register
| eax | Accumulator | accumulator |
|---|---|---|
| ebx | Base register | base register |
| ecx | Counter register | Counter register |
| edx | Data register - can be used for I/O port access and arithmetic functions |
Data registers - available for I/O port access and arithmetic functions |
| esi | Source index register | source index register |
| edi | Destination index register | target index register |
| ebp | Base pointer register | base pointer register |
| esp | Stack pointer | stack pointer |
All integer registers are 32 bits. However, so many of them have 16-bit or 8-bit subregisters
| register | sub-register | location description |
|---|---|---|
| eax | ax | Low 16 bits |
| ah | High 16 bits | |
| al | Lower 8 bits | |
| ebx | bx | Low 16 bits |
| bh | High 16 bits | |
| bl | Lower 8 bits | |
| ecx | cx | Low 16 bits |
| ch | High 16 bits | |
| cl | Lower 8 bits | |
| edx | dx | Low 16 bits |
| dh | High 16 bits | |
| dl | Lower 8 bits | |
| esi | and | Low 16 bits |
| edi | Of | Low 16 bits |
| ebp | bp | Low 16 bits |
| esp | sp | Low 16 bits |
Note: When using "?" (Evaluate Expression) in WinDbg to view sub-registers, the "@" symbol must be added before the sub-register, such as ? @ax instead of ? ax. But when using the "r" (Registers) command, the "@" symbol is not required
| eip | Instruction pointer | Instruction pointer, the address of the instruction being executed |
|---|---|---|
| flags | flags | Flag bit |
calling convention
The x86 architecture has several different calling conventions. But all follow the same register retention and function return rules:
- The function must retain all registers except eax, ecx and edx (can be changed within the function call), esp (must be updated according to the calling convention)
- If the result is 32 bits or less, the eax register is the return value. If the result is 64-bit, the result is stored in edx:eax.
Calling conventions used on x86 architecture:
- Win32 (__stdcall)
function arguments are passed on the stack, pushed from right to left, and the callee clears the stack. - Native C++ method calls (also called thiscall)
function parameters are passed on the stack, pushed from right to left, the "this" pointer is passed in the ecx register, and the callee clears the stack. - COM (__stdcall for c++)
- __fastcall
The first two DWORD or smaller parameters are passed in the ecx and edx registers, the remaining parameters are uploaded on the stack, pushed from right to left. The callee clears the stack. - __cdecl
function parameters are passed on the stack, pushed from right to left, and the callee clears the stack. The __cdecl calling convention is used for all functions with variable length arguments.
x86 flag
(Picture quoted from: https://blog.csdn.net/weixin_46013401/article/details/111823010)
| flag code |
Logo name | value | Status and Description | other |
|---|---|---|---|---|
| OF | Overflow Flag overflow flag |
0 1 |
nv-No overflow (no overflow) ov-Overflow (overflow) |
signed number |
| DF | Direction Flag direction sign |
0 1 |
up-Direction up (increase, low to high) dn-Direction down (decrease, high to low) |
Only used in string processing instructions to control the change direction of SI and DI. CLD instruction: Set DF to 0. STD instruction: Set DF to 1. |
| IF | Interrupt Flag interrupt flag |
0 1 |
di-Interrupts disabled (disable interrupts) ei-Interrupts-enabled (enable interrupts) |
STI指令:将IF设置为1 CLI指令:将IF设置为0 |
| SF | Sign Flag 符号标志 |
0 1 |
pl-Positive(or zero)正或零 ng-Negative(负数) |
结果为负数,则SF=1 结果为非负,则SF=0 |
| ZF | Zero Flag 零标志 |
0 1 |
nz-Nonzero(非零) zr-Zero(零) |
结果为零,则ZF=1 结果为非零,则ZF=0 |
| AF | Auxiliary Carry Flag 辅助进位标志 |
0 1 |
na-No auxiliary carry(无辅助进位) ac-Auxiliary carry(辅助进位) |
反映加减运算时最低半字节有无进位或者借位 最低半字节有进位或借位时,AF=1, 否则AF=0。 |
| PF | Parity Flag 奇偶标志 |
0 1 |
pe-Parity even(奇) po-Parity odd(偶) |
所有bit位中的1的个数是否为偶数 偶数:则PF=1,奇数:则PF=0 |
| CF | Carry Flag 进位标志 |
0 1 |
nc-No carry(无进位) cy-Carry(有进位) |
无符号数 有进位或借位时CF=1,否则为0 |
| TF | Trap Flag 跟踪标志 |
0 1 |
0-正常状态 1-单步状态 |
是否允许单步中断 |
| iopl | I/O Privilege Level |
00~11 | 操作系统用来控制对硬件的访问 |
用"r"命令查看或更改标志位的值
条件Conditions
条件描述一个或多个标志的状态。
汇编程序使用一个或两个字母缩写来表示条件。
| 条件名称 | 标志 | 说明 |
|---|---|---|
| Z | ZF=1 | 最后一个操作的结果为零 |
| NZ | ZF=0 | 最后一个操作的结果不为零 |
| C | CF=1 | 最后一个操作进位或借位(对于无符号整数,表示溢出) |
| NC | CF=0 | 最后一个操作不需进位或借位 |
| S | SF=1 | 最后一个操作具有高位集 |
| NS | SF=0 | 最后一个操作没有高位集 |
| O | OF=1 | 当视为有符号整数运算时,最后一个运算导致溢出 |
| NO | OF=0 | 当视为有符号整数运算时,最后一个运算没有溢出 |
条件还可以用于比较两个值。cmp指令比较其两个操作数,然后设置标志,类似从一个操作数减去一个操作数。
| 条件名称 | 标志 | CMP操作后的含义 |
|---|---|---|
| E | ZF=1 | value1 == value2 |
| NE | ZF=0 | value1 != value2 |
| GE、NL | SF=OF | value1 >= value2(有符号整数) |
| LE、NG | ZF=1 or SF!=OF | value1 <= value2(有符号整数) |
| G、NLE | ZF=0 and SF=OF | value1 > value2 (有符号整数) |
| L、NGE | SF!=OF | value1<value2(有符号整数) |
| AE、NB | CF=0 | value1 >= value2 (无符号整数) |
| BE、NA | CF=1 or ZF =1 | value1 <= value2(无符号整数) |
| A、NBE | CF=0 and ZF=0 | value1 > value2 (无符号整数) |
| B、NAE | CF=1 | value1 < value2 (无符号整数) |
条件通常用于处理cmp 或 test 指令的结果。
数据类型
- byte:8 bits
- word:16 bits
- dword:32 bits
- qword:64 bits(包括浮点双精度)
- twod: 80 bits (including floating-point extended double precision)
- oword:128 bits
symbol
| Notation | meaning |
|---|---|
| r,r1,r2… | register |
| m | memory address |
| #n | Immediate constant |
| r/m | Register or memory address |
| r/#n | Register or immediate constant |
| r/m/#n | Register/memory address/immediate constant |
| cc | condition code |
| T | “B”,“W” or “D” (byte,word,dword) |
| accT | For an accumulator of T size , T=“B”, it is al ; T=“W”, it is ax ; T=“D”, it is eax |
Addressing mode
Addressing is in the form of T PTR [expr], where T is a certain data type and expr is some expression involving constants and registers.
The picture comes from the Internet.
Quote:
https://learn.microsoft.com/zh-cn/windows-hardware/drivers/debugger/x86-architecture
https://blog.csdn.net/weixin_46013401/article/details/111823010