WEBVTT 00:00.440 --> 00:07.200 And now let's talk about one of the most fundamental instructions in assembly language, which is the 00:07.560 --> 00:09.800 MOV instruction. 00:10.200 --> 00:19.120 Uh, this single command allows us to move data from one place to another, either from a memory address 00:19.120 --> 00:26.160 to register, or from register to a memory address, or even from one register to another. 00:27.360 --> 00:32.760 So imagine, uh, the CPU as a very fast worker with a clipboard. 00:32.920 --> 00:40.880 Uh, so the clipboard is the register in this case, and the memory as the large archive cabinet full 00:40.880 --> 00:44.800 of boxes, which we can call the memory addresses. 00:45.200 --> 00:53.400 The MOV instruction is like telling the worker, go to the cabinet, pick, uh, for example, this 00:53.400 --> 01:01.100 box and bring it here, or take the note on your clipboard and store it in that cabinet box. 01:01.660 --> 01:04.420 That's let's actually do another example. 01:05.060 --> 01:07.700 Let's move a constant value into a register. 01:09.460 --> 01:16.420 So move x and yeah 01:17.140 --> 01:22.700 0XAABBCC 01:23.060 --> 01:24.180 and d d. 01:25.500 --> 01:38.140 And here we are placing this hexadecimal number a a b b c c d d directly into x register. 01:38.140 --> 01:43.780 So think of x as a special notepad on the CPU's desk. 01:44.540 --> 01:52.580 Now this command simply says that hey, write this number down into your notepad. 01:53.460 --> 02:02.400 And now from there we will have ax hold the value of this right. 02:04.040 --> 02:05.800 And let's do another example. 02:06.480 --> 02:10.320 Let's move the data between registers. 02:10.320 --> 02:11.400 How we can do that. 02:11.400 --> 02:19.840 Again same move x register and E register. 02:20.400 --> 02:28.760 And this one copies whether in the id into an x register. 02:28.760 --> 02:31.880 It's like saying copy what's on the notepad. 02:32.280 --> 02:42.360 Uh, the uh let's call it notepad B into a notepad A in this case E x register. 02:44.000 --> 02:47.600 And now let's get into memory access. 02:48.720 --> 02:51.920 Now let's write this memory dump here. 02:52.120 --> 03:02.820 Uh, let's write hypothetical memory address here 0000 60 again zero 03:04.540 --> 03:07.820 78 zero. 03:09.580 --> 03:11.420 Now these are the addresses right? 03:13.060 --> 03:21.180 And at the right we will have bytes in bytes let's say. 03:23.340 --> 03:28.300 And yes, instead of writing it one by one I just wrote it here. 03:28.300 --> 03:33.380 And let's now analyze this one here so we can understand it better. 03:34.700 --> 03:35.300 Yes. 03:35.500 --> 03:41.940 Uh, here, uh, let's look at this, uh, memory dump, uh, hypothetical here we have six zeros as 03:41.980 --> 03:43.500 seven zero and eight zero. 03:44.260 --> 03:45.060 Uh, yes. 03:45.220 --> 03:52.540 Now, each line shows a sequence of bytes stored in a memory starting from, uh, this particular address. 03:54.300 --> 03:56.360 Now, let's read from the memory. 03:56.840 --> 03:57.320 Right. 03:59.080 --> 04:02.400 Now let's delete the old examples here. 04:02.800 --> 04:05.120 Put our memory dump here. 04:06.880 --> 04:16.680 And yes, now we will use directives like byte, word or Dword. 04:16.840 --> 04:17.320 Peter. 04:17.360 --> 04:17.680 Peter. 04:17.720 --> 04:23.880 Here is means a pointer to tell the assembler what size of data we are dealing with. 04:24.520 --> 04:27.960 Now in this case, let's get started writing here. 04:28.200 --> 04:31.760 So don't worry, we will get more practical as we learn more deeply. 04:31.760 --> 04:38.800 But this is just a this might be more painful compared to just writing a code in a Visual Studio notepad 04:38.840 --> 04:40.000 for assembly code. 04:40.240 --> 04:42.360 But this is a must. 04:42.680 --> 04:45.160 So let's write this down. 04:46.960 --> 04:50.960 Now the next three lines will be read from the memory. 04:51.480 --> 05:04.500 So first move a all, uh, bite and tr and here we will enter. 05:04.500 --> 05:04.940 What? 05:06.260 --> 05:19.220 000007100000071. 05:19.580 --> 05:22.140 And you will understand why we wrote the seven one here. 05:23.060 --> 05:28.780 So we are reading the bar one byte, one byte. 05:29.100 --> 05:36.300 In this case a L which equals to zero x 71. 05:38.020 --> 05:43.180 And in the second line we will use move c x. 05:44.420 --> 05:45.100 And again. 05:45.100 --> 05:48.660 Now instead of using byte we will use word. 05:52.960 --> 05:53.520 Again. 05:53.560 --> 05:54.040 Same. 05:55.800 --> 05:56.720 71. 05:58.400 --> 06:08.200 And with this word we are reading two byte and c x, which in this case it's going to be. 06:08.200 --> 06:13.480 Since we are reading two bytes 7271 06:15.080 --> 06:18.240 here 7271. 06:19.960 --> 06:23.320 And now let's use the another. 06:23.320 --> 06:24.880 In this case we will use E. 06:28.120 --> 06:29.800 Since we will use Dword. 06:31.240 --> 06:34.200 So we will need a much bigger space. 06:35.800 --> 06:36.440 Peter. 