Quote:
Originally Posted by Paul M
(which is mostly just moving data from memory to registers and back again).
mov (%ebx), %eax = Load 4 bytes from the memory address in EBX into EAX.
The ebx and eax type codes are registers and memory addresses.
If you are decompiling malware you want to watch for the code jumping to memory locations (jmp) and if the commands are changing registers or data at the locations, via mov or push type codes. You can tell the type of register by the e** code. Very simplified and probably worded wrong :P
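As an added illustration, not part of the quoted post or the reply: a small Python parser for objdump-style AT&T disassembly lines that classifies each operand as register, memory, immediate or computed target, tags the mov/push/jmp patterns the reply says to watch for, and applies the "e**" register-name width rule. The listing, addresses and symbol name are constructed, not from any real binary.

```python
import re

# Constructed sample in `objdump -d --no-show-raw-insn` layout (AT&T syntax); hypothetical addresses.
SAMPLE = """\
 8048400:\tmov    (%ebx),%eax
 8048402:\tpush   %ebp
 8048403:\tmov    %eax,0x8(%esp,%ecx,4)
 8048407:\tjmp    *%edx
 804840e:\tjmp    8048430 <main+0x30>
"""
MEM = re.compile(r'^(?:-?0x[0-9a-f]+|-?\d+)?\((%[a-z0-9]+)?(?:,%[a-z0-9]+(?:,\d)?)?\)$')
REG = re.compile(r'^%([a-z0-9]+)$')

def reg_width(reg):
    """Bits implied by the register name: the 'e**' rule, extended to 16/8-bit names and x86-64."""
    if reg.startswith('r'):                    # rax/r8 are 64-bit; r8d/r8w/r8b are narrower
        return {'d': 32, 'w': 16, 'b': 8}.get(reg[-1], 64)
    if reg.startswith('e'):                    # eax, ebx, esp ... are 32-bit
        return 32
    return 8 if reg[-1] in 'lh' else 16        # al/ah are 8-bit; ax/si/bp are 16-bit

def operand_kind(op):
    """Classify one AT&T operand as (kind, base register): imm, reg, mem, abs or indirect."""
    op = op.strip()
    if op.startswith('*'):                     # jmp *%edx / jmp *0x10(%eax): computed target
        return ('indirect', operand_kind(op[1:])[1])
    if op.startswith('$'):
        return ('imm', None)
    if REG.match(op):
        return ('reg', op[1:])
    m = MEM.match(op)
    if m:
        return ('mem', m.group(1)[1:] if m.group(1) else None)
    return ('abs', None)                       # bare address or label: a direct jmp target

def classify(line):
    """Parse one listing line into (addr, mnemonic, [operands], flag); None if not an instruction."""
    parts = line.strip().split(None, 2)        # "addr:", mnemonic, "src,dst <symbol>"
    if len(parts) < 2 or not parts[0].endswith(':'):
        return None
    addr, mnem = parts[0][:-1], parts[1]
    text = parts[2].split('<')[0].strip() if len(parts) > 2 else ''
    ops = [operand_kind(o) for o in re.split(r',(?![^()]*\))', text)] if text else []
    if mnem.startswith(('j', 'call')):         # control transfer: fixed target or computed?
        flag = 'indirect-branch' if ops and ops[0][0] == 'indirect' else 'direct-branch'
    elif mnem.startswith('mov') and len(ops) == 2:
        flag = 'load' if ops[0][0] == 'mem' else 'store' if ops[1][0] == 'mem' else 'reg-write'
    else:
        flag = 'stack-op' if mnem.startswith(('push', 'pop')) else None
    return (addr, mnem, ops, flag)
```

Running `classify` over each line of a listing and keeping the `indirect-branch` and `store` rows gives the computed jumps and memory writes the reply suggests looking at first.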