Concepts
- Common Instructions
- Value Representation
- Negative Numbers
- 2s Complement
- Endianness
- Data Structures
- Negative Numbers
- Stack Frame Format
Dynamic Analysis
- Tools
- gdb
- strace
- Break Points
- Inspecting Buffers
- Registers
- Variables
- Stack
- Invoking Functions
Static Analysis
- Tools
- Binary Ninja
- strings
- Labelling Variables
- Identifying Routine Instructions
- System/Function Calls
- function call: call
- system call: syscall (invokes the system call whose number is in rax)
- rax = system call number
- first six params in rdi, rsi, rdx, rcx, r8, r9 (r8d/r9d are the low 32-bit halves of r8/r9)
- push other params into stack
- zero-out eax
- call function (pushes the return address onto the stack)
- save ebp (the caller's frame pointer)
- update ebp to esp (base of the new frame)
- return value is stored in rax
- https://filippo.io/linux-syscall-table/
- If/Else Blocks
- Returning Values
- AX/EAX/RAX usually designated as return register
- Loops
- Counter-based
- Register Preservation / Delegating Temporary Registers
- Pushing registers upon entry to function and then popping them upon exit
- System/Function Calls
Important Notes (source: https://wiki.cdot.senecacollege.ca/wiki/X86_64_Register_and_Instruction_Quick_Start)
Usage during syscall/function call:
- First six arguments are in rdi, rsi, rdx, rcx, r8, r9; remaining arguments are on the stack.
- For syscalls, the syscall number is in rax.
- Return value is in rax.
- The called routine is expected to preserve rsp, rbp, rbx, r12, r13, r14, and r15 but may trample any other registers.
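The register convention listed above (and in the System/Function Calls notes) can be exercised directly. The following is an added example, not part of these notes or the linked wiki: it issues a raw Linux system call from C using inline assembly, placing the number in rax and the arguments in rdi, rsi, rdx, and reading the result back from rax. It assumes x86-64 Linux with GCC or Clang; on any other platform it falls back to libc's `syscall()` wrapper. One caveat the notes do not spell out: for the `syscall` instruction the kernel takes the fourth argument in r10 rather than rcx, because `syscall` itself overwrites rcx (with the return address) and r11 (with rflags). The function names `raw_syscall3`, `raw_write`, `raw_getpid` and `write_msg` are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Raw Linux system call with up to three arguments, following the
 * register convention from the notes: syscall number in rax, arguments
 * in rdi, rsi, rdx (then r10, r8, r9 for the 4th-6th; the kernel ABI uses
 * r10 where a normal function call would use rcx), result in rax.
 * The kernel reports errors as -errno in rax; this function passes that
 * through unchanged so callers see the kernel's own convention.
 * Off x86-64 Linux it falls back to libc's syscall() wrapper and converts
 * errno into the same -errno form. */
static long raw_syscall3(long nr, long a1, long a2, long a3) {
#if defined(__x86_64__) && defined(__linux__) && defined(__GNUC__)
    long ret;
    __asm__ volatile (
        "syscall"
        : "=a"(ret)                          /* output: rax -> ret        */
        : "0"(nr), "D"(a1), "S"(a2), "d"(a3) /* rax, rdi, rsi, rdx        */
        : "rcx", "r11", "memory"             /* syscall clobbers rcx, r11 */
    );
    return ret;
#else
    long ret = syscall(nr, a1, a2, a3);      /* portable fallback */
    return ret < 0 ? -errno : ret;
#endif
}

/* write(fd, buf, len) issued directly; returns bytes written or -errno. */
long raw_write(int fd, const char *buf, size_t len) {
    return raw_syscall3(SYS_write, fd, (long)buf, (long)len);
}

/* getpid() issued directly, so it can be compared with the libc wrapper. */
long raw_getpid(void) {
    return raw_syscall3(SYS_getpid, 0, 0, 0);
}

/* Write a C string to stdout (fd 1), returning the byte count. */
long write_msg(const char *msg) {
    return raw_write(1, msg, strlen(msg));
}

int main(void) {
    long n = write_msg("hello from a raw syscall\n");
    long bad = raw_write(-1, "x", 1);        /* invalid fd -> -EBADF */
    return (n > 0 && bad == -EBADF && raw_getpid() == getpid()) ? 0 : 1;
}
```

Compile with `gcc -O2 example.c -o example`. When disassembling the result, the `mov $1,%eax` / `syscall` pair in `raw_write` is exactly the "rax = system call number" pattern the notes describe, and the negative return from the bad-descriptor call shows why decompiler output often tests `rax` against a small negative range right after a `syscall`.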
Other References: