Hacking/Shellcode/Alphanumeric/x64 printable operands

From Skypher

▼Main Page ├─▷Programming └─▼Hacking   ├─▼Shellcode   │ ├─▷Bind   │ ├─○Restricted instruction set   │ ├─▼Alphanumeric   │ │ ├─○ALPHA2   │ │ ├─▷ALPHA3   │ │ ├─○IMUL 0x30 encoding   │ │ ├─○x86 printable opcodes   │ │ ├─○x86 printable operands   │ │ ├─○x64 printable opcodes   │ │ └─●x64 printable operands   │ ├─▷ASCII Art   │ ├─○kernel32   │ ├─○GetPC   │ └─▷Egg hunt   ├─▷Windows internals   ├─○Vulnerabilities   ├─○Heap spraying   └─○List of security teams contact information

Contents 1 Operand types 1.1 REX 1.2 ModRM 1.3 SIB 1.4 r8/16/32/64 1.5 [m16/32/64] 1.6 i16/32/64 1.7 REX

---

^{[todo:This is a work in progress, please ignore anything you see here unless it is accidentally correct.]}

The AND (21, 23), SUB (29, 2B), XOR (31, 33), CMP (39, 3B), MOVSX (63) and IMUL (69, 6B) instructions can use a wide range of operands through their ModRM and SIB bytes. In addition to this, the OPERAND SIZE OVERRIDE (OSO) prefix (66) and REX prefixes can be used to specify different operand sizes and use the r8-r15 registers. I've created this list ot help clarify what can and what cannot be done using only those bytes that are printable or alphanumeric in the ASCII character set.

The AND (21, 23), SUB (29, 2B), XOR (31, 33) and CMP (39, 3B) instructions have two forms: [m], r and r, [m]. The ModRM and SIB bytes are exactly the same for both forms and the effect of the OSO and REX prefixes is also the same. This page only describes the operands in the r, [m] form, but everything applies to the [m], r form exactly the same.

Operand types

REX

Bits:	7	6	5	4	3	2	1	0
	0100 (4)				W	R	X	B

ModRM

Bits:	7	6	5	4	3	2	1	0
	mod		reg			r/m

SIB

Bits:	7	6	5	4	3	2	1	0
	scale		index			base

r8/16/32/64

A register of the specified size:

r8	al, ah, bl, bh, cl, ch, dl, dh, spl, bpl, sil, dil, r8b, r9b, r10b, r11b, r12b, r13b, r14b, r15b
r16	ax, bx, cx, dx, sp, bp, si, di, r8w, r9w, r10w, r11w, r12w, r13w, r14w, r15w
r32	eax, ebx, ecx, edx, esp, ebp, esi, edi, r8d, r9d, r10d, r11d, r12d, r13d, r14d, r15d
r64	rax, rbx, rcx, rdx, rsp, rbp, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15

[m16/32/64]

An address takes one of the following forms:

Address form	ModRM	SID	OSO	REX
[i32]

i16/32/64

REX

REX prefixes use 3 bits to change the registers using in the r and m operand