some additions

Exploits/Binaries/amd64.md

@@ -3,19 +3,55 @@
 * `rax` return value, caller saved.
 * `rbx` base register (used for mem basepointer)
 * `rcx` counter register
+* `rdx` data register, multiplication and division operations
 * `r10`, `r11` are caller saved.
 * `rbx`, `r12`, `r13`, `r14` are callee saved 
-* `rdx` data register
+* `rbp` is also callee saved, basepointer(can be optionally used as a frame pointer). Used to access parameters passed to the frame via offset.
-* `rbp` is also callee saved(and can be optionally used as a frame pointer)
+* `rsp` is callee saved, stack pointer. Only 64 or 32 bit callable, no 16 or 8 bit.
-* `rsp` is callee saved
 * `rip` next instruction pointer
+* `rsi` source index, used for string operations, used with data segment as offset.
+* `rdi` destination index, used for string operations, used with extra segment (ES) as an offset
 
-## Function argument registers
+Registers only available in 64 bit size are `r8 - r15`
-* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved.
+
+## Function Argument Registers
+
+* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, caller saved.
 * Further function args are stored inside its stack frame.
 
+## Flag Register
+
+Status register consists of single bit flags for results of `rax`. It is called `EFLAGS` in 32 bit, in 64 bit it is called `RFLAGS`.
+Some of the flags are the following
+
+* *Zero Flag*, result of the last executed instruction evaluated to zero
+* *Carry Flag*, if a calculation in a register leads to a higher value than the register is capable to display, the CF would be set to 1
+* *Sign Flag*, an SF of 1 indicates a negative value, 0 a positive value
+* *Trap Flag*, 1 indicates debugging mode
+
+## Segment Registers
+
+16 bit register, references to memory
+
+* Code Segment (CS) points to code section
+* Data Segments (DS) points to data section
+* Stack Segment (SS) points to stack
+* Extra Segments (ES,FS,GS) divide program's memory into four data sections
+
+
+## Prologue and Epilogue
+
+Preparation begins on the stack, when a function is called.
+Arguments are pushed on the stack before the function is executed.
+The return address of the caller is pushed before the base pointer of the frame.
+The callers base pointer pointer is pushed and then the base pointer is to the stack pointer currents address.
+Afterwards the stack pointer moves with the pushed and pulled values of the function on the stack.
+
+When the functions finished the saved base pointer is popped into the bp register and the return address is popped of to rip. The stack is set to the top of the stack once again.
+
 
 ## Overwriting Variables and Padding
+
 * Overwrite an atomic variable behind a buffer
 ```C
 int main ( int argc, char ** argv ) {