Linux x86-64 syscall calling convention:
rax - syscall number
rdi, rsi, rdx, r10, r8, r9 - arguments (note: r10, not rcx, carries the 4th argument)
return value placed in rax; a value in [-4095, -1] means failure and is -errno
the kernel clobbers rcx and r11; every other register is preserved across the syscall
Instruction set (Intel syntax; all IMM and REL fields are little-endian; REL32 is measured from the end of the jump instruction, i.e. from the address of the next instruction):
mov rax, imm64
>48 b8 IMM64
xor eax, eax (sets rax to 0, much shorter than mov rax, 0)
>31 c0
xor edx, edx
>31 d2
mov rdest, rsrc (ModRM register codes below; valid for these 8 legacy registers only - r8-r15 need the REX.R (src) / REX.B (dest) bits, as in the r8-r10 entries that follow)
ax bx cx dx sp bp si di
0 3 1 2 4 5 6 7
>48 89 (dest | src << 3 | 0xc0)
mov r8, rax (for syscalls)
>49 89 c0
mov r9, rax (for syscalls)
>49 89 c1
mov r10, rax (for syscalls)
>49 89 c2
xchg rax, rbx
>48 93
mov qword [rbx], rax
>48 89 03
mov rax, qword [rbx]
>48 8b 03
mov dword [rbx], eax
>89 03
mov eax, dword [rbx]
>8b 03
mov word [rbx], ax
>66 89 03
mov ax, word [rbx]
>66 8b 03
mov byte [rbx], al
>88 03
mov al, byte [rbx]
>8a 03
mov rax, qword [rbp+imm32]
>48 8b 85 IMM32 (note: imm may be negative)
lea rax, [rbp+imm32]
>48 8d 85 IMM32 (note: imm may be negative)
lea rsp, [rbp+imm32]
>48 8d a5 IMM32 (note: imm may be negative)
mov qword [rbp+imm32], rax
>48 89 85 IMM32 (note: imm may be negative)
mov qword [rsp+imm32], rax
>48 89 84 24 IMM32 (note: imm may be negative)
mov qword [rsp], rbp
>48 89 2c 24
mov rbp, qword [rsp]
>48 8b 2c 24
mov ebx, imm32
>bb IMM32
neg rax
>48 f7 d8
add rax, rbx
>48 01 d8
sub rax, rbx
>48 29 d8
imul rbx (signed; rdx:rax = rax * rbx)
>48 f7 eb
idiv rbx (signed; rax = rdx:rax / rbx, rdx = remainder - sign-extend rax into rdx first (cqo); rbx == 0 or a quotient that does not fit in rax raises #DE, i.e. SIGFPE)
>48 f7 fb
mul rbx (unsigned; rdx:rax = rax * rbx)
>48 f7 e3
div rbx (unsigned; rax = rdx:rax / rbx, rdx = remainder - zero rdx first with xor edx, edx; rbx == 0 or a quotient that does not fit in rax raises #DE, i.e. SIGFPE)
>48 f7 f3
not rax
>48 f7 d0
and rax, rbx
>48 21 d8
or rax, rbx
>48 09 d8
xor rax, rbx
>48 31 d8
shl rax, cl (the shift count, whether cl or imm8, is masked to 0-63 in 64-bit mode)
>48 d3 e0
shl rax, imm8
>48 c1 e0 IMM8
shr rax, cl
>48 d3 e8
shr rax, imm8
>48 c1 e8 IMM8
sar rax, cl
>48 d3 f8
sar rax, imm8
>48 c1 f8 IMM8
sub rsp, imm32
>48 81 ec IMM32
add rsp, imm32
>48 81 c4 IMM32
cmp rax, rbx
>48 39 d8
test rax, rax
>48 85 c0
jmp rel32
>e9 REL32
je rel32
>0f 84 REL32
jne rel32
>0f 85 REL32
jl rel32 (signed <)
>0f 8c REL32
jg rel32 (signed >)
>0f 8f REL32
jle rel32 (signed <=)
>0f 8e REL32
jge rel32 (signed >=)
>0f 8d REL32
jb rel32 (unsigned <)
>0f 82 REL32
ja rel32 (unsigned >)
>0f 87 REL32
jbe rel32 (unsigned <=)
>0f 86 REL32
jae rel32 (unsigned >=)
>0f 83 REL32
call rax (indirect call; rsp must be 16-byte aligned at this point when the target is compiled SysV code, and on CET/IBT-enforced systems the target must begin with endbr64)
>ff d0
ret
>c3
syscall (clobbers rcx and r11; the kernel preserves all other registers)
>0f 05
nop
>90
(more will be added as needed)
to be removed (equivalent to the [rsp+imm32] forms above with imm32 = 0, which are 4 bytes longer):
mov qword [rsp], rax
>48 89 04 24
mov rax, qword [rsp]
>48 8b 04 24