fastman92 Posted November 3, 2015 (edited)

When reverse engineering an application, it is important to know how the CPU executes the instructions.

First of all, it's worth knowing that today's CPUs make it possible to execute different code simultaneously using different cores. It's the task of the operating system to properly schedule the execution time of the active threads. A running application can have multiple threads running. Each thread can have different code executing at the time. Each thread has its own stack and can have a set of local variables.

Stack - the memory used by the functions for their execution, to store the local data of the running function.

CPU instruction - the smallest operation that the CPU can execute. The instructions can manipulate the data stored in the CPU registers or in the RAM memory that belongs to the process. The more powerful operations will require the use of system functions, however.

While reverse engineering it will be important to know what the specific instructions are doing.

Conditions in CPU code work by using branch instructions, which allow altering the execution depending on the flags register. That means some CPU instructions need to set up the flags register, and then the conditional jump instruction needs to be executed.

There are many more CPU instructions than this post includes; whoever wants to reverse engineer will need to search for these on the Internet. This is only a beginning.

x86 examples:

sub - subtracts the value from the first operand given
add - adds the value to the first operand given
shr - shifts the bits of the value right, often used to divide by a power of 2. For example the division of EAX by 32 would be written as "shr eax, 5"
shl - shifts the bits of the value left, often used to multiply by a value which is a power of 2. For example the multiplication of EAX by 32 would be written as "shl eax, 5"
xor - performs the XOR operation. Often used to zero out a register - XORing two equal values gives the result of 0, no bits set. "xor eax, eax" would set the value of the EAX register to 0.
inc - increments the value stored in the operand.
dec - decrements the value stored in the operand.
call - calls a function - subtracts 4 from ESP, puts the address of the instruction following the "call" into the memory address pointed to by ESP, sets EIP to the address of the target function.
retn - returns from a function - reads the return address which is stored in memory as pointed to by the ESP register, sets EIP to this return address, adds 4 to ESP. The execution continues from the return address.
push - pushes the value of the operand onto the stack; what really happens is ESP gets decreased by 4, then the value of the operand is stored at the memory address pointed to by the ESP register.
pop - pops the value off the stack and sets the operand to that value. For example "pop ebx" means EBX will be set to the value read from the memory pointed to by the ESP register. Then 4 will be added to the ESP register.

Edited November 3, 2015 by fastman92
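As an added worked example (not part of fastman92's post), the following C program is a toy model of the stack and control-flow semantics the post describes: push lowers ESP by 4 and writes to [ESP], pop reads [ESP] and raises ESP by 4, call pushes the address of the next instruction before jumping, retn loads EIP from whatever is at [ESP], and a conditional jump only acts on a flag that an earlier instruction set. The instruction encoding (the op_t enum, the insn_t struct, a 64-byte memory with the stack at its top, EIP as an index into the instruction array) and the sample program are hypothetical and constructed for the demonstration; they are not real x86 machine code. The second helper shows the point a reverse engineer cares about most: retn trusts the saved return address, so if that slot on the stack is changed, execution continues at the new value rather than in the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the instructions described in the post. Hypothetical encoding,
 * not real x86: memory is a small byte array, ESP points into it, and EIP is
 * an index into the instruction array. */
#define MEM_SIZE 64
#define STACK_TOP MEM_SIZE

typedef struct { uint32_t eax, ebx, esp, eip; int zf; uint8_t mem[MEM_SIZE]; } cpu_t;

typedef enum { MOV_EAX, XOR_EBX_EBX, CALL, SHR_EAX, SUB_EAX, JZ, INC_EBX, HALT,
               SHL_EAX, DEC_EAX, RET, PUSH_EAX, POP_EBX } op_t;
typedef struct { op_t op; uint32_t imm; } insn_t;

/* 32-bit little-endian store/load, as x86 lays out a dword in memory. */
static void store32(cpu_t *c, uint32_t addr, uint32_t v) {
    for (int i = 0; i < 4; i++) c->mem[addr + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t load32(const cpu_t *c, uint32_t addr) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)c->mem[addr + i] << (8 * i);
    return v;
}
/* push: ESP -= 4, then the value is written to [ESP]. */
void push32(cpu_t *c, uint32_t v) {
    if (c->esp < 4) { fprintf(stderr, "stack overflow\n"); exit(1); }
    c->esp -= 4;
    store32(c, c->esp, v);
}
/* pop: the value is read from [ESP], then ESP += 4. */
uint32_t pop32(cpu_t *c) {
    if (c->esp + 4 > STACK_TOP) { fprintf(stderr, "stack underflow\n"); exit(1); }
    uint32_t v = load32(c, c->esp);
    c->esp += 4;
    return v;
}
/* call: push the address of the next instruction, then EIP = target. */
void do_call(cpu_t *c, uint32_t target) { push32(c, c->eip + 1); c->eip = target; }
/* retn: EIP = [ESP], ESP += 4. Whatever is at [ESP] becomes the new EIP. */
void do_ret(cpu_t *c) { c->eip = pop32(c); }

void cpu_init(cpu_t *c) { memset(c, 0, sizeof *c); c->esp = STACK_TOP; }

/* Execute until HALT (or a step limit); returns the number of instructions run. */
int run(cpu_t *c, const insn_t *prog, size_t n) {
    int steps = 0;
    while (c->eip < n && steps < 1000) {
        const insn_t ins = prog[c->eip];
        steps++;
        switch (ins.op) {
        case MOV_EAX:     c->eax = ins.imm; c->eip++; break;
        case XOR_EBX_EBX: c->ebx = 0; c->zf = 1; c->eip++; break;   /* xor r,r zeroes r and sets ZF */
        case SHR_EAX:     c->eax >>= ins.imm; c->eip++; break;       /* divide by 2^imm */
        case SHL_EAX:     c->eax <<= ins.imm; c->eip++; break;       /* multiply by 2^imm */
        case SUB_EAX:     c->eax -= ins.imm; c->zf = (c->eax == 0); c->eip++; break;
        case INC_EBX:     c->ebx++; c->eip++; break;
        case DEC_EAX:     c->eax--; c->eip++; break;
        case JZ:          c->eip = c->zf ? ins.imm : c->eip + 1; break; /* uses the flag set earlier */
        case PUSH_EAX:    push32(c, c->eax); c->eip++; break;
        case POP_EBX:     c->ebx = pop32(c); c->eip++; break;
        case CALL:        do_call(c, ins.imm); break;
        case RET:         do_ret(c); break;
        case HALT:        return steps;
        }
    }
    return steps;
}

/* Constructed sample program: main calls a function that computes (160 << 1) - 1 = 319,
 * then does 319 >> 5 = 9, subtracts 9 so ZF is set, and the jz skips the inc. */
static const insn_t demo[] = {
    /* 0 */ { MOV_EAX, 160 },
    /* 1 */ { XOR_EBX_EBX, 0 },   /* xor ebx, ebx -> ebx = 0 */
    /* 2 */ { CALL, 8 },          /* pushes return address 3, jumps to 8 */
    /* 3 */ { SHR_EAX, 5 },       /* 319 >> 5 = 9 (divide by 32) */
    /* 4 */ { SUB_EAX, 9 },       /* eax = 0, ZF = 1 */
    /* 5 */ { JZ, 7 },            /* taken: skip the inc */
    /* 6 */ { INC_EBX, 0 },
    /* 7 */ { HALT, 0 },
    /* 8 */ { SHL_EAX, 1 },       /* function: eax * 2 = 320 */
    /* 9 */ { DEC_EAX, 0 },       /* 319 */
    /* 10 */{ RET, 0 },           /* pops 3 into EIP, ESP back to STACK_TOP */
};

/* Run the demo and return the final CPU state for inspection. */
cpu_t run_demo(void) {
    cpu_t c; cpu_init(&c);
    run(&c, demo, sizeof demo / sizeof demo[0]);
    return c;
}

/* retn trusts [ESP]: overwrite the saved return address after a call and the
 * ret goes to the new value (0x41414141 here) instead of back to the caller. */
uint32_t ret_with_overwritten_return(void) {
    cpu_t c; cpu_init(&c);
    c.eip = 2; do_call(&c, 8);            /* saved return address = 3 */
    store32(&c, c.esp, 0x41414141u);      /* clobber the slot call just wrote */
    do_ret(&c);
    return c.eip;
}

int main(void) {
    cpu_t c = run_demo();
    printf("eax=%u ebx=%u esp=%u zf=%d\n", c.eax, c.ebx, c.esp, c.zf);
    printf("ret with tampered [esp] -> eip=0x%08x\n", ret_with_overwritten_return());
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 -Wall stackmodel.c`). After the demo runs, ESP is back at its starting value because every call was matched by a ret and every push by a pop; a mismatch there is one of the first things to look for when a disassembled function looks wrong.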