┌──────┐┌─────────────────────────────────────────────────────────────────────────────────────────────────────────┐┌──────┐ │┌─┐┌─┐││ idk_lol.exe _ □ x ││┌─┐┌─┐│ ││┌┘└┐│││┌───────── ▄███████ ── ▄███████ ▄█ ─ █▄ ─── ▄███████ ── ▄███████ ── ▄███████ ── ▄███████ ──────────────┐│││┌┘└┐││ ││└┐┌┘││││ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ││││└┐┌┘││ ││┌┘└┐││││ ███ ███ ███ █▀ ███ ███ ███ █▀ ███ ███ ███ █▀ ███ █▀ ││││┌┘└┐││ └┘└┐┌┘└┘││ ▄███▄▄▄██▀ ▄███▄▄ ███ ███ ▄███▄▄ ▄███▄▄▄██▀ ███ ▄███▄▄ ││└┘└┐┌┘└┘ ┌─┐││┌─┐││ ▀▀███▀▀▀▀ ▀▀███▀▀ ███ ███ ▀▀███▀▀ ▀▀███▀▀▀▀ ▀██████████ ▀▀███▀▀ ││┌─┐││┌─┐ └┐││││┌┘││ ▀██████████ ███ █▄ ███ ███ ███ █▄ ▀██████████ ███ ███ █▄ ││└┐││││┌┘ ┌┘││││└┐││ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ▄█ ███ ███ ███ ││┌┘││││└┐ └┐││││┌┘││ ███ ███ █████████ ▀█████▀ █████████ ███ ███ ▄███████▀ █████████ ││└┐││││┌┘ ┌┘└┘└┘└┐││ ███ ███ ███ ███ │┌┘└┘└┘└┐ │┌─┐┌─┐││ ▄███████ ███▄▄▄ ▄█████▄ ▄█ ███▄▄▄ ▄███████ ▄███████ ▄███████ ▄█ ███▄▄▄ ▄█████▄ ──┐┌─┐│ ││┌┘└┐│││ ███ ███ ███▀▀██▄ ███ ███ ███ ███▀▀██▄ ███ ███ ███ ███ ███ ███ ███ ███▀▀██▄ ███ ███ ┌┘└┐││ ││└┐┌┘│││ ███ █▀ ███ ███ ███ █▀ ███▌ ███ ███ ███ █▀ ███ █▀ ███ ███ ███▌ ███ ███ ███ █▀ │└┐┌┘││ ││┌┘└┐││ ▄███▄▄ ███ ███ ▄███ ███▌ ███ ███ ▄███▄▄ ▄███▄▄ ▄███▄▄▄██▀ ███▌ ███ ███ ▄███ ││┌┘└┐││ └┘└┐┌┘└┘▀▀███▀▀ ███ ███ ▀▀███ ███▄ ███▌ ███ ███ ▀▀███▀▀ ▀▀███▀▀ ▀▀███▀▀▀▀ ███▌ ███ ███ ▀▀███ ███▄└┘└┐┌┘└┘ ┌─┐││┌─┐│ ███ █▄ ███ ███ ███ ███ ███ ███ ███ ███ █▄ ███ █▄ ▀██████████ ███ ███ ███ ███ ███ ┐││┌─┐ └┐││││┌┘│ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ││││┌┘ ┌┘││││└┐│ █████████ ▀█ █▀ ███████▀ █▀ ▀█ █▀ █████████ █████████ ███ ███ █▀ ▀█ █▀ ███████▀ ┘││││└┐ └┐││││┌┘│ ███ ███ │└┐││││┌┘ ┌┘└┘└┘└┐│ ▄███████ ▄█████▄ ▄███████ ███▄▄▄ ▄█████▄ ▄█████▄ ▀████████▄ ▄███████ ││┌┘└┘└┘└┐ │┌─┐┌─┐││ ███ ███ ███ ███ ███ ███ ███▀▀██▄ ███ ███ ███ ███ ███ ███ ███ ███ │││┌─┐┌─┐│ ││┌┘└┐│││ ███ █▀ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ █▀ ││││┌┘└┐││ ││└┐┌┘││ ▄███▄▄ ███ ███ ▄███▄▄▄██▀ ███ ███ ███ ███ ███ ███ ▄███▄▄██▀ ███ ││││└┐┌┘││ ││┌┘└┐││▀▀███▀▀ ███ ███ ▀▀███▀▀▀▀ ███ ███ ███ ███ ███ ███ ▀▀███▀▀██▄ ▀██████████ ││││┌┘└┐││ └┘└┐┌┘└┘│ ███ ███ ███ ▀██████████ ███ ███ ███ ███ ███ ███ ███ ██▄ ███ ││└┘└┐┌┘└┘ ┌─┐││┌─┐│ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ▄█ ███ @0x6D6172636F││┌─┐││┌─┐ └┐││││┌┘│ ███ ────── ▀█████▀ ── ███ ─ ███ ─── ▀█ █▀ ─ ▀█████▀ ─ ▀█████▀ ▄████████▀ ─ ▄███████▀ ───────────────┘│└┐││││┌┘ ┌┘││││└┐└ ███ ───────────────── ███ ─ ███ ────────────────────────────────────────────────────────────────────────┘┌┘││││└┐ └┐││││┌┘ └┐││││┌┘ ┌┘└┘└┘└┐ >>Introduction<< ┌┘└┘└┘└┐ │┌─┐┌─┐│ At a high level, reverse engineering is learning how something works without knowledge of it. With │┌─┐┌─┐│ ││┌┘└┐││ software, our goal is to understand the source code of a binary which we do not have the source code ││┌┘└┐││ ││└┐┌┘││ to. As a question: "what does this do, and how does it do it?" Our desired outcomes come in varying ││└┐┌┘││ ││┌┘└┐││ degrees, from essentially re-creating software to just understanding what certain functions are ││┌┘└┐││ └┘└┐┌┘└┘ performing. A large amount of analysis can be done by simply running and observing software, however └┘└┐┌┘└┘ ┌─┐││┌─┐ this document is primarily about static analysis and examining the executable machine code. We gain ┌─┐││┌─┐ └┐││││┌┘ a detailed view of the binary because, simply put, we are looking at the exact instructions which are └┐││││┌┘ ┌┘││││└┐ running on a CPU. ┌┘││││└┐ └┐││││┌┘ >Why RE/Practical reasons └┐││││┌┘ ┌┘└┘└┘└┐ You might be thinking that this sounds like a tedious and daunting exercise. While not incorrect, ┌┘└┘└┘└┐ │┌─┐┌─┐│ there are a few practical reasons to do so anyways. You may have a malware sample found on a network │┌─┐┌─┐│ ││┌┘└┐││ which is sending encrypted outbound internet traffic and need to figure out what the traffic was. In ││┌┘└┐││ ││└┐┌┘││ this situation, dynamic analysis may not give you any insight into the payload data. Alternatively, ││└┐┌┘││ ││┌┘└┐││ de-compiling may not truly recreate the source code. While useful, de-compilers