| Instruction | Parameters | Usage |
|---|---|---|
mov |
destination, source |
Move data from the source to the destination |
| MOV RAX, 0x1234 ; Move hex value to RAX register | ||
| MOV RBX, RAX ; Move value in RAX to RBX register | ||
add |
destination, source |
Add the source to the destination |
| Example: ADD RAX, 0x20 ; Add hex value to RAX register | ||
sub |
destination, source |
Subtract the source from the destination |
Example: sub eax, ebx subtracts the value of the ebx register from the value of the eax register. |
||
cmp |
operand1, operand2 |
Compare the two operands and set the appropriate flags |
Example: cmp eax, 0x1 compares the value of the eax register to the value 0x1. |
||
jmp |
label or address |
Jump to the specified label or address |
Example: jmp 0x401000 jumps to the address 0x401000. |
||
jz |
label or address |
Jump to the specified label or address if the zero flag is set |
Example: jz end_loop jumps to the label end_loop if the zero flag is set. |
||
call |
function_address |
Call the specified function at the given address |
Example: call 0x401000 calls the function located at address 0x401000. |
||
ret |
None | Return from a function |
Example: ret returns from the current function. |
-
The first 6 integer parameters are passed in order from left to right, and are stored in registers RDI, RSI, RDX, RCX, R8, and R9.
-
Floating-point parameters are passed in order from left to right and are stored in registers XMM0 through XMM7.
-
If there are more than 6 integer parameters, the extra parameters are passed on the stack in reverse order from right to left.
-
If there are more than 8 floating-point parameters, the extra parameters are passed on the stack in reverse order from right to left.
-
For struct or object parameters, their pointers are passed as parameters, i.e., the address of the struct or object is passed as an integer parameter.
-
The return value is usually stored in the RAX register. If the return value is a floating-point value, it is stored in the XMM0 register. If the return value is large, a pointer to the storage space is passed to return the value.
Note that these rules only apply to functions generated by compilers and linkers that comply with the x86-64 ABI (Application Binary Interface) standard. For functions that do not comply with the standard, the parameter passing order may be different.
- The system function uses the stack to pass parameters as the number and types of parameters are not fixed.
- The system function pushes all parameters into the stack from right to left and then calls the system call to pass them to the kernel.
- In Linux, the system function executes commands through the execve system call, where the first parameter is the path of the program to be executed, and the other parameters are the command line arguments to be passed to the program.
- When the system function calls the execve system call, it passes the parameters in the stack as command line arguments to the program to be executed.
- The system function does not prioritize the use of floating-point or integer parameters. Instead, it reads parameters in the order they appear on the stack until all parameters are read.
- Therefore, when the system function is called, it does not consider the type of parameters. It reads parameters in the order they appear on the stack, and then passes them as command line arguments to the program to be executed.
-pop rdi; ret is an x86-64 assembly instruction sequence that pops the next value from the stack and stores it in the RDI register, then jumps to the next address on the stack to execute. -This instruction sequence is very useful in Return Oriented Programming (ROP) attacks because it allows an attacker to control the value of the RDI register, thereby passing their own data as parameters to a function. -In a ROP attack, the attacker constructs a sequence of instructions, called a ROP chain, by exploiting vulnerabilities in the program to redirect the program's execution flow to the ROP chain. -Since the stack grows from high to low addresses, the attacker can place the ROP chain at the end of the stack and use instruction sequences such as pop rdi; ret to pop parameters from the stack and pass them to functions. -After pop rdi; ret is executed, the program will jump to the next address on the stack and continue executing, allowing the attacker to control the program's execution flow and execute any code they wish. -It is important to note that ROP attacks are a highly advanced attack technique that requires a deep understanding of program internals and assembly language to implement. In practice, using ROP attacks requires mastery of multiple techniques and tools, as well as in-depth analysis and understanding of the target program. Therefore, it is not recommended to attempt ROP attacks without authorization, unless you are a security expert or conducting security-related research.
If pop rdi; ret is followed by bin/cat flag.txt, then when pop rdi; ret is executed, bin/cat flag.txt will be popped off the stack and stored in the RDI register. Next, the program will jump to the ret instruction to continue execution, and then return to the location where the system function was called. At this point, the RDI register stores the address of the bin/cat flag.txt string, and the system function will pass this string to a shell process as a command line argument, thus executing the cat flag.txt command and outputting the contents of the flag.txt file.
Note that in an actual ROP attack, the attacker needs to ensure that the address of the bin/cat flag.txt string is correctly placed in the proper location in the ROP chain so that it can be properly popped into the RDI register. In addition, the impact of protection mechanisms such as Address Space Layout Randomization (ASLR) on ROP attacks needs to be taken into account, and a series of techniques are needed to bypass these protection mechanisms in order to successfully execute ROP attacks.
Why does the system function execute the value in the RDI instead of the value in the XMM0 register?
Under the x86-64 architecture, function calls are passed through registers for integer-type arguments and XMM registers for floating-point arguments. Since the argument type of the system function is a string type (i.e., an array of characters), it should use integer-type registers to pass the arguments. Under Linux x86-64, the first argument of the system function should be passed through the RDI register. Therefore, the function of pop rdi; ret is to set the value in the RDI register to the address of the next ROP chain element, thus enabling parameter passing. Since the system function takes only one argument, there is no need to pass floating-point arguments using the XMM register
Under the x86-64 architecture, function calls are passed through registers for integer-type parameters and XMM registers for floating-point parameters. This is because integer arguments are passed faster than floating-point arguments. The passing of floating-point parameters requires the use of XMM registers, and the number of XMM registers is limited, so if too many XMM registers are used to pass integer-type parameters, it will lead to the problem of insufficient register allocation. Therefore, parameters of string type are usually converted to pointers of integer type and then passed through integer type registers. Under Linux x86-64, the first argument of a function is usually passed through the RDI register, so arguments of string type are then converted to pointers to strings and passed through the RDI register.