
Assembly 💯

Calling 🤙 Conventions in x86

In this article I’m giving an overview of different calling conventions with examples.

Intro

Consider the following code snippet:

int mysteriousFunction(int a, int b)
{
  return a + b;
}

int main(void)
{
  return mysteriousFunction(2, 4); // the function above is called with a = 2, b = 4
}

Let’s see the assembly code for each calling convention:

CDECL

The assembly output would be this:

_mysteriousFunction:
push ebp            ; save the caller's frame pointer
mov ebp, esp        ; set up our own frame: [ebp] = saved ebp, [ebp + 4] = return address
mov eax, [ebp + 8]  ; first argument (a)
mov edx, [ebp + 12] ; second argument (b)
add eax, edx        ; a + b, left in eax as the return value
pop ebp             ; restore the caller's frame pointer
ret
and

;main function
push 4 ; the second argument is pushed first
push 2 ; the first argument is pushed second
call _mysteriousFunction
add esp, 8 ; the caller removes the two 4-byte arguments (cdecl)

As the snippet shows, the arguments are passed on the stack with PUSH, in reverse order (right to left): b is pushed first and a last, so after push ebp / mov ebp, esp the callee finds a at [ebp + 8] and b at [ebp + 12] ([ebp] holds the saved ebp and [ebp + 4] the return address). Now look at _mysteriousFunction’s body: the sum is computed in eax and then there is just a ret, nothing that looks like a “return”. That’s because cdecl passes the return value back in eax (eax, ecx and edx are caller-saved, so the callee may clobber them freely). Finally, it is the caller, not the callee, that removes the arguments after the call (add esp, 8); that is the defining trait of cdecl, and it is what lets it support variadic functions like printf, where only the caller knows how many arguments it pushed.
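To make the stack layout concrete, here is an added example (mine, not code from this post) that replays the call above on a toy 32-bit stack in C: it pushes 4, then 2, then a made-up return address, runs the callee body from the listing, and checks that esp is back where it started after add esp, 8. It also goes one step beyond the post with a stdcall-style callee that ends in ret 8, to show what happens when caller and callee disagree about who removes the arguments: esp drifts by 8 bytes on every call. The return-address constant and the initial ebp value are arbitrary placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A miniature 32-bit stack machine with just enough state to replay the cdecl
   call from the post: push 4; push 2; call; ...; add esp, 8.
   "Addresses" are byte offsets into mem[]. */
enum { STACK_BYTES = 64 };
enum { FAKE_RET_ADDR = 0x08048500 };   /* what `call` would push; made-up value */

typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint32_t esp, ebp, eax, edx;
} cpu_t;

typedef struct {
    uint32_t eax;        /* the return value */
    int32_t  esp_drift;  /* esp after the call minus esp before; 0 = balanced */
} outcome_t;

static void     wr32(cpu_t *c, uint32_t addr, uint32_t v) { memcpy(&c->mem[addr], &v, 4); }
static uint32_t rd32(const cpu_t *c, uint32_t addr) { uint32_t v; memcpy(&v, &c->mem[addr], 4); return v; }
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* _mysteriousFunction exactly as the post lists it (cdecl: callee leaves the args alone). */
static void callee_cdecl(cpu_t *c)
{
    push(c, c->ebp);                 /* push ebp */
    c->ebp = c->esp;                 /* mov ebp, esp  ; [ebp] = saved ebp, [ebp+4] = return address */
    c->eax = rd32(c, c->ebp + 8);    /* mov eax, [ebp + 8]   ; a */
    c->edx = rd32(c, c->ebp + 12);   /* mov edx, [ebp + 12]  ; b */
    c->eax += c->edx;                /* add eax, edx */
    c->ebp = pop(c);                 /* pop ebp */
    (void)pop(c);                    /* ret: pop the return address */
}

/* Same body, but ending in `ret 8` (stdcall style: the callee removes its own arguments). */
static void callee_stdcall(cpu_t *c)
{
    push(c, c->ebp);
    c->ebp = c->esp;
    c->eax = rd32(c, c->ebp + 8) + rd32(c, c->ebp + 12);
    c->ebp = pop(c);
    (void)pop(c);                    /* ret 8: pop the return address ... */
    c->esp += 8;                     /* ... then discard the two argument slots */
}

/* Replays the caller side from the post against the given callee. */
static outcome_t call_with(void (*callee)(cpu_t *), int caller_cleans, uint32_t a, uint32_t b)
{
    cpu_t c = { .esp = STACK_BYTES, .ebp = 0x1000 };   /* ebp: pretend caller frame, arbitrary */
    uint32_t esp_before = c.esp;
    push(&c, b);                     /* push 4 ; second argument first */
    push(&c, a);                     /* push 2 ; first argument last  */
    push(&c, FAKE_RET_ADDR);         /* call pushes the return address ... */
    callee(&c);                      /* ... and transfers control */
    if (caller_cleans)
        c.esp += 8;                  /* add esp, 8 */
    outcome_t o = { c.eax, (int32_t)(c.esp - esp_before) };
    return o;
}

int main(void)
{
    outcome_t o;
    o = call_with(callee_cdecl, 1, 2, 4);
    printf("cdecl            : eax=%u esp drift=%d\n", o.eax, o.esp_drift);
    o = call_with(callee_stdcall, 0, 2, 4);
    printf("stdcall          : eax=%u esp drift=%d\n", o.eax, o.esp_drift);
    /* Mismatch: a stdcall callee reached through a cdecl prototype. Both sides pop
       the arguments, so esp ends up 8 bytes above where it started on every call. */
    o = call_with(callee_stdcall, 1, 2, 4);
    printf("stdcall via cdecl: eax=%u esp drift=%d\n", o.eax, o.esp_drift);
    /* Mismatch the other way: nobody pops them and the stack leaks 8 bytes per call. */
    o = call_with(callee_cdecl, 0, 2, 4);
    printf("cdecl, no cleanup: eax=%u esp drift=%d\n", o.eax, o.esp_drift);
    return 0;
}
```

The offsets are the whole point: because `call` pushes 4 bytes and the prologue pushes 4 more, the first argument is always at [ebp + 8] in a cdecl frame, which is why a stack buffer overflow that overwrites [ebp + 4] hijacks the return address while leaving the callee's argument reads intact. The two mismatch cases are what a wrong function-pointer prototype or a miscompiled declaration produces: the program may still compute 6, but esp is off by 8 after every call and eventually the frame is misread.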

Flags

CF

Its full name is carry flag. Its main purpose is to signal that the result of an operation is too large to fit in the register. For example, a register holds at most 32 bits, but if we add 0xFFFF

ZF

OF

Operations

In this article I’m describing all the assembly operations that I’ve encountered myself and wasn’t too lazy to write down an explanation for here. However, I won’t pay much attention to operations I consider straightforward, like ADD. I’m going to put a flag next to each operation indicating the corresponding arch: ARM or x86 (I’m just learning ARM myself for iOS analysis).

Most instructions have the following anatomy: instruction <destination operand>, <source operand>. Some look like instruction <source operand>, because the destination is always the same register (implicit). An example is MUL: with a 32-bit operand it always multiplies EAX by that operand, and the 64-bit product lands in EDX:EAX.
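As an added example (my code, not from this post), the following C program shows how the CPU derives CF, ZF, SF and OF from a 32-bit ADD or SUB, which is what the Flags section above is describing, and how MUL uses its implicit EDX:EAX destination and reports a product that did not fit in 32 bits through CF and OF. The input values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag results after a 32-bit ADD/SUB, computed the way the hardware does. */
typedef struct {
    uint32_t result;  /* what lands in the destination register */
    unsigned cf;      /* carry flag: unsigned overflow (ADD) or borrow (SUB) */
    unsigned zf;      /* zero flag: result == 0 */
    unsigned sf;      /* sign flag: bit 31 of the result */
    unsigned of;      /* overflow flag: result is wrong if operands are read as signed */
} alu_t;

static alu_t add32(uint32_t a, uint32_t b)
{
    alu_t f;
    f.result = a + b;                               /* wraps modulo 2^32, like EAX */
    f.cf = ((uint64_t)a + b) > 0xFFFFFFFFull;       /* carry out of bit 31 */
    f.zf = f.result == 0;
    f.sf = f.result >> 31;
    /* Signed overflow: operands share a sign and the result's sign differs from it. */
    f.of = (~(a ^ b) & (a ^ f.result)) >> 31;
    return f;
}

/* SUB a, b. CMP a, b computes exactly the same flags and discards the result. */
static alu_t sub32(uint32_t a, uint32_t b)
{
    alu_t f;
    f.result = a - b;
    f.cf = a < b;                                   /* borrow: a is below b as unsigned */
    f.zf = f.result == 0;
    f.sf = f.result >> 31;
    /* Signed overflow: operands differ in sign and the result's sign differs from a's. */
    f.of = ((a ^ b) & (a ^ f.result)) >> 31;
    return f;
}

/* MUL r/m32: implicit source/destination EAX, product in EDX:EAX. */
typedef struct {
    uint32_t eax, edx;   /* EDX:EAX holds the 64-bit product */
    unsigned cf;         /* CF == OF after MUL: set iff EDX != 0, i.e. product needs > 32 bits */
} mul_t;

static mul_t mul32(uint32_t eax, uint32_t src)
{
    uint64_t product = (uint64_t)eax * src;
    mul_t m;
    m.eax = (uint32_t)product;
    m.edx = (uint32_t)(product >> 32);
    m.cf = m.edx != 0;   /* ZF/SF are undefined after MUL, so they are not modelled */
    return m;
}

int main(void)
{
    alu_t f = add32(0xFFFFFFFFu, 1);
    printf("0xFFFFFFFF + 1 = %08x  CF=%u ZF=%u SF=%u OF=%u  (unsigned wrap, -1 + 1 = 0 signed)\n",
           f.result, f.cf, f.zf, f.sf, f.of);
    f = add32(0x7FFFFFFFu, 1);
    printf("0x7FFFFFFF + 1 = %08x  CF=%u ZF=%u SF=%u OF=%u  (INT_MAX + 1: signed overflow)\n",
           f.result, f.cf, f.zf, f.sf, f.of);
    f = sub32(0, 1);
    printf("0 - 1          = %08x  CF=%u ZF=%u SF=%u OF=%u  (borrow)\n",
           f.result, f.cf, f.zf, f.sf, f.of);
    mul_t m = mul32(0x10000, 0x10000);
    printf("0x10000 * 0x10000 = edx:eax %08x:%08x  CF=OF=%u\n", m.edx, m.eax, m.cf);
    return 0;
}
```

Branches read these bits directly: jc/jb test CF, jo tests OF, je tests ZF. The unsigned-wrap check a C programmer writes as `if (len + hdr < len)` compiles to exactly the carry computed in add32, and a signed length compared with jl/jg instead of jb/ja is the classic sign-confusion bug, because the two families look at different flags.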

Registers

EAX

EIP

EBP

RSI/ESI

Source Index.

RSI is the 64-bit register; ESI is its low 32 bits.

RDI/EDI

Destination Index.

RDI is the 64-bit register; EDI is its low 32 bits.

For ARM registers, see https://azeria-labs.com/arm-data-types-and-registers-part-2/

Assembly Cheatsheet

ARM Assembly

In this article I’m giving a quick dive into assembly. It’s very simple and very difficult at the same time. It takes time and patience to get friendly with it. And once you do, ARM shows up and scares the hell out of you all over again. But it takes less time once you’re familiar with its “big brother”.

Analogy

Sometimes when I look at assembly code I remember back in the ‘olden days’ when I worked as an office manager. I didn’t love my job and used to describe it to a small circle of close friends as “moving papers from one place to another”. Of course, there was much more to it than just that, but it felt that way. When I left this job and found one as a C# programmer, I thought I’d never be doing that again. Surprisingly, I was right… When I left my job as a C# programmer, I thought I’d never have anything to do with HTML again. Here I was wrong…

Assembly Intro