contain an element of ││┌┘└┐││ └┘└┐┌┘└┘ guesswork. Therefore, you may need to reverse engineer the binary. Additionally, you will see reverse └┘└┐┌┘└┘ ┌─┐││┌─┐ engineering used in context with game hacking, DRM removal, CTFs, etc. ┌─┐││┌─┐ └┐││││┌┘ >What is the goal of this document └┐││││┌┘ ┌┘││││└┐ In the short term, my goal is to introduce you to reverse engineering both conceptually and ┌┘││││└┐ └┐││││┌┘ practically. Due to the abstract and esoteric nature of RE as a field, most people are entirely └┐││││┌┘ ┌┘└┘└┘└┐ unaware of its existence, much less exposed to an entry point. Personally, the most difficult period ┌┘└┘└┘└┐ │┌─┐┌─┐│ I had was finding training, gaining a methodology, and learning where to start. While there are │┌─┐┌─┐│ ││┌┘└┐││ fantastic resources for doing so, finding them can be tough. Reversing is an extremely deep field due ││┌┘└┐││ ││└┐┌┘││ to its ability to be applied to just about anything electronic, so consider this effort to be a diving ││└┐┌┘││ ││┌┘└┐││ board. Furthermore, it is a fantastic introduction to low level computing in general, where you can ││┌┘└┐││ └┘└┐┌┘└┘ leverage your knowledge for things like binary golf, exploit development, modern assembly development, └┘└┐┌┘└┘ ┌─┐││┌─┐ virus development, and more. ┌─┐││┌─┐ └┐││││┌┘ In the long term, my goal is to introduce a mindset. Most of my RE experience at the time of writing └┐││││┌┘ ┌┘││││└┐ has been in CTFs. Often you are presented with bizarre problems you are unprepared for, with little ┌┘││││└┐ └┐││││┌┘ insight as to proceed. In order to solve these sorts of challenges, the following methodology └┐││││┌┘ ┌┘└┘└┘└┐ becomes critical: ┌┘└┘└┘└┐ │┌─┐┌─┐│ Failing attempts must be thought of iterative learning │┌─┐┌─┐│ ││┌┘└┐││ "I don't understand X" must become "How do I learn more about X" ││┌┘└┐││ ││└┐┌┘││ "Y is too complicated" must become "How do I break Y into smaller steps" ││└┐┌┘││ ││┌┘└┐││ ││┌┘└┐││ └┘└┐┌┘└┘ >>Technical Prerequisites<< └┘└┐┌┘└┘ ┌─┐││┌─┐ >Executables (aka Binaries) ┌─┐││┌─┐ └┐││││┌┘ At a high level, here is what is going on: └┐││││┌┘ ┌┘││││└┐ We have instructions for humans but need to make machine code that a computer can execute. ┌┘││││└┐ └┐││││┌┘ With a compiled language, higher level code such C is parsed and compiled into machine code. └┐││││┌┘ ┌┘└┘└┘└┐ >Compiling can be thought of in a few steps: ┌┘└┘└┘└┐ │┌─┐┌─┐│ A compiler takes the source code and converts it into machine language, such as an object file of │┌─┐┌─┐│ ││┌┘└┐││ your source code. ││┌┘└┐││ ││└┐┌┘││ A linker combines this object file with other pre-compiled object files so that your symbols ││└┐┌┘││ ││┌┘└┐││ (for example: identifiers for functions in libraries, global variables, etc) can be defined. When ││┌┘└┐││ └┘└┐┌┘└┘ writing code you will often use functions you did not actually define within your source code. └┘└┐┌┘└┘ ┌─┐││┌─┐ The linker takes your undefined symbols and adds the correct addresses to these instructions; ┌─┐││┌─┐ └┐││││┌┘ outputting your executable file. As an example, imagine that you have some source code calling an └┐││││┌┘ ┌┘││││└┐ exported DLL function. When that source code is compiled, the function call generates an external ┌┘││││└┐ └┐││││┌┘ function reference (since the DLL is not a part of your source code.) The linker then adds the └┐││││┌┘ ┌┘└┘└┘└┐ information necessary for the reference to actually find this DLL code when the process is started. ┌┘└┘└┘└┐ │┌─┐┌─┐│ │┌─┐┌─┐│ ││┌┘└┐││ ┌───────────────┐ ││┌┘└┐││ ││└┐┌┘││ │ source_code.c│ ││└┐┌┘││ ││┌┘└┐││ ┌───────────────────────────────┐ ││┌┘└┐││ └┘└┐┌┘└┘ │#include <stdio.h> │ └┘└┐┌┘└┘ ┌─┐││┌─┐ │int main() │ ┌─┐││┌─┐ └┐││││┌┘ │{ │ └┐││││┌┘ ┌┘││││└┐ │ printf( "hello world\n" ); │ ┌┘││││└┐ └┐││││┌┘ │ return 0; │ └┐││││┌┘ ┌┘└┘└┘└┐ │} │ ┌┘└┘└┘└┐ │┌─┐┌─┐│ └───────────────────────────────┘ │┌─┐┌─┐│ ││┌┘└┐││ │ ││┌┘└┐││ ││└┐┌┘││ ┌────────┴──────┐ ││└┐┌┘││ ││┌┘└┐││ │ Compiler│ ││┌┘└┐││ └┘└┐┌┘└┘ └───────────────┘ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ ┌─┐││┌─┐ └┐││││┌┘ ┌────────┴──────┐ └┐││││┌┘ ┌┘││││└┐ │compiled_code.o│ ┌┘││││└┐ └┐││││┌┘ ┌───────────────────────────────┐ └┐││││┌┘ ┌┘└┘└┘└┐ │.file source_code.c │ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │.LC0: │ │┌─┐┌─┐│ ││┌┘└┐││ │ .string "hello world" │ ││┌┘└┐││ ││└┐┌┘││ │main: │ ││└┐┌┘││ ││┌┘└┐││ │ LEA ECX, [ESP+4] │ ││┌┘└┐││ └┘└┐┌┘└┘ │ AND ESP, -16 │ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ PUSH DWORD PTR [ECX-4] │ ┌─┐││┌─┐ └┐││││┌┘ │ PUSH EBP │ └┐││││┌┘ ┌┘││││└┐ │ MOV EBP, ESP │ ┌┘││││└┐ └┐││││┌┘ │ PUSH ECX │ └┐││││┌┘ ┌┘└┘└┘└┐ │ SUB ESP, 4 │ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ SUB ESP, 12 │ │┌─┐┌─┐│ ││┌┘└┐││ │ PUSH OFFSET FLAT:.LC0 │ ││┌┘└┐││ ││└┐┌┘││ │ CALL PUTS │ ││└┐┌┘││ ││┌┘└┐││ │ ADD ESP, 16 │ ││┌┘└┐││ └┘└┐┌┘└┘ │ MOV EAX, LC0 │ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ MOV ECX, DWORD PTR [EBP-4] │ ┌─┐││┌─┐ └┐││││┌┘ │ LEAVE │ └┐││││┌┘ ┌┘││││└┐ │ LEA ESP, [ECX-4] │ ┌┘││││└┐ └┐││││┌┘ │ RET │ └┐││││┌┘ ┌┘└┘└┘└┐ └───────────────────────────────┘ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ │┌─┐┌─┐│ ││┌┘└┐││ ┌────────┴──────┐ ┌───────────────┐ ││┌┘└┐││ ││└┐┌┘││ │ Linker├───│ External DLLs│ ││└┐┌┘││ ││┌┘└┐││ └───────────────┘ └───────────────┘ ││┌┘└┐││ └┘└┐┌┘└┘ │ └┘└┐┌┘└┘ ┌─┐││┌─┐ ┌────────┴──────┐ ┌─┐││┌─┐ └┐││││┌┘ │ executable.exe│ └┐││││┌┘ ┌┘││││└┐ ┌────────────────────────────────┐ ┌┘││││└┐ └┐││││┌┘ │4d 5a 90 00 03 00 00 00-04 00 00│ └┐││││┌┘ ┌┘└┘└┘└┐ │00 ff ff 00 00 b8 00 00 00 00 00│ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │00 00 00-40 00 00 00 00 00 00 00│ │┌─┐┌─┐│ ││┌┘└┐││ │... │ ││┌┘└┐││ ││└┐┌┘││ └────────────────────────────────┘ ││└┐┌┘││ ││┌┘└┐││ ││┌┘└┐││ └┘└┐┌┘└┘ The compiled executable looks like gibberish to us compared to the previous source code. However, └┘└┐┌┘└┘ ┌─┐││┌─┐ this won't stop us from our goals. ┌─┐││┌─┐ └┐││││┌┘ While we may describe the executable as "binary," typically we represent it in a shorter format, └┐││││┌┘ ┌┘││││└┐ hex. An example of hex: B8 05 00 00 00. ┌┘││││└┐ └┐││││┌┘ Assembly is just translating this directly to a more human readable format. "B8 05 00 00 00" directly └┐││││┌┘ ┌┘└┘└┘└┐ corresponds to "MOV EAX, 05" (move the value 05 into register EAX). B8 directly corresponds to the ┌┘└┘└┘└┐ │┌─┐┌─┐│ physical circuits for this instruction on the processor. This performs a MOV operation that loads a │┌─┐┌─┐│ ││┌┘└┐││ value into the physical 32-bit memory register on the processor that we are referring to as EAX. The ││┌┘└┐││ ││└┐┌┘││ latter half of the hex instruction for B8 is "05 00 00 00". There are 32 bits allocated for this ││└┐┌┘││ ││┌┘└┐││ value, but we only need a little of that to represent our value, hence the zeroes. ││┌┘└┐││ └┘└┐┌┘└┘ Also note, the 05 is stored on the far left vs the far right. This is due to something referred to └┘└┐┌┘└┘ ┌─┐││┌─┐ as "endianness," which you will want to learn more about later, but don't worry about that right now. ┌─┐││┌─┐ └┐││││┌┘ Just know that if the byte on the far left would represent the least significant bit it would be └┐││││┌┘ ┌┘││││└┐ referred to as little-endian, and if the byte on the far left represented the most significant bit, ┌┘││││└┐ └┐││││┌┘ it would be referred to as big-endian. Were we to represent this as a big-endian value, the └┐││││┌┘ ┌┘└┘└┘└┐ instruction in hex would be "00 00 00 05." PE (.exe) files will always be little-endian, but know ┌┘└┘└┘└┐ │┌─┐┌─┐│ that other formats such as ELF may not be. │┌─┐┌─┐│ ││┌┘└┐││ ││┌┘└┐││ ││└┐┌┘││ >What happens when a program is run? ││└┐┌┘││ ││┌┘└┐││ 1. The program is assigned RAM, and the code/data it manipulates are loaded into RAM from storage. ││┌┘└┐││ └┘└┐┌┘└┘ 2. An instruction is read from RAM by the CPU control unit. └┘└┐┌┘└┘ ┌─┐││┌─┐ 3. The instruction is executed by the CPU ALU using inputs from user or registers. ┌─┐││┌─┐ └┐││││┌┘ 4. The output is stored in registers or sent to a device. └┐││││┌┘ ┌┘││││└┐ Repeat these steps until the program is done. ┌┘││││└┐ └┐││││┌┘ └┐││││┌┘ ┌┘└┘└┘└┐ ┌─────────────┐ ┌────────────────┐ ┌┘└┘└┘└┐ │┌─┐┌─┐│ ┌─┤ Control Unit│───┤Arith Logic Unit│─┐ │┌─┐┌─┐│ ││┌┘└┐││ │ └─────────────┘ └────────────────┘ │ ││┌┘└┐││ ││└┐┌┘││ ┌────────────────────┐ │ │ ┌─────────────────────┐ ││└┐┌┘││ ││┌┘└┐││ │Inst fetch from RAM │ │ ┌──────────────────────────────────┐ │ │Result stored to RAM │ ││┌┘└┐││ └┘└┐┌┘└┘ └────────────────────┘ │ │RAM Instruction0│ Result0│ │ └─────────────────────┘ └┘└┐┌┘└┘ ┌─┐││┌─┐ └─│ Instruction1│ Result1├─┘ ┌─┐││┌─┐ └┐││││┌┘ │ Instruction2│ Result2│ └┐││││┌┘ ┌┘││││└┐ │ ...