added info

2023-08-23 23:23:45 +02:00 · 2023-08-23 23:23:45 +02:00 · c2637a001d
parent d0c0ad1ab6
commit c2637a001d
2 changed files with 94 additions and 40 deletions
--- a/Exploits/Binaries/amd64
+++ b/Exploits/Binaries/amd64
@ -1,71 +1,126 @@
 # amd64 instructions

+This pages lists and describes basic instructions used in amd64 and x86 assembly language.
+Please take a look at [the intel 64 instruction reference book](https://cdrdv2.intel.com/v1/dl/getContent/671110)the instruction set as well as the [registers supported](https://cdrdv2.intel.com/v1/dl/getContent/671098) is growing further with every CPU generation. The reference book is currently 2522 pages strong.
+
 * `;` starts a comment

-## Values
-* __Immediate__, numbers
-* __register__, existing registers
-* __memory__, memory addresses
+## Operands
+
+Three types of operands are used in amd64/x86 assembly
+
+* __Immediate__, numbers (e.g. `0xDEADBEEF`)
+* __register__, existing registers (e.g. `rbx`)
+* __memory__, memory addresses in brackets (e.g. `[0xFF]`)

 ## Move
-* `MOV`, from source to destination
-* `LEA`, loads memory address and stores it in the destination. Address can have an offset. Does not dereference `[var]` or `[var+x]`
-* `PUSH` & `POP`, put & delete registers to/from stack.
+
+Basic instructions to used to move values are the following
+
+* `MOV`, from source to destination, exception: no mem to mem movement allowed
+* `LEA`, loads memory address and stores it in the destination. Addresses can have an offset. Does not dereference `[var]` or `[var+x]`
+* `PUSH` & `POP`, put & retrieve registers to/from stack. `
+* PUSHA` puts all 16 bit general purpose registers, `PUSHAD` puts all 32 registers onto the stack
+* `POPA` retrieve all 16 bit general purpose registers, `POPAD` retrieve all 32 registers from the stack

 ## Arithmetic
-* `INC`, increment
-* `DEC`, decrement
-* `ADD`
-* `SUB`, substracts source from dest and stores in dest
-* `MUL` & `IMUL`, result may be stored in upper and lower halfs (rdx:rax)
-* `DIV` & `IDIV`, rax is divided by rbx and may be stored in two halfs as well

-## Conditionals
+Basic arithmetics are the following
+
+* `INC`, increment by 1
+* `DEC`, decrement by 1
+* `ADD`, result is stored in dest
+* `SUB`, substracts source from dest and stores in dest, ZF is set if result is zero, CF is set if result is lower than the substracted value
+* `MUL` & `IMUL`, result may be stored in upper and lower halfs (rdx:rax) because of resulting size of the product
+* `DIV` & `IDIV`, rax is divided by rbx and may be stored in two halfs as well
+* `SHR` & `SHL`, shifts bits from dest times the count `n` of source right or left, respectively (`2^n`). Uses carry flag (CF) for overflow.
+* `ROR` & `ROL`, shifts bits from dest times the count `n` of source right or left, respectively. Does not use CF but appends the value on the other end of the value, like a ring structure.
+
+## Boolean
+
+Boolean instructions on binary numbers
+
+* `AND`, stores result in dest
+* `OR`, stores result in dest
+* `NOT`, for example is used to flip ones and zeros of a value
+* `XOR`, for example is used to zero the value of a register by XORing it with itself
+
+## Frame Basics
+
 * `RET`, return value to the caller
 * `CMP`, compare two values and sets flag. Next instruction is a jump condition to a line number. Works as follows
    * `JE`, `JEZ`, `JLE` ... followed by linenumber
-* `NOP`, `\x90`
-* `CALL` a function
+* `NOP`, `\x90` operates nothing, but the duration is exactly a single instructions
+* `CALL` a function, prepare function prologue, save `EBP` and `ESP` of the frame in before hand

 ## Address Handling
-* `[var]`, memory address of var.
-    * If var contains an address then after `mov [var], 42` var points to the value 42. `[` dereference.
-  
+
+A value with brackets around it like `[var]` is a reference to memory address at `var`.
+If var contains an address then after `mov [var], 42` var points to the value 42. `[` dereference.
+
 ## Zero Handling in Registers
+
 * Move to `eax` will result in zeroing the upper 32 bit of an `rax` register, move to `ax`, `ah`, `al` will not.
 * `MOVZX` zeros anything but the value moved to the register inside of it.

