MyProgram.

Language Processing System

Preprocessor
Processes macros and
substitutes text in the
Main Memory/RAM (lower to higher memory addresses)
program code accordingly 0x00000000
.text Program instructions
gcc -E MyProgram.c
-
.data Initialized, static data (.rdata == "Read-Only Data")
Preprocessed MyProgram.c
.bss (block starting
Uninitialized static variables (zeroed out)
symbol)

Compiler
Translates high-level code
to assembly code Dynamically allocated (allocated at runtime) and grows toward higher
Heap
memory addresses ↓
gcc -S MyProgram.c
- Local variables, function parameters, return addresses, and grows
MyProgram.S Stack toward lower memory addresses ↑
0x7FFFFFFF

Assembler
Converts assembly code to
machine code

gcc -c MyProgram.c
-
MyProgram.o
Merges code and data from
multiple files into

Linker
appropriate sections and
MyProgram.exe Loader
resolves any
references/symbols from
external modules
Control Unit
(Fetches Instructions
from RAM)

Central Processing Unit (CPU)

Arithmetic Logic Unit
(Executes instructions and sets
registers/flags)

Register Register Register Register

int main() {
...
int res = MyFunc(1, 2, 3);
...
}

int MyFunc(int x, int y, int z) {

int a = 1;
int b = 2;
return ((a * x) + (b - y * z));
}

Common x86 Calling Conventions (decided by compiler or programmer) Common x86 Instructions Common x86 Registers

cdecl Parameters pushed onto stack from right-to-left; Caller cleans up the stack mov eax, ebx; mov eax, 0x13, RAX/EAX/AX/AH/AL Accumulator; Used for input/output, arithmetic,and return values from functions
and return value stored in EAX Copy a value (from register, from literal, or from address) to a register Stack Layout During Function Call
mov eax, [0x4000000]
RBX/EBX/BX/BH/BL Base; Used for indexed addressing (using one register as base and other as index)
stdcall Same as cdecl, except called function cleans up the stack Load effective address; Similar to move, but loads the address "ebx + esi * 4" itself into a
lea eax, [ebx+esi*4]
register rather than the data at that address RCX/ECX/CX/CH/CL Count; Stores loop count variables in iterative operations

First few arguments pushed to registers (commonly ECX and EDX),
fastcall
additional parameters are pushed right-to-left, calling function cleans up add eax, 0x1; sub eax, 0x1;
inc eax; dec eax
mul eax, 0x5; div eax, 0x5;
imul eax, 0x5; cdq; idiv eax,
0x5;
EBP-8
b (2) ESP
Add, subtract, increment, or decrement the value in a register
RDX/EDX/DX/DH/DL Data; Input/output, sometimes extends RAX for multiply/divide
Multiply the value in EAX or Divide the value in EDX:EAX, and store results in EDX:EAX
(for division, result in EAX, remainder in EDX); imul and idiv are signed operations (cdq is RSP/ESP/SP/SPL Stack Pointer; Stores current position within the stack
used prior to idiv to sign-extend EAX to EDX)

EBP-4
a (1)
xor eax, eax; or eax, ebx; and Base Pointer; Helps in referencing parameter and other stack variables as offsets from
XOR, OR, AND, and NOT bitwise operations RBP/EBP/BP/BPL
eax, ebx; not eax the "base" of the stack

Bitwise shift and and rotate operations (bits shifted "fall off" vs bits rotated are cycled RSI/ESI/SI/SIL Used as a source index for string operations
shl bl, 0x4; shr bl, 0x4; rol bl, back to the least significant bit) (NOTE: There are variations such as SAR/SAL which you
0x4; ror bl, 0x4; may see used instead of SHR/SHL to preserve sign bits - also note that SAL and SHL Saved EBP (start of

EBP
perform exactly the same operations, whereas SHR and SAL do not). RDI/EDI/DI/DIL Used as a destination index for string operations MyFunc stack frame)
EBP

No operation; Just do absolutely nothing and wait for the next thing to happen (relatable,
nop RIP/EIP/IP Stores next instruction to be executed
amirite?)
jz 0x4000000; jnz ...; je ...; jne Conditional jumps (zero, not zero, equal, not equal, greater than, greater than or equal to,
..; jg ...; jge ...; jl ...; jle ...; ja ...; less than, less than or equal to, greater than (unsigned), greater than or equal R8-R15 x64 general purpose registers

EBP+4
Return Address to main()
jb ...; jae ...; jbe ...; jo ...; js ... (unsigned); less than or equal to (unsigned), overflow bit set, sign bit set
16-bit segment registers for accessing specific areas of memory segments, including:
Test is the same as AND and sets the zero flag (test eax, eax is the same as checking if CS/DS/SS/ES/FS/GS
test eax, eax; cmp eax, 0x4 Code (.text)/Data (.data)/Stack/Extra/General/General
eax is 0); cmp is identical to SUB but only sets zero and carry flags
Status register holding one-bit flags, e.g. ZF (zero-flag), CF (carry-flag), SF (sign-flag),
RFLAGS/EFLAGS

EBP+8 (or ECX)

Increments ESI and EDI offsets and decrements ECX; rep continues until ECX is 0, TF (trap-flag)
rep; repe; repz; repne; repnz; repe/repz/repne/repnz continue until ECX is 0 or the zero flag is set (repe/repz stop if ZG
= 0; repne/repnz stop if ZF = 1) But wait, there's more! Check the video resource links for more information on registers - x (1)
MOAR
EDI and ESI are two buffers; ECX is buffer length; Compares both buffers until ECX = 0 there are a lot of them!
repe cmpsb
or a difference is found in the buffer contents

EBP+12 (or RDX)

rep stosb Initialize all values of the buffer at EDI to the value in AL Parentheses show how parameters are passed in fastcall/x64.

Note that XMM0, XMM1, XMM2, etc. are used instead of y (2)
ESI is source buffer; EDI is destination buffer; ECX is length of bytes to copy; Copies
rep movsb RCX/RDX/R8/etc. for parameter values that are floating-point and for
these bytes from ESI to EDI until ECX is 0 non-scalar return values.

EDI is the address of a buffer; AL contains a search byte; ECX is the buffer length;
repne scasb
Searches the buffer for the search byte until it is found or ECX is 0

EBP+16 (or R8)

Pushes the value in EAX onto the stack (ESP); Pops the value at the top of the stack into z (3)
push eax; pop ebx; pusha; EBX and adjusts ESP; Pushes 16-bit general purpose registers on the stack; Pushes the
pushad; popa; popad 32-bit general purpose registers on the stack; Pops 16-bit values from stack into general
purpose registers; Pops 32-bit values from stack to general purpose registers

Calls a function; Moves value of EIP to stack and sets EIP to the start of the function at
call 0x41001000
0x41001000

ret Pops the return address off of the stack into EIP

But wait, there's more! Check the video resource links for more information on registers -
MOAR
there are a lot of them!