3.2 Registers#
For example, in the ADD instruction, two numbers in memory cannot be directly added together. The processor must transfer one of the numbers to a register and then add it to the number in another memory address.
There are 32-bit general-purpose registers: EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, and EIP.
- EAX (accumulator): EAX is commonly used for arithmetic operations and some formatting instructions.
- EBX (base index): EBX is commonly used to store the starting memory address.
- ECX (counter): ECX is used as a counter for various instructions. It also stores the memory data address offset. Instructions that use the counter include string instructions, offset instructions, shift instructions, and loops.
- EDX (data): EDX is usually used to store part of the product and the remainder of division. It can also store the starting memory address.
- EBP (base pointer): EBP points to a memory address and is mainly used as the base address for parameters and variables in a function.
- EDI (destination index): EDI is commonly used in string instructions and points to the destination string.
- ESI (source index): ESI is commonly used in string instructions and points to the source string.
- EIP: Stores the address of the next instruction to be executed.
- ESP: Stores the top address of the stack.
The mind map is as follows:
For EBX, there are BX, BH, and BL sub-registers. For ECX, there are CX, CH, and CL sub-registers. For EDX, there are DX, DH, and DL sub-registers. The 9-16 bits of other general-purpose registers are not named and cannot directly access their contents.
The most basic is that BYTE occupies 1 byte (8 bits) of memory, WORD occupies 2 bytes (16 bits) of memory, DWORD occupies 4 bytes (32 bits) of memory, and QWORD occupies 8 bytes (64 bits) of memory.
| 64-bit | 32-bit | 16-bit | 8-bit Low | 8-bit High | comment |
|---|---|---|---|---|---|
| RAX | EAX | AX | AL | AH | |
| RBX | EBX | BX | BL | BH | |
| RCX | ECX | CX | CL | CH | |
| RDX | EDX | DX | DL | DH | |
| RSI | ESI | SI | SIL | - | |
| RDI | EDI | DI | DIL | - | |
| RBP | EBP | BP | BPL | - | base pointer |
| RSP | ESP | SP | SPL | - | stack pointer |
| R8 | R8D | R8W | R8B | - | |
| R9 | R9D | R9W | R9B | - | |
| R10 | R10D | R10W | R10B | - | |
| R11 | R11D | R11W | R11B | - | |
| R12 | R12D | R12W | R12B | - | |
| R13 | R13D | R13W | R13B | - | |
| R14 | R14D | R14W | R14B | - | |
| R15 | R15D | R15W | R15B | - | |
| RIP | EIP | IP | - | - | |
| RFLAGS | EFLAGS | FLAGS | - | - |
Registers and Sub-registers
| Data Type | Size(Bits) | Typical Use |
|---|---|---|
| Byte | 8 | Characters, small integers |
| Word | 16 | Characters, integers |
| Doubleword | 32 | Integers, single-precision floating-point |
| Quadword | 64 | Integers, double-precision floating-point |
| Double Quadword | 128 | Packed integers, packed floating-point |
Basic Data Types and Memory Occupancy
3.3 MOV Instruction#
The MOV instruction is a data transfer instruction that copies the contents of the source operand (src) to the destination operand (dest).
MOV EAX, EDI
In most cases, we can transfer data directly between registers, but the EIP register cannot be directly assigned or read. For example, the instruction MOV EIP, EAX is illegal.
In IDA, when the word "OFFSET" is present before an address, it refers to the value of the address itself, and when the word "OFFSET" is not present, it refers to the content stored at that address.