Assembly Language
Registers

Purpose                              64-bit  8-bit
Syscall number / return value        rax     al
Callee saved                         rbx     bl
1st argument                         rdi     dil
2nd argument                         rsi     sil
3rd argument                         rdx     dl
4th argument / loop counter          rcx     cl
5th argument                         r8      r8b
6th argument                         r9      r9b

Pointer Registers

Purpose                              64-bit  8-bit
Base stack pointer                   rbp     bpl
Current / top stack pointer          rsp     spl
Instruction pointer ('call only')    rip     ipl
Assembly and Disassembly

Command                                                           Description
nasm -f elf64 helloWorld.s                                        Assemble code (produces helloWorld.o)
ld -o helloWorld helloWorld.o                                     Link code
ld -o fib fib.o -lc --dynamic-linker /lib64/ld-linux-x86-64.so.2  Link code with libc
objdump -M intel -d helloWorld                                    Disassemble .text section (Intel syntax)
objdump -M intel --no-show-raw-insn --no-addresses -d helloWorld  Show assembly only, without opcodes or addresses
objdump -sj .data helloWorld                                      Dump contents of .data section
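As an added example (not code from the original cheat sheet), a minimal helloWorld.s that the nasm, ld and objdump commands above can be run against as written. It uses the write and exit syscalls with the register roles from the Registers table; the file and label names are this example's own choice.

```nasm
; helloWorld.s (added example): write "Hello World!" to stdout, then exit(0).
; Build and run:
;   nasm -f elf64 helloWorld.s && ld -o helloWorld helloWorld.o && ./helloWorld
global _start

section .data
    message db "Hello World!", 0x0a      ; 13 bytes, newline included (write needs no NUL)
    length  equ $ - message              ; the assembler computes the byte count

section .text
_start:
    ; write(1, message, length) is syscall 1 (see unistd_64.h)
    mov rax, 1              ; syscall number in rax
    mov rdi, 1              ; 1st arg: fd 1 = stdout
    mov rsi, message        ; 2nd arg: address of the buffer
    mov rdx, length         ; 3rd arg: number of bytes
    syscall                 ; kernel returns bytes written (or -errno) in rax

    ; exit(0) is syscall 60
    mov rax, 60
    xor rdi, rdi            ; 1st arg: exit status 0
    syscall
```

After building, `objdump -M intel -d helloWorld` shows the encoding of each instruction, and `objdump -sj .data helloWorld` shows the message bytes in the .data section.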
GDB

Command                                    Description
gdb -q ./helloWorld                        Open binary in gdb
info functions                             View binary functions
info variables                             View binary variables
registers                                  View registers (GEF command; plain gdb: info registers)
disas _start                               Disassemble function or label
b _start                                   Break on label/function
b *0x401000                                Break at specific address
r                                          Run binary
x/4xg $rip                                 Examine 4 quadwords (hex) at the address in rip
si                                         Step one instruction (enters calls)
s                                          Step one source line
ni                                         Step over one instruction (does not enter calls)
c                                          Continue execution
patch string 0x402000 "Patched!\x0a"       Patch memory value (GEF command)
set $rdx=0x9                               Set register value
Assembly Instructions

Data Movement

Instruction  Description                             Example
mov          Move or load immediate data             mov rax, 1 → rax = 1
lea          Load address of value                   lea rax, [rsp+5] → rax = rsp+5
xchg         Swap two registers or addresses         xchg rax, rbx

Unary Arithmetic

Instruction  Description                             Example
inc          Increment by 1                          inc rax → rax++
dec          Decrement by 1                          dec rax → rax--

Binary Arithmetic

Instruction  Description                             Example
add          Add operands                            add rax, rbx
sub          Subtract source from destination        sub rax, rbx
imul         Multiply operands                       imul rax, rbx

Bitwise Operations

Instruction  Description                             Example
not          Invert bits                             not rax
and          Logical AND                             and rax, rbx
or           Logical OR                              or rax, rbx
xor          Logical XOR                             xor rax, rbx

Loops and Branching

Loops

Instruction  Description                                        Example
mov rcx, x   Set loop counter                                   mov rcx, 3
loop         Decrement rcx, jump back while rcx ≠ 0             loop exampleLoop

Branching (conditions refer to the FLAGS set by the preceding cmp or arithmetic instruction; D = destination, S = source)

Instruction  Description                             Condition
jmp          Unconditional jump                      -
jz           Jump if zero                            D = 0
jnz          Jump if not zero                        D ≠ 0
js           Jump if negative                        D < 0
jns          Jump if not negative                    D ≥ 0
jg           Jump if greater                         D > S
jge          Jump if greater or equal                D ≥ S
jl           Jump if less                            D < S
jle          Jump if less or equal                   D ≤ S
cmp          Compare (sets FLAGS)                    cmp rax, rbx
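An added example (not from the original cheat sheet) that exercises the loop, cmp and conditional-jump rows above in one small program: it sums 1..10 with a counted loop, then clamps the result with cmp/jle so it fits in the one-byte exit status. File and label names are this example's own.

```nasm
; sumLoop.s (added example): rcx-counted loop plus a cmp/jle decision.
; Build and run:
;   nasm -f elf64 sumLoop.s && ld -o sumLoop sumLoop.o && ./sumLoop; echo $?
; Prints 55 (1 + 2 + ... + 10).
global _start

section .text
_start:
    xor rax, rax            ; rax = running sum = 0
    mov rcx, 10             ; loop counter: 10 iterations (try 100 to see the clamp below)

sumLoop:
    add rax, rcx            ; rax += rcx (adds 10, 9, ..., 1)
    loop sumLoop            ; rcx--; jump back while rcx != 0

    ; the exit status is one byte, so anything above 255 is clamped
    cmp rax, 255            ; sets FLAGS from rax - 255
    jle asStatus            ; D <= S: rax fits, use it as-is
    mov rax, 255            ; otherwise clamp (rcx = 100 gives 5050 and takes this path)

asStatus:
    mov rdi, rax            ; 1st arg: exit status
    mov rax, 60             ; exit syscall
    syscall
```

Single-stepping this in gdb with si while watching rcx and rax with the registers command shows the counter decrementing and the sum accumulating; the flags set by cmp decide which path jle takes.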
Stack Operations

Instruction  Description                             Example
push         Push register/value onto the stack      push rax
pop          Pop stack top into register             pop rax

Functions

Instruction  Description                             Example
call         Push return address, jump to function   call printMessage
ret          Pop return address into rip, jump       ret
System and Function Calls

Command                                                          Description
cat /usr/include/x86_64-linux-gnu/asm/unistd_64.h | grep write   Look up the write syscall number
man -s 2 write                                                   Man page for write syscall
man -s 3 printf                                                  Man page for printf

Syscall Convention

1. Save registers to the stack.
2. Place the syscall number in rax.
3. Set arguments in registers (note: the 4th syscall argument goes in r10, not rcx).
4. Use the syscall instruction.
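An added example (not from the original cheat sheet) of the four syscall steps with the return value in rax actually checked: it reads from stdin up to three times and writes each chunk back, saving the loop counter around every syscall because the kernel clobbers rcx and r11. File, buffer and label names are this example's own.

```nasm
; echo.s (added example): syscall convention with the return value checked.
; Build and run:
;   nasm -f elf64 echo.s && ld -o echo echo.o && echo hello | ./echo
global _start

section .bss
    buffer resb 64              ; 64-byte input buffer

section .text
_start:
    mov rcx, 3                  ; loop counter: at most three read/write rounds

echoLoop:
    push rcx                    ; step 1: save; the kernel clobbers rcx and r11 on every syscall

    ; read(0, buffer, 64) is syscall 0
    xor eax, eax                ; step 2: rax = 0 (SYS_read)
    xor edi, edi                ; step 3: 1st arg, fd 0 = stdin
    mov rsi, buffer             ;         2nd arg, buffer address
    mov rdx, 64                 ;         3rd arg, maximum byte count
    syscall                     ; step 4: rax = bytes read, 0 at EOF, or -errno on error

    cmp rax, 0
    jle finish                  ; nothing to echo (EOF or error): stop

    ; write(1, buffer, rax) is syscall 1; pass on the count that read returned
    mov rdx, rax                ; 3rd arg: bytes actually read (copy before rax is reused)
    mov rax, 1                  ; rax = 1 (SYS_write)
    mov rdi, 1                  ; 1st arg: fd 1 = stdout
    mov rsi, buffer             ; 2nd arg: same buffer
    syscall

    pop rcx                     ; restore the loop counter
    loop echoLoop               ; rcx--, repeat while rcx != 0

finish:
    mov rax, 60                 ; exit(0); the rcx still on the stack on the jle path is harmless
    xor edi, edi
    syscall
```

With `echo hello | ./echo` the first read returns 6 and the bytes are echoed; the second read returns 0 at EOF, so the program exits after one round. A negative rax (for example a closed stdin) takes the same jle path, which is why the check is `jle` and not `jz`.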
Function Convention

1. Save caller-saved registers.
2. Pass function arguments.
3. Fix stack alignment.
4. Return value in rax.
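An added example (not the cheat sheet's own fib.s, although it matches the libc link command above) that ties together call/ret, push/pop and the four function-convention steps: a fib function that returns its result in rax and preserves the callee-saved rbx, and a printResult function that realigns the stack before calling libc's printf. The function and label names are this example's own.

```nasm
; fib.s (added example): call/ret and the function convention, using libc printf.
; Build and run:
;   nasm -f elf64 fib.s && ld -o fib fib.o -lc --dynamic-linker /lib64/ld-linux-x86-64.so.2 && ./fib
; Prints: fib(10) = 55
global _start
extern printf
extern exit

section .data
    fmt db "fib(%ld) = %ld", 0x0a, 0    ; printf format, NUL-terminated like any C string

section .text
_start:
    mov rdi, 10             ; step 2: 1st arg n = 10
    call fib                ; push return address, jump; rax = fib(10) on return

    ; step 1: rcx was used by fib as its loop counter and is caller-saved, so nothing
    ; in rcx/rdx/rsi/rdi/r8-r11 can be relied on here; rbx (callee-saved) is intact.
    mov rdi, 10             ; 1st arg: n
    mov rsi, rax            ; 2nd arg: fib(n), taken from rax (step 4)
    call printResult

    xor edi, edi            ; exit(0) through libc so buffered stdout is flushed
    call exit

; fib(n): rdi = n, returns fib(n) in rax. Uses rcx (caller-saved) freely,
; but saves and restores rbx because it is callee-saved.
fib:
    push rbx                ; caller expects rbx unchanged on return
    xor rax, rax            ; fib(0)
    mov rbx, 1              ; fib(1)
    mov rcx, rdi            ; loop counter = n
    test rcx, rcx
    jz fibDone              ; n = 0: loop would otherwise wrap to 2^64 iterations
fibLoop:
    add rax, rbx            ; rax = fib(i) + fib(i+1)
    xchg rax, rbx           ; rax = smaller term, rbx = larger term
    loop fibLoop            ; after n iterations rax = fib(n)
fibDone:
    pop rbx                 ; restore callee-saved register
    ret                     ; pop return address into rip

; printResult(n, value): printf(fmt, n, value). On entry rsp is 8 bytes off
; 16-byte alignment (the call pushed the return address); step 3 fixes that.
printResult:
    push rbp                ; saves rbp and realigns rsp to 16 bytes before the next call
    mov rbp, rsp
    mov rdx, rsi            ; 3rd printf arg: value
    mov rsi, rdi            ; 2nd printf arg: n
    lea rdi, [rel fmt]      ; 1st printf arg: format string
    xor eax, eax            ; variadic call: al = number of vector registers used (0)
    call printf             ; printf may clobber every caller-saved register
    pop rbp
    ret
```

If the `push rbp` in printResult is removed, printf is entered with a misaligned stack; it may still appear to work for this format string, but any libc routine that uses aligned SSE stores on the stack will crash, which is why step 3 is part of the convention rather than an optimisation.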
Shellcoding

Common Commands

Command                                   Description
pwn asm 'push rax' -c 'amd64'             Assemble instruction
pwn disasm '50' -c 'amd64'                Disassemble shellcode
python3 shellcoder.py helloworld          Extract binary shellcode
python3 loader.py '4831..0f05'            Run shellcode
python assembler.py '4831..0f05'          Assemble shellcode

Shellcraft

Command                                   Description
pwn shellcraft -l 'amd64.linux'           List available syscalls
pwn shellcraft amd64.linux.sh             Generate shellcode
pwn shellcraft amd64.linux.sh -r          Run shellcode

Msfvenom

Command                                                                                   Description
msfvenom -l payloads | grep 'linux/x64'                                                   List linux/x64 payloads
msfvenom -p 'linux/x64/exec' CMD='sh' -a 'x64' --platform 'linux' -f 'hex'                Generate shellcode
msfvenom -p 'linux/x64/exec' CMD='sh' -a 'x64' --platform 'linux' -f 'hex' -e 'x64/xor'   Generate encoded shellcode

Shellcoding Requirements

1. No variables.
2. No direct memory references.
3. No null bytes (00).
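An added example (not the output of the cheat sheet's shellcoder.py) showing what the three requirements mean in practice: the hello-world program rewritten so that the string lives on the stack instead of in .data (no variables), every address is rsp-relative (no direct memory references), and small constants are loaded with push/pop and xor instead of mov immediates so the encoding contains no 00 bytes. The message text and file name are this example's own.

```nasm
; helloShell.s (added example): position-independent, null-free hello world.
; Build, run and inspect the encoding:
;   nasm -f elf64 helloShell.s && ld -o helloShell helloShell.o && ./helloShell
;   objdump -M intel -d helloShell      (no "00" appears in the opcode column)
global _start

section .text
_start:
    ; Requirement 1: no variables. Build "Hello from asm!\n" (16 bytes) on the
    ; stack, last 8 bytes first. mov rbx, imm64 encodes as 48 bb + the 8 string
    ; bytes, so the immediate contributes no 00 bytes.
    mov rbx, 0x0a216d7361206d6f     ; "om asm!\n" as a little-endian quadword
    push rbx
    mov rbx, 0x7266206f6c6c6548     ; "Hello fr" as a little-endian quadword
    push rbx                        ; rsp now points at the start of the string

    ; Requirement 3: no 00 bytes. "mov rax, 1" encodes as 48 c7 c0 01 00 00 00,
    ; so small constants go through push imm8 / pop reg instead.
    push 1
    pop rax                         ; rax = 1 (SYS_write)
    push 1
    pop rdi                         ; rdi = 1 (stdout)
    mov rsi, rsp                    ; Requirement 2: buffer address taken from rsp, no absolute address
    push 16
    pop rdx                         ; rdx = 16 bytes
    syscall

    ; exit(0)
    push 60
    pop rax                         ; rax = 60 (SYS_exit)
    xor edi, edi                    ; rdi = 0 as 31 ff; "mov rdi, 0" would contain 00 bytes
    syscall
```

Because nothing refers to a fixed address, the .text bytes of this program can be extracted and executed from any location, which is the property the loader.py and pwn shellcraft -r commands above depend on; the same objdump check is how to confirm a generated payload meets requirement 3 before using it.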