-## Jumps
-* For signed value comparison
-    * `JL/JNGE` (SF <> OF) ; Jump if less/not greater or equal
-    * `JGE/JNL` (SF = OF) ; Jump if greater or equal/not less
-    * `JLE/JNG` (ZF = 1 or SF <> OF); Jump if less or equal/not greater
-    * `JG/JNLE` (ZF = 0 and SF = OF); Jump if greater/not less or equal
+## Conditionals

-* For unsigned value comparison
-    * `JB/JNAE` (CF = 1) ; Jump if below/not above or equal
-    * `JAE/JNB` (CF = 0) ; Jump if above or equal/not below
-    * `JBE/JNA` (CF = 1 or ZF = 1) ; Jump if below or equal/not above
-    * `JA/JNBE` (CF = 0 and ZF = 0); Jump if above/not below or equal
+Test uses just the flag register's ZF to store the status of the result, it executes an `ADD` on the values
+
+* `TEST` (ZF=0) if result is 0
+
+Compare instruction `CMP` is used to set the following flags, it executes a `SUB` on the values
+
+* `CMP` (ZF=1 and PF=1) if dest and source values are equal
+* `CMP` (CF=1 and SF=1) if source is greater than dest
+* `CMP` (ZF=0 and CF=0) if dest is greater than source
+
+For signed value comparison the following instructions are available
+
+* `JZ` (ZF=1)
+* `JNZ` (ZF=0)
+* `JE` and `JEZ` are used after `CMP`
+
+
+* `JL/JNGE` (SF <> OF) ; Jump if less/not greater or equal
+* `JGE/JNL` (SF = OF) ; Jump if greater or equal/not less
+* `JLE/JNG` (ZF = 1 or SF <> OF); Jump if less or equal/not greater
+* `JG/JNLE` (ZF = 0 and SF = OF); Jump if greater/not less or equal
+
+For unsigned value comparison the following instructions are available
+
+* `JB/JNAE` (CF = 1) ; Jump if below/not above or equal
+* `JAE/JNB` (CF = 0) ; Jump if above or equal/not below
+* `JBE/JNA` (CF = 1 or ZF = 1) ; Jump if below or equal/not above
+* `JA/JNBE` (CF = 0 and ZF = 0); Jump if above/not below or equal

 ## Flags
+
+Resulting status of other registers is stored in the flag register.
+
 * `eflags` 32bit
 * `rflags` 64bit

 ### Status
-* __Zero Flag__ (ZF), 1 if the result of the comparison is equal.
-* __Carry Flag__ (CF), a 1 is stored if a carry is needed after a calculation.
-* __Overflow Flag__ (OF), register overflow is 1
-* __Sign Flag__ (SF), 1 if result is negative.
-* __Adjust/Auxiliary Flag__ (AF), carry flag for BCD.
-* __Parity Flag__ (PF), 1 if the last 8 bits are even.
-* __Trap Flag__ (TF)

-## Calling Conventions 
+* __Zero Flag__ (ZF), 1 if the result of the comparison is equal
+* __Carry Flag__ (CF), a 1 is stored if a carry is needed after a calculation
+* __Overflow Flag__ (OF), a register overflow results in a 1
+* __Sign Flag__ (SF), 1 if result is negative
+* __Adjust/Auxiliary Flag__ (AF), carry flag for BCD
+* __Parity Flag__ (PF), 1 if the last 8 bits are even
+* __Trap Flag__ (TF)
+* __Direction__ (DF) A string is processed backwards if 1, forward if 0
+* __Interrupt Enable__ (IF), hardware interrupt is enabled if 1, disabled if 0
+
+## Calling Conventions

 ## cdecl

+`#TBD`
+
 ## fastcall
+
 * First four are passed __left to right__
 * int -> RCX, RDX, R8, R9
 * float -> XMM0, XMM1, XMM2, XMM3
--- a/Exploits/Binaries/amd64.md
+++ b/Exploits/Binaries/amd64.md
@ -16,7 +16,7 @@ Registers only available in 64 bit size are `r8 - r15`

 ## Function Argument Registers

-* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, caller saved.
+* `rdi`, `rsi`, `rdx`, `rcx`, `r8 `, `r9 `, caller saved.
 * Further function args are stored inside its stack frame.

 ## Flag Register
@ -38,7 +38,6 @@ Some of the flags are the following
 * Stack Segment (SS) points to stack
 * Extra Segments (ES,FS,GS) divide program's memory into four data sections

-
 ## Prologue and Epilogue

 Preparation begins on the stack, when a function is called.