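| Register Name | 64 Bit | 32 Bit | 16 Bit | 8 Bit |
|---------------|--------|--------|--------|-------|
| R0            | RAX    | EAX    | AX     | AH/AL |
| R1            | RCX    | ECX    | CX     | CH/CL |
| R2            | RDX    | EDX    | DX     | DH/DL |
| R3            | RBX    | EBX    | BX     | BH/BL |
| R4            | RSP    | ESP    | SP     |       |
| R5            | RBP    | EBP    | BP     |       |
| R6            | RSI    | ESI    | SI     |       |
| R7            | RDI    | EDI    | DI     |       |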
#x86_64: Registers
• RIP: Instruction pointer
  • Points to the next instruction to be executed
  • 64 bits in width
• RFLAGS: Stores flags used for processor flow control
• FPR0-FPR7: Floating point status and control registers
• RBP/RSP: Stack manipulation and usage
7/19/2020 Hackaday U – Introduction to Software Reverse Engineering 24
#x86_64 Instructions
• These define the operations being performed by the CPU
• For this course we will be using the Intel syntax
  • instruction dest, source
• Instructions can have multiple operands
  • These define the arguments for the specified operation
• x86_64 has a large number of available instructions
  • We will focus on commonly used ones to start
#x86_64 Instructions: mov
• Moves data from one register to another
    mov rax, rbx
  • Moves the value stored in RBX to RAX
    mov rax, [rcx]
  • Moves the value pointed to by RCX into RAX
#x86_64 Instructions: add/sub
• Add: Adds the two values together, storing the result in the first argument
  • add rax, rbx
  • Adds rbx to rax, the result is stored in rax
  • rax += rbx
• Sub: Subtracts the second operand from the first one, storing the result in the first operand
  • sub rax, rbx
  • Subtracts rbx from rax, stores the result in rax
  • rax -= rbx
#x86_64 Instructions: and/xor
• AND: Performs the binary operation AND on the two operands, storing the result in the first
  • and rax, rbx
  • rax = rax & rbx
• This syntax is used for other binary operations as well:
  • xor
  • or
#x86_64: The Stack
• Data structure containing elements in contiguous memory
• POP: Reads from stack
• PUSH: Writes to stack
• Elements are removed in the reverse order that they are added
• Grows high to low
• RSP points to top of stack
• RBP contains base pointer
#x86_64 Instructions: push/pop
• push will grow the stack by 8 and store the operand contents on the stack
  • push rax
  • Increases the value pointed to by rsp by 8, and stores rax there
• pop will load the value pointed to by rsp into the operand
  • pop rbx
  • Loads the value pointed to by rsp into rbx, and decreases rsp by 8
#x86_64: The Stack
[Figure: stack diagram. Labels: High Address, Low Address, RBP, RSP. Stack contents: Element 1, RAX, RBX, RCX. Operations shown: PUSH RAX, PUSH RBX, PUSH RCX, POP RAX]
#x86_64 Instructions: jmp/call
• jmp is used to change what code is being executed
  • Modifies the value in the instruction pointer (rip/eip)
  • jmp 0x1000300
  • Set instruction pointer to 0x1000300 and execute the instructions there
• call is used to implement function calls
  • Pushes value of rip onto stack before jumping
  • call 0x18000000
#x86_64 Instructions: cmp
• cmp performs a comparison operation by subtracting the operands
  • No storage is performed (unlike sub)
  • Based on the result, fields in RFLAGS are set!
  • cmp rax, 5
• The flags in the RFLAGS register are used by jmp variants
  • jnz: Jump if not zero
  • jz: Jump if zero
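The cmp/jnz interaction above, traced in an added example that is not part of the original slides: a minimal Python interpreter for the register and immediate forms of mov, add, sub, and, xor, or, cmp, jmp, jz and jnz. The `run` function, the `LOOP` listing and its `loop` label are constructed for illustration, and only the zero flag of RFLAGS is modelled.

```python
import re

MASK = (1 << 64) - 1  # general-purpose registers are 64 bits wide
# Constructed listing (Intel syntax: instruction dest, source): sums 5+4+3+2+1.
LOOP = """
    mov rax, 0
    mov rcx, 5
loop:
    add rax, rcx      ; rax += rcx
    sub rcx, 1        ; rcx -= 1
    cmp rcx, 0        ; sets the zero flag, stores nothing
    jnz loop          ; taken while rcx != 0
"""

ALU = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b,
       "and": lambda a, b: a & b, "xor": lambda a, b: a ^ b,
       "or": lambda a, b: a | b}

def run(source, max_steps=1000):
    """Execute the listing; return (registers, zero_flag)."""
    regs, zf, labels, prog = {}, False, {}, []
    for line in source.splitlines():
        line = line.split(";")[0].strip()           # drop comments
        if line.endswith(":"):
            labels[line[:-1]] = len(prog)           # label = index of next instruction
        elif line:
            op, *ops = re.split(r"[,\s]+", line)
            prog.append((op.lower(), ops))
    def val(o):                                     # immediate or register operand
        return int(o, 0) & MASK if o[0].isdigit() else regs.get(o, 0)
    rip = 0
    for _ in range(max_steps):
        if rip >= len(prog):
            return regs, zf
        op, ops = prog[rip]
        rip += 1                                    # rip points to the next instruction
        if op == "mov":
            regs[ops[0]] = val(ops[1])              # mov leaves the flags alone
        elif op in ALU:
            regs[ops[0]] = ALU[op](val(ops[0]), val(ops[1])) & MASK
            zf = regs[ops[0]] == 0
        elif op == "cmp":                           # subtract, set flag, discard result
            zf = ((val(ops[0]) - val(ops[1])) & MASK) == 0
        elif op == "jmp" or (op == "jz" and zf) or (op == "jnz" and not zf):
            rip = labels[ops[0]]                    # overwrite the instruction pointer
        elif op not in ("jz", "jnz"):
            raise ValueError(f"unsupported instruction: {op}")
    raise RuntimeError("step limit reached")
```

Calling `run(LOOP)` returns the final register values and the zero flag; replacing `cmp` with `sub` in a listing shows the difference in what gets stored.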
#x86_64: Addressing Modes
• Instructions can access registers and memory in various modes
• Immediate: The value is stored in the instruction
  • add rax,14; stores rax+14 into RAX
• Register to Register
  • xor rax,rax; clears the value in RAX
• Indirect Access:
  • add rax, [rbx]; adds the value pointed to by rbx into rax
  • mov rbx, 1234[8*rax+rcx]
  • move word at address 8*RAX+RCX+1234 into rbx
#x86_64 Instructions Exercise