Intel Assembly
Goal: to gain a knowledge of Intel 32-bit assembly instructions

References:
• M. Pietrek, “Under the Hood: Just Enough Assembly Language to Get By”, MSJ, February 1998, www.microsoft.com/msj
• M. Pietrek, “Under the Hood: Just Enough Assembly Language to Get By, Part II”, MSJ, June 1998, www.microsoft.com/msj
• IA-32 Intel® Architecture Software Developer’s Manual, www.intel.com/design/pentium4/documentation.htm#manuals
  • Volume 1: Basic Architecture
  • Volume 2A: Instruction Set Reference A-M
  • Volume 2B: Instruction Set Reference N-Z
Assembly Programming
• Machine Language
  • binary
  • hexadecimal
  • machine code or object code

• Assembly Language
  • mnemonics
  • assembler

• High-Level Language
  • Pascal, Basic, C
  • compiler
Assembly Language Programming

What Does It Mean to Disassemble Code?

[Diagram: the build pipeline. Source Code goes through Preprocessing & Compiling to Assembly Code; Assembly turns that into Object Code; Linking (together with DLLs) produces Executable Code. Disassembly is the reverse arrow on the diagram: it starts from Executable Code and recovers Assembly Code.]
Why is Disassembly Useful in Malware Analysis?
• It is not always desirable (or safe) to execute malware: disassembly provides a static analysis that needs no execution at all.
• Disassembly lets an analyst investigate all parts of the code, including paths a sample never takes during a run, which is not always possible in dynamic analysis.
• A disassembler and a debugger complement each other: the disassembler gives coverage of the whole program, the debugger shows the concrete register and memory values on the path actually taken.
32-bit Instructions
• Instructions are represented in memory by a series of “opcode bytes.”
• Instructions are variable length (an IA-32 instruction is between 1 and 15 bytes), so disassembly is position specific: decoding the same bytes from a starting offset one byte off yields a different, often plausible-looking instruction stream, and a linear sweep that runs into data embedded in the code stays desynchronised until it resynchronises by chance. Disassemble from a known instruction boundary (an entry point or a branch target).
• Most instructions take zero, one, or two operands, written destination first:

  instruction destination, source

  For example: add eax, ebx

  is equivalent to the expression eax = eax + ebx. (This is Intel syntax, as used by the Intel manuals and most Windows tools; AT&T syntax, used by the GNU tools, lists the source first.)
Rule #3:
If a value that needs fewer bits than the register is moved into a 16-bit register, the assembler widens the immediate to the register’s full size, so the remaining high-order bits are zero.
MOV BX, 5     BX = 0005
              BH = 00, BL = 05
The write is confined to BX: the upper 16 bits of EBX are left unchanged.
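The two points above (variable-length encoding makes disassembly position specific; MOV BX, 5 carries an explicitly zeroed high byte) are easier to see with a decoder in hand. The following is an added example written for this page, not code from the slides or from any real disassembler: a table-driven decoder for a handful of IA-32 opcodes, with encodings taken from the Intel manual (push/pop r32, mov r32/r16 imm, add/mov/xor r/m32, r32 in register-direct form, add r/m32, imm8, xor al, imm8, Jcc/jmp rel8, nop, ret, int3). Everything else is emitted as `db`. The sample byte string is constructed for the example.

```python
"""Constructed example: a minimal IA-32 decoder for a few opcodes.

It shows that x86 instructions are variable length, so a linear sweep
started at the wrong offset produces a different, plausible-looking
instruction stream, and that MOV BX, 5 in 32-bit code is encoded as
66 BB 05 00 with the high byte of the imm16 literally zero.
"""
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
ALU_RM_R = {0x01: "add", 0x31: "xor", 0x89: "mov"}   # opcode /r: op r/m32, r32


def _field(code, fmt, at):
    """Little-endian immediate at `at`, or None if the buffer ends early."""
    if at + struct.calcsize(fmt) > len(code):
        return None
    return struct.unpack_from(fmt, code, at)[0]


def decode_one(code, off):
    """Decode one instruction at code[off]; return (length, text).

    Only register-direct ModR/M forms (mod == 11b) are handled; anything
    unrecognised is emitted as a one-byte `db` so the sweep keeps going.
    """
    op = code[off]
    if 0x50 <= op <= 0x57:
        return 1, f"push {REGS32[op - 0x50]}"
    if 0x58 <= op <= 0x5F:
        return 1, f"pop {REGS32[op - 0x58]}"
    if op == 0x90:
        return 1, "nop"
    if op == 0xC3:
        return 1, "ret"
    if op == 0xCC:
        return 1, "int3"
    if 0xB8 <= op <= 0xBF:                              # mov r32, imm32
        imm = _field(code, "<I", off + 1)
        if imm is not None:
            return 5, f"mov {REGS32[op - 0xB8]}, 0x{imm:x}"
    if op == 0x66 and off + 1 < len(code) and 0xB8 <= code[off + 1] <= 0xBF:
        imm = _field(code, "<H", off + 2)               # 66 prefix: mov r16, imm16
        if imm is not None:
            return 4, f"mov {REGS16[code[off + 1] - 0xB8]}, 0x{imm:x}"
    if op in ALU_RM_R and off + 1 < len(code):
        modrm = code[off + 1]
        if modrm >> 6 == 3:                             # register-direct form only
            reg, rm = (modrm >> 3) & 7, modrm & 7
            return 2, f"{ALU_RM_R[op]} {REGS32[rm]}, {REGS32[reg]}"
    if op == 0x83 and off + 1 < len(code) and code[off + 1] >> 6 == 3:
        modrm = code[off + 1]
        imm = _field(code, "<b", off + 2)
        if (modrm >> 3) & 7 == 0 and imm is not None:   # 83 /0 ib = add r/m32, imm8
            return 3, f"add {REGS32[modrm & 7]}, {imm}"
    if op == 0x34:                                      # xor al, imm8
        imm = _field(code, "<B", off + 1)
        if imm is not None:
            return 2, f"xor al, 0x{imm:x}"
    if 0x70 <= op <= 0x7F or op == 0xEB:                # Jcc / jmp short, rel8
        rel = _field(code, "<b", off + 1)
        if rel is not None:
            mn = "jmp" if op == 0xEB else JCC[op - 0x70]
            return 2, f"{mn} 0x{(off + 2 + rel) & 0xFFFFFFFF:x}"
    return 1, f"db 0x{op:02x}"


def disassemble(code, start=0):
    """Linear sweep from byte offset `start`; returns [(offset, text), ...]."""
    out, off = [], start
    while off < len(code):
        length, text = decode_one(code, off)
        out.append((off, text))
        off += length
    return out


# Constructed sample: push ebp / mov ebp,esp / mov eax,0x12345678 / add eax,ebx / pop ebp / ret
SAMPLE = bytes.fromhex("55 89e5 b878563412 01d8 5d c3")

if __name__ == "__main__":
    for start in (0, 4):                                # offset 4 lands inside the imm32
        print(f"--- sweep from offset {start}")
        for off, text in disassemble(SAMPLE, start):
            print(f"{off:04x}: {text}")
    print(disassemble(bytes.fromhex("66bb0500")))       # MOV BX, 5 in 32-bit code
```

Sweeping from offset 0 gives the intended six instructions. Sweeping from offset 4, inside the immediate of `mov eax, 0x12345678`, the bytes 78 56 34 12 decode as `js 0x5c` followed by `xor al, 0x12`, and the stream only resynchronises at `add eax, ebx`. That is exactly what happens when a disassembler is pointed at the wrong offset or at data mixed into code, and why the decode must start from a known instruction boundary. The `66 BB 05 00` case shows Rule #3 in the encoding itself: the assembler emits the 16-bit immediate 0005, so BH is zero because the byte is there in the instruction.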
