x86/Win32 Reverse Engineering Cheat Sheet

Registers

GENERAL PURPOSE 32 BIT REGISTERS
EAX  Contains the return value of a function call.
ECX  Used as a loop counter. "this" pointer in C++ (thiscall).
EBX  General purpose.
EDX  General purpose (also the high half of 64-bit results from MUL/DIV).
ESI  Source index pointer.
EDI  Destination index pointer.
ESP  Stack pointer.
EBP  Stack base pointer (frame pointer).

SEGMENT REGISTERS
CS  Code segment.
SS  Stack segment.
DS  Data segment.
ES  Extra data segment.
FS  Points to the Thread Information Block (TIB).
GS  Extra data segment.

MISC. REGISTERS
EIP     Instruction pointer.
EFLAGS  Processor status flags.

STATUS FLAGS
ZF  Zero: operation resulted in zero.
CF  Carry: source > destination in a subtract (unsigned borrow).
SF  Sign: operation resulted in a negative number (most significant bit of the result set).
OF  Overflow: result too large for the destination (signed overflow).
Signed conditional jumps (JG, JGE, JL, JLE) test SF and OF; unsigned ones (JA, JAE, JB, JBE) test CF and ZF.

16 BIT AND 8 BIT REGISTERS
The four primary general purpose registers (EAX, EBX, ECX and EDX) have 16- and 8-bit overlapping aliases:
EAX     32 bit
AX      16 bit (low half of EAX)
AH, AL  8 bit (high and low byte of AX)
Writing to AL or AX changes the corresponding bits of EAX without touching the rest.

Instructions

ADD <dest>,<source>   Adds <source> to <dest>. <dest> may be a register or memory. <source> may be a register, memory or immediate value.
CALL <loc>            Call a function and return to the next instruction when finished. <loc> may be a relative offset from the current location, a register or a memory address. Pushes the return address onto the stack.
CMP <dest>,<source>   Compare <source> with <dest>. Similar to the SUB instruction but does not modify the <dest> operand with the result of the subtraction; only the flags are set.
DEC <dest>            Subtract 1 from <dest>. <dest> may be a register or memory.
DIV <divisor>         Unsigned divide of the EDX:EAX registers (64-bit combo) by <divisor>. Quotient is stored in EAX, remainder in EDX. <divisor> may be a register or memory. Division by zero raises a #DE exception.
INC <dest>            Add 1 to <dest>. <dest> may be a register or memory.
JE <loc>              Jump if Equal (ZF=1) to <loc>.
JG <loc>              Jump if Greater (ZF=0 and SF=OF) to <loc>. Signed.
JGE <loc>             Jump if Greater or Equal (SF=OF) to <loc>. Signed.
JLE <loc>             Jump if Less or Equal (ZF=1 or SF<>OF) to <loc>. Signed.
JMP <loc>             Jump to <loc>. Unconditional.
JNE <loc>             Jump if Not Equal (ZF=0) to <loc>.
JNZ <loc>             Jump if Not Zero (ZF=0) to <loc>. Same instruction as JNE.
JZ <loc>              Jump if Zero (ZF=1) to <loc>. Same instruction as JE.
LEA <dest>,<source>   Load Effective Address. Computes the address of the memory expression <source> and stores it in <dest>. No memory is read, so compilers also use it for plain arithmetic (e.g. LEA EAX,[EBX+EBX*4]).
MOV <dest>,<source>   Move data from <source> to <dest>. <source> may be an immediate value, a register or a memory address. <dest> may be either a memory address or a register. <source> and <dest> may not both be memory addresses.
MUL <source>          Unsigned multiply of EAX by <source>. The 64-bit result is stored in EDX:EAX. <source> may be a register or memory.
POP <dest>            Take a 32-bit value from the top of the stack and store it in <dest>. ESP is incremented by 4. <dest> may be a register, including segment registers, or memory.
PUSH <value>          Adds a 32-bit value to the top of the stack. Decrements ESP by 4. <value> may be a register, segment register, memory or immediate value.
ROL <dest>,<count>    Bitwise Rotate Left the value in <dest> by <count> bits. <dest> may be a register or memory address. <count> may be immediate or the CL register.
ROR <dest>,<count>    Bitwise Rotate Right the value in <dest> by <count> bits. <dest> may be a register or memory address. <count> may be immediate or the CL register.
SHL <dest>,<count>    Bitwise Shift Left the value in <dest> by <count> bits. Zero bits are added at the least significant end. <dest> may be reg. or mem. <count> is imm. or CL.
SHR <dest>,<count>    Bitwise Shift Right the value in <dest> by <count> bits. Zero bits are added at the most significant end. <dest> may be reg. or mem. <count> is imm. or CL.
SUB <dest>,<source>   Subtract <source> from <dest>. <source> may be immediate, memory or a register. <dest> may be memory or a register. (source=dest) -> ZF=1; (source>dest, unsigned) -> CF=1; (source<dest, unsigned) -> CF=0 and ZF=0.
TEST <dest>,<source>  Performs a bitwise AND of the operands but does not modify the <dest> operand; only the flags are set. (dest AND source = 0) -> ZF=1, otherwise ZF=0. TEST EAX,EAX is the usual idiom for checking whether EAX is zero.
XCHG <dest>,<source>  Exchange the contents of <source> and <dest>. Operands may be register or memory. Both operands may not be memory.
XOR <dest>,<source>   Bitwise XOR the value in <source> with the value in <dest>, storing the result in <dest>. <dest> may be reg. or mem. and <source> may be reg., mem. or imm. XOR EAX,EAX is the usual idiom for zeroing a register.
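The flag rules above are what make a CMP followed by a conditional jump readable, and the signed/unsigned distinction is where most misreads happen. The following added example (not part of the original cheat sheet) models the flags set by SUB/CMP and TEST on 32-bit operands and evaluates which conditional jumps a disassembler would show as taken; the function names and the sample operand values are this example's own.

```python
MASK32 = 0xFFFFFFFF


def flags_sub(dest, src):
    """Flags as set by SUB/CMP <dest>,<src> on 32-bit operands."""
    dest &= MASK32
    src &= MASK32
    result = (dest - src) & MASK32
    zf = result == 0
    cf = src > dest                      # unsigned borrow, as the cheat sheet states
    sf = bool(result >> 31)              # sign bit of the 32-bit result
    # Signed overflow: operands had different signs and the result's sign differs from dest's.
    of = (((dest ^ src) & (dest ^ result)) >> 31) == 1
    return {"ZF": zf, "CF": cf, "SF": sf, "OF": of, "result": result}


def flags_test(dest, src):
    """Flags as set by TEST <dest>,<src>: a bitwise AND that discards its result. CF and OF are cleared."""
    r = dest & src & MASK32
    return {"ZF": r == 0, "CF": False, "SF": bool(r >> 31), "OF": False, "result": r}


# Predicates for the conditional jumps, keyed by mnemonic. JE/JZ and JNE/JNZ are the same instruction.
JUMPS = {
    "JE":  lambda f: f["ZF"],
    "JNE": lambda f: not f["ZF"],
    "JG":  lambda f: not f["ZF"] and f["SF"] == f["OF"],   # signed >
    "JGE": lambda f: f["SF"] == f["OF"],                   # signed >=
    "JL":  lambda f: f["SF"] != f["OF"],                   # signed <
    "JLE": lambda f: f["ZF"] or f["SF"] != f["OF"],        # signed <=
    "JA":  lambda f: not f["CF"] and not f["ZF"],          # unsigned >
    "JB":  lambda f: f["CF"],                              # unsigned <
}


def taken(jcc, flags):
    return JUMPS[jcc](flags)


def taken_jumps(flags):
    """All conditional jumps that would be taken with these flags, sorted by mnemonic."""
    return sorted(j for j, pred in JUMPS.items() if pred(flags))


if __name__ == "__main__":
    # CMP EAX,0 with EAX = 0xFFFFFFFF: -1 as signed, 4294967295 as unsigned.
    f = flags_sub(0xFFFFFFFF, 0)
    print("CMP 0xFFFFFFFF,0 ->", {k: v for k, v in f.items() if k != "result"}, taken_jumps(f))
    # CMP 0x7FFFFFFF,0xFFFFFFFF: signed 2147483647 - (-1) overflows, so OF=1 and JG is still taken.
    g = flags_sub(0x7FFFFFFF, 0xFFFFFFFF)
    print("CMP 0x7FFFFFFF,0xFFFFFFFF ->", {k: v for k, v in g.items() if k != "result"}, taken_jumps(g))
```

The first case is the one to remember: the same CMP makes JL (signed "less") and JA (unsigned "above") both true, so the mnemonic the compiler chose tells you whether the source variable was signed or unsigned.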

The Stack

The stack grows toward lower addresses: PUSH decrements ESP, POP increments it. Inside a function that sets up a standard frame (PUSH EBP / MOV EBP,ESP), EBP is a fixed anchor for the whole body: local variables sit at negative offsets from it, the saved EBP, return pointer and parameters at positive offsets.

Low addresses
  Empty (below ESP)
  Local variables               [EBP-x]   <- ESP points here (top of the locals)
  Saved EBP                     [EBP]     <- EBP points here
  Return pointer                [EBP+4]
  Parameters                    [EBP+x]   (first parameter at [EBP+8])
  Parent function's data
  Grandparent function's data
High addresses
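The layout above is easiest to internalise by building a frame step by step. The following added example (not part of the original cheat sheet) models a 32-bit stack as a byte array, performs a cdecl call and prologue, reports where each frame element lands relative to EBP, and then shows why the arrangement matters for security: an unchecked write into a local buffer runs upward through the saved EBP into the return pointer. The stack address, the return address and the argument values are constructed for this example.

```python
import struct


class Stack:
    """Tiny model of a 32-bit stack. Addresses are hypothetical, chosen to look like a Win32 thread stack."""

    def __init__(self, top=0x0019FF00, size=0x100):
        self.base = top - size          # lowest modelled address
        self.mem = bytearray(size)
        self.esp = top                  # empty stack: ESP at the top, nothing below it is in use
        self.ebp = 0

    def write32(self, addr, value):
        struct.pack_into("<I", self.mem, addr - self.base, value & 0xFFFFFFFF)

    def read32(self, addr):
        return struct.unpack_from("<I", self.mem, addr - self.base)[0]

    def push(self, value):
        self.esp -= 4                   # PUSH: decrement ESP by 4, then store
        self.write32(self.esp, value)

    def pop(self):
        value = self.read32(self.esp)   # POP: load, then increment ESP by 4
        self.esp += 4
        return value


def call_cdecl(st, args, return_addr, local_bytes):
    """Caller pushes args right-to-left, CALL pushes the return address, callee runs the standard prologue."""
    for a in reversed(args):
        st.push(a)
    st.push(return_addr)                # CALL
    st.push(st.ebp)                     # PUSH EBP
    st.ebp = st.esp                     # MOV EBP,ESP
    st.esp -= local_bytes               # SUB ESP,<local_bytes>: locals now live in [EBP-local_bytes, EBP)
    return st.ebp


def frame_layout(st, nargs):
    """Addresses of the frame elements, matching the cheat sheet's diagram."""
    ebp = st.ebp
    return {
        "locals_start": st.esp,                          # [EBP-x], ESP points here
        "saved_ebp": ebp,                                # [EBP]
        "return_ptr": ebp + 4,                           # [EBP+4]
        "args": [ebp + 8 + 4 * i for i in range(nargs)], # [EBP+8], [EBP+0Ch], ...
    }


def overflow_local(st, buf_offset, data):
    """Copy `data` into the local buffer at [EBP-buf_offset] with no length check, as strcpy would."""
    start = (st.ebp - buf_offset) - st.base
    st.mem[start:start + len(data)] = data


if __name__ == "__main__":
    st = Stack()
    call_cdecl(st, args=[1, 2], return_addr=0x00401234, local_bytes=16)
    for name, addr in frame_layout(st, nargs=2).items():
        print(f"{name:13} {addr if not isinstance(addr, list) else [hex(a) for a in addr]}")
    # 16 bytes fill the buffer, the next 4 land on the saved EBP, the 4 after that on the return pointer.
    overflow_local(st, 16, b"A" * 16 + b"B" * 4 + b"C" * 4)
    print("saved EBP now", hex(st.read32(st.ebp)), "return pointer now", hex(st.read32(st.ebp + 4)))
```

When reading a disassembly, a local buffer referenced as [EBP-10h] with a call that writes more than 16 bytes into it is exactly this picture; the distance from the buffer to [EBP+4] is the overwrite budget an attacker needs.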

Assembly Language

Instruction listings contain at least a mnemonic, which is the operation to be performed. Many instructions will take operands. Instructions with multiple operands list the destination operand first and the source operand second (<dest>,<source>). This is Intel syntax, as used by Windows debuggers and disassemblers; AT&T syntax (GNU tools by default) reverses the order. Assembler directives may also be listed, which appear similar to instructions but emit data rather than code.

Terminology and Formulas

Module               A PE formatted file loaded into memory. Typically an EXE or DLL.
Entry Point          The address of the first instruction to be executed when the module is loaded.
Import               DLL functions required for use by an executable module.
Export               Functions provided by a DLL which may be imported by another module.
Pointer to Raw Data  Offset of section data within the executable file.
Size of Raw Data     Amount of section data within the executable file.
Virtual Size         Amount of section data in memory. May exceed Size of Raw Data (the remainder is zero-filled by the loader) or be smaller than it (the remainder is padding).
RVA                  Relative Virtual Address. Memory offset from the beginning of the executable, i.e. from the Base Address.
Virtual Address (VA) Absolute memory address (RVA + Base). The PE header fields named VirtualAddress actually contain Relative Virtual Addresses.
Base Address         Offset in memory at which the executable module is actually loaded.
Image Base           Base Address requested in the PE header of a module. Relocation or ASLR can place the module elsewhere, so use the actual Base Address when converting addresses in a live process.

CONVERSIONS (Section* refers to the header of the section containing the address)
RVA -> VA    VA  = RVA + BaseAddress
VA -> RVA    RVA = VA - BaseAddress
RVA -> Raw   Raw = (RVA - SectionStartRVA) + SectionStartPtrToRaw
Raw -> VA    VA  = (Raw - SectionStartPtrToRaw) + (SectionStartRVA + ImageBase)

OPERAND TYPES
Immediate  A numeric operand, hard coded.
Register   A general purpose register.
Memory     A memory address, written with brackets [].

ASSEMBLER DIRECTIVES
DB <byte>   Define Byte. Reserves an explicit byte of memory at the current location, initialized to the <byte> value.
DW <word>   Define Word. 2 bytes.
DD <dword>  Define DWord. 4 bytes.

Copyright 2009 Nick Harbour www.rnicrosoft.net
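The conversions above only work once you have found the section that contains the address, and they fail silently for RVAs that have no bytes in the file at all. The following added example (not part of the original cheat sheet) parses a constructed IMAGE_SECTION_HEADER table with the standard 40-byte layout and implements the four conversions with that lookup; the section names, sizes and the 0x400000 base address are sample values built for this example, not taken from any real binary.

```python
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress (really an RVA), SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics. 40 bytes, little-endian.
SECTION_HDR = "<8sIIIIIIHHI"
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)


def make_section(name, virtual_size, rva, raw_size, raw_ptr):
    return struct.pack(SECTION_HDR, name.ljust(8, b"\0"), virtual_size, rva, raw_size, raw_ptr, 0, 0, 0, 0, 0)


# Constructed sample section table (not from a real file). .data has VirtualSize > SizeOfRawData:
# its tail is zero-filled at load time and has no file offset at all.
SECTION_TABLE = (
    make_section(b".text",  0x1234, 0x1000, 0x1400, 0x0400)
    + make_section(b".rdata", 0x0500, 0x3000, 0x0600, 0x1800)
    + make_section(b".data",  0x2000, 0x4000, 0x0200, 0x1E00)
)
NUM_SECTIONS = 3


def parse_sections(table, count):
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HDR, table, i * SECTION_HDR_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\0").decode(),
            "VirtualSize": f[1], "VirtualAddress": f[2],
            "SizeOfRawData": f[3], "PointerToRawData": f[4],
        })
    return sections


def section_for_rva(sections, rva):
    # In memory a section spans the larger of VirtualSize and SizeOfRawData (the loader rounds
    # this up to SectionAlignment; that rounding is ignored here).
    for s in sections:
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"]):
            return s
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def is_file_backed(sections, rva):
    """True if the RVA has bytes in the file; False for zero-filled (bss-like) tails."""
    s = section_for_rva(sections, rva)
    return rva - s["VirtualAddress"] < s["SizeOfRawData"]


def rva_to_raw(sections, rva):
    s = section_for_rva(sections, rva)
    if not is_file_backed(sections, rva):
        raise ValueError(f"RVA {rva:#x} is in {s['name']} but beyond its raw data")
    return (rva - s["VirtualAddress"]) + s["PointerToRawData"]


def raw_to_va(sections, raw, base_address):
    for s in sections:
        if s["PointerToRawData"] <= raw < s["PointerToRawData"] + s["SizeOfRawData"]:
            return (raw - s["PointerToRawData"]) + (s["VirtualAddress"] + base_address)
    raise ValueError(f"file offset {raw:#x} is not inside any section")


def rva_to_va(rva, base_address):
    return rva + base_address


def va_to_rva(va, base_address):
    return va - base_address


if __name__ == "__main__":
    secs = parse_sections(SECTION_TABLE, NUM_SECTIONS)
    base = 0x00400000  # sample base address; in a live process use the actual module base, not ImageBase
    print("RVA 0x1010 -> raw", hex(rva_to_raw(secs, 0x1010)))
    print("raw 0x1850 -> VA", hex(raw_to_va(secs, 0x1850, base)))
    print("RVA 0x4300 file-backed?", is_file_backed(secs, 0x4300))
```

`base_address` is passed in rather than read from the header so the same code serves both static analysis (use ImageBase) and a dump from a running process (use the loaded base).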
