stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/exploit/binaries/buffer_overflow/docs/amd64_instructions.html

288 lines
38 KiB
HTML
Raw Normal View History

init
2022-09-02 09:05:59 +02:00
<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
init
2022-09-02 09:05:59 +02:00
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
Added settings.toml
2022-09-09 15:41:05 +02:00
<title>The Real Hugo</title>
init
2022-09-02 09:05:59 +02:00
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
Added settings.toml
2022-09-09 15:41:05 +02:00
<a href="/" style="text-decoration:none">Husk</a>
init
2022-09-02 09:05:59 +02:00
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
Added settings.toml
2022-09-09 15:41:05 +02:00
<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
init
2022-09-02 09:05:59 +02:00
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#amd64-instructions">amd64 instructions</a><ul>
<li><a href="#values">Values</a></li>
<li><a href="#move">Move</a></li>
<li><a href="#arithmetic">Arithmetic</a></li>
<li><a href="#conditionals">Conditionals</a></li>
<li><a href="#address-handling">Address Handling</a></li>
<li><a href="#zero-handling-in-registers">Zero Handling in Registers</a></li>
<li><a href="#jumps">Jumps</a></li>
<li><a href="#flags">Flags</a><ul>
<li><a href="#status">Status</a></li>
</ul>
</li>
<li><a href="#calling-conventions">Calling Conventions</a></li>
<li><a href="#cdecl">cdecl</a></li>
<li><a href="#fastcall">fastcall</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="amd64-instructions">amd64 instructions</h1>
<ul>
<li><code>;</code> starts a comment</li>
</ul>
<h2 id="values">Values</h2>
<ul>
<li><strong>Immediate</strong>, numbers</li>
<li><strong>register</strong>, existing registers</li>
<li><strong>memory</strong>, memory addresses</li>
</ul>
<h2 id="move">Move</h2>
<ul>
<li><code>MOV</code>, from source to destination</li>
<li><code>LEA</code>, loads memory address and stores it in the destination. Address can have an offset. Does not dereference <code>[var]</code> or <code>[var+x]</code></li>
<li><code>PUSH</code> &amp; <code>POP</code>, put &amp; delete registers to/from stack.</li>
</ul>
<h2 id="arithmetic">Arithmetic</h2>
<ul>
<li><code>INC</code>, increment</li>
<li><code>DEC</code>, decrement</li>
<li><code>ADD</code></li>
<li><code>SUB</code>, substracts source from dest and stores in dest</li>
<li><code>MUL</code> &amp; <code>IMUL</code>, result may be stored in upper and lower halfs (rdx:rax)</li>
<li><code>DIV</code> &amp; <code>IDIV</code>, rax is divided by rbx and may be stored in two halfs as well</li>
</ul>
<h2 id="conditionals">Conditionals</h2>
<ul>
<li><code>RET</code>, return value to the caller</li>
<li><code>CMP</code>, compare two values and sets flag. Next instruction is a jump condition to a line number. Works as follows<ul>
<li><code>JE</code>, <code>JEZ</code>, <code>JLE</code> ... followed by linenumber</li>
</ul>
</li>
<li><code>NOP</code>, <code>\x90</code></li>
<li><code>CALL</code> a function</li>
</ul>
<h2 id="address-handling">Address Handling</h2>
<ul>
<li><code>[var]</code>, memory address of var.<ul>
<li>If var contains an address then after <code>mov [var], 42</code> var points to the value 42. <code>[</code> dereference.</li>
</ul>
</li>
</ul>
<h2 id="zero-handling-in-registers">Zero Handling in Registers</h2>
<ul>
<li>Move to <code>eax</code> will result in zeroing the upper 32 bit of an <code>rax</code> register, move to <code>ax</code>, <code>ah</code>, <code>al</code> will not.</li>
<li><code>MOVZX</code> zeros anything but the value moved to the register inside of it.</li>
</ul>
<h2 id="jumps">Jumps</h2>
<ul>
<li>
<p>For signed value comparison</p>
<ul>
<li><code>JL/JNGE</code> (SF &lt;&gt; OF) ; Jump if less/not greater or equal</li>
<li><code>JGE/JNL</code> (SF = OF) ; Jump if greater or equal/not less</li>
<li><code>JLE/JNG</code> (ZF = 1 or SF &lt;&gt; OF); Jump if less or equal/not greater</li>
<li><code>JG/JNLE</code> (ZF = 0 and SF = OF); Jump if greater/not less or equal</li>
</ul>
</li>
<li>
<p>For unsigned value comparison</p>
<ul>
<li><code>JB/JNAE</code> (CF = 1) ; Jump if below/not above or equal</li>
<li><code>JAE/JNB</code> (CF = 0) ; Jump if above or equal/not below</li>
<li><code>JBE/JNA</code> (CF = 1 or ZF = 1) ; Jump if below or equal/not above</li>
<li><code>JA/JNBE</code> (CF = 0 and ZF = 0); Jump if above/not below or equal</li>
</ul>
</li>
</ul>
<h2 id="flags">Flags</h2>
<ul>
<li><code>eflags</code> 32bit</li>
<li><code>rflags</code> 64bit</li>
</ul>
<h3 id="status">Status</h3>
<ul>
<li><strong>Zero Flag</strong> (ZF), 1 if the result of the comparison is equal.</li>
<li><strong>Carry Flag</strong> (CF), a 1 is stored if a carry is needed after a calculation.</li>
<li><strong>Overflow Flag</strong> (OF), register overflow is 1</li>
<li><strong>Sign Flag</strong> (SF), 1 if result is negative.</li>
<li><strong>Adjust/Auxiliary Flag</strong> (AF), carry flag for BCD.</li>
<li><strong>Parity Flag</strong> (PF), 1 if the last 8 bits are even.</li>
<li><strong>Trap Flag</strong> (TF)</li>
</ul>
<h2 id="calling-conventions">Calling Conventions</h2>
<h2 id="cdecl">cdecl</h2>
<h2 id="fastcall">fastcall</h2>
<ul>
<li>First four are passed <strong>left to right</strong></li>
<li>int -&gt; RCX, RDX, R8, R9</li>
<li>float -&gt; XMM0, XMM1, XMM2, XMM3</li>
<li>Rest is <strong>right to left</strong></li>
<li>Basepointer is saved by the caller</li>
<li>Return values is passes via <code>rax</code> or <code>xmm0</code></li>
<li>Caller allocates space for at least four values, so 32 bytes are reserved. <code>$rsp to $rsp+0x18</code></li>
<li>Volatile registers are <code>rax, rcx, r8, r9, r10, r11, xmm0, xmm1, xmm2, xmm3, xmm4, xmm5</code>. These are destroyed after function call.</li>
<li>Nonvolatile registers are <code>rbx, rbp, rdi, rsi, rsp, r12, r13, r14, r15, xmm6-15</code> ares saved and restored after function call.</li>
</ul>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
Added settings.toml
2022-09-09 15:41:05 +02:00
function linkClick(obj) {
init
2022-09-02 09:05:59 +02:00
if (obj.open) {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('open');
init
2022-09-02 09:05:59 +02:00
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
Added settings.toml
2022-09-09 15:41:05 +02:00
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
init
2022-09-02 09:05:59 +02:00
} else {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('closed');
sessionStorage.removeItem(obj.id);
}
}
init
2022-09-02 09:05:59 +02:00
Added settings.toml
2022-09-09 15:41:05 +02:00
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
init
2022-09-02 09:05:59 +02:00
</script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
init
2022-09-02 09:05:59 +02:00
<script type="text/x-mathjax-config">
Added settings.toml
2022-09-09 15:41:05 +02:00
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
init
2022-09-02 09:05:59 +02:00
</body>
</html>