eax/rax → accumulator (return values, math) ebx/rbx → base register (general data) ecx/rcx → counter (loops, 1st arg in Win64) edx/rdx → data register (2nd arg in Win64) esp/rsp → stack pointer (top of stack) ebp/rbp → base pointer (stack frame) esi/rsi → source index (string/mem ops) edi/rdi → destination index (string/mem ops) eip/rip → instruction pointer eflags/rflags → status flags (ZF, SF, CF, OF, etc.) cs, ds, ss, es, fs, gs Assembly Instructions
push <val> → push to stack the top of the stack (esp/rsp -= size) push [val] → push memory address to the top of the stack (esp/rsp -= size)pop <reg> → pop from the top of the stack (esp/rsp += size)pop [val] → pop memory address from the top of the stack (esp/rsp += size)call <func> → push return addr, jump ret → pop return addr, return add reg, val → reg += val sub reg, val → reg -= val inc reg / dec reg → increment / decrement mul / imul → unsigned / signed multiply div / idiv → unsigned / signed divide and reg, val → bitwise AND or reg, val → bitwise OR xor reg, val → bitwise XOR (exclusive OR) not reg → bitwise NOT (invert bits) mov dst, src → dst = src (can also do mov dst, [src] to move the value at src into dst (dereference))lea reg, [mem] → load effective address: calculate the address of the source operand and store that address in the dest register -> Common in loops, array indexing, struct field access.Supposing var1 is defined as: var1 equ 1
| Instruction | Result in eax |
|---|---|
mov eax, var1 |
eax = 1 (immediate) |
mov eax, [var1] |
eax = value at memory address (1) |
lea eax, [var1] |
eax = address of var1 |
movzx -> Copy a smaller value into | Instruction | Result in eax |
|---|---|
mov eax, var1 |
eax = 1 (immediate) |
mov eax, [var1] |
eax = value at memory address (1) |
lea eax, [var1] |
eax = address of var1 |
movzx -> Copy a smaller value into a larger register and fills the extra high bits with 0movsx → Copies a smaller value into a larger register and fills the extra high bits with the sign bit (MSB)xchg → swapmovsb -> moves one byte from the memory location pointed to by ESI to EDI stos stores the value of the accumulator register (AL, AX, or EAX) into memory at the address pointed to by EDI/RDI (destination index), then increments or decrements EDI/RDI depending on the direction flag (DF). Direction flag (DF): determines increment/decrement of EDI. cld → increment. std → decrementstosb ; store byte from AL → [EDI]stosw ; store word from AX → [EDI]stosl ; store doubleword from EAX → [EDI]rep (repeat). rep <instruction> - repeats the following instruction ECX number of times
rep stosl, rep movsb etc.cmp a, b → subtract, set flags (no result stored) test a, b → AND, set flags (no result stored) jmp label je/jz → equal / zero jne/jnz → not equal / nonzero jg/jnle → greater (signed) jl/jnge → less (signed) ja/jb → above / below (unsigned) Debugging and RE Instructions
Registers
remember: intel syntax operation [destination], [source]
nop → no operation (used for patching/aligning). int3 → software breakpoint (triggers debugger). hlt → halt CPU until interrupt (rare, low-level). ud2 → undefined instruction (forces exception). Software breakpoint is represented by the CPU instruction: int3 or 0xCC. Creating software breakpoints directly modify the program's code. In some cases, malware may attempt to detect this.
Hardware breakpoints are implemented by the CPU directly, and stored in the registers DR0, DR1, DR2 and DR3. Hardware breakpoints do not directly modify the program's executing code. This is advantageous when performing analysis. Note: Since only 4 registers exist for HW BP, you can only set 4 at a given time
Hardware Breakpoints can be set on either Address, or Memory Page (x64dbg -> Memory Map). You can specify conditions that cause the breakpoint to be triggered. See the table below:
| Type | Breakpoint Description |
|---|---|
| Hardware, Access | When the address is accessed in any way, breakpoint is triggered |
| Hardware, Write | When the address is accessed and about to be written to breakpoint is triggered |
| Hardware, Execute | When the address is accessed for execution, breakpoint is triggered |
Memory Breakpoints are implemented using by making modification to the Memory Protection attributes of a given memory page.
| Memory, Access | When this memory page is accessed in any way, breakpoint is triggered |
|---|---|
| Memory, Read | When this memory page is accessed for a read operation, breakpoint is triggered |
| Memory, Write | When this memory page is accessed for a write operation, breakpoint is triggered |
| Memory, Execute | When this memory page is accessed for exection, breakpoint is triggered |
[ebp-4], [rbp-8]. base + (index * size). [0x1000] 0A 00 00 00
[0x1004] 14 00 00 00
[0x1008] 1E 00 00 00
[0x100C] 28 00 00 00
+0x00 → pointer to heap data
+0x08 → size
+0x0C → capacity
ecx, edx), and the rest on stack. rcx, rdx, r8, r9; and the rest on stack. ; int add(int a, int b)
add PROC
mov eax, [esp+4] ; a
mov edx, [esp+8] ; b
add eax, edx
ret
add ENDP
; Caller:
push 5
push 3
call add
add esp, 8 ; caller cleans up
; int add(int a, int b)
add PROC
mov eax, [esp+4] ; a
mov edx, [esp+8] ; b
add eax, edx
ret 8 ; callee cleans up (2 args * 4 bytes)
add ENDP
; Caller:
push 5
push 3
call add
; no "add esp, 8" here, callee already cleaned
ecx, edx).; int add(int a, int b)
add PROC
mov eax, ecx ; a
add eax, edx ; eax = a + b
ret
add ENDP
; Caller:
mov ecx, 3 ; 1st arg → ecx
mov edx, 5 ; 2nd arg → edx
call add
rcx, rdx, r8, r9.; int add(int a, int b)
add PROC
mov eax, ecx ; a in rcx (lower 32 bits → ecx)
add eax, edx ; b in rdx (lower 32 bits → edx)
ret
add ENDP
; Caller:
sub rsp, 40 ; allocate 32-byte shadow space + alignment
mov ecx, 3 ; 1st arg → rcx
mov edx, 5 ; 2nd arg → rdx
call add
add rsp, 40 ; restore stack
DataTypes
Function Call Types