Windows: User Mode x32bit Exploit Understanding


─── Windows: User Mode x32bit Exploit Understanding ────────────\\──

::: Summary :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

1 - x86 Intel Assembly
1.1 - eFLAGS
1.2 - Data Size
1.3 - Instructions

###########################################################################
# --[ 1 - x86 Intel Assembly
###########################################################################

[+] When using gadgets to perform arithmetic with registers. Dereference pointer to here. = EAX / ECX / EDX
[+] Storage, Better for memory pointers, exp: mov eax, [esi]. = ESI | EDI 
[!] Reserved for stack management, dont use them for general storage, unless you know what you do. = EBP / ESP 

EAX = Extended Accumulator Register
AX (16-bit)
AH (8-bit High)
AL (8-bit Low)
- Primarily used for arithmetic operations. Often stores the return value of a function.

EBX = Extended Base Register
BX (16-bit)
BH (8-bit High)
BL (8-bit Low)
- Can be used as a pointer to data (especially with the use of the SIB byte, or for local variables in some cases).

ECX = Extended Counter Register
CX (16-bit)
CH (8-bit High)
CL (8-bit Low)
- Commonly used for loop counters in iterative operations.

EDX = Extended Data Register
DX (16-bit)
DH (8-bit High)
DL (8-bit Low)
- Used in arithmetic operations alongside EAX for multiplication and division, and can hold the overflow result.

ESI = Extended Source Index
SI (16-bit)
SIL (8-bit High)
N/A (8-bit Low)
- Commonly used as a pointer to the source in stream operations (e.g., string operations).

EDI = Extended Destination Index
DI (16-bit)
DIL (8-bit High)
N/A (8-bit Low)
- Commonly used as a pointer to the destination in stream operations (e.g., string operations).

EBP = Extended Base Pointer
BP (16-bit)
BPL (8-bit High)
N/A (8-bit Low)
- Used to point to the base of the stack, and often references local function variables and function call return addresses.

ESP = Extended Stack Pointer
SP (16-bit)
SPL (8-bit High)
N/A (8-bit Low)
- Points to the top of the stack and adjusts automatically as values are pushed to or popped from the stack.
- The stack is a memory location used by functions to store local variables.
- Stack grow in an oppiste way if we add data to the stack it grows by -4 and if we removed the data it will grow +4.

--[ 1.1 - eFLAGS

CF = Carry flag
PF = Parity flag
ZF = Zero flag
SF = Sign flag
OF = Overflow flag

--[ 1.2 - Data Size

byte = 1 byte
word = 2 byte
dword (double word) = 4 byte
qword (quad word) = 8 byte

--[ 1.3 - Instructions

# Copying Data
================

MOV = MOV EAX, 5
- Moves data between the source operand and the destination operand.
- Copies the value 5 into the EAX register.

MOV EBX, 0x33
- The value 0x33 is moved directly into the EBX register.

MOV DWORD [EAX], EBX
- This instruction moves the value in EBX to the memory address pointed to by EAX. 
The DWORD specifies that it’s a double word (32 bits) operation. The brackets [EAX] 
mean “the memory address contained in EAX”.

MOV ECX, DWORD [EAX]
- The value from the memory address pointed to by EAX is moved into the ECX register. 
Again, the use of DWORD specifies a 32-bit operation.
- move the 32-bit value located at the memory address contained in the EAX register into the ECX register.

LEA = LEA EAX, [EBX+8]
- Loads the effective address of the source operand into the destination register
- Computes the address EBX + 8 and stores it in EAX.

LEA ECX, [ECX + EDX]
- Destination (ECX): This is the register where we want to store the computed address.
- Source ([ECX + EDX]): This is the effective address we want to compute. The square brackets [] 
don’t mean we’re fetching data from memory here. Instead, they are used to indicate an address computation. 
The instruction calculates the sum of the values in the ECX and EDX registers.

# Working on the Stack
======================

PUSH = PUSH EAX
- Pushes the source operand onto the stack.
- Pushes the value in EAX onto the top of the stack.

POP = PUSH EAX
- Pops the top of the stack into the destination operand
- Pops the top value from the stack into EAX.

