The cheat sheet is intended for 32-bit Windows programming with FASM. One A4 page contains almost all general-purpose x86 instructions (except FPU, MMX and SSE instructions).
For Prof Tuck’s CS3650, fall 2018.
This uses AT&T syntax (per norms for the GNU C compiler).
- CS 161 x86/C/GDB Cheat Sheet Number Representation To begin, recall that 1 byte is equal to 8 bits, and 1 word is equal to 4 bytes (32 bits). In this class, we do everything in a 32-bit address space. Thus, every address can be written using 1 word of memory. One hexadecimal digit.
- X8664 NASM Assembly Quick Reference ('Cheat Sheet') Instructions (basically identical to 32-bit x86) For gory instruction set details, read the full Intel PDFs: part 1 (A-M) and part 2 (N-Z).
- X86 assembly cheat sheet PDF x64 Cheat Sheet, x64 Cheat Sheet x64 assembly code uses sixteen 64-bit registers. There are sixteen 64-bit registers in x86-64:%rax,%rbx,%rcx,%rdx,%rdi,%rsi,%rbp. X64 Cheat Sheet Fall 2019 1. X6 4 R e g i st e rs x6 4 a sse mb l y co d e u se s si xt e e n 6 4 -b i t re g i st e rs.
Registers
In AMD64, we have 16 registers that can each hold 64-bits (8 bytes):
Group 1:
- %rax - accumulator: arithmetic source & destination
- %rcx - counter: loop index
- %rdx - data: arithmetic source
- %rbx - base: historically used for segmented addressing
Group 2:
- %rsi - source index
- %rdi - destination index
- %rsp - stack pointer
- %rbp - base pointer
Group 3:
- %r8, %r9, …, %r15
Groups 1 and 2 are the extended form of the old 16 bit registers fromthe Intel 8086, while Group 3 was added specifically for AMD64.
Shorter parts of these registers are also accessible by the hisorical names:
64-bit register | Low 32-bits | Low 16 bits | Low 8 bits | Byte 7* |
---|---|---|---|---|
%rax | %eax | %ax | %al | %ah |
%rsi | %esi | %si | %sil | n/a |
%r8 | %r8d | %r8w | %r8b | n/a |
The names for the other registers follow the pattern within the same group.
For the Group 1 registers, the high and low bytes of the low 16-bits be accessedby dedicated names (%ah, %al, %ch, %cl, etc).
There are a couple of other registers worth remembering:
Blogdown r. Blogdown: Creating Websites with R Markdown A note from the authors: Some of the information and instructions in this book are now out of date because of changes to Hugo and the blogdown package. If you have suggestions for improving this book, please file. We introduce an R package, blogdown, in this short book, to teach you how to create websites using R Markdown and Hugo. If you have experience with creating websites, you may naturally ask what the benefits of using R Markdown are, and how blogdownis. R Markdown (Allaire et al. 2021)is a plain-text document format consisting of two components: R (or other computing languages) and Markdown. Markdown makes it easy for authors to write a document due to its simple syntax.
- %rip - Instruction pointer. Points to next instruction to execute. Not readable.
- %flags - (%eflags, %rflags) - Each bit means something specific. Not writable.
Instructions
Arithmetic Instructions
Instruction | Description |
---|---|
mov %rxx, %ryy | Copy data from register %rxx to %ryy |
inc %rxx | Add one to %rxx |
dec %rxx | Subtract one from rxx |
neg %rxx | Negate %rxx |
not %rxx | Bitwise NOT %rxx |
add %rxx, %ryy | %ryy += %rxx |
sub %rxx, %ryy | %ryy -= %rxx |
or %rxx, %ryy | %ryy = %rxx OR %ryy (bitwise) |
and %rxx, %ryy | %ryy = %rxx AND %ryy (bitwise) |
imul %rxx | %rdx:%rax = %rax * %rxx |
imul %rxx, %ryy | %ryy = %ryy * %rxx (truncated to 64-bits) |
idiv %rxx | %rax = %rdx:%rax / %rxx; %rdx = quot |
Flow Control and Logic
Note: The argument order for “cmp” is backwards here.
