In today's tutorial I'll discuss the registers in a CPU. It's an important topic in computer science. First we have to know what a register is and what we use them for. You may have heard of common architectures like 32-bit, 64-bit, x64, x86, etc. Do you know what they mean? In my previous examples I used an Intel 32-bit processor. The size of a register in a 32-bit architecture is 4 bytes (32 bits). In a 64-bit architecture the register size is 8 bytes (64 bits). In computer science we call this the word size of the architecture. Let's see a graphical look of a CPU register. There are two main types of registers.
General purpose registers

Here we learn four general purpose registers, which we use for various tasks.

EAX
EAX stands for extended accumulator register. When we use a syscall we put the syscall number in this register. We also use EAX for input and output of some data. I'll explain more about this in our assembly tutorials.

EBX
The EBX register can be used in indexed addressing mode.

ECX
ECX stands for extended counter register. We use this register for counting tasks; for example, when we write a loop, ECX holds the counter.

EDX
EDX is also used for input/output data.
Special purpose registers

ESP
I think the ESP register is not a new thing to you, because I have explained it in many places. In the Linux exploit writing and stack tutorials we saw how ESP works. Simply put, it points to the top of the stack. If we push something onto the stack, ESP gets reduced, because the stack grows towards low memory addresses. In the above image we can see that we pushed EBP onto the top of the stack, so ESP changed (actually, it decreased). Likewise, if we pop something off the stack, ESP will be increased.

EBP
EBP is used as a reference for function arguments. We call the memory space between EBP and ESP a stack frame. In the functions & stack frames tutorial we saw that we can access arguments at offsets like EBP+0x4, EBP+0x8, etc.

EIP
This is an awesome register. Yes, it's really important to learn about it. There are hundreds of exploit writing tutorials explaining how to abuse EIP to do what the attacker wants. EIP points to the address of the next instruction waiting to be executed by the CPU.

ESI
This is the Source Index register.

EDI
This is the Destination Index register. We rarely use the last two registers in our assembly and exploit development tutorials.

There is also the EFLAGS register, whose flag bits are used for comparisons and various other things. For now we don't need to bother about these flags.
Examine registers

In Immunity Debugger there is a special panel for viewing registers. In GDB we use either the info registers or i r command, as shown below. To use these GDB commands the binary must be in a running or paused state. The ideal way to do this is to set a breakpoint at the step you need and run the program. When it hits the breakpoint you may use i r or info registers to examine the registers. If you only want to examine a single register or a set of registers, there is a handy way for that: you can use i r esp, i r esp ebp, etc.
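As an added example (not code from the original tutorial), the following Python script parses the i r output shown in this tutorial and recovers three things the text describes: the signed value GDB prints for a 32-bit word (EAX's 0xb7f9fdc8 shows as -1208353336), the gap between EBP and ESP that makes up the stack frame, and the flag bits set in EFLAGS. The sample output is copied from this page's GDB session; the function names are my own.

```python
import re

# Sample input: the "i r" output from this tutorial's GDB session, one register per line.
SAMPLE = """\
eax            0xb7f9fdc8          -1208353336
ecx            0xbffff2c0          -1073745216
edx            0xbffff2e4          -1073745180
ebx            0x0                 0
esp            0xbffff2a0          0xbffff2a0
ebp            0xbffff2a8          0xbffff2a8
esi            0xb7f9e000          -1208360960
edi            0xb7f9e000          -1208360960
eip            0x4011a8            0x4011a8 <main+15>
eflags         0x282               [ SF IF ]
"""

WORD_BITS = 32  # the tutorial uses a 32-bit Intel CPU, so every register is 4 bytes


def parse_info_registers(text):
    """Return {name: raw_value} from 'info registers' output, using the hex column."""
    regs = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s+(0x[0-9a-fA-F]+)", line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def as_signed(value, bits=WORD_BITS):
    """Interpret a raw register value as a two's-complement signed word.
    This is the 'natural' column GDB prints for non-pointer registers."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def frame_size(regs):
    """Bytes between EBP and ESP, i.e. the current stack frame.
    ESP is lower than EBP because the stack grows toward low addresses."""
    return regs["ebp"] - regs["esp"]


def decode_eflags(value):
    """Names of the set flag bits, in the order GDB prints them."""
    names = [(0, "CF"), (2, "PF"), (4, "AF"), (6, "ZF"), (7, "SF"),
             (8, "TF"), (9, "IF"), (10, "DF"), (11, "OF")]
    return [name for bit, name in names if (value >> bit) & 1]


if __name__ == "__main__":
    regs = parse_info_registers(SAMPLE)
    print("eax as signed word:", as_signed(regs["eax"]))   # -1208353336
    print("stack frame bytes:", frame_size(regs))           # 8
    print("eflags set:", decode_eflags(regs["eflags"]))     # ['SF', 'IF']
```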
(gdb) i r
eax            0xb7f9fdc8          -1208353336
ecx            0xbffff2c0          -1073745216
edx            0xbffff2e4          -1073745180
ebx            0x0                 0
esp            0xbffff2a0          0xbffff2a0
ebp            0xbffff2a8          0xbffff2a8
esi            0xb7f9e000          -1208360960
edi            0xb7f9e000          -1208360960
eip            0x4011a8            0x4011a8 <main+15>
eflags         0x282               [ SF IF ]
cs             0x73                115
ss             0x7b                123
ds             0x7b                123
es             0x7b                123
fs             0x0                 0
gs             0x33                51
(gdb) i r esp
esp            0xbffff2a0          0xbffff2a0
(gdb) i r esp ebp
esp            0xbffff2a0          0xbffff2a0
ebp            0xbffff2a8          0xbffff2a8
(gdb) i r esp ebp eip
esp            0xbffff2a0          0xbffff2a0
ebp            0xbffff2a8          0xbffff2a8
eip            0x4011a8            0x4011a8 <main+15>
(gdb)

OK guys, that's all for this tutorial. See you soon in the next post.