Reversing : The Hacker's Guide to Reverse Engineering


Examples


Let’s have a quick look at a few short snippets of assembly language, just to
make sure that you understand the basic concepts. Here is the first example:

cmp ebx,0xf020
jnz 10026509

The first instruction is CMP, which compares the two operands specified. In this case CMP is comparing the current value of register EBX with a constant: 0xf020 (the "0x" prefix indicates a hexadecimal number), or 61,472 in decimal. As you already know, CMP is going to set certain flags to reflect the outcome of the comparison. The instruction that follows is JNZ. JNZ is a version of the Jcc (conditional branch) group of instructions described earlier. The specific version used here will branch if the zero flag (ZF) is not set, which is why the instruction is called JNZ (jump if not zero). Essentially what this means is that the instruction will jump to the specified code address if the operands compared earlier by CMP are not equal. That is why JNZ is also called JNE (jump if not equal). JNE and JNZ are two different mnemonics for the same instruction—they actually share the same opcode in the machine language.
Let’s proceed to another example that demonstrates the moving of data and
some arithmetic.

mov edi,[ecx+0x5b0]
mov ebx,[ecx+0x5b4]
imul edi,ebx

This sequence starts with a MOV instruction that reads a value from memory into register EDI. The brackets indicate that this is a memory access, and the specific address to be read is specified inside the brackets. In this case, MOV will take the value of ECX, add 0x5b0 (1456 in decimal), and use the result as a memory address. The instruction will read 4 bytes from that address and write them into EDI. You know that 4 bytes are going to be read because of the register specified as the destination operand. If the instruction were to reference DI instead of EDI, you would know that only 2 bytes were going to be read. EDI is a full 32-bit register (see Figure 2.3 for an illustration of IA-32 registers and their sizes).
The following instruction reads another memory address, this time from ECX plus 0x5b4 into register EBX. You can easily deduce that ECX points to some kind of data structure. 0x5b0 and 0x5b4 are offsets to some members within that data structure. If this were a real program, you would probably want to try and figure out more information regarding this data structure that is pointed to by ECX. You might do that by tracing back in the code to see where ECX is loaded with its current value. That would tell you where this

52 Chapter 2

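A small simulator for the two snippets above, added here as an example and not code from the book. It models only what the text discusses: the 32-bit registers with their 16-bit low halves, the zero flag, and the four instructions used (CMP with an immediate, JNZ, MOV from a memory operand, two-operand IMUL). The structure base address 0x1000, the member values, and the initial register contents are constructed for the example; the JNZ target is taken to be the hexadecimal address 10026509 from the first snippet. Beyond the text it also shows two consequences of operand size: a load into DI reads two bytes and leaves the upper half of EDI untouched, and the IMUL result is truncated to 32 bits.

```python
# Added example: minimal IA-32 model for the CMP/JNZ and MOV/IMUL snippets.
# Not the book's code; only the instructions used in the two snippets exist here.

REG32 = ("eax", "ebx", "ecx", "edx", "esi", "edi")
# 16-bit names alias the low half of their 32-bit parent register
REG16 = {"ax": "eax", "bx": "ebx", "cx": "ecx", "dx": "edx", "si": "esi", "di": "edi"}
MASK32 = 0xFFFFFFFF


class Cpu:
    def __init__(self, mem_size=0x2000):
        self.mem = bytearray(mem_size)          # flat little-endian memory (constructed)
        self.regs = {r: 0 for r in REG32}
        self.zf = 0                             # zero flag, updated by CMP

    def width(self, name):
        return 2 if name in REG16 else 4        # destination register decides the access size

    def get(self, name):
        if name in REG16:
            return self.regs[REG16[name]] & 0xFFFF
        return self.regs[name]

    def set(self, name, value):
        if name in REG16:                       # writing DI leaves the high half of EDI alone
            parent = REG16[name]
            self.regs[parent] = (self.regs[parent] & 0xFFFF0000) | (value & 0xFFFF)
        else:
            self.regs[name] = value & MASK32    # 32-bit registers truncate wider results

    def store32(self, addr, value):
        self.mem[addr:addr + 4] = (value & MASK32).to_bytes(4, "little")

    # --- the instructions used in the two snippets ---
    def cmp(self, reg, imm):
        """CMP subtracts imm from reg, discards the result and sets ZF when they are equal."""
        self.zf = 1 if ((self.get(reg) - imm) & MASK32) == 0 else 0

    def jnz(self, target):
        """JNZ/JNE: branch target if ZF is clear, None when execution falls through."""
        return target if self.zf == 0 else None

    def mov_load(self, dst, base, disp):
        """MOV dst,[base+disp]: read as many bytes as the destination register is wide."""
        addr = (self.get(base) + disp) & MASK32
        size = self.width(dst)
        self.set(dst, int.from_bytes(self.mem[addr:addr + size], "little"))

    def imul(self, dst, src):
        """Two-operand IMUL: dst = low 32 bits of dst * src."""
        self.set(dst, self.get(dst) * self.get(src))


def run_cmp_jnz(ebx_value, target=0x10026509):
    """First snippet: cmp ebx,0xf020 / jnz 10026509. Returns the taken target or None."""
    cpu = Cpu()
    cpu.set("ebx", ebx_value)
    cpu.cmp("ebx", 0xF020)
    return cpu.jnz(target)


def run_mov_imul(member_a, member_b, base=0x1000):
    """Second snippet against a constructed structure at `base` (hypothetical address):
    mov edi,[ecx+0x5b0] / mov ebx,[ecx+0x5b4] / imul edi,ebx. Returns EDI."""
    cpu = Cpu()
    cpu.store32(base + 0x5B0, member_a)       # structure member at offset 0x5b0
    cpu.store32(base + 0x5B4, member_b)       # structure member at offset 0x5b4
    cpu.set("ecx", base)                      # ECX points to the structure
    cpu.mov_load("edi", "ecx", 0x5B0)
    cpu.mov_load("ebx", "ecx", 0x5B4)
    cpu.imul("edi", "ebx")
    return cpu.get("edi")


def load_di_vs_edi(member, base=0x1000):
    """Operand size: DI reads 2 bytes (high half of EDI preserved), EDI reads 4."""
    cpu = Cpu()
    cpu.store32(base + 0x5B0, member)
    cpu.set("ecx", base)
    cpu.set("edi", 0xAAAAAAAA)                # constructed junk so the preserved half is visible
    cpu.mov_load("di", "ecx", 0x5B0)
    narrow = cpu.get("edi")
    cpu.mov_load("edi", "ecx", 0x5B0)
    wide = cpu.get("edi")
    return narrow, wide


if __name__ == "__main__":
    print("jnz taken to:", run_cmp_jnz(0xF020), "/", hex(run_cmp_jnz(0xF021)))
    print("7 * 6 =", run_mov_imul(7, 6), "; 0x10000 * 0x10000 truncates to", run_mov_imul(0x10000, 0x10000))
    print("di vs edi:", tuple(hex(v) for v in load_di_vs_edi(0x11223344)))
```

With EBX equal to 0xf020 the comparison sets ZF and JNZ falls through; any other value takes the branch. The second function reproduces the multiply of two structure members, and the third makes the 2-byte versus 4-byte access visible by pre-filling EDI with a recognisable pattern before the load into DI.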