Assembly

Wiki instruction by Félix Cloutier	x86 and amd64 instruction reference

Registers & Function Call

x86 Registers (32-bit)

With the x86 elf architecture, arguments are passed on the stack.

Byte 0-3	Bytes 0-1	Byte 0	Typical usage
eax	ax	al	Accumulator (arithmetic results) Return Value
ebx	bx	bl	Base register (addresses, general use)
ecx	cx	cl	Counter (loops, shifts)
edx	dx	dl	Data, multiplication/division
esi	si	/	Source index (strings, arrays)
edi	di	/	Destination index (strings, arrays)
esp	sp	/	Stack pointer (top of the stack)
ebp	bp	/	Base/frame pointer (stack frames)
eip	/	/	Extended Instruction Pointer (next instruction)

x64 Registers (64-bit)

In x64 linux arguments to a function are passed via registers.

Byte 0-7	Bytes 0-3	Bytes 0-1	Byte 0	Typical usage
rax	eax	ax	al	Accumulator (arithmetic results) Return Value
rbx	ebx	bx	bl	Base register (addresses, general use)
rcx	ecx	cx	cl	Counter (loops, shifts) 4. Fourth Argument
rdx	edx	dx	dl	Data, multiplication/division 3. Third Argument
rsi	esi	si	sil	Source index (strings, arrays) 2. Second Argument
rdi	edi	di	dil	Destination index (strings, arrays) 1. First Argument
rsp	esp	sp	spl	Stack pointer (top of the stack)
rbp	ebp	bp	bpl	Base/frame pointer (stack frames)
r8	r8d	r8w	r8b	General-purpose 5. Fifth Argument
r9	r9d	r9w	r9b	General-purpose 6. Sixth Argument
r10	r10d	r10w	r10b	General-purpose
r11	r11d	r11w	r11b	General-purpose
r12	r12d	r12w	r12b	General-purpose
r13	r13d	r13w	r13b	General-purpose
r14	r14d	r14w	r14b	General-purpose
r15	r15d	r15w	r15b	General-purpose
rip	eip	/	/	Register Instruction Pointer (next instruction)

Function Call

     +-----------------+ 0x00000000
     |       ...       |
  +- +-----------------+ <- ESP
  |  |     Old EIP     |
F |  +-----------------+
R |  |       ...       |
A |  |       ...       |
M |  | Local Variable  | 
E |  +-----------------+ <-- EBP = Old ESP
  |  |     Old EBP     |
  +- +-----------------+
     |     Old EIP     | <-- Return Address
     +-----------------+
     |       ...       |
     +-----------------+ 0xffffffff

---

call function ; push eip
              ; jmp function

Prologue

push ebp     ; save the old base pointer
mov ebp, esp ; save esp in ebp
sub esp, x   ; allocate space for local variables

Epilogue

leave  ; mov esp, ebp  ; restore esp
       ; pop ebp       ; restore ebp
ret    ; pop eip       ; restore execution

Words

word 2 bytes of data.

dword 4 bytes of data.

qword 8 bytes of data.

Instructions & Note

Practice

from pwn import asm, context
from unicorn import Uc, UC_ARCH_X86, UC_MODE_32
from unicorn.x86_const import *

# pip install pwntools unicorn

context.arch = "i386"   # 32 bit Intel

ADDRESS = 0x1000
mu = Uc(UC_ARCH_X86, UC_MODE_32)
mu.mem_map(ADDRESS, 0x1000)

CODE = """
    mov eax, 0x1000
    mov ebx, 0x1000+0x2
    lea ecx, [eax]
"""

code_bytes = asm(CODE)
mu.mem_write(ADDRESS, code_bytes)

# clear registers 
for reg in (UC_X86_REG_EAX, UC_X86_REG_EBX, UC_X86_REG_ECX, UC_X86_REG_EDX):
    mu.reg_write(reg, 0)

# run
mu.emu_start(ADDRESS, ADDRESS + len(code_bytes))

# read
eax = mu.reg_read(UC_X86_REG_EAX); print("EAX =", eax)
ebx = mu.reg_read(UC_X86_REG_EBX); print("EBX =", ebx)
ecx = mu.reg_read(UC_X86_REG_ECX); print("ECX =", ecx)

MOV

mov ebp, 0x1000
mov eax, ebp
; move the value 0x1000 in eax

Dereferencing []

mov eax, [ebp]
; if ebp = 0x1000, move the value in memory 0x1000 in eax
mov eax, [ebp-0x8]
; if ebp = 0x1000, move the value in memory 0x0FF8 (0x1000 - 0x8) in eax

LEA

lea eax, [ebp-0x8]
; if ebp = 0x1000, move the value 0x0FF8 (0x1000 - 0x8) in eax
; get a pointer to a memory region

ADD

add eax, ebx
; add ebx in eax (eax = eax + ebx)

SUB

sub eax, ebx
; sub ebx from eax (eax = eax - ebx)

PUSH

push eax
; add eax on the stack (decrease esp)

POP

pop eax
; remove top element from the stack and store it in eax (increase esp)

CMP

cmp eax, ebx
; sub ebx from eax and set FLAGs accordingly

JMP

label:
    jmp 0x1000
    jmp eax
    jmp [eax]
    jmp label
; set next instruction to address eax

JE/JNE/JG/JL/JZ/JNZ

je label
; if equals

jne label
; if not equals

jg label
; if greater

jl label
; if less

jz label
; if zero

jnz label
; if not zero

XOR/AND/OR

xor eax, ebx
; eax = eax XOR ebx

and eax, ebx
; eax = eax AND ebx

or eax, ebx
; eax = eax OR ebx