global _start                           ; export the entry symbol that ld uses by default
section .text                           ; code: read + execute
_start:                                 ; execution begins here
Code                                    ; <placeholder: instructions go here>
section .data                           ; initialized, writable data (db/dw/dd/dq)
Initialized Variables                   ; <placeholder: initialized data definitions>
section .bss                            ; zero-initialized, writable data (resb/resw/resd/resq)
Uninitialized Variables                 ; <placeholder: reserved, uninitialized storage>
# nasm -f elf64 file.nasm -o file.o
# ld file.o -o file
# ld -N file.o -o file <== Option -N makes the text segment writable (read/write/execute, not page-aligned), so the program can read and write its own .text; this disables W^X for the whole binary
# objdump -M intel -d FILE.o
Generate Shellcode One Liner
# echo "\"$(objdump -d FILE.o | grep '[0-9a-f]:' | cut -d$'\t' -f2 | grep -v 'file' | tr -d " \n" | sed 's/../\\x&/g')\""
64 bits
32 bits
16 bits
8 bits
Description
rax
eax
ax
al
Accumulator; used to store some calculation results
rbx
ebx
bx
bl
Base; index register for MOVE
rcx
ecx
cx
cl
Counter; count for string operations & shifts
rdx
edx
dx
dl
Data; port address for IN and OUT
rsi
esi
si
sil
Source Index (source for data copies)
rdi
edi
di
dil
Destination Index (destination for data copies)
rsp
esp
sp
spl
Stack Pointer
rip
eip
ip
(none; rip has no 8-bit form)
Instruction Pointer
rbp
ebp
bp
bpl
Base Pointer (start of the current stack frame)
r8
r8d
r8w
r8b
General Purpose
...
...
...
...
General Purpose
r15
r15d
r15w
r15b
General Purpose
Bit #
Abbreviation
Description
FLAGS
0
CF
Carry flag
1
Reserved
always 1 in EFLAGS
2
PF
Parity flag
3
Reserved
4
AF
Adjust flag
5
Reserved
6
ZF
Zero flag
7
SF
Sign flag
8
TF
Trap flag (single step)
9
IF
Interrupt enable flag
10
DF
Direction flag
11
OF
Overflow flag
12-13
IOPL
I/O privilege level (286+ only)
14
NT
Nested task flag (286+ only)
15
Reserved.
Always 1 on 8086 and 186, always 0 on later models
EFLAGS
16
RF
Resume flag (386+ only)
17
VM
Virtual 8086 mode flag (386+ only)
18
AC
Alignment check (486SX+ only)
19
VIF
Virtual interrupt flag (Pentium+)
20
VIP
Virtual interrupt pending (Pentium+)
21
ID
Able to use CPUID instruction (Pentium+)
22-31
Reserved
RFLAGS
32-63
Reserved
Instruction
Description
Opcode
Instruction Size
mov op1, op2
Copy op2 into op1
lea op1, op2
Load Effective Address of op2 into op1
xchg op1, op2
op1 <- op2 and op2 <- op1
Comparison and Test Instructions
Instruction
Description
Opcode
Instruction Size
cmp Op1, Op2
Set condition codes according to Op1-Op2
test Op1, Op2
Set condition codes according to Op1 & Op2
Instruction
Description
Opcode
Instruction Size
add op1, op2
op1 <- (op1 + op2 )
sub op1, op2
op1 <- (op1 - op2 )
inc op1
op1 <- (op1 + 1)
dec op1
op1 <- (op1 - 1)
Scan / Compare / Copy Strings
Instruction
Description
Opcode
Instruction Size
scasb / scasw / scasd / scasq
Compares al/ax/eax/rax with memory pointed by rdi. If equals ZF = 1
cmpsb / cmpsw / cmpsd / cmpsq
Compares [rsi] with [rdi] and sets the flags (ZF = 1 if equal)
lodsb / lodsw / lodsd / lodsq
rax <- [rsi]
movsb / movsw / movsd / movsq
[rdi] <- [rsi]
Instruction
Description
Condition Code
Opcode
Instruction Size
jmp label
Jump to label
je / jz label
Jump if equal/zero
ZF = 1
jne / jnz label
Jump if not equal/nonzero
ZF = 0
js label
Jump if negative
SF = 1
jns label
Jump if nonnegative
SF = 0
jg / jnle label
Jump if greater (signed)
ZF = 0 and SF = OF
jge / jnl label
Jump if greater or equal (signed)
SF = OF
jl / jnge label
Jump if less (signed)
SF <> OF
jle / jng label
Jump if less or equal (signed)
ZF = 1 or SF <> OF
ja / jnbe label
Jump if above (unsigned)
CF = 0 and ZF = 0
jae / jnb label
Jump if above or equal (unsigned)
CF = 0
jb / jnae label
Jump if below (unsigned)
CF = 1
jbe / jna label
Jump if below or equal (unsigned)
CF = 1 or ZF = 1
Instruction
Description
Opcode
Instruction Size
loop label
Decrements RCX and jumps to label if RCX <> 0
loope / loopz label
Decrements RCX and jumps to label if RCX <> 0 and ZF = 1
loopne / loopnz label
Decrements RCX and jumps to label if RCX <> 0 and ZF = 0
Procedure Call instructions
Instruction
Description
Opcode
Instruction Size
call label
Push return address and jump to label
call @
Push return address and jump to specified location
leave
Set RSP to RBP, then pop top of stack into RBP
ret
Pop return address from stack and jump there
Instruction
Description
Opcode
Instruction Size
rol
Rotate Left. bit_0 <- bit_64 and CF <- bit_64
ror
Rotate Right. bit_64 <- bit_0 and CF <- bit_0
rcl
Rotate Left through carry. bit_0 <- CF, then CF <- bit_64
rcr
Rotate Right through carry. bit_64 <- CF, then CF <- bit_0
shl / sal
shr / sar
Instruction
Description
Opcode
Instruction Size
sti / cli
Sets IF to 1 or 0
std / cld
Sets DF to 1 or 0
stc / clc / cmc
Sets CF to 1, 0 or inverts it
Instruction
Description
Opcode
Instruction Size
loop label
rcx -= 1; if rcx != 0 jumps to label, otherwise (rcx == 0) continues
rep instruction
if rcx != 0 executes instruction, then decrements rcx; when rcx == 0 continues
Values returned in RAX.
Registers:
RAX : System Call Number
RDI : Argument 1
RSI : Argument 2
RDX : Argument 3
R10 : Argument 4
R8 : Argument 5
R9 : Argument 6
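global _start
section .text
_start:
    jmp     call_shellcode              ; forward jump so that `call` below pushes the address of `string`
shellcode:
    pop     rsi                         ; RSI <- address of `string` (the return address pushed by the call)
    <CODE>                              ; placeholder: code that consumes the data at [rsi]
call_shellcode:
    call    shellcode                   ; pushes the address of the byte following this call, i.e. `string`
string: db "Hello World"                ; inline data; NASM needs ASCII quotes here (the original used curly quotes)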
Stack string: push the string bytes in reverse order, then copy RSP into RSI so that RSI holds the address of the string.
global _start                           ; entry symbol ld uses by default
section .text
_start:
jmp real_start                          ; skip over the inline data so it is never executed as code
hello_world: db "Hello World" , 0xa     ; string stored inside .text, directly after the jmp
real_start:
lea rsi , [ rel hello_world ]           ; RSI <- address of hello_world, RIP-relative (position independent)
exit ( int )
fork ( pointer )
read ( uint , char * , int )
write ( uint , char * , int )
open ( char * , int , int )
Calling Assembly Function from C
#include <stdio.h>
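int add(int op1, int op2);          /* implemented in assembly (add.nasm) */

/* Prints add(1, 2). The original had a stray '(' before `main` and declared it
 * `void`; C requires `int main(void)`. */
int main(void)
{
    printf("%d", add(1, 2));
    return 0;
}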
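global add
section .text
;-----------------------------------------------------------------------
; int add(int op1, int op2)        -- 32-bit cdecl
; In:    [esp+4] = op1, [esp+8] = op2 (pushed right-to-left by the caller)
; Out:   eax = op1 + op2
; Clobb: eax, flags
; (The original's `section data` lacked the dot and was unused; removed.)
;-----------------------------------------------------------------------
add:
    mov     eax, [esp + 4]              ; eax = op1
    add     eax, [esp + 8]              ; eax += op2 (the original did a second mov, discarding op1)
    ret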
# nasm -f elf add.nasm -o add.o
# gcc -Wall main.c add.o -o main  (add.o is a 32-bit ELF object, so on a 64-bit host add -m32)
Calling C Function from Assembly
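/* Returns op1 + op2. The original returned `a + b`, names that are not
 * declared in this function. */
int add(int op1, int op2)
{
    return op1 + op2;
}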
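extern add
extern printf
extern exit
global _start                           ; ld's default entry symbol is _start (the original exported `start`)
section .data
format: db "%d", 10, 0                  ; "%d\n"; the label was split as `form at` in the original
section .text
_start:                                 ; the original never defined the label it exported
    push    2                           ; cdecl: arguments pushed right-to-left
    push    1
    call    add                         ; eax = add(1, 2)
    add     esp, 8                      ; caller removes the two arguments
    push    eax
    push    format
    call    printf                      ; printf(format, eax)
    add     esp, 8
    push    0
    call    exit                        ; exit(0) does not return, so no cleanup follows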
# gcc -Wall -c add.c -o add.o
# nasm -f elf main.asm -o main.o
# ld main.o add.o -lc -I /lib/ld-linux.so.2  (-I sets the dynamic linker, i.e. --dynamic-linker)