@7etsuo
Created June 13, 2025 18:23
cheatsheet_x86.txt
x86-64 STACK FRAME (System V AMD64 ABI)

Lower addresses (0x7fffffffeda8 in the example) - top of stack
┌────────────────┬──────────────────────────────────────────────┐
│ [rsp]          │ Top of stack                                 │
│ [rbp - (N+8)]  │ Alignment padding (if any)                   │
│ [rbp - N]      │ Last local variable                          │
│ ...            │                                              │
│ [rbp - 16]     │ Local var 2                                  │
│ [rbp - 8]      │ Local var 1                                  │
├────────────────┼──────────────────────────────────────────────┤
│ [rbp]          │ Saved RBP (preserved caller's base pointer)  │
├────────────────┼──────────────────────────────────────────────┤
│ [rbp + 8]      │ Return address (pushed by the CALL instr.)   │
├────────────────┼──────────────────────────────────────────────┤
│ [rbp + 16]     │ Stack arg 1 (7th argument, if on stack)      │
│ [rbp + 24]     │ Stack arg 2 (8th argument, if on stack)      │
│ [rbp + 32]     │ Stack arg 3 (9th argument, if on stack)      │
│ ...            │ pushed right to left by the caller           │
└────────────────┴──────────────────────────────────────────────┘
Higher addresses (0x7fffffffede8 in the example)

Locals live at [rbp - 8] and below and are accessed via negative rbp offsets;
stack-passed arguments live at [rbp + 16] and above:
    mov [rbp - 8], eax      ; store local var 1
    mov eax, [rbp - 16]     ; load local var 2
    mov edi, [rbp + 16]     ; load 1st stack arg (7th argument)

► Function Prologue
    push rbp            ; Save old base pointer
    mov rbp, rsp        ; Set up new base pointer
    sub rsp, N          ; Allocate space for locals
    and rsp, -16        ; Ensure 16-byte alignment

► Function Epilogue
    mov rsp, rbp        ; Restore stack pointer
    pop rbp             ; Restore old base pointer
    leave               ; Can be used in place of the two instructions above
    ret                 ; Return to caller

► Argument Passing (System V AMD64 ABI)
  ► Integer/Pointer arguments:
    • 1st: rdi   4th: rcx
    • 2nd: rsi   5th: r8
    • 3rd: rdx   6th: r9
    • 7th and beyond: pushed on the stack right-to-left
  ► Floating-point arguments:
    • xmm0 to xmm7 carry the first 8 floating-point arguments

► During a Nested Function Call
  1. Arguments for the callee are prepared (registers first, extras pushed)
  2. The call instruction pushes the return address
  3. The callee's stack frame is set up below the return address (at lower addresses)
  4. RSP moves to the top of the callee's frame
  5. On return, the callee's frame is removed
  6. RSP is restored to its pre-call state

► Key Concepts
  • RBP provides a stable frame reference
  • Local vars are accessed via negative offsets from RBP
  • Arguments (if on the stack) are accessed via positive offsets from RBP
  • The stack grows down (toward lower addresses)
  • 16-byte stack alignment is maintained

► Best Practices
  • Always balance pushes and pops
  • Preserve callee-saved registers (rbx, rbp, r12-r15)
  • Maintain 16-byte stack alignment before calls
  • Clean up the stack in the calling convention's standard way (the caller removes stack arguments)

► Notes
  • This layout follows System V AMD64 ABI conventions
  • Some compilers may optimize out RBP usage (frame-pointer omission)
  • The actual memory layout may vary with optimizations
  • The Windows x64 calling convention differs significantly
  • Always consult current ABI documentation for specifics
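The following program is an added example, not part of the gist, that exercises the layout above from C on x86-64 Linux. Two small routines are hand-written in AT&T-syntax assembly inside a file-scope `__asm__` block: `sum7` takes seven integer arguments, so the first six arrive in rdi, rsi, rdx, rcx, r8 and r9 while the seventh is read from the caller's stack at [rbp + 16] after the standard push/mov prologue; `entry_rsp_mod16` returns `rsp & 15` as observed at function entry, which the ABI fixes at 8 (the caller aligned rsp to 16 before `call`, and `call` pushed an 8-byte return address). The function names and the local at [rbp - 8] are this example's own choices.

```c
/* x86-64 System V stack-frame demo (added example; Linux, GCC or Clang).
 * Build: cc -O2 -o frame_demo frame_demo.c && ./frame_demo */
#include <stdint.h>
#include <stdio.h>

#if !(defined(__x86_64__) && defined(__linux__))
#error "This example is written for x86-64 Linux (System V AMD64 ABI)."
#endif

/* Prototypes seen by C; the bodies are the assembly below. */
int64_t sum7(int64_t a, int64_t b, int64_t c, int64_t d,
             int64_t e, int64_t f, int64_t g);
uint64_t entry_rsp_mod16(void);

__asm__(
    ".text\n"
    ".globl sum7\n"
    ".type sum7, @function\n"
    "sum7:\n"
    "    pushq %rbp\n"            /* [rbp]      <- caller's base pointer       */
    "    movq  %rsp, %rbp\n"      /* [rbp + 8]  is now the return address      */
    "    subq  $16, %rsp\n"       /* room for local var 1 at [rbp - 8]; keeps  */
                                  /* rsp 16-byte aligned (entry rsp was 8 mod 16) */
    "    movq  %rdi, %rax\n"      /* 1st argument */
    "    addq  %rsi, %rax\n"      /* 2nd */
    "    addq  %rdx, %rax\n"      /* 3rd */
    "    addq  %rcx, %rax\n"      /* 4th */
    "    addq  %r8,  %rax\n"      /* 5th */
    "    addq  %r9,  %rax\n"      /* 6th */
    "    movq  %rax, -8(%rbp)\n"  /* spill running total to local var 1       */
    "    movq  16(%rbp), %rax\n"  /* 7th argument: first stack arg at [rbp+16] */
    "    addq  -8(%rbp), %rax\n"  /* total = stack arg + spilled sum           */
    "    leave\n"                 /* mov rsp, rbp ; pop rbp                    */
    "    ret\n"                   /* pops [rbp + 8] into rip                   */
    ".size sum7, .-sum7\n"

    ".globl entry_rsp_mod16\n"
    ".type entry_rsp_mod16, @function\n"
    "entry_rsp_mod16:\n"          /* no prologue: observe rsp as the call left it */
    "    movq  %rsp, %rax\n"
    "    andq  $15, %rax\n"       /* ABI: caller aligned rsp to 16, call pushed 8 */
    "    ret\n"
    ".size entry_rsp_mod16, .-entry_rsp_mod16\n"
);

/* Convenience check callable from C: 1 if the caller honoured the ABI's
 * 16-byte pre-call alignment rule, 0 otherwise. */
int caller_was_aligned(void)
{
    return entry_rsp_mod16() == 8;
}

int main(void)
{
    printf("sum7(1..7)        = %lld\n", (long long)sum7(1, 2, 3, 4, 5, 6, 7));
    printf("rsp at entry mod 16 = %llu (8 means the caller was 16-byte aligned)\n",
           (unsigned long long)entry_rsp_mod16());
    return caller_was_aligned() ? 0 : 1;
}
```

Changing `16(%rbp)` to `24(%rbp)` in `sum7` is an easy way to see why the offsets matter: the function then returns whatever the caller happened to have above its seventh argument, with no crash and no warning, which is the same silent misread an off-by-one in a hand-written frame walker or a stack-based exploit mitigation check produces.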