Redefining Registers
Slicing and dicing the old registers

It's time to learn about more registers. Yep, you didn't learn about all of them yet.

I'll give you the ones that you should know so far:
  • EAX, ECX, and EDX are registers that you (the ASM hacker) can use for practically any purpose.
  • ESP points to the top of the stack.
  • EBP points somewhere else inside the stack. You use it to access values in the middle of the stack, including function arguments.
  • ESI, EDI, and EBX are registers that we're not going to worry about now.
Each of these registers is 32-bits wide and therefore can hold a maximum of 8 hex digits each. They all start with the letter E, and they are all written using three letters.

Not all registers follow the 3-letter format. Here are some new ones:

Register NameSizeDescription
AX16 bitsLower half of EAX.
CX16 bitsLower half of ECX.
DX16 bitsLower half of EDX.
AH8 bitsUpper half of AX.
CH8 bitsUpper half of CX.
DH8 bitsUpper half of DX.
AL8 bitsLower half of AX.
CL8 bitsLower half of CX.
DL8 bitsLower half of DX.

Those are the common ones you'll be using. Now you know that 16-bit and 8-bit registers exist in addition to the regular 32-bit registers.

Here are some new uncommon registers that you probably won't use. I'll give them to you anyway.

Register NameSizeDescription
BX16 bitsLower half of EBX.
BH8 bitsUpper half of BX.
BL8 bitsLower half of BX.
SP16 bitsLower half of ESP.
BP16 bitsLower half of EBP.
SI16 bitsLower half of ESI.
DI16 bitsLower half of EDI.

What about the "upper half" and "lower half" stuff? Well, the 16-bit and 8-bit registers are not independent of the big 32-bit registers.
Instead, you can think of the small registers as being pieces (or slices) of the big ones.

Register Map

So let's begin some examples to make the idea of "register slices" more understandable.

The Small Registers
MOV EAX,11223344   ;Store hex number 11223344 to EAX.
MOV AX,0           ;Store 0 to AX, which changes EAX to 11220000.
MOV AL,5B          ;Store 5B to AL, which changes AX to 005B and EAX to 1122005B.
MOV AH,CC          ;Store CC to AH, which changes AX to CC5B and EAX to 1122CC5B.
EAX, AX, and AL operations

We see that AX is truly the "lower half" of EAX, meaning the lower 4 hex digits. AH and AL are the size of bytes, and they can only hold 2 hex digits. They each take up one-fourth the wideness of EAX, or one-half the wideness of AX.

Other registers work the same way. Here is an example using EDX:
MOV EDX,10000    ;Store 00010000 to EDX.
MOV DH,95        ;Store 95 to DH, which changes EDX to 00019500. DX holds 9500.
ADD DX,120       ;Adding 120 causes DX = 9620 and EDX = 00019620.
SUB DL,F         ;DL now holds 11, which means EDX = 00019611.
The reason I'm telling you about these small registers is because they are sometimes used in the original Cave Story code.
An example of this:
Address     Instruction
004799CD    MOV WORD [4BBB54],AX     ;Store contents of AX into WORD [4BBB54].
004799D3    MOV ECX,DWORD [EBP-9C]
004799D9    MOV EDX,DWORD [EBP-9C]
004799DF    MOV EAX,DWORD [EDX+40]
004799E2    MOV DWORD [ECX+20],EAX
Most of the time however, you will still be working with the traditional registers EAX, ECX, and EDX.

Special Registers
Special Registers

Here are some registers that I neglected to mention before. They are EIP, EFLAGS, IP, and FLAGS.

EIP is a 32-bit register (DWORD sized) that keeps track of which address the program is currently at.
EFLAGS is also 32-bit, and it keeps track of conditional ASM flags, which are modified by commands such as CMP and then used by commands such as JNE, JGE, and so on.

FLAGS is just the lower half of EFLAGS, and IP is the lower half of EIP.

OllyDbg will often abbreviate EFLAGS as EFL and FLAGS as FL.

Now, normally you never have to worry about these special registers, because they can't be used inside any regular commands, except for a few.
DEC EIP      ;OllyDbg doesn't accept this. EIP can't be used as a normal register.
MOV EFL,8    ;OllyDbg doesn't accept this. EFLAGS can't be used as a normal register.
Previous Lesson: NPC Hacking 3
Next Lesson: Redefining Memory
Table of Contents