X86/WIN32 Reverse Engineering Cheat Sheet


Post on 21-Jun-2018


<ul><li>
<p>X86/WIN32 REVERSE ENGINEERING CHEAT SHEET</p>
<p>Registers</p>
<p>GENERAL PURPOSE 32 BIT REGISTERS</p>
<p>EAX: Contains the return value of a function call.</p>
<p>ECX: Used as a loop counter. "this" pointer in C++.</p>
<p>EBX: General Purpose</p>
<p>EDX: General Purpose</p>
<p>ESI: Source index pointer</p>
<p>EDI: Destination index pointer</p>
<p>ESP: Stack pointer</p>
<p>EBP: Stack base pointer</p>
<p>SEGMENT REGISTERS</p>
<p>CS: Code segment</p>
<p>SS: Stack segment</p>
<p>DS: Data segment</p>
<p>ES: Extra data segment</p>
<p>FS: Points to Thread Information Block (TIB)</p>
<p>GS: Extra data segment</p>
<p>MISC. REGISTERS</p>
<p>EIP: Instruction pointer</p>
<p>EFLAGS: Processor status flags.</p>
<p>STATUS FLAGS</p>
<p>ZF: Zero: Operation resulted in Zero</p>
<p>CF: Carry: source &gt; destination in subtract</p>
<p>SF: Sign: Operation resulted in a negative #</p>
<p>OF: Overflow: result too large for destination</p>
<p>16 BIT AND 8 BIT REGISTERS</p>
<p>The four primary general purpose registers (EAX, EBX, ECX and EDX) have 16 and 8 bit overlapping aliases.</p>
<p>EAX: 32 bit</p>
<p>AX: 16 bit</p>
<p>AH, AL: 8 bit</p>
<p>The Stack</p>
<p>[Stack diagram; surviving labels: Low Addresses, Empty, Parameters, Parent function's data]</p>
<p>Instructions</p>
<p>ADD, Adds to. may be a register or memory. may be a register, memory or immediate value.</p>
<p>CALL Call a function and return to the next instruction when finished. may be a relative offset from the current location, a register or memory addr.</p>
<p>CMP, Compare with . Similar to SUB instruction but does not modify the operand with the result of the subtraction.</p>
<p>DEC Subtract 1 from. may be a register or memory.</p>
<p>DIV Divide the EDX:EAX registers (64 bit combo) by. may be a register or memory.</p>
<p>INC Add 1 to. may be a register or memory.</p>
<p>JE Jump if Equal (ZF=1) to.</p>
<p>JG Jump if Greater (ZF=0 and SF=OF) to.</p>
<p>JGE Jump if Greater or Equal (SF=OF) to.</p>
<p>JLE Jump if Less or Equal (SF OF) to.</p>
<p>JMP Jump to. Unconditional.</p>
<p>JNE Jump if Not Equal (ZF=0) to.</p>
<p>JNZ Jump if Not Zero (ZF=0) to.</p>
<p>JZ Jump if Zero (ZF=1) to.</p>
<p>LEA, Load Effective Address. Gets a pointer to the memory expression and stores it in .</p>
<p>MOV, Move data from to. may be an immediate value, register, or a memory address. Dest may be either a memory address or a register. Both and may not be memory addresses.</p>
<p>MUL Multiply the EDX:EAX registers (64 bit combo) by. may be a register or memory.</p>
<p>POP Take a 32 bit value from the stack and store it in. ESP is incremented by 4. may be a register, including segment registers, or memory.</p>
<p>PUSH Adds a 32 bit value to the top of the stack. Decrements ESP by 4. may be a register, segment register, memory or immediate value.</p>
<p>ROL, Bitwise Rotate Left the value in by bits. may be a register or memory address. may be immediate or CL register.</p>
<p>ROR, Bitwise Rotate Right the value in by bits. may be a register or memory address. may be immediate or CL register.</p>
<p>dest) &gt; CF=1, (source CF=0 and ZF=0</p>
<p>TEST, Performs a logical OR operation but does not modify the value in the operand. (source = dest) &gt; ZF=1, (source dest) &gt; ZF=0.</p>
<p>XCHG</p>
</li></ul>
