From 9b31906c44db3a606126b79424f42e873a9eacb1 Mon Sep 17 00:00:00 2001 From: whx Date: Mon, 8 Nov 2021 21:24:23 +0100 Subject: [PATCH] some amd64 --- exploit/buffer_overflow/docs/amd64.md | 6 +- .../docs/amd64_instructions.md | 77 +++++++++++++++++++ post_exploitation/bc_security/Empire | 2 +- 3 files changed, 83 insertions(+), 2 deletions(-) create mode 100644 exploit/buffer_overflow/docs/amd64_instructions.md diff --git a/exploit/buffer_overflow/docs/amd64.md b/exploit/buffer_overflow/docs/amd64.md index 82f4add..de18ef8 100644 --- a/exploit/buffer_overflow/docs/amd64.md +++ b/exploit/buffer_overflow/docs/amd64.md @@ -1,10 +1,14 @@ # amd64 * `rax` return value, caller saved. +* `rbx` base register (used for mem basepointer) +* `rcx` counter register * `r10`, `r11` are caller saved. * `rbx`, `r12`, `r13`, `r14` are callee saved +* `rdx` data register * `rbp` is also callee saved(and can be optionally used as a frame pointer) * `rsp` is callee saved +* `rip` next instruction pointer ## Function argument registers * `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved. @@ -26,7 +30,7 @@ int main ( int argc, char ** argv ) { ``` Bottom +------------------+ -| Saved regsisters | +| Saved registers | +------------------+ | int var | +------------------+ diff --git a/exploit/buffer_overflow/docs/amd64_instructions.md b/exploit/buffer_overflow/docs/amd64_instructions.md new file mode 100644 index 0000000..9b37210 --- /dev/null +++ b/exploit/buffer_overflow/docs/amd64_instructions.md 
@@ -0,0 +1,77 @@ +# amd64 instructions + +* `;` starts a comment + +## Values +* __Immediate__, numbers +* __register__, existing registers +* __memory__, memory addresses + +## Move +* `MOV`, from source to destination +* `LEA`, loads memory address and stores it in the destination. Address can have an offset. Does not dereference `[var]` or `[var+x]` +* `PUSH` & `POP`, put & delete registers to/from stack. + +## Arithmetic +* `INC`, increment +* `DEC`, decrement +* `ADD` +* `SUB`, substracts source from dest and stores in dest +* `MUL` & `IMUL`, result may be stored in upper and lower halfs (rdx:rax) +* `DIV` & `IDIV`, rax is divided by rbx and may be stored in two halfs as well + +## Conditionals +* `RET`, return value to the caller +* `CMP`, compare two values and sets flag. Next instruction is a jump condition to a line number. Works as follows + * `JE`, `JEZ`, `JLE` ... followed by linenumber +* `NOP`, `\x90` +* `CALL` a function + +## Address Handling +* `[var]`, memory address of var. + * If var contains an address then after `mov [var], 42` var points to the value 42. `[` dereference. + +## Zero Handling in Registers +* Move to `eax` will result in zeroing the upper 32 bit of an `rax` register, move to `ax`, `ah`, `al` will not. +* `MOVZX` zeros anything but the value moved to the register inside of it. 
+ +## Jumps +* For signed value comparison + * `JL/JNGE` (SF <> OF) ; Jump if less/not greater or equal + * `JGE/JNL` (SF = OF) ; Jump if greater or equal/not less + * `JLE/JNG` (ZF = 1 or SF <> OF); Jump if less or equal/not greater + * `JG/JNLE` (ZF = 0 and SF = OF); Jump if greater/not less or equal + +* For unsigned value comparison + * `JB/JNAE` (CF = 1) ; Jump if below/not above or equal + * `JAE/JNB` (CF = 0) ; Jump if above or equal/not below + * `JBE/JNA` (CF = 1 or ZF = 1) ; Jump if below or equal/not above + * `JA/JNBE` (CF = 0 and ZF = 0); Jump if above/not below or equal + +## Flags +* `eflags` 32bit +* `rflags` 64bit + +### Status +* __Zero Flag__ (ZF), 1 if the result of the comparison is equal. +* __Carry Flag__ (CF), a 1 is stored if a carry is needed after a calculation. +* __Overflow Flag__ (OF), register overflow is 1 +* __Sign Flag__ (SF), 1 if result is negative. +* __Adjust/Auxiliary Flag__ (AF), carry flag for BCD. +* __Parity Flag__ (PF), 1 if the last 8 bits are even. +* __Trap Flag__ (TF) + +## Calling Conventions + +## cdecl + +## fastcall +* First four are passed __left to right__ +* int -> RCX, RDX, R8, R9 +* float -> XMM0, XMM1, XMM2, XMM3 +* Rest is __right to left__ +* Basepointer is saved by the caller +* Return values is passes via `rax` or `xmm0` +* Caller allocates space for at least four values, so 32 bytes are reserved. `$rsp to $rsp+0x18` +* Volatile registers are `rax, rcx, r8, r9, r10, r11, xmm0, xmm1, xmm2, xmm3, xmm4, xmm5`. These are destroyed after function call. +* Nonvolatile registers are `rbx, rbp, rdi, rsi, rsp, r12, r13, r14, r15, xmm6-15` ares saved and restored after function call. diff --git a/post_exploitation/bc_security/Empire b/post_exploitation/bc_security/Empire index ce332b5..ec3377c 160000 --- a/post_exploitation/bc_security/Empire +++ b/post_exploitation/bc_security/Empire @@ -1 +1 @@ -Subproject commit ce332b5b08d7249c21e121697b7b48d6414c2a18 +Subproject commit ec3377c5a4bedce31983828af93b584a0c6e8907
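Review bot: In the first `amd64.md` hunk, `rbx` is now listed twice (the added "base register" line and the existing `rbx`, `r12`, `r13`, `r14` callee-saved line), and the added `rcx` and `rdx` lines name a role but not a save convention, although both are caller-saved argument registers under the System V convention the file already documents. Suggest merging the new role descriptions into the existing entries, e.g. "`rbx` base register, callee saved" and "`rcx` counter register / `rdx` data register, argument registers, caller saved". The visible context line "called saved" under "Function argument registers" should read "caller saved" while this hunk is being touched.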
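Review bot: The new `amd64_instructions.md` has several factual slips that should be fixed before merge. The volatile register list under "fastcall" omits `rdx` (it is an argument register and is clobbered like `rcx`, `r8`, `r9`), and "Basepointer is saved by the caller" contradicts the nonvolatile list on the next line, which correctly puts `rbp` among the registers the callee preserves. `DIV`/`IDIV` do not divide `rax` by `rbx`: the divisor is the instruction operand, the dividend is `rdx:rax`, the quotient lands in `rax` and the remainder in `rdx`. `RET` transfers control back to the caller (the return value is whatever is already in `rax`), so it does not belong under "Conditionals"; `JEZ` is not a mnemonic (the equal/zero jump is `JE`/`JZ`), and jump targets are labels or addresses rather than line numbers. `[var]` denotes the memory contents at `var`'s address, not the address itself, so the sentence about `mov [var], 42` should say it stores 42 at that address. The Parity Flag is set when the low byte has an even number of set bits, not when "the last 8 bits are even". The section titled "fastcall" describes the Microsoft x64 convention (`RCX`, `RDX`, `R8`, `R9`, 32-byte shadow space), which differs from the System V order (`rdi`, `rsi`, `rdx`, `rcx`, `r8`, `r9`) given in `amd64.md`; say so explicitly, and either fill in the empty `## cdecl` section or drop it. Style: `## cdecl` and `## fastcall` sit under `## Calling Conventions` and should be `###`, and "substracts", "halfs", "Return values is passes" and "ares saved" need correcting.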
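Review bot: The `post_exploitation/bc_security/Empire` submodule bump (`ce332b5` to `ec3377c`) is unrelated to the "some amd64" subject and is not mentioned in the commit message; split it into its own commit or at least state in the message which upstream Empire revision is being pulled in and why, so the pointer change is reviewable on its own.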