│ ...│ ┌┘││││└┐ └┐││││┌┘ └──────────────────────────────────┘ └┐││││┌┘ ┌┘└┘└┘└┐ ┌┘└┘└┘└┐ │┌─┐┌─┐│ >x86 assembly overview (32 bit) │┌─┐┌─┐│ ││┌┘└┐││ Instructions in the Intel syntax follow the format of: ││┌┘└┐││ ││└┐┌┘││ instruction dest_operand, source_operand ;eg MOV EAX, 0x05 moves the value five into EAX ││└┐┌┘││ ││┌┘└┐││ If you see differently, you might be looking at AT&T syntax, which follow the format of: ││┌┘└┐││ └┘└┐┌┘└┘ instruction source_operand, dest_operand ;eg MOV 0x05, EAX moves the value five into EAX └┘└┐┌┘└┘ ┌─┐││┌─┐ There are many, many x86 instructions but don't panic. Most of the time you will be seeing common ┌─┐││┌─┐ └┐││││┌┘ instructions. For learning x86 in general, there are a few different strategies. Reading assembly, └┐││││┌┘ ┌┘││││└┐ writing assembly, writing higher level code and reading the compiled results, trying different ┌┘││││└┐ └┐││││┌┘ compilers, that sort of thing. Searches like "x86 mov" will be your friend as you try to learn how └┐││││┌┘ ┌┘└┘└┘└┐ each instruction behaves. Generally we see our instructions falling into certain categories for ┌┘└┘└┘└┐ │┌─┐┌─┐│ movement of data, logic, and control flow. │┌─┐┌─┐│ ││┌┘└┐││ A few common instructions: ││┌┘└┐││ ││└┐┌┘││ Movement of data ││└┐┌┘││ ││┌┘└┐││ MOV ││┌┘└┐││ └┘└┐┌┘└┘ LEA └┘└┐┌┘└┘ ┌─┐││┌─┐ Math/logic ┌─┐││┌─┐ └┐││││┌┘ ADD └┐││││┌┘ ┌┘││││└┐ SUB ┌┘││││└┐ └┐││││┌┘ OR └┐││││┌┘ ┌┘└┘└┘└┐ XOR ┌┘└┘└┘└┐ │┌─┐┌─┐│ AND │┌─┐┌─┐│ ││┌┘└┐││ Control flow ││┌┘└┐││ ││└┐┌┘││ CMP ││└┐┌┘││ ││┌┘└┐││ JMP ││┌┘└┐││ └┘└┐┌┘└┘ PUSH └┘└┐┌┘└┘ ┌─┐││┌─┐ POP ┌─┐││┌─┐ └┐││││┌┘ CALL └┐││││┌┘ ┌┘││││└┐ RET ┌┘││││└┐ └┐││││┌┘ └┐││││┌┘ ┌┘└┘└┘└┐ >General Registers ┌┘└┘└┘└┐ │┌─┐┌─┐│ Think of registers as variables within x86. This is not an exhaustive list of every register │┌─┐┌─┐│ ││┌┘└┐││ which can be used, however the vast majority of the time you will be seeing these registers. ││┌┘└┐││ ││└┐┌┘││ ││└┐┌┘││ ││┌┘└┐││ ┌───────────────┬───────┬───────┐ ││┌┘└┐││ └┘└┐┌┘└┘ │ 16 bits│ 8 bits│ 8 bits│ └┘└┐┌┘└┘ ┌─┐││┌─┐ ┌───────────────┬───────┬───────┐ ──┐ ┌─┐││┌─┐ └┐││││┌┘ EAX │ AX │ AH │ AL │ │ └┐││││┌┘ ┌┘││││└┐ ├───────────────┼───────┼───────┤ D │ ┌┘││││└┐ └┐││││┌┘ EBX │ BX │ BH │ BL │ A │ └┐││││┌┘ ┌┘└┘└┘└┐ ├───────────────┼───────┼───────┤ T │ ┌┘└┘└┘└┐ │┌─┐┌─┐│ ECX │ CX │ CH │ CL │ A │ │┌─┐┌─┐│ ││┌┘└┐││ ├───────────────┼───────┼───────┤ │ ││┌┘└┐││ ││└┐┌┘││ EDX │ DX │ DH │ DL │ │ ││└┐┌┘││ ││┌┘└┐││ ├───────────────┴───────┴───────┤ ─┤ ││┌┘└┐││ └┘└┐┌┘└┘ ESI │ │ I │ └┘└┐┌┘└┘ ┌─┐││┌─┐ ├───────────────────────────────┤ N │ ┌─┐││┌─┐ └┐││││┌┘ EDI │ │ D │ └┐││││┌┘ ┌┘││││└┐ ├───────────────────────────────┤ / │ ┌┘││││└┐ └┐││││┌┘ ESP │ │ P │ └┐││││┌┘ ┌┘└┘└┘└┐ ├───────────────────────────────┤ N │ ┌┘└┘└┘└┐ │┌─┐┌─┐│ EBP │ │ T │ │┌─┐┌─┐│ ││┌┘└┐││ └───────────────────────────────┘ ──┘ ││┌┘└┐││ ││└┐┌┘││ │ 32 Bits│ ││└┐┌┘││ ││┌┘└┐││ └───────────────────────────────┘ ││┌┘└┐││ └┘└┐┌┘└┘ └┘└┐┌┘└┘ ┌─┐││┌─┐ Data Registers ┌─┐││┌─┐ └┐││││┌┘ EAX: Accumulator, often for math and return values. └┐││││┌┘ ┌┘││││└┐ EBX: Base, often holds function params and indexed addresses. ┌┘││││└┐ └┐││││┌┘ ECX: Count, for loop counts (programmers: this is "i") and function params. └┐││││┌┘ ┌┘└┘└┘└┐ EDX: Data, general use and function params. ┌┘└┘└┘└┐ │┌─┐┌─┐│ Internally labeled boxes are subregisters which can be used. │┌─┐┌─┐│ ││┌┘└┐││ Index Registers ││┌┘└┐││ ││└┐┌┘││ ESI: Source Index, often stores constants or used as a pointer. ││└┐┌┘││ ││┌┘└┐││ EDI: Destination Index, often a destination for data or used as a pointer. ││┌┘└┐││ └┘└┐┌┘└┘ Pointers └┘└┐┌┘└┘ ┌─┐││┌─┐ Points to a memory location, generally expressed in hex. Example: 