List of all register on a x86_X64 cpu

This is for people who want to understand how programs get loaded under linux. In particular it talks about dynamically loaded x86 ELF files. The information you learn will let you understand how to debug problems that occur in your program before main starts up.

at&t syntax utilization example

through with the basics, we will look at writing shellcode, encoders, decoders, crypters and other advanced low level applications.

The course outline follows the exact same outline of our 32-bit course but all the topics will be taught with x86_64 64-bit assembly.

Complete x86/x64 JIT and Remote Assembler for C++

Clean assembler code injection in c++

A big doc about how asm instruction are decode

7 bytes

0000000: 6641 2521 2173 21 fA%!!s!

As 32 bit

00000000 6641 inc cx
00000002 2521217321 and eax,0x21732121

As 64 bit

00000000 6641252121 and ax,0x2121
00000005 7321 jnc 0x28

and clears the carry flag so the 64 bit version always jumps. For 64-bit the 6641 is the operand size override followed by rex.b so the operand size for the and comes out as 16 bit. On 32-bit the 6641 is a complete instruction so the and has no prefix and has a 32-bit operand size. This changes the number of immediate bytes consumed by the and giving two bytes of instructions that are only executed in 64-bit mode.

An array of all x86/x86_x64 instruction, very useful

While reading some disassembly, we came across a weird-looking instruction, that was present in most everything we gave objdump.

f3 c3 repz ret

When starting out as a reverse engineer or malware analyst, it is often tempting to trust your disassembler to correctly resolve the various bytes into code or data. However, to become an expert, it is important to gain as much insight as possible into the Instruction Set Architecture (ISA) of the chip you are working with. This opens many new possibilities: polymorphic code becomes easier to handle, and you become able to use some custom disassembly techniques in your own rootkits or understand these techniques when used by others.

In pipelined processors, instruction are fetched, decoded, and executed speculatively, and are not permitted to modify system state until instruction commit. For instructions that modify registers, this is often achieved using register renaming. For stores to memory, speculative stores write into a store queue at execution time and only write into cache after the store instructions have committed.

This article’s aim is to explain how a modern operating system makes it possible to use shared libraries with load-time relocation. It focuses on the Linux OS running on 32-bit x86, but the general principles apply to other OSes and CPUs as well.