06:36.680 --> 06:39.080 Now we will read the same memory address as well. 06:40.800 --> 06:45.880 I will write just more smaller since we will read four byte. 06:47.360 --> 06:50.820 And it's going to be what the x. 06:52.740 --> 06:53.380 X. 06:53.420 --> 06:57.100 And here we will read four bytes from here. 06:57.260 --> 06:57.700 So 06:58.180 --> 07:07.420 74737271737271. 07:08.860 --> 07:14.380 Now let's now make the markings on this memory dump. 07:15.780 --> 07:21.900 At this a l here instruction we read one byte. 07:21.900 --> 07:22.580 Which was this. 07:22.580 --> 07:23.020 Right. 07:23.620 --> 07:26.900 This is what a l. 07:28.620 --> 07:31.740 And then let's use a different color. 07:32.500 --> 07:38.500 Then we use the key to get the two bytes 7271. 07:40.300 --> 07:43.020 So here two bytes. 07:43.420 --> 07:44.740 Let's actually use the ctx. 07:46.820 --> 07:53.030 And then We had here the four bytes with the D word. 07:53.070 --> 07:53.510 Right. 07:54.550 --> 07:54.950 So. 07:57.870 --> 08:04.150 Here here we have the four bytes 74737271. 08:05.470 --> 08:10.910 And this was what it was the ed also called D word. 08:12.470 --> 08:18.670 Now notice how a reading a word or d word pulls more than one byte. 08:18.950 --> 08:26.350 Now the CPU grabs the bytes starting at the address and then combines them according to little endian 08:26.350 --> 08:26.830 format. 08:26.870 --> 08:32.550 You remember that from the little endian and bigger Indian from the previous lectures. 08:34.230 --> 08:36.870 At least significant byte and most significant byte. 08:37.190 --> 08:38.990 If you forgot. 08:40.510 --> 08:40.990 Yeah. 08:41.270 --> 08:44.590 Now in here we was reading. 08:46.310 --> 08:49.130 Reading from the memory right now. 08:49.130 --> 08:53.890 What we need to do here is let's write it right now for the writing. 08:53.890 --> 08:57.610 We will have, uh, we will need, uh, for instructions. 08:57.610 --> 09:03.930 Let's write some, uh, values, uh, back into the memory here again. 09:04.090 --> 09:06.530 Uh, let's use a different color for the writing. 09:07.490 --> 09:08.890 Uh, we will use the move. 09:10.450 --> 09:12.330 Let's use more lighter color. 09:14.050 --> 09:19.130 Move e x move right. 09:19.170 --> 09:24.250 Hexadecimal 01120112. 09:25.250 --> 09:25.650 Yeah 09:25.970 --> 09:33.090 011223344H. 09:34.610 --> 09:45.410 And now we will also move the byte tr move byte pit. 09:45.490 --> 09:49.630 Notice how we use how how we are using pointers to write into memory. 09:51.190 --> 09:53.630 Again here it's going to be, uh. 09:53.630 --> 09:54.030 What? 09:55.030 --> 09:55.670 Uh, yeah. 09:55.710 --> 09:55.830 Yeah. 09:55.830 --> 09:56.990 Let's use this, uh. 09:59.750 --> 10:01.470 Address that ends with eight zero. 10:03.030 --> 10:07.110 So, yeah, 000000 10:08.910 --> 10:12.270 and 880. 10:13.670 --> 10:21.430 Notice we will use 80 and we will increment, uh, by one again here. 10:21.470 --> 10:32.070 L and now we will store 44 at address 0X80. 10:33.750 --> 10:34.270 It will be. 10:34.310 --> 10:39.190 Maybe it will make more sense when we complete our code. 10:39.750 --> 10:44.070 And as I as always I will explain it. 10:45.130 --> 10:48.850 00000081. 10:50.530 --> 10:52.730 Here we will use a X. 10:54.770 --> 10:58.130 And here we will store 23. 10:59.850 --> 11:00.210 Uh. 11:00.330 --> 11:02.610 So here we will store the. 11:04.610 --> 11:15.650 Let's actually instead of saying like store, let's just write writes the value in A to the address. 11:17.490 --> 11:19.410 This one, uh, does the same. 11:19.450 --> 11:23.570 Writes the A to the address. 11:25.330 --> 11:35.970 Now last line is going to be address by the address here is uh ends with eight zero and here eight one. 11:37.690 --> 11:39.930 And now, uh, as the last line. 11:43.070 --> 11:48.670 Move the world again. 11:48.990 --> 11:49.350 TR. 11:51.390 --> 11:55.230 000083. 11:56.670 --> 11:58.710 Here we will use X. 12:00.510 --> 12:09.070 And again this basically writes value in x into a memory address at here. 12:10.830 --> 12:14.990 And afterwards what the memory will look like is. 12:14.990 --> 12:28.590 Since in the x we had stored this, the memory will like look like in the eight zero, the 70, the 12:28.630 --> 12:29.190 80. 12:29.710 --> 12:33.030 In the address 80, the we will delete it. 12:33.070 --> 12:39.150 It will transition to 4440 444. 12:40.910 --> 12:44.730 Since this is little endian, we will use the least significant byte. 12:45.570 --> 12:54.250 (444) 433-4422 12:55.130 --> 12:58.650 and one one. 13:00.410 --> 13:01.770 And yes. 13:03.130 --> 13:11.450 And after that, uh 87, we will not touch it, because the way our registers and instructions, uh, 13:12.210 --> 13:20.970 manipulates the memory, and you can see how values got injected into memory at exact addresses using 13:20.970 --> 13:22.730 the right directive. 13:24.370 --> 13:27.730 And yeah, this is the heart of the reverse engineering. 13:27.770 --> 13:34.650 Uh, if you can understand how memory is accessed and manipulated, uh, you can uncover how a program 13:34.650 --> 13:39.810 works, intercept what they store, or change how they behave just by shifting around the bytes and 13:39.810 --> 13:40.330 values.