Instruction | Description |
---|---|
cmp %rxx, %ryy | Compares the two registers, updating the flags register |
je label | Jump if equal (if previous cmp set equal flag; %rxx %ryy) |
jne label | Jump if not equal (%rxx != %ryy) |
jl label | Jump if less than (%rxx < %ryy) |
jle label | <= |
jg label | > |
jge label | >= |
sete %rzz | Set %rzz if %rxx %ryy in the previous cmp, else clear it. |
setg %rzz | Set %rzz if %rxx > %ryy |
setl %rzz | Set %rzz if %rxx < %ryy |
Function Call and Stack
Instruction | Description |
---|---|
push %rxx | Copy %rxx to stack @ %rsp, move down %rsp |
pop %rxx | Copy from stack @ %rsp to %rxx, move up %rsp |
enter $NN, $0 | Allocate a stack frame with NN bytes of space |
leave | Deallocate a stack frame |
call label | Push $rip and jump to the address of the “label” function |
Memory and Immediate Arguments
In addition to operating on registers, many instructions can accept alternatemodes that operate on data in memory or on constant values.
Example Instruction | Description |
---|---|
add (%rcx), %rdx | %rdx = %rdx + (value at address in %rcx) |
add $10, %rdx | %rdx = %rdx + 10 |
addq $10, 2(%e10, %e11, 2) | (the value at %e10+2*%e11) += 10 |
add -16($rsp), %rax | %rax += the value 16 bytes below where %rsp points |
There’s a special instruction,
lea
, that calcuates an address as if it weregoing to access an argument in memory but gives you the address as its output.Example Instruction | Description |
---|---|
lea -16($rsp), %rax | %rax = %rsp - 16 |
Instruction suffixes: Instructions can have a single letter suffix added toindicate hte size of the value operated on: b, w, l, q for 1, 2, 4, 8 bytes.
Example Instruction | Description |
---|---|
movw $10, (%rdx) | Move a 16-bit (2 byte, short) int to the address in %rdx |
movq %10, (%rdx) | Move a 64-bit (8 byte, long) int to the address in %rdx |
Calling a Function
To call a function with the “call” instruction, you must first:
- Put arguments in the appropriate registers / stack.
- %rdi, %rsi, %rdx, %rcx, %r8, %r9, then the stack
- Think about “callee save” registers.
- That’s all the data registers except %rbx and %r12-%r15.
- Assume calling any function corrupts them.
- You can push these before the call and pop after, but a differentallocation with stack / caller-save might work better.
- Make sure %rsp points to an address divisible by 16 bytes.
- This is not true when you enter a function, because call pushes areturn address.
- Pushing %ebp (e.g. with “enter $0,…”) corrects this.
- Make sure you do an even number of pushes / reserve stack space inmultiples of 16 bytes.
Once the function returns, your result will be in %rax. An optional secondresult is returned in %rdx.
X86 Register Cheat Sheet
Writing a Function
These registers are callee-saved. If you want to use them, save them to thestack in your prologue and restore them in your epilogue:
- %rbx, %r12-%r15
The stack registers (%rsp, %rbp) are technically callee save, but this ishandled by the standard use of “enter” and “leave” calls.
Register Allocation
- Function arguments: %rdi, %rsi, %rdx, %rcx, %r8, %r9
- Temporary registers: %r10, %r11, (argument registers)
- Safe registers: %r12, %r13, %r14, %r15, %rbx
How to map variables / values to locations:
- Local variables that get their address taken should go on the stack.
- Local variables that get used before and after a function call shouldgo in a safe (callee-saved) register.
- Local variables that don’t need to survive a function call can goin temporary registers.
- Temporary values should go in temporary registers.
The caller-save strategy, where temporary registers are pushed/popped arounda function call to preserve them can be used but tends to be more annoyingthan using safe registers. Quality transmission on arsenal.
Compiling ASM with GCC
- By default, program starts at _start
- If you declare “.global main”, program will start at main.
- The “-no-pie” flag is needed for Ubuntu 18.04. This disablesASLR for the binary, which hurts security.
Compiling ASM without libc
X86 Register List
Using GDB with ASM
X86 Assembly Language Registers Cheat Sheet
- Compile with -g
- Use
break
to set breakpoints on labels or line numbers. - Print registers with
p $rax
orp/x $rax
. - Print all registers with
info reg
- Brown CS0330: Great x86-64 assembly cheat sheet.