| 64-bit | 32-bit | 16-bit | 8-bit | Purpose |
|---|---|---|---|---|
| rax | eax | ax | al | Return value, syscall number |
| rbx | ebx | bx | bl | Base pointer (preserved) |
| rcx | ecx | cx | cl | Counter, 4th arg (System V), 1st arg (Windows) |
| rdx | edx | dx | dl | 3rd arg, I/O port |
| rsi | esi | si | sil | 2nd arg, source index |
| rdi | edi | di | dil | 1st arg, destination index |
| rbp | ebp | bp | bpl | Base/frame pointer |
| rsp | esp | sp | spl | Stack pointer |
| rip | eip | ip | - | Instruction pointer |
| r8-r15 | r8d-r15d | r8w-r15w | r8b-r15b | Additional registers |

| Convention | Args Order | Return |
|---|---|---|
| Linux x64 (System V) | rdi, rsi, rdx, rcx, r8, r9 | rax |
| Windows x64 | rcx, rdx, r8, r9 | rax |
| Linux x86 (cdecl) | stack (right to left) | eax |
| Linux syscall x64 | rdi, rsi, rdx, r10, r8, r9 | rax |

| Instruction | Description |
|---|---|
| mov dst, src | Copy src to dst |
| lea dst, [addr] | Load effective address |
| push/pop | Stack operations |
| call/ret | Function call/return |
| jmp/je/jne/jl/jg | Jumps (unconditional/conditional) |
| cmp a, b | Compare (sets flags) |
| test a, b | Bitwise AND (sets flags) |
| xor a, a | Zero register |
| nop | No operation |
| syscall/int 0x80 | System call |

| Offset | Field | Size (bytes) | Description |
|---|---|---|---|
| 0x00 | e_ident | 16 | Magic: 7F 45 4C 46 (ELF) |
| 0x10 | e_type | 2 | 1=REL, 2=EXEC, 3=DYN |
| 0x12 | e_machine | 2 | 3=x86, 0x3E=x64 |
| 0x18 | e_entry | 8 | Entry point address |
| 0x20 | e_phoff | 8 | Program header offset |
| 0x28 | e_shoff | 8 | Section header offset |

| Section | Description |
|---|---|
| .text | Executable code |
| .data | Initialized data |
| .bss | Uninitialized data |
| .rodata | Read-only data (strings) |
| .plt/.got | Dynamic linking |
| .symtab | Symbol table |
| .strtab | String table |

| Protection | Check | Description |
|---|---|---|
| NX/DEP | readelf -l binary \| grep GNU_STACK | Non-executable stack |
| CANARY | checksec binary | Stack canary protection |
| PIE | file binary | Position Independent Executable |
| RELRO | checksec binary | Relocation Read-Only |
| ASLR | cat /proc/sys/kernel/randomize_va_space | Address Space Layout Randomization |

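
The ELF header fields from the ELF table and the GNU_STACK check from the protections table, worked as one added Python example (not code from the original cheat sheet): it reads e_ident, e_type, e_machine, e_entry, e_phoff and e_shoff at the offsets listed in the table, then walks the program headers (the segments that readelf -l prints) looking for the GNU_STACK entry to decide whether the stack is NX, and reports e_type DYN as PIE the way file(1) does. The 120-byte sample blob is constructed inline and is not a real binary; PT_GNU_STACK and PF_X are standard ELF constants that do not appear on the page.

```python
import struct
import sys

# Value maps from the cheat-sheet table, plus the two standard ELF constants the
# GNU_STACK check needs (PT_GNU_STACK / PF_X are not values from the page).
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN"}
E_MACHINE = {3: "x86", 0x3E: "x64"}
PT_GNU_STACK = 0x6474E551
PF_X = 0x1

# Constructed sample: a 64-byte ELF64 header followed by one program header that
# describes a read/write, non-executable GNU_STACK. Not taken from any real binary.
SAMPLE_ELF64 = (
    b"\x7fELF"                      # e_ident[0:4]: magic 7F 45 4C 46
    + b"\x02\x01\x01\x00"           # EI_CLASS=64-bit, EI_DATA=little-endian, EI_VERSION, EI_OSABI
    + b"\x00" * 8                   # EI_ABIVERSION + padding (e_ident is 16 bytes in total)
    + struct.pack("<HHIQQQIHHHHHH",
                  3,                # e_type: 3 = DYN (what file(1) reports as a PIE executable)
                  0x3E,             # e_machine: 0x3E = x86-64
                  1,                # e_version
                  0x1040,           # e_entry
                  64,               # e_phoff: program headers start right after this header
                  0,                # e_shoff: this sample carries no section headers
                  0,                # e_flags
                  64, 56, 1,        # e_ehsize, e_phentsize, e_phnum
                  64, 0, 0)         # e_shentsize, e_shnum, e_shstrndx
    + struct.pack("<IIQQQQQQ",
                  PT_GNU_STACK,     # p_type
                  0x6,              # p_flags: PF_R | PF_W without PF_X -> NX stack
                  0, 0, 0, 0, 0,    # p_offset, p_vaddr, p_paddr, p_filesz, p_memsz
                  16)               # p_align
)


def parse_elf64_header(data):
    """Decode the fields from the ELF table, plus the program-header bookkeeping
    fields needed to walk segments. Raises ValueError for non-ELF or 32-bit input."""
    if len(data) < 64:
        raise ValueError("need at least 64 bytes for an ELF64 header")
    if data[:4] != b"\x7fELF":
        raise ValueError("bad magic: not an ELF file")
    if data[4] != 2:
        raise ValueError("EI_CLASS is not 64-bit; the 0x18/0x20/0x28 offsets only hold for ELF64")
    endian = "<" if data[5] == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 0x10)
    e_entry, e_phoff, e_shoff = struct.unpack_from(endian + "QQQ", data, 0x18)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    return {
        "endian": endian,
        "e_type": E_TYPE.get(e_type, hex(e_type)),
        "e_machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "e_entry": e_entry,
        "e_phoff": e_phoff,
        "e_shoff": e_shoff,
        "e_phentsize": e_phentsize,
        "e_phnum": e_phnum,
    }


def gnu_stack_executable(data, hdr):
    """Return True/False for the execute bit of the GNU_STACK segment, or None when
    the binary has no GNU_STACK entry (then the kernel default applies, so report
    it rather than assume NX)."""
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * hdr["e_phentsize"]
        p_type, p_flags = struct.unpack_from(hdr["endian"] + "II", data, off)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def summarize(data):
    """The triage view an analyst wants first: type, arch, entry, PIE and NX."""
    hdr = parse_elf64_header(data)
    exec_stack = gnu_stack_executable(data, hdr)
    return {
        "type": hdr["e_type"],
        "machine": hdr["e_machine"],
        "entry": hdr["e_entry"],
        "pie": hdr["e_type"] == "DYN",   # ET_DYN executables are PIE; shared libraries are ET_DYN too
        "nx_stack": None if exec_stack is None else not exec_stack,
    }


if __name__ == "__main__":
    # Pass a file path to inspect a real binary; otherwise the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ELF64
    for name, value in summarize(blob).items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{name:9} {shown}")
```

Comparing the output against readelf -h and readelf -l on the same file is a quick way to confirm the offsets; a 32-bit ELF is rejected on purpose because its e_entry/e_phoff/e_shoff are 4 bytes each and sit at different offsets.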
| Pattern | Example |
|---|---|
| XOR single byte | for(i=0;i<len;i++) s[i]^=key; |
| XOR key array | s[i]^=key[i%keylen]; |
| ROT/Caesar | s[i]=(s[i]-'a'+n)%26+'a'; |
| Base64 + XOR | Decode base64 first, then XOR |
| Stack strings | mov [rbp-8], 0x6c6c6548 |
| Anti-debug | ptrace(PTRACE_TRACEME) |
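
Decoders for the string-obfuscation patterns in the table above, as an added Python example that is not part of the original cheat sheet. Each function mirrors one row (single-byte XOR, repeating-key XOR, ROT/Caesar over lowercase letters, base64 followed by XOR, and rebuilding a stack string from the immediates written to the stack); brute_force_single_xor is an added helper that tries all 256 keys and keeps the ones yielding printable output, the usual first step when the key is not known. All sample byte strings are constructed here; 0x6c6c6548 is the immediate from the table.

```python
import base64

# Constructed samples (not from any real binary): "Hello" XORed with 0x5A, "flag" XORed
# with the repeating key 01 02, "hello" rotated by 13, the first sample base64-encoded,
# and the stack-string immediates for "Hello" (0x6c6c6548 is the value from the table).
SAMPLE_XOR_SINGLE = b"\x12\x3f\x36\x36\x35"
SAMPLE_XOR_ARRAY = b"gn`e"
SAMPLE_ROT = "uryyb"
SAMPLE_B64_XOR = "Ej82NjU="
SAMPLE_STACK_IMMEDIATES = [0x6c6c6548, 0x0000006f]


def xor_single(data, key):
    """Row 'XOR single byte': for(i=0;i<len;i++) s[i]^=key;  XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def xor_key_array(data, key):
    """Row 'XOR key array': s[i]^=key[i%keylen];  the key repeats over the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rot_lower(text, n):
    """Row 'ROT/Caesar': s[i]=(s[i]-'a'+n)%26+'a';  only lowercase letters move,
    exactly as the table's one-liner does; everything else passes through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def base64_then_xor(encoded, key):
    """Row 'Base64 + XOR': decode base64 first, then XOR the result."""
    return xor_single(base64.b64decode(encoded), key)


def stack_string(immediates, width=4):
    """Row 'Stack strings': mov [rbp-8], 0x6c6c6548 stores the bytes 48 65 6c 6c ("Hell")
    because x86 is little-endian. Join the immediates in stack order and stop at the NUL."""
    raw = b"".join(imm.to_bytes(width, "little") for imm in immediates)
    return raw.split(b"\x00", 1)[0]


def brute_force_single_xor(data):
    """Added helper: try every single-byte key and keep those whose output is entirely
    printable ASCII. The real key is among the hits; the analyst picks the readable one."""
    hits = {}
    for key in range(256):
        out = xor_single(data, key)
        if all(0x20 <= b < 0x7F for b in out):
            hits[key] = out
    return hits


if __name__ == "__main__":
    print(xor_single(SAMPLE_XOR_SINGLE, 0x5A))           # b'Hello'
    print(xor_key_array(SAMPLE_XOR_ARRAY, b"\x01\x02"))  # b'flag'
    print(rot_lower(SAMPLE_ROT, 13))                     # hello
    print(base64_then_xor(SAMPLE_B64_XOR, 0x5A))         # b'Hello'
    print(stack_string(SAMPLE_STACK_IMMEDIATES))         # b'Hello'
    for key, text in brute_force_single_xor(SAMPLE_XOR_SINGLE).items():
        print(f"key {key:#04x}: {text}")
```

In practice the input bytes come from .rodata (xxd or the disassembly), and the stack-string immediates from consecutive mov instructions in the function prologue; because XOR is symmetric, the same functions serve to re-encode a string when checking a hypothesis about the key.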

| Task | Command |
|---|---|
| Unpack APK | apktool d app.apk |
| Repack APK | apktool b folder -o new.apk |
| Sign APK | jarsigner -keystore key.jks new.apk alias |
| Decompile | jadx -d out app.apk |
| Convert DEX | d2j-dex2jar app.apk |
| View manifest | aapt dump badging app.apk |

| Type | Smali |
|---|---|
| void | V |
| int | I |
| boolean | Z |
| String | Ljava/lang/String; |
| array | [I (int[]), [Ljava/lang/String; |
| method call | invoke-virtual {p0}, Lclass;->method()V |

| Command | Description |
|---|---|
| gdb ./binary | Start GDB |
| r / run | Run program |
| b *0x401234 | Set breakpoint |
| b main | Break at function |
| c / continue | Continue execution |
| ni / si | Next/step instruction |
| x/20x $rsp | Examine memory |
| x/s 0x402000 | Print string |
| info registers | Show registers |
| disas main | Disassemble function |
| set $rax=0 | Modify register |
| vmmap | Memory map (pwndbg) |

| Task | Command |
|---|---|
| File type | file binary |
| Strings | strings binary \| grep -i flag |
| Security | checksec binary |
| Symbols | nm binary |
| Dynamic libs | ldd binary |
| Headers | readelf -h binary |
| Sections | readelf -S binary |
| Hex dump | xxd binary \| head |
| Disassemble | objdump -d binary |
| Trace syscalls | strace ./binary |
| Library calls | ltrace ./binary |