1.1 KiB

Raw Blame History

amd64

rax return value, caller saved.
r10, r11 are caller saved.
rbx, r12, r13, r14 are callee saved
rbp is also callee saved(and can be optionally used as a frame pointer)
rsp is callee saved

Function argument registers

rdi,rsi,rdx,rcx,r8 ,r9 , called saved.
Further function args are stored inside its stack frame.

Overwriting Variables and Padding

Overwrite an atomic variable behind a buffer

int main ( int argc, char ** argv ) {
    int var = 0 
    char buffer[12];
    
    gets(buffer);
    [...]
}

Stack layout

Bottom 
+------------------+
| Saved regsisters |
+------------------+
| int var          |
+------------------+
| char buffer [11] |
| ...              |
| ...              |
| ...              |
| char buffer [0]  |
+------------------+
| char ** argv     |
+------------------+
| char argc        |
+------------------+
Top

Watch out! I.e., a 12 byte array is padded to system memory allocation size.

+-------------+----+
|12 byte array| 4b |
+-------------+----+
0            12   16 byte