Hacking/Shellcode/Alphanumeric/x86 printable opcodes

From Skypher


Below is a list of all printable ASCII characters (20-7E) and the instructions they encode on the x86 platform in 32-bit mode. This includes all alphanumeric characters (0-9, A-Z, a-z), i.e. the rows 30-39, 41-5A and 61-7A, which the original table highlights with a yellow background. The legend and notes below the table explain the abbreviations used. It is based on what I found using OllyDbg, WinDbg and the AMD64 Programmer's Manual while creating an alphanumeric shellcode decoder for ALPHA2 and ALPHA3. Note that several of these bytes decode differently in 64-bit mode (for example 40-4F become REX prefixes there); see x64 printable opcodes for that case.

Table

Opcode Char Instruction
20 AND [m8],r8
21 ! AND [m16/32],r16/32 *1
22 " AND r8,[m8]
23 # AND r16/32,[m16/32] *1
24 $ AND AL,i8
25 % AND AX/EAX,i16/32 *2

26 & ES: PREFIX

27 ' DAA

28 ( SUB [m8],r8
29 ) SUB [m16/32],r16/32 *1
2A * SUB r8,[m8]
2B + SUB r16/32,[m16/32] *1
2C , SUB AL,i8
2D - SUB AX/EAX,i16/32 *2

2E . CS: PREFIX

2F / DAS

30 0 XOR [m8],r8
31 1 XOR [m16/32],r16/32 *1
32 2 XOR r8,[m8]
33 3 XOR r16/32,[m16/32] *1
34 4 XOR AL,i8
35 5 XOR AX/EAX,i16/32 *2

36 6 SS: PREFIX

37 7 AAA

38 8 CMP [m8],r8
39 9 CMP [m16/32],r16/32 *1
3A : CMP r8,[m8]
3B ; CMP r16/32,[m16/32] *1
3C < CMP AL,i8
3D = CMP AX/EAX,i16/32 *2

3E > DS: PREFIX

3F ? AAS
40 @ INC AX/EAX *3
41 A INC CX/ECX *3
42 B INC DX/EDX *3
43 C INC BX/EBX *3
44 D INC SP/ESP *3
45 E INC BP/EBP *3
46 F INC SI/ESI *3
47 G INC DI/EDI *3

48 H DEC AX/EAX *3
49 I DEC CX/ECX *3
4A J DEC DX/EDX *3
4B K DEC BX/EBX *3
4C L DEC SP/ESP *3
4D M DEC BP/EBP *3
4E N DEC SI/ESI *3
4F O DEC DI/EDI *3

50 P PUSH AX/EAX *3
51 Q PUSH CX/ECX *3
52 R PUSH DX/EDX *3
53 S PUSH BX/EBX *3
54 T PUSH SP/ESP *3
55 U PUSH BP/EBP *3
56 V PUSH SI/ESI *3
57 W PUSH DI/EDI *3

58 X POP AX/EAX *3
59 Y POP CX/ECX *3
5A Z POP DX/EDX *3
5B [ POP BX/EBX *3
5C \ POP SP/ESP *3
5D ] POP BP/EBP *3
5E ^ POP SI/ESI *3
5F _ POP DI/EDI *3
60 ` PUSHAW/PUSHAD *4
61 a POPAW/POPAD *4

62 b BOUND ...
63 c ARPL ...

64 d FS: PREFIX
65 e GS: PREFIX

66 f OPERAND SIZE OVERRIDE
67 g ADDRESS SIZE OVERRIDE

68 h PUSH i32 *5
66 68 fh PUSH i16 *5

69 i IMUL r32, [m32], i32
66 69 fi IMUL r16, [m16], i16 (i16 not i32)

6A j PUSH i8 *5

6B k IMUL r32, [m32], i8
66 6B fk IMUL r16, [m16], i8

6C l INSB
6D m INSW/INSD *6
6E n OUTSB
6F o OUTSW/OUTSD *6

70 p JO o8
71 q JNO o8
72 r JB o8
73 s JAE o8
74 t JE o8
75 u JNE o8
76 v JBE o8
77 w JA o8
78 x JS o8
79 y JNS o8
7A z JP o8
7B { JPO o8
7C | JL o8
7D } JGE o8
7E ~ JLE o8

Legend

r8/16/32: Any 8-, 16- or 32-bit register, except r8-r15 (those only exist in 64-bit mode; see x64 printable opcodes).
m8/16/32: An 8-, 16- or 32-bit value at the given memory location (see x86 printable operands for more details about which operands can be used to form the address).
i8/16/32: An 8-, 16- or 32-bit immediate value encoded into the instruction.
o8: A signed 8-bit immediate value containing the offset from the address of the end of the instruction (i.e. the next instruction) to the address of the target instruction. Because a printable offset byte is in the range 20-7E, a printable conditional jump can only go forward, by 32 to 126 bytes.
*1 - See 16- or 32-bit register/memory values.
*2 - See 16- or 32-bit *AX/immediate values.
*3 - See INC/DEC/PUSH/POP Register.
*4 - See PUSHA/POPA.
*5 - See PUSH immediate.
*6 - See INS/OUTS.

Notes

16- or 32-bit register/memory values

  • The AND/SUB/XOR/CMP instructions with operands [m16/32] and r16/32 use 32-bit registers and memory values by default.
  • Operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE prefix (66, 'f').
  • See x86 printable operands for more details about which operands can be used.

16- or 32-bit *AX/immediate values

  • The AND/SUB/XOR/CMP instructions with operands AX/EAX and i16/32 use 32-bit registers and immediate values by default.
  • Operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE prefix (66, 'f').

INC/DEC/PUSH/POP Register

  • The INC/DEC/PUSH/POP instructions (40-5F) with operand r16/r32 use 32-bit registers by default.
  • Operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE (66, 'f') prefix.
  • Values are pushed as they are, without sign or zero extension.
  • Pushing a register decreases ESP by 4 or 2 for 32-bit and 16-bit registers respectively.

PUSHA/POPA

  • The PUSHA/POPA instructions (60, 61) use 32-bit registers by default.
  • Register size can be set to 16-bit using the OPERAND SIZE OVERRIDE (66, 'f') prefix.
  • Pushing the registers decreases ESP by 32 or 16 for 32-bit and 16-bit registers respectively.
  • Popping the registers discards the SP/ESP value popped off the stack and instead increases ESP by 32 or 16 for 32-bit and 16-bit registers respectively.

PUSH immediate

  • The PUSH i16/i32 instruction (68) uses 32-bit immediate values by default.
  • Operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE (66, 'f') prefix.
  • The PUSH i8 instruction (6A) sign-extends its 8-bit immediate to the operand size before pushing. Since a printable immediate is in the range 20-7E, the sign bit is never set and the value pushed is always 00000020-0000007E (or 0020-007E with the 66 prefix).
  • Pushing a value decreases ESP by 4 or 2 for 32-bit and 16-bit values respectively.
  • Note that a printable immediate can only consist of printable bytes, so 68 alone cannot push an arbitrary dword; arbitrary values have to be computed in a register first (e.g. with AND/SUB/XOR on EAX) and pushed with PUSH EAX (50, 'P').
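As an added worked example (not code from this page, nor from ALPHA2/ALPHA3), the following C program builds the printable-only equivalent of PUSH imm32 for an arbitrary dword using three entries from the table: 25 '%' AND EAX,i32 (used twice to clear EAX), 2D '-' SUB EAX,i32 (used three times) and 50 'P' PUSH EAX. The two AND masks "JMNU"/"521*", the byte-wise search for three printable SUB immediates with carry tracking, and the small interpreter that decodes the result exactly as the table lists those three opcodes are all the example's own choices; the masks are one valid pair with a zero AND, not a canonical one.

```c
/* printable_push.c - added example: "PUSH <any dword>" from printable bytes only,
 * using 25 AND EAX,i32 ; 2D SUB EAX,i32 ; 50 PUSH EAX from the table above. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define MIN_CH 0x20u   /* ' ' : first printable byte in the table */
#define MAX_CH 0x7Eu   /* '~' : last printable byte in the table  */
#define ENC_LEN 26     /* 2 ANDs + 3 SUBs (5 bytes each) + 1-byte PUSH */

static int is_printable(unsigned b) { return b >= MIN_CH && b <= MAX_CH; }

/* Two printable immediates with (A & B) == 0, so "AND EAX,A ; AND EAX,B" clears
 * EAX whatever it held. Little-endian bytes: "JMNU" and "521*" (example's choice). */
#define ZERO_MASK_A 0x554E4D4Au
#define ZERO_MASK_B 0x2A313235u

static void put32le(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get32le(const uint8_t *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Split 'neg' into three dwords of printable bytes with a + b + c == neg (mod 2^32).
 * Byte i of the sum depends on the carry out of byte i-1, so bytes are chosen low to
 * high while tracking that carry. Three bytes in 20..7E sum to 0x60..0x17A, which
 * covers every residue mod 256, so this always succeeds for the printable range; a
 * narrower charset (e.g. alphanumeric only) may not, hence the -1 return. */
static int split_sub3(uint32_t neg, uint32_t out[3])
{
    unsigned carry = 0;
    out[0] = out[1] = out[2] = 0;
    for (int i = 0; i < 4; i++) {
        unsigned want = (neg >> (8 * i)) & 0xFFu;
        unsigned r = (want - carry) & 0xFFu;   /* x + y + z must be == r (mod 256) */
        int found = 0;
        for (unsigned x = MIN_CH; x <= MAX_CH && !found; x++)
            for (unsigned y = MIN_CH; y <= MAX_CH && !found; y++) {
                unsigned z = (r - x - y) & 0xFFu;
                if (!is_printable(z)) continue;
                out[0] |= x << (8 * i);
                out[1] |= y << (8 * i);
                out[2] |= z << (8 * i);
                carry = (x + y + z + carry) >> 8;   /* carry into the next byte, 0 or 1 */
                found = 1;
            }
        if (!found) return -1;
    }
    return 0;
}

/* Emit printable code that leaves 'value' on the stack: returns ENC_LEN or -1. */
static int encode_push(uint32_t value, uint8_t *buf, size_t cap)
{
    uint32_t subs[3];
    size_t n = 0;
    if (cap < ENC_LEN || split_sub3((uint32_t)(0u - value), subs) != 0) return -1;
    buf[n++] = 0x25; put32le(buf + n, ZERO_MASK_A); n += 4;     /* AND EAX,"JMNU" */
    buf[n++] = 0x25; put32le(buf + n, ZERO_MASK_B); n += 4;     /* AND EAX,"521*" */
    for (int i = 0; i < 3; i++) {                                /* SUB EAX,i32 x3 */
        buf[n++] = 0x2D; put32le(buf + n, subs[i]); n += 4;
    }
    buf[n++] = 0x50;                                             /* PUSH EAX */
    return (int)n;
}

static int all_printable(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) if (!is_printable(buf[i])) return 0;
    return 1;
}

/* Interpreter for exactly the three opcodes the encoder emits, decoded as the table
 * lists them. EAX starts at eax_in to show the ANDs make the old value irrelevant.
 * Returns 0 and the single pushed value, or -1 on anything unexpected. */
static int run_printable(const uint8_t *code, size_t len, uint32_t eax_in, uint32_t *pushed)
{
    uint32_t eax = eax_in;
    size_t ip = 0;
    int pushes = 0;
    while (ip < len) {
        switch (code[ip]) {
        case 0x25: if (ip + 5 > len) return -1; eax &= get32le(code + ip + 1); ip += 5; break;
        case 0x2D: if (ip + 5 > len) return -1; eax -= get32le(code + ip + 1); ip += 5; break;
        case 0x50: *pushed = eax; pushes++; ip += 1; break;
        default:   return -1;                    /* opcode not handled by this toy */
        }
    }
    return pushes == 1 ? 0 : -1;
}

int main(void)
{
    const uint32_t targets[] = { 0xDEADBEEFu, 0x00000000u, 0xFFFFFFFFu, 0x7FFE0300u };
    for (size_t t = 0; t < sizeof targets / sizeof targets[0]; t++) {
        uint8_t code[ENC_LEN];
        uint32_t got = 0;
        int n = encode_push(targets[t], code, sizeof code);
        if (n < 0 || run_printable(code, (size_t)n, 0x12345678u, &got) != 0) {
            printf("%08x: encoding failed\n", (unsigned)targets[t]);
            continue;
        }
        printf("%08x -> \"%.*s\" -> pushed %08x\n", (unsigned)targets[t], n, (const char *)code, (unsigned)got);
    }
    return 0;
}
```

Compile with `cc -std=c99 printable_push.c`. The output string for each target is 26 printable bytes that, executed on a real 32-bit x86, push the target dword regardless of what EAX held; restricting is_printable to alphanumerics only shows why three SUBs are not always enough and a fourth (or a different zeroing trick) is needed.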

INS/OUTS

  • The INS/OUTS instructions use the 16-bit DX register for the port number and a 32-bit memory value at [EDI] (INS) or [ESI] (OUTS) by default.
  • The memory value operand size can be set to 16-bit using the OPERAND SIZE OVERRIDE prefix (66, 'f').
  • These are I/O port instructions: in user mode with an IOPL of 0 (the normal case on Windows and Linux) they raise a general protection fault, so they cannot be used in shellcode that runs in user mode and the bytes l, m, n and o are effectively unusable there.