0x40154b. ┌─┐││┌─┐ └┐││││┌┘ ESP: Stack pointer, stores a pointer to top of stack. └┐││││┌┘ ┌┘││││└┐ EBP: Base pointer, stores a pointer to base of current stack frame. ┌┘││││└┐ └┐││││┌┘ Flags └┐││││┌┘ ┌┘└┘└┘└┐ Certain instructions change flags, which are represented as simple 1 or 0 on a flag register. ┌┘└┘└┘└┐ │┌─┐┌─┐│ For example, if we perform an "add" between two numbers, we may have a few outcomes that we need │┌─┐┌─┐│ ││┌┘└┐││ to be aware of. Let's say we compare two values to see if they are equal with CMP EDX, EAX. The ││┌┘└┐││ ││└┐┌┘││ "zero flag" will either be set to 1 if they are equal, or 0 if they are not. An instruction ││└┐┌┘││ ││┌┘└┐││ like JZ 0x40154b that jumps to memory location 0x40154b if the comparison equaled to zero would ││┌┘└┐││ └┘└┐┌┘└┘ check this flag. Think of these as boolean variables. └┘└┐┌┘└┘ ┌─┐││┌─┐ ┌─┐││┌─┐ └┐││││┌┘ ┌───────────────────────────────────────────────────────────────────────────┐ └┐││││┌┘ ┌┘││││└┐ │ CMP EAX, EDX ; Changes zero flag (ZF) to 1 if EAX and EDX not equal │ ┌┘││││└┐ └┐││││┌┘ │ JNE 0x40154b ; If ZF set to 1, jump to 0x40154b │ └┐││││┌┘ ┌┘└┘└┘└┐ └───────────────────────────────────────────────────────────────────────────┘ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │┌─┐┌─┐│ ││┌┘└┐││ There are a handful of flags to learn, but a few to get you started are: ││┌┘└┐││ ││└┐┌┘││ ZF, "zero flag," set if result is 0. ││└┐┌┘││ ││┌┘└┐││ SF, "sign flag," set if a result is negative. ││┌┘└┐││ └┘└┐┌┘└┘ OF, "overflow flag," set if a result was larger than a register can hold. Let us say AL and DL └┘└┐┌┘└┘ ┌─┐││┌─┐ are set to 0xFF. ADD AL, DL would return a 9 bit character and therefore overflow the 8 bit ┌─┐││┌─┐ └┐││││┌┘ register. └┐││││┌┘ ┌┘││││└┐ Addressing modes ┌┘││││└┐ └┐││││┌┘ We have a few ways to address things. └┐││││┌┘ ┌┘└┘└┘└┐ Register addressing, aka using the direct register references. Example: EAX. ┌┘└┘└┘└┐ │┌─┐┌─┐│ Immediate addressing, where we give an immediate value. Example: 0x10 │┌─┐┌─┐│ ││┌┘└┐││ Memory addressing, where we use a memory address. ││┌┘└┐││ ││└┐┌┘││ Direct memory addressing is when we reference the effective address of a memory location ││└┐┌┘││ ││┌┘└┐││ directly, eg "JMP 0x401438" jumps directly to memory address 0x401438. ││┌┘└┐││ └┘└┐┌┘└┘ Indirect memory addressing, eg "JMP [EAX]" jumps directly to the memory address stored └┘└┐┌┘└┘ ┌─┐││┌─┐ in EAX. ┌─┐││┌─┐ └┐││││┌┘ Addressing examples: └┐││││┌┘ ┌┘││││└┐ Register to register (eg, MOV EDX, EAX copies data in EAX to EDX). ┌┘││││└┐ └┐││││┌┘ Register to memory (eg, MOV [EDX], EAX copies data in EAX to memory address in EDX). └┐││││┌┘ ┌┘└┘└┘└┐ Memory to register (eg, MOV EDX, [EAX] copies the data at memory address in EAX to EDX). ┌┘└┘└┘└┐ │┌─┐┌─┐│ Immediate to register (eg, MOV EDX, 0x05 copies hex value 5 to EDX). │┌─┐┌─┐│ ││┌┘└┐││ Immediate to memory (eg, MOV [EDX], 0x05 copies hex value 5 to memory address in EDX). ││┌┘└┐││ ││└┐┌┘││ Note there is no "to immediate." This is because you can store things at a memory location, or ││└┐┌┘││ ││┌┘└┐││ within a register, but you cannot store things at decimal value "10" for example. Spoken as a ││┌┘└┐││ └┘└┐┌┘└┘ analogy, you can store apples in a bucket, you can store apples at a street address for a bucket, └┘└┐┌┘└┘ ┌─┐││┌─┐ but you can't store apples in an apple. ┌─┐││┌─┐ └┐││││┌┘ └┐││││┌┘ ┌┘││││└┐ The Call Stack ┌┘││││└┐ └┐││││┌┘ The stack is a last in, first out data structure. Think of this like a deck of cards. If we start └┐││││┌┘ ┌┘└┘└┘└┐ stacking the cards, the card we draw will always be at the top of the stack. Whatever item we ┌┘└┘└┘└┐ │┌─┐┌─┐│ placed onto the stack last will be the next to be drawn. │┌─┐┌─┐│ ││┌┘└┐││ Every function has a stack frame which allows each subroutine to behave in an independent ││┌┘└┐││ ││└┐┌┘││ fashion. As a simple example, one common use of the stack would be function calls. We push our ││└┐┌┘││ ││┌┘└┐││ parameters on the stack in reverse order; last in, first out, remember? ││┌┘└┐││ └┘└┐┌┘└┘ └┘└┐┌┘└┘ ┌─┐││┌─┐ ┌─────────────────────────────────────────────────────────────────────────┐ ┌─┐││┌─┐ └┐││││┌┘ │ PUSH 0x22 ; Arg3 │ └┐││││┌┘ ┌┘││││└┐ │ PUSH 0x4058b4 ; Arg2 │ ┌┘││││└┐ └┐││││┌┘ │ PUSH EAX ; Arg1 │ └┐││││┌┘ ┌┘└┘└┘└┐ │ CALL DWORD [OpenServiceW] ; AKA OpenServiceW(EAX, 0x4058b4, 0x22) │ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ MOV ESI, EAX ; Stores result upon return │ │┌─┐┌─┐│ ││┌┘└┐││ └─────────────────────────────────────────────────────────────────────────┘ ││┌┘└┐││ ││└┐┌┘││ ││└┐┌┘││ ││┌┘└┐││ Stack frames are generally going to have 4 different parts: Parameters, a return address (to ││┌┘└┐││ └┘└┐┌┘└┘ wherever your function was called from), your saved EBP, and your local variables (any variables └┘└┐┌┘└┘ ┌─┐││┌─┐ you use within the function to manipulate data.) ┌─┐││┌─┐ └┐││││┌┘ Our ESP and EBP pointers mentioned before are crucial to stack operations. └┐││││┌┘ ┌┘││││└┐ EBP always points to the base of the stack frame. ┌┘││││└┐ └┐││││┌┘ ESP always points to top of stack. └┐││││┌┘ ┌┘└┘└┘└┐ ESP increases as values are popped off of the stack. ┌┘└┘└┘└┐ │┌─┐┌─┐│ ESP decreases as values are added to the stack. │┌─┐┌─┐│ ││┌┘└┐││ Simple Overview: ││┌┘└┐││ ││└┐┌┘││ 1. When a function is called, the current EBP is pushed onto the stack. ││└┐┌┘││ ││┌┘└┐││ 2. EBP is then assigned the value of ESP; EBP is now the base pointer to access vars and params. ││┌┘└┐││ └┘└┐┌┘└┘ 3. As function runs, ESP will change as needed, EBP remains static. └┘└┐┌┘└┘ ┌─┐││┌─┐ 4. As function terminates, ESP is set to EBP. ┌─┐││┌─┐ └┐││││┌┘ Stack pointer is now set to top of stack to equal the base pointer. This frees memory └┐││││┌┘ ┌┘││││└┐ allocated onthe stack for local vars. ┌┘││││└┐ └┐││││┌┘ 5. EBP is now popped from the stack (remember, first in last out,) and EBP can be used again as └┐││││┌┘ ┌┘└┘└┘└┐ base pointer. ┌┘└┘└┘└┐ │┌─┐┌─┐│ 6. In simpler terms, stack frames contain the EBP value of the functions caller (step 1.) │┌─┐┌─┐│ ││┌┘└┐││ Now we can use EBP register as this function's base pointer. ││┌┘└┐││ ││└┐┌┘││ ││└┐┌┘││ ││┌┘└┐││ How it works graphically and more in depth: ││┌┘└┐││ └┘└┐┌┘└┘ ┌───────────────┐ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ source_code.c│ ┌─┐││┌─┐ └┐││││┌┘ ┌───────────────────────────────┐ └┐││││┌┘ ┌┘││││└┐ │#include <stdio.h> │ ┌┘││││└┐ └┐││││┌┘ │ │ └┐││││┌┘ ┌┘└┘└┘└┐ │int subtract( int a, int b){ │ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ int c; │ │┌─┐┌─┐│ ││┌┘└┐││ │ c = a - b; │ ││┌┘└┐││ ││└┐┌┘││ │ return c; │ ││└┐┌┘││ ││┌┘└┐││ │} │ ││┌┘└┐││ └┘└┐┌┘└┘ │ │ └┘└┐┌┘└┘ ┌─┐││┌─┐ │int main(){ │ ┌─┐││┌─┐ └┐││││┌┘ │ int a = 10; │ └┐││││┌┘ ┌┘││││└┐ │ int b = 5; │ ┌┘││││└┐ └┐││││┌┘ │ subtract( a, b); //my start │ └┐││││┌┘ ┌┘└┘└┘└┐ │ return 0; │ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │} │ │┌─┐┌─┐│ ││┌┘└┐││ └───────────────────────────────┘ ││┌┘└┐││ ││└┐┌┘││ Let's use some simple code to show a function we might see in assembly. All we are going to show ││└┐┌┘││ ││┌┘└┐││ is the subtract function being called and eventually returning a value. ││┌┘└┐││ └┘└┐┌┘└┘ └┘└┐┌┘└┘ ┌─┐││┌─┐ ┌───────────────┐ ┌──────────┐ ┌─┐││┌─┐ └┐││││┌┘ │ assembly│ 1 First Steps mem│call stack│ └┐││││┌┘ ┌┘││││└┐ ┌─────────────────────────────────────────────────────────────────────────┐ ┌──────────┐ ┌┘││││└┐ └┐││││┌┘ │ #function call │ 32│ 0x05│ └┐││││┌┘ ┌┘└┘└┘└┐ │ PUSH 0x05 ; int A │ ├──────────┤ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ PUSH 0x10 ; int B │ 28│ 0x10│ │┌─┐┌─┐│ ││┌┘└┐││ │ CALL subtract ; Pushes ret adr, jmps to function adr │ ├──────────┤ ││┌┘└┐││ ││└┐┌┘││ │ ... │ 24│ ret adr│ ││└┐┌┘││ ││┌┘└┐││ │ │ ├──────────┤ ││┌┘└┐││ └┘└┐┌┘└┘ │ #just after function call, set our EBP │ 20│ EBP├─ ESP └┘└┐┌┘└┘ ┌─┐││┌─┐ │ PUSH EBP ; Set EBP │ ├──────────┤ ┌─┐││┌─┐ └┐││││┌┘ │ MOV EBP, ESP ; Move ESP to EBP │ 16│ │ └┐││││┌┘ ┌┘││││└┐ │ ... │ ├──────────┤ ┌┘││││└┐ └┐││││┌┘ To set the scene in our view of assembly, lets talk about the stack on the right. I like to └┐││││┌┘ ┌┘└┘└┘└┐ envision my stacks as top down, from high memory to low memory. This is also nice because the ┌┘└┘└┘└┐ │┌─┐┌─┐│ order in which we read code, top to bottom, is also the order they are shown on the stack │┌─┐┌─┐│ ││┌┘└┐││ when we visualize them this way. Therefore, if we popped the "top" value off the stack, it would ││┌┘└┐││ ││└┐┌┘││ be our EBP. On the left side of the stack are some simple memory addresses to assist with our ││└┐┌┘││ ││┌┘└┐││ stack pointer math. These increment by 4 as our 32 bit addresses and registers are composed of ││┌┘└┐││ └┘└┐┌┘└┘ 4 bytes. In terms of the code itself, we see that our C function call does a couple things. The └┘└┐┌┘└┘ ┌─┐││┌─┐ two parameters are pushed to the stack in reverse order, and then we CALL subtract, which is a ┌─┐││┌─┐ └┐││││┌┘ symbol representing the memory address where the instructions for the "subtract" function reside. └┐││││┌┘ ┌┘││││└┐ If this binary was stripped of its symbols, it would look something like "CALL sub_401099," with ┌┘││││└┐ └┐││││┌┘ 0x401099 being the memory address. Not only does CALL jump to this address however, it also └┐││││┌┘ ┌┘└┘└┘└┐ pushes the return address (back to the function where this function was called) onto the stack. ┌┘└┘└┘└┐ │┌─┐┌─┐│ In simpler terms, call not only sends us to the function code, it also leaves a way back so that │┌─┐┌─┐│ ││┌┘└┐││ our function can return integer variable "c". Additional hint for when you are hunting for ││┌┘└┐││ ││└┐┌┘││ functions, you know a function has just been called when you see PUSH EBP followed by MOV EBP, ││└┐┌┘││ ││┌┘└┐││ ESP. ││┌┘└┐││ └┘└┐┌┘└┘ └┘└┐┌┘└┘ ┌─┐││┌─┐ ┌───────────────┐ ┌──────────┐ ┌─┐││┌─┐ └┐││││┌┘ │ assembly│ 2 Creating Local Variables mem│call stack│ └┐││││┌┘ ┌┘││││└┐ ┌─────────────────────────────────────────────────────────────────────────┐ ┌──────────┐ ┌┘││││└┐ └┐││││┌┘ │ #function call │ 32│ 0x05│ └┐││││┌┘ ┌┘└┘└┘└┐ │ PUSH 0x05 │ ├──────────┤ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ PUSH 0x10 │ 28│ 0x10│ │┌─┐┌─┐│ ││┌┘└┐││ │ CALL subtract │ ├──────────┤ ││┌┘└┐││ ││└┐┌┘││ │ ... │ 24│ ret adr│ ││└┐┌┘││ ││┌┘└┐││ │ │ ├──────────┤ ││┌┘└┐││ └┘└┐┌┘└┘ │ #just after function call, set our EBP │ 20│ EBP│ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ PUSH EBP │ ├──────────┤ ┌─┐││┌─┐ └┐││││┌┘ │ MOV EBP, ESP │ 16│ EDX│ └┐││││┌┘ ┌┘││││└┐ │ PUSH EDX ; Add EDX for int B │ ├──────────┤ ┌┘││││└┐ └┐││││┌┘ │ PUSH ECX ; Add ECX for int A │ 12│ ECX│ └┐││││┌┘ ┌┘└┘└┘└┐ │ MOV EDX, [EBP+0xC] ; Load int B into EDX │ ├──────────┤ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ MOV ECX, [EBP+0x8] ; Load int A into ECX │ 8│ C├─ ESP │┌─┐┌─┐│ ││┌┘└┐││ │ SUB ESP, 0x4 ; Extend ESP 4 bytes for int C │ ├──────────┤ ││┌┘└┐││ ││└┐┌┘││ │ ... │ 4│ │ ││└┐┌┘││ ││┌┘└┐││ We now have our local variables accounted for on the stack. Pushing values not only adds them to ││┌┘└┐││ └┘└┐┌┘└┘ the stack, it also advances ESP by 4 bytes each time. We have done this 2 times as well as moved └┘└┐┌┘└┘ ┌─┐││┌─┐ ESP ourselves, so ESP is now at our memory location 8. Notice also how we are moving the values ┌─┐││┌─┐ └┐││││┌┘ from the parameters into our stack registers. EBP is our anchor and gives us a static reference └┐││││┌┘ ┌┘││││└┐ point for calculating the memory required to access the parameters. EG, [EBP + 0xC] is the memory ┌┘││││└┐ └┐││││┌┘ address of our parameter int b. Since EBP will not move we know int b will be 12 bytes higher in └┐││││┌┘ ┌┘└┘└┘└┐ memory. To show you another way we can make space, we also subtracted 4 bytes from ESP. Do note, ┌┘└┘└┘└┐ │┌─┐┌─┐│ this is only one way of expressing this in assembly. Since we typically are not in control of the │┌─┐┌─┐│ ││┌┘└┐││ compiling process for whatever we are reversing, we may not know what compiler is being used, nor ││┌┘└┐││ ││└┐┌┘││ how it behaves, and most compilers will probably behave differently from this intentionally ││└┐┌┘││ ││┌┘└┐││ simplified example. ││┌┘└┐││ └┘└┐┌┘└┘ └┘└┐┌┘└┘ ┌─┐││┌─┐ ┌───────────────┐ ┌──────────┐ ┌─┐││┌─┐ └┐││││┌┘ │ assembly│ 3 Performing the Function mem│call stack│ └┐││││┌┘ ┌┘││││└┐ ┌─────────────────────────────────────────────────────────────────────────┐ ┌──────────┐ ┌┘││││└┐ └┐││││┌┘ │ #function call │ 32│ 0x05│ └┐││││┌┘ ┌┘└┘└┘└┐ │ PUSH 0x05 │ ├──────────┤ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ PUSH 0x10 │ 28│ 0x10│ │┌─┐┌─┐│ ││┌┘└┐││ │ CALL subtract │ ├──────────┤ ││┌┘└┐││ ││└┐┌┘││ │ ... │ 24│ ret adr│ ││└┐┌┘││ ││┌┘└┐││ │ │ ├──────────┤ ││┌┘└┐││ └┘└┐┌┘└┘ │ #just after function call, set our EBP │ 20│ EBP│ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ PUSH EBP │ ├──────────┤ ┌─┐││┌─┐ └┐││││┌┘ │ MOV EBP, ESP │ 16│ EDX│ └┐││││┌┘ ┌┘││││└┐ │ PUSH EDX │ ├──────────┤ ┌┘││││└┐ └┐││││┌┘ │ PUSH ECX │ 12│ ECX│ └┐││││┌┘ ┌┘└┘└┘└┐ │ MOV EDX, [EBP+0xC] │ ├──────────┤ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ MOV ECX, [EBP+0x8] │ 8│ C├─ ESP │┌─┐┌─┐│ ││┌┘└┐││ │ SUB ESP, 0x4 │ ├──────────┤ ││┌┘└┐││ ││└┐┌┘││ │ SUB ECX, EDX ; A - B, stores value in ECX │ 4│ │ ││└┐┌┘││ ││┌┘└┐││ │ MOV [EBP-0xC], ECX ; Move ECX value to int C location │ ├──────────┤ ││┌┘└┐││ └┘└┐┌┘└┘ │ MOV EAX, [EBP-0xC] ; Move int C to EAX for return │ 0│ │ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ ... │ └──────────┘ ┌─┐││┌─┐ └┐││││┌┘ Here you can see our function being performed. Since we did not assign a register to C, merely a └┐││││┌┘ ┌┘││││└┐ memory location, we must reference that location when we move our output. Following that, move ┌┘││││└┐ └┐││││┌┘ the contents to EAX for return to the main function which originally called subtract( a, b). Nice └┐││││┌┘ ┌┘└┘└┘└┐ and simple, right? ┌┘└┘└┘└┐ │┌─┐┌─┐│ │┌─┐┌─┐│ ││┌┘└┐││ ┌───────────────┐ ┌──────────┐ ││┌┘└┐││ ││└┐┌┘││ │ assembly│ 4 Cleaning Up and Returning mem│call stack│ ││└┐┌┘││ ││┌┘└┐││ ┌─────────────────────────────────────────────────────────────────────────┐ ┌──────────┐ ││┌┘└┐││ └┘└┐┌┘└┘ │ #function call │ 32│ 0x05│ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ PUSH 0x05 │ ├──────────┤ ┌─┐││┌─┐ └┐││││┌┘ │ PUSH 0x10 │ 28│ 0x10│ └┐││││┌┘ ┌┘││││└┐ │ CALL subtract │ ├──────────┤ ┌┘││││└┐ └┐││││┌┘ │ ... │ 24│ ret adr├─ ESP └┐││││┌┘ ┌┘└┘└┘└┐ │ │ ├──────────┤ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ #just after function call, set our EBP │ 20│ │ │┌─┐┌─┐│ ││┌┘└┐││ │ PUSH EBP │ ├──────────┤ ││┌┘└┐││ ││└┐┌┘││ │ MOV EBP, ESP │ 16│ │ ││└┐┌┘││ ││┌┘└┐││ │ PUSH EDX │ ├──────────┤ ││┌┘└┐││ └┘└┐┌┘└┘ │ PUSH ECX │ 12│ │ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ MOV EDX, [EBP+0xC] │ ├──────────┤ ┌─┐││┌─┐ └┐││││┌┘ │ MOV ECX, [EBP+0x8] │ 8│ │ └┐││││┌┘ ┌┘││││└┐ │ SUB ESP, 0x4 │ ├──────────┤ ┌┘││││└┐ └┐││││┌┘ │ SUB ECX, EDX │ 4│ │ └┐││││┌┘ ┌┘└┘└┘└┐ │ MOV [EBP-0xC], ECX │ ├──────────┤ ┌┘└┘└┘└┐ │┌─┐┌─┐│ │ MOV EAX, [EBP-0xC] │ 0│ │ │┌─┐┌─┐│ ││┌┘└┐││ │ ADD ESP, 0x4 ; Removing C │ └──────────┘ ││┌┘└┐││ ││└┐┌┘││ │ POP ECX ; Removing A │ ││└┐┌┘││ ││┌┘└┐││ │ POP EDX ; Removing B │ ││┌┘└┐││ └┘└┐┌┘└┘ │ LEAVE ; Pops EBP │ └┘└┐┌┘└┘ ┌─┐││┌─┐ │ RET ; Ret to adr ESP is pointing to (main) │ ┌─┐││┌─┐ └┐││││┌┘ └─────────────────────────────────────────────────────────────────────────┘ └┐││││┌┘ ┌┘││││└┐ So now we have our return value in EAX and wish to return to the function which called this one. ┌┘││││└┐ └┐││││┌┘ That address is still in our stack (ret adr). To remove our memory allocated for int C on the └┐││││┌┘ ┌┘└┘└┘└┐ stack, we can simply add a 4 bytes to the value of ESP, moving it up a slot. We can then pop ECX ┌┘└┘└┘└┐ │┌─┐┌─┐│ and EDX, moving us an additional 8 bytes up (back on EBP). LEAVE pops EBP for us which drops ESP │┌─┐┌─┐│ ││┌┘└┐││ onto the return address, and return will jump us to the return address which ESP is currently ││┌┘└┐││ ││└┐┌┘││ pointing to. Do note, rather than pop the values and decrement manually we could have used LEAVE ││└┐┌┘││ ││┌┘└┐││ which firstly shifts ESP to EBP before popping EBP and decrementing ESP by 4 bytes. Just like in ││┌┘└┐││ └┘└┐┌┘└┘ higher level programming, there are many roads to the same destination. Upon our return, to └┘└┐┌┘└┘ ┌─┐││┌─┐ access the return value, we would simply reference EAX. ┌─┐││┌─┐ └┐││││┌┘ └┐││││┌┘ ┌┘││││└┐ Part 2: Portable Executable Files ┌┘││││└┐ └┐││││┌┘ └┐││││┌┘ ┌┘└┘└┘└┐ ┌┘└┘└┘└┐ └──────┘ └──────┘