Hacking/Shellcode/Alphanumeric/x64 printable opcodes

From Skypher



Below is a list of all printable ASCII characters and the instructions they encode on the x64 platform. The alphanumeric characters (0-9A-Za-z), the only ones usable in purely alphanumeric shellcode, are a subset of these (marked with a yellow background in the original table). The legend below the table explains the abbreviations used. It is based on what I found using WinDbg and the AMD64 Programmer's Manual while creating an alphanumeric shellcode decoder for ALPHA3.

Table

Opcode Char Instruction
20 (space) AND [m8],r8
21 ! AND [m16/32/64],r16/32/64 *1
22 " AND r8,[m8]
23 # AND r16/32/64,[m16/32/64] *1
24 $ AND AL,i8
25 % AND AX/EAX/RAX,i16/32/64 *2

26 & ES: PREFIX

27 ' Invalid

28 ( SUB [m8],r8
29 ) SUB [m16/32/64],r16/32/64 *1
2A * SUB r8,[m8]
2B + SUB r16/32/64,[m16/32/64] *1
2C , SUB AL,i8
2D - SUB AX/EAX/RAX,i16/32/64 *2

2E . CS: PREFIX

2F / Invalid

30 0 XOR [m8],r8
31 1 XOR [m16/32/64],r16/32/64 *1
32 2 XOR r8,[m8]
33 3 XOR r16/32/64,[m16/32/64] *1
34 4 XOR AL,i8
35 5 XOR AX/EAX/RAX,i16/32/64 *2

36 6 SS: PREFIX

37 7 Invalid

38 8 CMP [m8],r8
39 9 CMP [m16/32/64],r16/32/64 *1
3A : CMP r8,[m8]
3B ; CMP r16/32/64,[m16/32/64] *1
3C < CMP AL,i8
3D = CMP AX/EAX/RAX,i16/32/64 *2

3E > DS: PREFIX

3F ? Invalid

40 @ REX:....
41 A REX:...B
42 B REX:..X.
43 C REX:..XB
44 D REX:.R..
45 E REX:.R.B
46 F REX:.RX.
47 G REX:.RXB
48 H REX:W...
49 I REX:W..B
4A J REX:W.X.
4B K REX:W.XB
4C L REX:WR..
4D M REX:WR.B
4E N REX:WRX.
4F O REX:WRXB

50 P PUSH AX/RAX/R8 *3
51 Q PUSH CX/RCX/R9 *3
52 R PUSH DX/RDX/R10 *3
53 S PUSH BX/RBX/R11 *3
54 T PUSH SP/RSP/R12 *3
55 U PUSH BP/RBP/R13 *3
56 V PUSH SI/RSI/R14 *3
57 W PUSH DI/RDI/R15 *3

58 X POP AX/RAX/R8 *3
59 Y POP CX/RCX/R9 *3
5A Z POP DX/RDX/R10 *3
5B [ POP BX/RBX/R11 *3
5C \ POP SP/RSP/R12 *3
5D ] POP BP/RBP/R13 *3
5E ^ POP SI/RSI/R14 *3
5F _ POP DI/RDI/R15 *3

60 ` Invalid
61 a Invalid
62 b Invalid

63 c MOVSXD r64,[m32] (Zero extend)
66 63 fc MOVSXD r64,[m16] (Zero extend)
48 63 Hc MOVSXD r64,[m32] (Sign extend)

64 d FS: PREFIX
65 e GS: PREFIX

66 f OPERAND SIZE OVERRIDE
67 g ADDRESS SIZE OVERRIDE

68 h PUSH i32 (Sign extend to i64) *4
66 68 fh PUSH i16 *4

69 i IMUL r32, [m32], i32
66 69 fi IMUL r16, [m16], i16 (i16 not i32)
48 69 Hi IMUL r64, [m64], i32

6A j PUSH i8

6B k IMUL r32, [m32], i8
66 6B fk IMUL r16, [m16], i8
48 6B Hk IMUL r64, [m64], i8

6C l INSB
6D m INSW/INSD/INSQ *5
6E n OUTSB
6F o OUTSW/OUTSD/OUTSQ *5

70 p JO o8
71 q JNO o8
72 r JB o8
73 s JAE o8
74 t JE o8
75 u JNE o8
76 v JBE o8
77 w JA o8
78 x JS o8
79 y JNS o8
7A z JP o8
7B { JPO o8
7C | JL o8
7D } JGE o8
7E ~ JLE o8

Legend

r8/16/32/64: Any 8-, 16-, 32- or 64-bit register, except R8-R15. Please note that r8 refers to ANY 8-bit register, while R8 refers to the first extra register available on x64.
m8/16/32/64: An 8-, 16-, 32- or 64-bit value at the given memory location (see x64 printable operands for more details about which operands can be used to form the address).
i8/16/32/64: An 8-, 16-, 32- or 64-bit immediate value encoded into the instruction.
o8: An 8-bit immediate value containing the offset from the address of the end of the instruction to the address of the jump target.
*1 - See 16-, 32- or 64-bit register/memory values.
*2 - See 16-, 32- or 64-bit *AX/immediate values.
*3 - See PUSH/POP Register.
*4 - See PUSH immediate.
*5 - See INS/OUTS.

Notes

16-, 32- or 64-bit register/memory values

  • The AND/SUB/XOR/CMP instructions with operands [m16/32/64] and r16/32/64 use 32-bit registers and memory values by default.
  • Operand size can be set to 64-bit using the REX:W prefixes (48-4F, 'H'-'O').
  • Operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE prefix (66, 'f').
  • See x64 printable operands for more details about which operands can be used.

16-, 32- or 64-bit *AX/immediate values

  • The AND/SUB/XOR/CMP instructions with operands AX/EAX/RAX and i16/32/64 use 32-bit registers and immediate values by default.
  • Operand size can be set to 64-bit using the REX:W prefixes (48-4F, 'H'-'O').
  • Operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE prefix (66, 'f').
  • Use of the R8-R15 registers is not possible.

PUSH/POP Register

  • The PUSH r16/r64 and POP r16/r64 instructions (50-5F) use 64-bit registers by default.
  • Operand size cannot be set to 32-bit.
  • Operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE (66, 'f') prefix.
  • All values are pushed without any extending.
  • Pushing a register decreases ESP by 8 or 2 for 64-bit and 16-bit registers respectively.
  • Use of the R8-R15 registers is possible using the REX:B prefixes (41,43,45,..., 'A','C','E',...).

PUSH immediate

  • The PUSH i16/i32 instruction (68) uses 32-bit immediate values by default.
  • Operand size cannot be set to 64-bit.
  • Operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE (66, 'f') prefix.
  • 32-bit values are sign-extended to 64-bit before being pushed, 16-bit values are pushed without any extending.
  • Pushing a value decreases ESP by 8 or 2 for 64-bit and 16-bit values respectively.

INS/OUTS

  • The INS/OUTS instructions use the 16-bit DX register for the port number and a 32-bit memory value at EDI (INS) or ESI (OUTS) by default.
  • The memory value operand size can be set to 64-bit using the REX:W prefixes (48-4F, 'H'-'O').
  • The memory value operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE prefix (66, 'f').
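
To show how the prefix rows (40-4F, 66), the PUSH/POP register rows, PUSH immediate and the Jcc o8 rows above combine in an actual byte stream, here is a small decoder for that subset of the table. It is an added example, not code from the original page or from ALPHA3; the register-name tables, the `decode_rex`/`decode` function names and the sample input in the docstrings are my own choices, and the ALU group (20-3D) is deliberately left undecoded.

```python
from typing import Dict, List, Tuple

# Register names indexed by the 4-bit register number (REX.B supplies bit 3).
REGS64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"] + [f"R{i}" for i in range(8, 16)]
REGS16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"] + [f"R{i}W" for i in range(8, 16)]
# Conditional jumps 70-7E ('p'-'~'); 7F (JG) is DEL and therefore not printable.
JCC = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA", "JS", "JNS", "JP", "JPO", "JL", "JGE", "JLE"]

def is_alphanumeric(code: bytes) -> bool:
    """True if every byte is in 0-9A-Za-z (the subset the table highlights)."""
    return all(b < 0x80 and chr(b).isalnum() for b in code)

def decode_rex(b: int) -> Dict[str, int]:
    """Split a REX byte 40-4F ('@'-'O') into its W/R/X/B bits, as in the table."""
    if not 0x40 <= b <= 0x4F:
        raise ValueError(f"{b:#04x} is not a REX prefix")
    return {"W": (b >> 3) & 1, "R": (b >> 2) & 1, "X": (b >> 1) & 1, "B": b & 1}

def decode(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Decode the prefix/PUSH/POP/Jcc subset, e.g. b"PAYfPjAhABCDtR" (constructed sample)."""
    out, i = [], 0
    while i < len(code):
        start, rex, opsize16 = i, {"W": 0, "R": 0, "X": 0, "B": 0}, False
        while i < len(code) and code[i] == 0x66:       # 'f': operand size override
            opsize16, i = True, i + 1
        if i < len(code) and 0x40 <= code[i] <= 0x4F:  # REX must directly precede the opcode
            rex, i = decode_rex(code[i]), i + 1
        if i >= len(code):
            break
        op = code[i]
        i += 1
        if 0x50 <= op <= 0x5F:                          # PUSH/POP reg, REX.B selects R8-R15
            reg = (op & 7) | (rex["B"] << 3)
            name = (REGS16 if opsize16 else REGS64)[reg]
            out.append((base + start, ("PUSH " if op < 0x58 else "POP ") + name))
        elif op in (0x6A, 0x68) or 0x70 <= op <= 0x7E:  # 'j' PUSH i8, 'h' PUSH i16/i32, Jcc o8
            width = 4 if op == 0x68 and not opsize16 else 2 if op == 0x68 else 1
            if i + width > len(code):                   # truncated immediate: stop decoding
                break
            imm = int.from_bytes(code[i:i + width], "little", signed=True)
            i += width                                  # i8/i32 are sign-extended when pushed
            if op >= 0x70:                              # o8 is relative to the end of the jump
                out.append((base + start, f"{JCC[op - 0x70]} {base + i + imm:#x}"))
            else:
                out.append((base + start, f"PUSH {imm:#x}"))
        else:                                           # ALU group etc. not handled here
            out.append((base + start, f"unsupported opcode {op:#04x}"))
            break
    return out
```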
