x86 Cheatsheet
Register layout, e.g. EAX (32 bits). AX is its low 16 bits; AH and AL are the high and low bytes of AX:
EAX: 0000 0000 0000 0000 0000 0000 0000 0000
                         AX: 0000 0000 0000 0000
                             AH: 0000 0000  AL: 0000 0000
EAX - generally contains the return value for function calls
EBX - general purpose register
ECX - general purpose register
EDX - general purpose register
EBP - Base Pointer: contains the base address of the function's frame. EBP is used to back up ESP when a function is called
ESP - Stack Pointer
ESI - Used for String operations: Source Index
EDI - Used for String operations: Destination Index
EIP - Instruction Pointer: points to next instruction
Flags
ZF - zero flag is set when the result of an operation is equal to zero
CF - carry flag is set when the result of an operation is too large or too small for the destination operand
SF - sign flag is set when the result of an operation is negative or cleared when the result is positive
TF - trap flag: used for debugging; when set, the processor traps after every instruction (single-stepping)
Instructions
mov - move data from one location to another, e.g. reading and writing memory
lea - put a memory address into the destination.
For example, lea eax, [ebx+8] will put EBX+8 into EAX.
In contrast, mov eax, [ebx+8] loads the data at the memory address specified by EBX+8.
Sometimes used for calculations.
add - adds the source operand to the destination operand and stores the result in the destination
sub - subtracts the source operand from the destination and modifies two important flags: the zero flag (ZF) and carry flag (CF).
The ZF is set if the result is zero, and CF is set if the destination is less than the value subtracted
inc/dec - increments/decrements a register by one
mul/div - act on a predefined register, so the command is simply the instruction plus the value that the register will be multiplied or divided by.
Assignment of the register on which a mul or div instruction acts can occur many instructions earlier
Results are stored in EDX and EAX
OR/AND - perform the specified operation between the source and destination operands and store the result in the destination
XOR - often used to set a register to 0 (xor a register with itself)
shr/shl - shift bits right/left; the last bit shifted out lands in CF
ror/rol - like shift but bit rotates to the other end
HINT: a function containing only the instructions xor, or, and, shl, ror, shr, or rol, repeated and seemingly at random, is probably an encryption or compression function
push - pushes to stack (arguments before function call)
pop - pulls from stack
call - pushes the contents of EIP (the return address) onto the stack and sets EIP to the function's address
leave - sets ESP to equal EBP and pops EBP off the stack
ret - pops the return address off the stack and into EIP
test - bitwise AND of the operands without storing the result; the zero flag (ZF) is typically the flag of interest after the test instruction
cmp - subtracts src from dst without storing the result; the zero flag (ZF) and carry flag (CF) may be changed as a result
cmp dst, src    ZF    CF
dst = src        1     0
dst < src        0     1
dst > src        0     0
jmp - jumps to a location in memory
jz loc Jump to specified location if ZF = 1.
jnz loc Jump to specified location if ZF = 0.
je loc used after a cmp instruction. Jump if the destination operand equals the source operand.
jne loc used after a cmp. Jump if the destination operand is not equal to the source operand.
jg loc jump after a cmp if the destination operand is greater than the source operand.
jge loc jump after a cmp if the destination operand is greater than or equal to the source operand.
jl loc jump after a cmp if the destination operand is less than the source operand.
jle loc jump after a cmp if the destination operand is less than or equal to the source operand.
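A worked check of the cmp table and the jumps that follow it, added here as an example (not part of the original cheatsheet): a C model of the flags cmp leaves behind, cross-checked against the real CPU with GCC/Clang inline assembly when built on x86, and a predicate for which conditional jump fires. It goes beyond the table above in that it also tracks SF and OF, which jg/jge/jl/jle consult for signed comparisons, and adds the unsigned ja/jb; the setz/setc/sets/seto instructions used to read the flags are assumed, not listed on the page.

```c
#include <stdint.h>
#include <string.h>

/* EFLAGS bit positions for the flags that cmp/sub update. */
enum { CF = 1u << 0, ZF = 1u << 6, SF = 1u << 7, OF = 1u << 11 };

/* Software model of "cmp dst, src": compute dst - src, keep only the flags. */
uint32_t cmp_flags(uint32_t dst, uint32_t src)
{
    uint32_t res = dst - src;                 /* wraps mod 2^32 like the CPU */
    uint32_t f = 0;
    if (res == 0)           f |= ZF;          /* dst == src            */
    if (dst < src)          f |= CF;          /* unsigned borrow       */
    if (res & 0x80000000u)  f |= SF;          /* result negative       */
    /* signed overflow: operand signs differ and result sign != dst sign */
    if ((dst ^ src) & (dst ^ res) & 0x80000000u) f |= OF;
    return f;
}

/* Same question asked of the real CPU (x86 only); elsewhere falls back to the model. */
uint32_t cmp_flags_hw(uint32_t dst, uint32_t src)
{
#if defined(__i386__) || defined(__x86_64__)
    uint8_t z, c, s, o;
    __asm__ volatile ("cmpl %5, %4\n\t"       /* AT&T order: src, dst */
                      "setz %0\n\tsetc %1\n\tsets %2\n\tseto %3"
                      : "=q"(z), "=q"(c), "=q"(s), "=q"(o)
                      : "r"(dst), "r"(src) : "cc");
    return (z ? ZF : 0) | (c ? CF : 0) | (s ? SF : 0) | (o ? OF : 0);
#else
    return cmp_flags(dst, src);               /* no x86 CPU to ask: use the model */
#endif
}

/* Would this conditional jump be taken after cmp dst, src? (-1: unknown mnemonic) */
int jump_taken(const char *jcc, uint32_t f)
{
    int zf = !!(f & ZF), cf = !!(f & CF), sf = !!(f & SF), of = !!(f & OF);
    if (!strcmp(jcc, "je") || !strcmp(jcc, "jz"))   return zf;
    if (!strcmp(jcc, "jne") || !strcmp(jcc, "jnz")) return !zf;
    if (!strcmp(jcc, "jg"))  return !zf && sf == of;   /* signed   dst >  src */
    if (!strcmp(jcc, "jge")) return sf == of;          /* signed   dst >= src */
    if (!strcmp(jcc, "jl"))  return sf != of;          /* signed   dst <  src */
    if (!strcmp(jcc, "jle")) return zf || sf != of;    /* signed   dst <= src */
    if (!strcmp(jcc, "ja"))  return !cf && !zf;        /* unsigned dst >  src */
    if (!strcmp(jcc, "jb"))  return cf;                /* unsigned dst <  src */
    return -1;
}
```

The instructive case is cmp 0x80000000, 1: the table above reads it as dst > src (ZF=0, CF=0, so ja fires), but as signed values it is INT_MIN < 1, so jl fires and jg does not.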
movsx - string move instructions, where x = b, w, d for byte, word, dword
movsb - moves one byte from [ESI] to [EDI]
Repeat prefixes are used for multibyte operations
Instruction    Description
rep            Repeat until ECX = 0
repe, repz     Repeat until ECX = 0 or ZF = 0
repne, repnz   Repeat until ECX = 0 or ZF = 1
rep movsb - the logical equivalent of the C memcpy function
cmpsb - equivalent to the C function memcmp
stosb - equivalent to the C function memset