# Arithmetic Operations
========================

INC = INC EAX
- Increments the operand by 1
- Adds 1 to the value in EAX.

DEC = DEC EAX
- Decrements the operand by 1
- Subtracts 1 from the value in EAX.

ADD = ADD EAX, EBX
- Adds the source operand to the destination operand
- Adds the value in EBX to the value in EAX and stores the result in EAX.

SUB = SUB EAX, EBX
- Subtracts the source operand from the destination operand
- Subtracts the value in EBX from EAX and stores the result in EAX.

MUL = MUL EBX
- Multiplies the source operand with the destination operand
- Multiplies EAX × EBX
- Multiplies EAX by EBX and stores the result in EAX (lower half) and EDX (upper half).

DIV = DIV EBX
- Divides the source operand by the destination operand
- Divides EDX:EAX by EBX
- Divides EAX by EBX, with the quotient in EAX and remainder in EDX.

# Logic Operations	
=====================

AND = AND EAX, EBX
- Logical AND operation between two operands
- Performs a bitwise AND between EAX and EBX and stores the result in EAX.

OR = OR EAX, EBX
- Logical OR operation between two operands
- Performs a bitwise OR between EAX and EBX and stores the result in EAX.
- This instruction keep me crashing in ROP. dam

XOR = XOR EAX, EBX
- Logical XOR operation between two operands
- Performs a bitwise XOR between EAX and EBX and stores the result in EAX.

NOT = NOT EAX
- Logical NOT operation on the operand
- Inverts all the bits in EAX.

# Basic Control Flow	
=====================

CALL = CALL procedureName
- Calls a procedure
- Jumps to the label procedureName and pushes the next instruction’s address onto the stack.

RET = RET
- Returns from a procedure
- Pops the top of the stack into the instruction pointer, resuming execution after the last CALL.

JMP = JMP label
- Unconditional jump to a label or address
- Jumps to the address or label specified without condition.

# Comparisons and Conditional Jumps	
=====================================

TEST = TEST EAX, EAX
- Logical AND operation between two operands without storing the result
- Performs a bitwise AND between EAX and EAX without saving the result, typically used to set flags.

CMP = CMP EAX, EBX
- Compares two operands by subtracting them and setting the flags
- Subtracts EBX from EAX without storing the result and updates the flags based on the result.

Jxx = JE label
- Conditional jump based on the set flags, where xx can be various conditions like JE, JNE, JG, JL, etc.
- Jumps to the label if the last comparison was equal.

# Instructions for Unsigned Comparison (Positive)
=================================================
JE/JZ	= Jump if Equal or Jump if Zero
JNE/JNZ	= Jump if not Equal / Jump if Not Zero
JA/JNBE	= Jump if Above / Jump if Not Below or Equal
JAE/JNB	= Jump if Above or Equal / Jump if Not Below
JB/JNAE	= Jump if Below / Jump if Not Above or Equal
JBE/JNA	= Jump if Below or Equal / Jump if Not Above

# Instructions for signed number comparisons (Negative-Positive)
===============================================================
JE/JZ	= Jump if Equal or Jump if Zero
JNE/JNZ	= Jump if not Equal / Jump if Not Zero
JG/JNLE	= Jump if Greater / Jump if Not Less or Equal
JGE/JNL	= Jump if Greater / Equal or Jump Not Less
JL/JNGE	= Jump if Less / Jump if Not Greater or Equal
JLE/JNG	= Jump if Less or Equal / Jump Not Greate

#########################################
# --[ 2 - Portable Executable File Format
#########################################

[+] Actually there is lot things to cover on this part, but i only take what necessasary for me to understand.

IAT = Import Address Table 
EAT = Export ADdress Table

--[ 2.1 - Standard SectionsPermalink

.text: = Contains executable code.
.data: = Contains initialized variables.
.bss: = Contains uninitialized variables.
.rdata: = Contains read-only constants.
.rsrc: = Contains resources like icons, bitmaps, etc.
.reloc: = Contains relocation data.
.edata: = Contains exported symbols.
.idata: = Contains imported symbols information.