Most-used Instructions
Last updated
Last updated
NOP - No Operation! No registers, no values, no nothin'! used there to pad/align bytes, or to delay time. in exploit development used for allocating space for the shellcode.
Push Word, Doubleword or Quadword onto the Stack " Can either be an immediate (a numeric constant), or the value in a register" The push instruction automatically decrements the stack pointer, esp, by 4 because the value in the register is sent to stack so the stack pointer now points to 4 bytes lower in the address space. push doesn't remove the content of the register, just copies it.
Pop a Value from the Stack Take a DWORD off the stack, put it in a register, and increment esp by 4 because unlike push, pop will take a value off the stack so the address will become undefined because the esp now points to a higher memory address, again pop doesn't remove the value from the stack but because the esp is decremented we cant see the value in the next lower address.
the following example shows a demo of using PUSH and POP to swap the value of 2 variables:
CALL's job is to transfer control to a different function, in a way that control can later be resumed where it left off. First it pushes the address of the next instruction onto the stack – For use by RET for when the procedure is done. Then it changes eip to the address given in the instruction. Destination address can be specified in multiple ways.
Pop the top of the stack into eip (remember pop increments stack pointer), In this form, the instruction is just written as “ret”. Typically used by cdecl functions
Pop the top of the stack into eip and add a constant number of bytes to esp. In this form, the instruction is written as “ret 0x8”, or “ret 0x20”, etc. Typically used by stdcall functions.
Can move:
register to register
memory to register
register to memory
immediate to register
immediate to memory
Intel in Intel ISA you can never move or change values directly in memory. MOV instruction can not move from one memory address to another memory address.
MOV can move data in one of the following forms:
example:
Frequently used with pointer arithmetic, sometimes for just arithmetic in general. Uses the r/m32 form but is the exception to the rule that the square brackets [ ] syntax means dereference (“value at”)
example:
is used for incrementing an operand by one. It works on a single operand that can be either in a register or in memory.
used for decrementing an operand by one. It works on a single operand that can be either in a register or in memory
These instructions are used for performing simple addition/subtraction of binary data in byte, word and doubleword size, i.e., for adding or subtracting 8-bit, 16-bit or 32-bit operands respectively.
There are two instructions for multiplying binary data. The MUL (Multiply) instruction handles unsigned data and the IMUL (Integer Multiply) handles signed data. Both instructions affect the Carry and Overflow flag.
example:
The division operation generates two elements - a quotient and a remainder. In case of multiplication, overflow does not occur because double-length registers are used to keep the product. However, in case of division, overflow may occur. The processor generates an interrupt if overflow occurs. The DIV (Divide) instruction is used or unsigned data and the IDIV (Integer Divide) is used for signed data
example:
we really don't care about them here :)
