Disassembly 101
Introduction
This article briefly explores topics connected to assembly basics, registers, operands, instructions, arithmetic instructions, logical instructions, stack instructions, conditionals and jump instructions. We’ll conclude with a reason why assembly language is still relevant despite the evolution of high-level languages.
This article has been designed for professionals, students or self-learners who want to learn the key aspects of assembly programming. This article will help to give you enough understanding on assembly programming.
Become a certified reverse engineer!
Computer programming language
Computer programming language is any one of various languages used for expressing a set of detailed instructions for a digital computer. Programming languages are broadly classified into three categories: machine, assembly and high-level languages.
Machine language
Machine language is also known as machine code. It is a sequence of bit patterns that’s used for providing instructions to the processor of a computer. These sequences of binary digits are not human-readable.
Assembly language
Assembly language sends codes or instructions to the computer using simple mnemonic abbreviations. Since the codes in assembly language are not directly understood by the computer, a translator is required to convert the instructions into machine language.
The utility program that converts source code programs from assembly language into machine language, so the Central Processing Unit (CPU) can understand it, is known as an assembler. The reverse conversion of machine language into assembly language is executed by a translator called a disassembler.
High-level language
High-level languages send codes or instructions to the computer using simple English language words and mathematical symbols. These types of instructions are sometimes referred to as human languages because they are further from machine language. The translators which convert high-level language into machine language are called compilers and interpreters.
Assembly Basics
Structure of a computer system
The basic structure of a computer system is made up of the CPU, main memory and the input/output peripherals. The CPU is also made up of registers, control units and arithmetic and logic unit (ALU).
Registers
The CPU in a computer runs all of its tasks and operations. To effectively do this, it needs storage to process operations and temporarily hold the received instructions. This storage is called a register. A register may store codes or sets of instructions, a storage address of another location or any kind of data such as the binary of a character.
Instructions
Assembly language instructions come in two parts: the operational code (opcode) and the data to be operated on, the operand. A typical code in assembly language has two operands, the target operand and the source operand. The target operand is normally the address of a register, while the source operand represents a value.
Assembly code example
MOV AL, 4Dh ; load register AL with 77 decimal (4D hex)
Equivalent binary code
10110000 01001101
1011 a binary code (opcode) of instruction 'MOV'
0 specifies if data is byte (‘0’) or full size 16/32 bits
000 a binary identifier for a register 'AL'
01001101 is the binary representation of the decimal 77
Arithmetic instructions
Below are sample arithmetic instructions which assembly language performs.
- INC AL ; Increments the value in the low byte register of the primary accumulator AL register by 1
- DEC AL ; Decrements the value in the low byte register of the primary accumulator AL register by 1
- ADD AX, BX ; Add the values stored in primary accumulator AX and base register BX and then store the sum in accumulator AX
Logical instructions
Assembly language logical instructions operate on a bit-by-bit basis; therefore, no overflow or carry bit is generated. Typical logical operations include logical and (AND), logical or (OR),
logical complement (NOT) and logical exclusive or (XOR). The AND operation can be used for clearing one or more bits in a register.
Stack instructions
Assembly language stack are top-down structures in memory that store data in such a way that the last data stored is the first to be retrieved. The only access to add or remove data from the stack is through the top of the stack. The most common stack instructions are PUSH and POP. PUSH puts new data at the top of the stack while POP removes the next data from the top of the stack.
Conditionals
Assembly language conditional statements control the flow of the execution of the program. Conditional statements are in two parts: unconditional jump and conditional jump.
Unconditional jump is performed by the JMP instruction. The CMP instruction compares two operands and sets the appropriate flag, depending on the outcome. The conditional jump instructions takes input from the set flags based on the output of the CMP instruction.
Unconditional jump
- MOV AX, 10 ; Initializing AX to 2
- MOV BX, 11 ; Initializing BX to 3
- MOV CX, 00 ; Initializing CX to 0
- L17:
- ADD AX, 01 ; Increment AX
- ADD BX, AX ; Add AX to BX
- JMP L17 ; repeats the statements
- ADD BX, AX ; Add AX to BX (this line code will never run because of the unconditional jump instruction JMP L17)
Conditional jump
- CMP DX, 01 ; Compare the DX value with one
- JE L17 ; If yes, then jump to label L7 (this is a conditional jump which skips the next two instructions only if the value in register DX is one )
- ADD AX, 01 ; Increment AX
- ADD BX, AX ; Add AX to BX
- L17:
- ADD AX, 11 ; Increment AX
- ADD BX, AX ; Add AX to BX
Conclusion
The ability to read and write codes or sets of instructions in low-level assembly language is a great skill to have despite evolution of high-level languages. Assembly language codes are used in coding device drivers, real-time systems and low-level embedded systems. These codes also help in the reverse engineering processes used to establish the vulnerabilities or logical flows of computer programs in a real-world running environment.
Sources
- Computer programming language, Encyclopedia Britannica
- Difference between Machine Language and Assembly Language Comparison Chart, STechies
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Disassembly 101
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis