WEBVTT

00:00.480 --> 00:01.080
So.

00:01.080 --> 00:01.880
Hello everyone.

00:02.240 --> 00:03.560
I'm Tiffany here again.

00:04.440 --> 00:11.480
Now, in our previous lecture you learned about the general purpose registers like the accumulator,

00:11.520 --> 00:15.080
base register, counter register and so on and so forth.

00:15.520 --> 00:18.040
Also you learned about the stack pointers.

00:18.520 --> 00:27.360
And we also touched a little bit on the instruction pointer; we will cover that topic

00:27.360 --> 00:28.800
in the next lecture.

00:29.400 --> 00:35.880
So the instruction pointer, remember, is a special purpose register that always contains the address

00:35.880 --> 00:38.800
of the next instruction to be executed.

00:39.000 --> 00:42.440
And the CPU reads from this address every cycle.

00:42.440 --> 00:46.200
And it also has modes, like 16-bit mode.

00:46.480 --> 00:51.800
In 16-bit mode we call it IP, and in 32-bit mode

00:52.920 --> 00:55.920
we call it EIP.

00:55.960 --> 01:00.680
It doesn't have any connection with the Internet Protocol,

01:00.720 --> 01:01.360
by the way.

01:02.200 --> 01:03.200
Don't mistake it.

01:04.240 --> 01:15.560
And in 64-bit we have RIP, which will be covered in greater detail in the next lectures here

01:16.360 --> 01:16.920
and now.

01:16.920 --> 01:19.680
You don't typically write to this directly.

01:19.680 --> 01:31.560
Instead, control flow instructions like call or G or interrupts modify it.

01:33.640 --> 01:40.200
Now, as you remember from the introduction of the previous lecture, we divided the

01:40.240 --> 01:42.840
registers into four categories.

01:43.080 --> 01:46.760
And one of them was EFLAGS.

01:46.960 --> 01:49.080
The flag register.

01:50.880 --> 01:51.360
Yes.

01:51.440 --> 02:02.200
Now this is a 32-bit flag register right here, which is called EFLAGS.

02:06.000 --> 02:15.080
This is a 32-bit register that tracks the result of operations using specific bits.

02:15.360 --> 02:23.080
So each bit represents a flag, which is a binary indicator that affects branching, conditional execution

02:23.080 --> 02:25.440
and processor status.

02:26.600 --> 02:27.760
Now what we will do here.

02:27.800 --> 02:35.240
Now I will go back and remove this again.

02:36.200 --> 02:38.120
We will have several flags here.

02:38.320 --> 02:39.360
And we will also.

02:41.800 --> 02:52.840
So on the left here we will have from 0 to 11.

02:53.560 --> 02:57.400
In total 12 flags.

02:59.320 --> 03:04.090
We will also write the bits, the abbreviation and all,

03:04.130 --> 03:07.330
And the description for these flags as well.

03:09.490 --> 03:16.850
So we will call it the offset, abbreviation and description.

03:18.650 --> 03:22.770
Let's use a different color. At offset zero,

03:22.930 --> 03:24.930
we have the.

03:25.930 --> 03:26.250
So.

03:29.050 --> 03:31.890
The description is: this is a carry flag.

03:33.690 --> 03:40.290
So this flag is set when an addition operation requires a bit to be carried.

03:40.650 --> 03:46.090
It is also set when a bit needs to be borrowed in a subtraction operation.

03:46.210 --> 03:54.490
So you already know what bit carrying and bit borrowing mean

03:54.530 --> 04:06.730
from the binary arithmetic lecture. The one here actually does not mean anything, so it is reserved.

04:08.490 --> 04:10.130
At offset

04:10.170 --> 04:15.090
two we have PF.

04:16.730 --> 04:18.210
This is a parity flag.

04:20.250 --> 04:29.010
So this flag indicates if the number of set bits is odd or even from the last instruction operation.

04:29.690 --> 04:39.770
So basically it indicates an even or odd number of ones in the last result. At offset

04:39.810 --> 04:49.450
three we have also reserved. At offset four we have the adjust flag, AF.

04:51.330 --> 04:54.170
This is used in binary coded decimals.

04:54.530 --> 05:03.050
Which is BCD. This flag is set when a carry happens from the low to the high nibble, or when a borrow happens

05:03.050 --> 05:09.330
from the high to the low nibble of a byte. Offset six.

05:09.370 --> 05:12.410
We have the zero flag.

05:14.410 --> 05:19.210
This flag is set when the result of the last instruction operation is zero.

05:21.010 --> 05:22.170
Offset seven.

05:22.450 --> 05:28.330
We have the SF, which is the sign flag.

05:30.370 --> 05:38.290
This flag is set when the result of the last instruction operation is a negative number. Offset eight.

05:38.330 --> 05:40.690
We have the TF.

05:41.570 --> 05:43.530
This is a trap flag.

05:45.450 --> 05:47.090
This is used when debugging.

05:47.090 --> 05:50.970
This flag is set when breakpoints are encountered.

05:51.330 --> 05:58.610
Setting the trap flag can cause an exception on every instruction, enabling debugging tools to control

05:58.770 --> 06:01.530
step by step debugging.

