x86/win32 reverse engineering cheat ?· x86/win32 reverse engineering cheat­sheet registers...

Download X86/WIN32 reverse engineering Cheat ?· X86/WIN32 REVERSE ENGINEERING CHEAT­SHEET Registers Instructions…

Post on 21-Jun-2018

214 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • X86/WIN32REVERSEENGINEERINGCHEATSHEET

    Registers Instructions

    GENERALPURPOSE32BITREGISTERS ADD, Adds to.maybearegisterormemory.mayEAX Containsthereturnvalueofafunctioncall. Bearegister,memoryorimmediatevalue.ECX Usedasaloopcounter."this"pointerinC++. CALL Callafunctionandreturntothenextinstructionwhenfinished. EBX GeneralPurpose maybearelativeoffsetfromthecurrentlocation,aregisterormemoryaddr.EDX GeneralPurpose CMP, Compare with .SimilartoSUBinstruction butdoesnotESI Sourceindexpointer Modifythe operandwiththeresultofthesubtraction.EDI Destinationindexpointer DEC Subtract1from.maybearegisterormemory.ESP Stackpointer DIV DividetheEDX:EAXregisters(64bitcombo)by.maybeEBP Stackbasepointer a registerormemory.SEGMENTREGISTERS INC Add1to.maybearegisterormemory.CS Codesegment JE JumpifEqual(ZF=1)to.SS Stacksegment JG JumpifGreater(ZF=0andSF=OF)to.DS Datasegment JGE JumpifGreaterorEqual(SF=OF)to.ES Extradatasegment JLE JumpisLessorEqual(SFOF)to.FS PointstoThreadInformationBlock(TIB) JMP Jumpto. Unconditional.GS Extradatasegment JNE JumpifNotEqual (ZF=0)to.

    MISC.REGISTERS JNZ JumpifNotZero(ZF=0)to.EIP Instructionpointer JZ JumpifZero(ZF=1)to.

    EFLAGS Processorstatusflags. LEA, LoadEffectiveAddress.GetsapointertothememoryexpressionSTATUSFLAGS andstoresitin .ZF Zero:OperationresultedinZero MOV, Movedatafrom to.maybeanimmediatevalue,CF Carry:source>destinationinsubtract register, oramemoryaddress.DestmaybeeitheramemoryaddressoraSF Sign:Operationresultedinanegative# register. Both andmaynotbememoryaddresses.OF Overflow:resulttoolargefordestination MUL MultiplytheEDX:EAXregisters(64bitcombo)by.may

    16BITAND8BITREGISTERS bearegisterormemory.Thefourprimarygeneralpurposeregisters(EAX,EBX,ECXandEDX)have16and8bitoverlappingaliases.

    POP Takea32bitvaluefrom thestackandstoreitin.ESPisincremented by4.maybearegister,includingsegmentregisters,ormemory.

    EAX 32bit PUSH Addsa32bitvaluetothetopofthestack.DecrementsESPby4. AX 16bit maybearegister,segmentregister,memoryorimmediatevalue.

    AH AL 8bit ROL, BitwiseRotateLeftthevalueinbybits.maybea registerormemoryaddress.maybeimmediateorCLregister.

    TheStackROR, BitwiseRotateRight thevalueinbybits.maybea

    registerormemoryaddress.maybeimmediateorCLregister.

    LowAddresses

    Empty

    dest)>CF=1,(sourceCF=0andZF=0 Parameters TEST, PerformsalogicalORoperationbutdoesnotmodifythevalueinthe Parentfunction's

    data operand.(source=dest)>ZF=1,(sourcedest)>ZF=0.

    XCHG

Recommended

View more >