: cs,es,ds,ss,fs,gs
Bits 0,1 describe the RPL , request privilege level
Bit 2 describes if the LDT is used or not
Bits 3 to 15 contain the offset into the GDT or LDT table (when shifted left by 3)
example:
CS of 8 = 1000b = 1 0 00 : RPL=0, LDT=0, so GDT is used, offset in GDT table is (1 << 3) = 8
CS of 0x23 = 100011b = 100 0 11 : RPL=3, LDT=0 (GDT), offset in GDT table is 100b=4, (4 << 3) = 32
Note that even though 64-bit mode is used, bits 3 to 15 still only need to be shifted by 3 to point to the proper offset
GDT
The gdt is a table of descriptors that describe what should happen when entering a specific segment and setting it's rights. (What access rights, the limits, if it's data or code, etc...)
IDT
The IDT is a table of descriptors that describe what should happen when an interrupt occurs. It contains the used code segment, and the EIP/RIP address to call, but also information like the DPL of the interrupt and if it's a callgate, taskgate or interrupt gate
Useful interrupts in regards of game hacking: Interrupt 1(Single step), 3(breakpoint),13(General protection fault) and 14 (Page fault)
Flags
There are 32 bits available for the 17 EFlags. Missing bits in this list are not a mistake, some flags temporarily use their neighbours.
ID, VIP, VIF, AC, VM, RF, NT, IOPL, OF, DF, IF, TF, SF, ZF, AF, PF, CF
| Bit | Flag | Description |
|---|---|---|
| 00 | CF Carry Flag | Becomes one if an addition, multiplication, AND, OR, etc results in a value larger than the register meant for the result. |
| 02 | PF Parity Flag | Becomes 1 if the lower 8-bits of an operation contains an even number of 1 bits. |
| 04 | AF Auxiliary Flag | Set on a carry or borrow to the value of the lower order 4 bits. |
| 06 | ZF Zero Flag | Becomes 1 if an operation results in a 0 writeback, or 0 register. |
| 07 | SF Sign Flag | Is 1 if the value saved is negative, 0 for positive. |
| 08 | TF Trap Flag | Allows for the stopping of code within a segment (allows for single stepping/debugging in programming). |
| 09 | IF Interrupt Flag | When this flag is set, the processor begins 'listening' for external interrupts. |
| 10 | DF Direction Flag | Determines the direction to move through the code (specific to repeat instructions). |
| 11 | OF Overflow Flag | Becomes 1 if the operation is larger than available space to write (eg: addition which results in a number >32-bits). |
| 12-13 | IOPL I/O Privilege Level | 2-bit register specifying which privilege level is required to access the IO ports |
| 14 | NT Nested Task | Becomes 1 when calls within a program are made. |
| 16 | RF Resume Flag | Stays 1 upon a break, and stays that way until a given 'release' or resume operation/command occurs. |
| 17 | VM Virtual Machine 8086 | Becomes a 1 if the processor is to simulate the 8086 processor (16-bit). |
| 18 | AC Alignment Check | Checks that a file or command is not breaking its privilege level. |
| 19 | VIF Virtual Interrupt Flag | Almost always set in protected mode, listening for internal and assembling interrupts. |
| 20 | VIP Virtual Interrupt Pending | 1 if a virtual interrupt is yet to occur. |
| 21 | ID ID Flag | Is set if a CPU identification check is pending (used in some cases to ensure valid hardware). |
Opcodes
Most commonly used opcodes:
- PUSH operand
- PUSHes (saves) data onto the stack.
- POP operand
- POPs (clears) data from the stack.
- PUSHF
- PUSHes (saves) the FLAGS register onto the stack.
- POPF
- POPs (clears) the FLAGS register from the stack.
- PUSHA
- PUSHes (saves) all general purpose registers onto stack.
- POPA
- POPs (clears) all general purpose registers from stack.
- JMP operand
- Jumps to the given operand (address).
- CALL operand
- Calls the given operand (address or function).
- A RET must be hit for a CALL to work properly, best to use JMPs if unsure.
- RET operand
- Returns from a CALL optionaly removing, operand number of, bytes from the stack.
- This is used for POPing values passed, to the CALL, from the stack.
- MOV destination, source
- Sets the destination to the source.
- INC operand
- Increases the operand by one.
operand = operand + 1
- DEC operand
- Decreases the operand by one.
operand = operand - 1
- ADD destination, source
- Adds the source to the destination.
destination = destination + source
- SUB destination, source
- Subtracts the source from the destination.
destination = destination - source
- MUL operand
- Multiplies the operand by the data register
- Placing the high value in the data register and the low value in the accumulator register.
AH:AL = AL * operand : byteDX:AX = AX * operand : WORDEDX:EAX = EAX * operand : DWORD
- DIV operand
- Divids the data register (high) and the accumulator register (low) by the operand.
- Placing the quotient in the accumulator register and the remainder in the data register.
AL AH = AH:AL/operand : byte AH:AL = AXAX DX = DX:AX/operand : WORDEAX EDX = EDX:EAX/operand : DWORD
- NOP
- No Operation.
- Usually used when removing original code.
- OR destination, source
- The OR instruction is used for supporting logical expression by performing bitwise OR operation.
- The bitwise OR operator returns 1, if the matching bits from either or both operands are one.
- It returns 0, if both the bits are zero.
- Example:
destination: 0101
source: 0011
----------------------------
After OR -> destination: 0111
- XOR destination, source
- The XOR instruction implements the bitwise XOR operation.
- The XOR operation sets the resultant bit to 1, if and only if the bits from the operands are different.
- If the bits from the operands are same (both 0 or both 1), the resultant bit is cleared to 0.
- Example:
destination: 0101
source: 0011
----------------------------
After XOR -> destination: 0110
- AND destination, source
- The AND instruction is used for supporting logical expressions by performing bitwise AND operation.
- The bitwise AND operation returns 1, if the matching bits from both the operands are 1, otherwise it returns 0.
- Example:
destination: 0101
source: 0011
----------------------------
After AND -> destination: 0001
- TEST destination, source
- The TEST instruction works same as the AND operation, but unlike AND instruction, it does not change the first operand.
- NOT operand
- The NOT instruction implements the bitwise NOT operation.
- NOT operation reverses the bits in an operand.
- The operand could be either in a register or in the memory.
- Example:
operand: 0101 0011 After NOT -> operand: 1010 1100
- LOOP operand
- The LOOP instruction assumes that the ECX register contains the loop count.
- When the loop instruction is executed, the ECX register is decremented and the control jumps to the target label,
- until the ECX register value, i.e., the counter reaches the value zero.
- Used for Loop control.
label(loop_start) MOV ECX,10 loop_start: // loop body LOOP loop_start
