amd64 instructions

  • ; starts a comment

Values

  • Immediate, a numeric constant encoded directly in the instruction
  • Register, one of the existing registers (rax, rbx, ...)
  • Memory, a memory address used as an operand

Move

  • MOV, copies the value from source to destination
  • LEA, computes the effective address of the memory operand and stores it in the destination. The address can include an offset. Does not dereference: lea rax, [var] or lea rax, [var+x] yields the address, not the contents at that address
  • PUSH & POP, push a value onto / pop a value off the stack (PUSH decrements rsp before writing, POP reads and then increments rsp)

Arithmetic

  • INC, increment
  • DEC, decrement
  • ADD
  • SUB, subtracts source from dest and stores the result in dest
  • MUL & IMUL, the result may be stored in an upper and a lower half (rdx:rax)
  • DIV & IDIV, rdx:rax is divided by the operand (e.g. rbx); the result is likewise split in two halves, quotient in rax and remainder in rdx

Conditionals

  • RET, return to the caller (the return value is left in rax beforehand)
  • CMP, compares two values (computes dest - src without storing it) and sets the flags. The next instruction is normally a conditional jump to a label. Works as follows
    • JE/JZ, JLE ... followed by a label
  • NOP, no operation, opcode \x90
  • CALL, call a function (pushes the return address, then jumps to it)

Address Handling

  • [var], the contents of memory at address var; var on its own is the address, the brackets dereference it.
    • If var is an address, then after mov [var], 42 the location var points to holds the value 42.

Zero Handling in Registers

  • A move to eax zeroes the upper 32 bits of rax; a move to ax, ah or al leaves the rest of rax untouched.
  • MOVZX zero-extends: the moved value fills the low bits of the destination and every other bit of that register is cleared.
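
The partial-register rules above are easy to get wrong when reading disassembly, so here is an added example (not code from the compendium) that models a single 64-bit register and applies the write semantics described: a 32-bit write zero-extends into the full register, 8- and 16-bit writes merge into it, and MOVZX clears everything but the source width. The class and method names are hypothetical.

```python
# Added example: model rax and its sub-registers to show which writes zero the upper bits.
MASK64 = (1 << 64) - 1


class Reg64:
    """Models one general-purpose register (rax) and the views eax, ax, ah, al."""

    def __init__(self, value=0):
        self.rax = value & MASK64

    def mov(self, sub, value):
        """Emulate MOV <sub>, value and return the resulting 64-bit rax."""
        if sub == "rax":
            self.rax = value & MASK64
        elif sub == "eax":
            # 32-bit write: the upper 32 bits of rax are zeroed (implicit zero-extension)
            self.rax = value & 0xFFFFFFFF
        elif sub == "ax":
            # 16-bit write: bits 16..63 are preserved
            self.rax = (self.rax & ~0xFFFF & MASK64) | (value & 0xFFFF)
        elif sub == "al":
            # low byte only
            self.rax = (self.rax & ~0xFF & MASK64) | (value & 0xFF)
        elif sub == "ah":
            # bits 8..15 only
            self.rax = (self.rax & ~0xFF00 & MASK64) | ((value & 0xFF) << 8)
        else:
            raise ValueError(f"unknown sub-register {sub!r}")
        return self.rax

    def movzx(self, src_width, value):
        """Emulate MOVZX rax, <8- or 16-bit source>: keep src_width bits, zero the rest."""
        if src_width not in (8, 16):
            raise ValueError("MOVZX sources are 8 or 16 bits wide")
        self.rax = value & ((1 << src_width) - 1)
        return self.rax


if __name__ == "__main__":
    r = Reg64(0xFFFFFFFFFFFFFFFF)         # start with every bit set
    print(hex(r.mov("eax", 0x12345678)))   # upper half cleared
    r = Reg64(0xFFFFFFFFFFFFFFFF)
    print(hex(r.mov("ax", 0x1234)))        # upper 48 bits kept
    print(hex(r.mov("al", 0x00)))          # only the low byte changes
    print(hex(Reg64(0xFFFFFFFFFFFFFFFF).movzx(8, 0xF7)))
```

The practical consequence for reading code: after `mov eax, ...` you may assume the high 32 bits of rax are zero, but after `mov al, ...` a later 64-bit use of rax still sees whatever was there before.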

Jumps

  • For signed value comparison

    • JL/JNGE (SF <> OF) ; Jump if less/not greater or equal
    • JGE/JNL (SF = OF) ; Jump if greater or equal/not less
    • JLE/JNG (ZF = 1 or SF <> OF); Jump if less or equal/not greater
    • JG/JNLE (ZF = 0 and SF = OF); Jump if greater/not less or equal
  • For unsigned value comparison

    • JB/JNAE (CF = 1) ; Jump if below/not above or equal
    • JAE/JNB (CF = 0) ; Jump if above or equal/not below
    • JBE/JNA (CF = 1 or ZF = 1) ; Jump if below or equal/not above
    • JA/JNBE (CF = 0 and ZF = 0); Jump if above/not below or equal

Flags

  • EFLAGS, the 32-bit flags register
  • RFLAGS, its 64-bit extension in long mode

Status

  • Zero Flag (ZF), 1 if the result is zero, i.e. the compared values are equal.
  • Carry Flag (CF), 1 if the calculation needed a carry (or borrow) out of the top bit, i.e. unsigned overflow.
  • Overflow Flag (OF), 1 if the signed result overflowed the register.
  • Sign Flag (SF), 1 if the result is negative (top bit set).
  • Adjust/Auxiliary Flag (AF), carry out of bit 3, used for BCD arithmetic.
  • Parity Flag (PF), 1 if the low 8 bits of the result contain an even number of set bits.
  • Trap Flag (TF), when set the CPU raises a single-step exception after each instruction (used by debuggers).
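
To tie the jump table and the status flags together, the following added example (not from the compendium) emulates what CMP does, computing ZF, CF, SF, OF, PF and AF for a subtraction of a chosen width, and then evaluates the signed and unsigned jump predicates listed under "Jumps" against those flags. The function names are hypothetical; operands are given as raw bit patterns, so -1 must be passed as its two's-complement value.

```python
# Added example: emulate CMP a, b and the conditional jumps from the table above.


def to_unsigned(v, width=64):
    """Two's-complement bit pattern of v at the given width (so -1 -> 0xFF..FF)."""
    return v & ((1 << width) - 1)


def cmp_flags(a, b, width=64):
    """Flags that CMP a, b sets, i.e. the flags of a - b on width-bit operands."""
    mask = (1 << width) - 1
    sign = 1 << (width - 1)
    a &= mask
    b &= mask
    result = (a - b) & mask
    return {
        "ZF": result == 0,                       # result is zero -> operands equal
        "CF": a < b,                             # borrow needed: unsigned a < b
        "SF": bool(result & sign),               # top bit of the result
        # signed overflow: a and b differ in sign and the result's sign differs from a's
        "OF": bool(((a ^ b) & (a ^ result)) & sign),
        "PF": bin(result & 0xFF).count("1") % 2 == 0,   # even parity of the low byte
        "AF": bool((a ^ b ^ result) & 0x10),            # borrow out of bit 3 (BCD)
    }


# Jump predicates exactly as in the signed / unsigned tables above.
JUMPS = {
    "JE":  lambda f: f["ZF"],
    "JNE": lambda f: not f["ZF"],
    # signed comparisons look at SF and OF
    "JL":  lambda f: f["SF"] != f["OF"],
    "JGE": lambda f: f["SF"] == f["OF"],
    "JLE": lambda f: f["ZF"] or f["SF"] != f["OF"],
    "JG":  lambda f: not f["ZF"] and f["SF"] == f["OF"],
    # unsigned comparisons look at CF (and ZF)
    "JB":  lambda f: f["CF"],
    "JAE": lambda f: not f["CF"],
    "JBE": lambda f: f["CF"] or f["ZF"],
    "JA":  lambda f: not f["CF"] and not f["ZF"],
}


def taken(mnemonic, a, b, width=64):
    """True if the conditional jump `mnemonic` would be taken right after CMP a, b."""
    return bool(JUMPS[mnemonic](cmp_flags(a, b, width)))


def compare(a, b, width=64):
    """Return (signed relation, unsigned relation) of a to b, derived only from the flags."""
    f = cmp_flags(a, b, width)
    if f["ZF"]:
        return "==", "=="
    signed = "<" if JUMPS["JL"](f) else ">"
    unsigned = "<" if JUMPS["JB"](f) else ">"
    return signed, unsigned


if __name__ == "__main__":
    neg1 = to_unsigned(-1)
    print(cmp_flags(neg1, 1))
    print("signed, unsigned:", compare(neg1, 1))      # ('<', '>')
    print("8-bit -128 vs 1:", cmp_flags(0x80, 1, 8))  # OF set, SF clear -> JL taken
```

The `compare(-1, 1)` case is the one worth remembering: the same CMP gives "less" under the signed jumps and "greater" under the unsigned ones, which is exactly the mistake behind many length-check bypasses, and the 8-bit `-128 - 1` case shows why JL tests SF against OF rather than SF alone.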

Calling Conventions

cdecl

fastcall

  • The first four arguments are assigned left to right, one register per argument position
  • int -> RCX, RDX, R8, R9
  • float -> XMM0, XMM1, XMM2, XMM3
  • The remaining arguments are pushed on the stack right to left
  • Base pointer is saved by the caller
  • The return value is passed via rax or xmm0
  • The caller reserves space for at least four values, so 32 bytes are set aside (shadow space) from $rsp to $rsp+0x18
  • Volatile registers are rax, rcx, rdx, r8, r9, r10, r11, xmm0, xmm1, xmm2, xmm3, xmm4, xmm5. Their contents may be destroyed by the call.
  • Nonvolatile registers are rbx, rbp, rdi, rsi, rsp, r12, r13, r14, r15, xmm6-xmm15. These are saved and restored by the callee, so they survive the call.
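
As an added example (not code from the compendium), the script below computes where each argument of a call lands under the fastcall convention summarised above: a positional slot in RCX/RDX/R8/R9 or XMM0-XMM3 for the first four arguments, and stack slots just above the 32-byte shadow space for the rest. Locations are given as the caller sees them at the point of the CALL. It goes slightly beyond the list: the slot is positional (a float in position 2 uses XMM1 and RDX stays unused), and the helper rounds the caller's reservation up to the 16-byte alignment the convention requires. Function and constant names are hypothetical.

```python
# Added example: argument placement under the Windows x64 ("fastcall") convention described above.
INT_REGS = ["rcx", "rdx", "r8", "r9"]          # integer / pointer arguments, by position
FLOAT_REGS = ["xmm0", "xmm1", "xmm2", "xmm3"]  # floating-point arguments, by position
SHADOW_SPACE = 0x20                            # 4 slots * 8 bytes: [rsp] .. [rsp+0x18]


def place_args(arg_types):
    """arg_types: list of 'int' or 'float' in source order. Returns [(index, location), ...]."""
    placement = []
    for i, kind in enumerate(arg_types):
        if kind not in ("int", "float"):
            raise ValueError(f"unsupported argument kind: {kind!r}")
        if i < 4:
            # positional slot: the register is chosen by position, not by how many of each kind came before
            loc = INT_REGS[i] if kind == "int" else FLOAT_REGS[i]
        else:
            # fifth and later arguments sit on the stack above the shadow space, left to right
            loc = f"[rsp+{SHADOW_SPACE + 8 * (i - 4):#x}]"
        placement.append((i, loc))
    return placement


def stack_bytes_needed(arg_types):
    """Bytes the caller must reserve for the call: shadow space plus 8 per stack argument, 16-byte aligned."""
    n_stack = max(0, len(arg_types) - 4)
    size = SHADOW_SPACE + 8 * n_stack
    return (size + 15) & ~15


if __name__ == "__main__":
    sig = ["int", "float", "int", "int", "int", "float"]   # constructed sample signature
    for index, where in place_args(sig):
        print(f"arg{index} ({sig[index]}) -> {where}")
    print("caller reserves", stack_bytes_needed(sig), "bytes")
```

When reversing a call site this is the map you want in your head: anything the function reads from `[rsp+0x20]` onward after the prologue adjustments is the fifth argument or later, and anything left in rdx, r8 or the low XMM registers is not guaranteed to survive the call.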