06:01.850 --> 06:05.450
So basically, the trap flag, in a short description:

06:05.690 --> 06:08.090
It enables single step debugging.

06:09.890 --> 06:12.130
At offset nine we have

06:12.170 --> 06:12.570
IF.

06:14.450 --> 06:16.130
This is an interrupt flag.

06:18.090 --> 06:22.370
If this flag is set, the processor responds to interrupts.

06:22.370 --> 06:25.970
So interrupts are instances where errors,

06:26.010 --> 06:31.010
external events or exceptions are triggered from hardware or software.

06:32.010 --> 06:37.450
So basically, in short: if clear, it disables hardware interrupts.

06:39.210 --> 06:45.050
At offset ten we have the DF.

06:46.970 --> 06:56.410
DF is the direction flag, so when set, data is read from memory backwards.

06:57.650 --> 07:01.690
Also, it dictates the direction of string operations.

07:02.850 --> 07:05.210
And we also have the overflow flag.

07:07.060 --> 07:10.300
And now this overflow flag works.

07:11.980 --> 07:21.100
It is set if an arithmetic operation results in a value larger than what the register can

07:21.100 --> 07:21.700
contain.

07:22.980 --> 07:28.860
So basically, these are not all the flag registers we have here.

07:30.540 --> 07:41.620
But basically, it depends on the bits our CPU can carry. In most cases, like,

07:41.820 --> 07:50.420
it can either carry from, like, 23 to 31.

07:50.820 --> 07:55.860
So from 23, from 11 to 23.

07:56.820 --> 07:59.180
We have other flags as well.

07:59.900 --> 08:01.700
Like IOPL.

08:01.820 --> 08:07.340
Which is the input/output privilege level, which shows the ability of the program to access input

08:07.380 --> 08:08.300
output ports.

08:09.060 --> 08:14.980
We have the NT, which is the nested task, and let's actually write it.

08:15.100 --> 08:21.900
So, as an introduction to these lectures, the beginning sections, we will

08:21.900 --> 08:27.540
not talk about the rest of these flags here because we will not use them widely.

08:29.020 --> 08:40.340
So basically, what we will do here: from 11, we have, yeah, after OF we have IOPL.

08:42.380 --> 08:48.860
Like the NT, which is the nested task flag.

08:50.460 --> 08:55.380
This controls the chaining of interrupt tasks or processes.

08:55.380 --> 08:58.020
If set then it is linked to the chain.

08:58.540 --> 09:02.660
Offset 15 is reserved as well.

09:03.500 --> 09:07.220
And offset 16 is our

09:07.220 --> 09:07.740
RF.

09:08.500 --> 09:10.220
It is a resume flag.

09:10.260 --> 09:16.740
It temporarily disables debug exceptions so the next instruction being debugged can be interrupted without

09:17.060 --> 09:19.260
a debug exception.

09:20.140 --> 09:26.580
We have the VM flag at offset 17, by the way.

09:26.580 --> 09:27.220
Remember.

09:27.540 --> 09:39.180
So if you ask why we passed flags 12 and 13, it's because the IOPL here uses two of

09:39.180 --> 09:43.740
these offsets, both 12 and 13, just to remind you.

09:44.340 --> 09:51.900
So VM basically here sets the program to run in compatibility with the 8086 processors.

09:53.100 --> 09:54.540
We have the AC.

09:55.340 --> 09:57.220
This is the alignment check.

09:57.260 --> 10:01.980
This flag is set when data is written on a memory reference, such as

10:01.980 --> 10:09.220
the stack, that is non-word for four-byte boundaries, or non-double-word for eight-byte boundaries.

10:09.900 --> 10:16.500
However, this flag was more useful before the 486 architecture days.

10:18.180 --> 10:21.660
So as I said, these are secondary.

10:22.060 --> 10:34.660
In our course we will not use these flags much. And we have the VIF, not the VIP here, just the

10:34.660 --> 10:35.460
VIF.

10:36.020 --> 10:44.660
And now this is the virtual interrupt flag, similar to the interrupt flag we learned here,

10:44.700 --> 10:49.300
IF, but it works when in virtual mode.

10:50.300 --> 10:53.780
And we also have the VIP.

10:54.780 --> 11:01.620
This is the virtual interrupt pending flag; it indicates that triggered interrupts are waiting to be processed.

11:01.900 --> 11:04.940
This also works in a virtual mode.

11:06.140 --> 11:15.590
And lastly we have the ID, we can call this the identification flag, at offset 21.

11:16.310 --> 11:22.950
It indicates if the CPUID instruction can be used; CPUID can determine the type of processor

11:22.950 --> 11:24.310
and other processor info.

11:26.030 --> 11:30.830
So basically offset 22 is reserved as well.

11:31.470 --> 11:38.550
But from offset 23 to 31, it is also reserved.

11:38.910 --> 11:49.670
And from offset 32 all the way to offset 63, it is also reserved as well.

11:51.830 --> 11:55.430
So these are all reserved flags.

11:57.310 --> 11:58.030
Now.

11:58.550 --> 11:58.910
Yeah.

11:58.950 --> 12:05.950
Understanding these flags is crucial in reverse engineering because malware often manipulates

12:05.950 --> 12:09.830
them to control flow or hide intentions.
