CPU Registers - Explained
Thread Owner : Houga, Category : Everything Coding, 3 Comment, 122 Read
08-11-2014, 10:54 AM
#1
CPU Registers each serve specific functions in a program. Something important to note is that each register's size is defined by the architecture. In this case, 64 bit, 32 bit, and 16 bit. I'll be showing all of these. The most common ASM is x86 since it is still supported by x64 CPUs. This means that lower registers are constant throughout architectures. There is no register that is removed or even renamed, they only grow in size and are added.
Though I will show the list of all of the registers, I'll only be talking about the 64 bit registers. Note that the 32 bit registers serve exactly the same purpose. I'll also briefly describe the 16 and 8 bit sections of each register.

Main General Purpose Registers:
Each of the General Purpose Registers can be used along with the ones below them. By this I mean 64 bit processors can use 32 and 16 bit registers. 32 bit can use 16 bit as well, etc... As you'll soon see, the high registers are continuations.

Code:
64 bit (8 bytes):    RAX, RBX, RCX, RDX
32 bit (4 bytes):    EAX, EBX, ECX, EDX
16 bit section:      AX, BX, CX, DX
8 bit section:       AH, AL, BH, BL, CH, CL, DH, DL

RAX (Accumulator Register): the RAX register is used for many purposes. It stores interrupt and system calls, return values after functions, port i/o access, and arithmetic (add, sub, mul, div, etc...).

RBX (Base Register): The RBX register is used, essentially, as a base pointer. It may be used in arguments to point to the base of the memory. It may also be used to store secondary data when calling system calls.

RCX (Counter Register): The RCX register is a counter used in loops (such as for loops) and is used to keep track of (aka count) how many loops are completed. It can also be used to store tertiary data when making system calls.

RDX (Data Register): The RDX register can simply be viewed as an extension of the EAX register. It may hold quaternary data for system calls, but almost never is. It is often used for data relating to the EAX arithmetic.

Index/Pointer Registers
The index and pointer registers can ONLY be used with the architectures they're on. Each is specific to the architecture. However, if the program is compiled as x86, the x64 processors can still process them, but it will stay as the 32 bit register.

Code:
64 bit (8 bytes):    RSI, RDI, RBP, RSP, RIP
32 bit (4 bytes):    ESI, EDI, EBP, ESP, EIP
16 bit section:      N/A
8 bit section:       N/A

RSI/RDI (Source/Destination Index Registers): The source and destination index registers are often used in string functions. They hold the read and write address (respectively) of moving or copying a string. Often times, though it is considered bad practice, ASM programmers may use these registers as nothing more than extra storage space.

RBP (Base Pointer): The RBP, EBP, or BP is the base pointer to their respective architectures. The base pointer points to the 'bottom of the stack' or, more specifically, it points to the beginning of the current stack frame. This register is very commonly used as a data storage register since it really doesn't serve an important purpose.

RSP (Stack Pointer): The RSP, ESP, or SP is the stack pointer to their respective architectures. The stack pointer points, as expected, to the TOP of the stack. Remember that the stack grows towards lower memory addresses so the top of the stack is at a lower point in memory than the bottom of the stack. The stack pointer register is almost NEVER altered because instructions like call, push, pop, and ret are entirely dependent upon the value of the stack pointer. Local variables are stored in reference to this pointer. Obviously, this pointer is pertinent to the successful functionality of ANY program.

RIP (Instruction Pointer): The RIP is a very well-known register when executing a buffer overflow attack. Whatever is in the RIP (or EIP) register is the instruction that is executed next. This register is NOT subject to user-modification. Contrary to popular belief, in a buffer overflow attack, you do NOT directly overwrite the instruction pointer register. That's a ridiculous claim! You overwrite the return address. When the function completes and returns, it will jump to that return address, thus placing it in EIP. You are not writing to it directly nor are you able to do so.


-H

Houga@entropy.cat
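An added example, not part of the original post: a small C model of how AL, AH, AX and EAX are windows onto the same RAX register. It goes one step beyond the post by showing the x86-64 write rule: 8 and 16 bit writes leave the remaining bits untouched, while a 32 bit write zeroes the upper half. The `gpr_t` type, the helper names and the sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of one general purpose register (here RAX) as 64 raw bits. */
typedef struct { uint64_t r; } gpr_t;

/* Reads: every name is a view of the same 64 bits. */
uint32_t read_e(const gpr_t *g) { return (uint32_t)g->r; }        /* EAX: bits 0-31 */
uint16_t read_x(const gpr_t *g) { return (uint16_t)g->r; }        /* AX:  bits 0-15 */
uint8_t  read_h(const gpr_t *g) { return (uint8_t)(g->r >> 8); }  /* AH:  bits 8-15 */
uint8_t  read_l(const gpr_t *g) { return (uint8_t)g->r; }         /* AL:  bits 0-7  */

/* Writes: 8 and 16 bit writes preserve every other bit of the register. */
void write_l(gpr_t *g, uint8_t v)  { g->r = (g->r & ~0xFFULL) | v; }
void write_h(gpr_t *g, uint8_t v)  { g->r = (g->r & ~0xFF00ULL) | ((uint64_t)v << 8); }
void write_x(gpr_t *g, uint16_t v) { g->r = (g->r & ~0xFFFFULL) | v; }
/* A 32 bit write in 64 bit mode zero-extends: bits 32-63 become 0. */
void write_e(gpr_t *g, uint32_t v) { g->r = v; }

int main(void) {
    gpr_t rax = { 0x1122334455667788ULL };  /* constructed starting value */

    write_l(&rax, 0xAA);        /* mov al, 0xAA */
    printf("after AL  write: %016llx\n", (unsigned long long)rax.r);
    write_h(&rax, 0xBB);        /* mov ah, 0xBB */
    printf("after AH  write: %016llx\n", (unsigned long long)rax.r);
    write_x(&rax, 0xCCDD);      /* mov ax, 0xCCDD */
    printf("after AX  write: %016llx\n", (unsigned long long)rax.r);
    write_e(&rax, 0xEEFF0011u); /* mov eax, 0xEEFF0011 */
    printf("after EAX write: %016llx\n", (unsigned long long)rax.r);

    printf("EAX=%08x AX=%04x AH=%02x AL=%02x\n",
           read_e(&rax), read_x(&rax), read_h(&rax), read_l(&rax));
    return 0;
}
```
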
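An added example, not part of the original post: a toy C simulation of the RSP and RIP descriptions above, showing that RIP only changes when `ret` pops the saved return address, and that a length-checked copy leaves that slot intact. The `cpu_t` model, the addresses and the fill pattern are constructed; no real stack is touched.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 16
#define BUF_WORDS   2
#define RET_ADDR    0x401234ULL            /* constructed: instruction after the call */
#define FILL        0x4141414141414141ULL  /* constructed input pattern */

typedef struct {
    uint64_t mem[STACK_WORDS]; /* simulated stack, one slot per 8 byte word */
    int      rsp;              /* index of the top of the stack; grows toward 0 */
    uint64_t rip;              /* simulated instruction pointer */
} cpu_t;

void     push(cpu_t *c, uint64_t v) { c->mem[--c->rsp] = v; }
uint64_t pop(cpu_t *c)              { return c->mem[c->rsp++]; }

/* Simulates: call callee; the callee copies `words` words of input into a
   BUF_WORDS-word local buffer; ret. `bounded` selects a copy that checks
   the length first. Returns the value that ret loads into RIP. */
uint64_t run_callee(int words, int bounded) {
    cpu_t c = { {0}, STACK_WORDS, 0x401230ULL };

    push(&c, RET_ADDR);        /* call: the return address goes on the stack */
    c.rip = 0x402000ULL;       /* ...and RIP moves to the callee */
    c.rsp -= BUF_WORDS;        /* sub rsp, 16: reserve the local buffer */

    if (bounded && words > BUF_WORDS)
        words = BUF_WORDS;     /* the length check that keeps the copy in bounds */
    for (int i = 0; i < words && c.rsp + i < STACK_WORDS; i++)
        c.mem[c.rsp + i] = FILL;  /* the copy runs toward higher addresses */

    c.rsp += BUF_WORDS;        /* add rsp, 16: release the locals */
    c.rip = pop(&c);           /* ret: RIP is loaded from the saved slot */
    return c.rip;
}

int main(void) {
    printf("2 words, unchecked: rip=%llx\n", (unsigned long long)run_callee(2, 0));
    printf("3 words, unchecked: rip=%llx\n", (unsigned long long)run_callee(3, 0));
    printf("3 words, checked:   rip=%llx\n", (unsigned long long)run_callee(3, 1));
    return 0;
}
```
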
08-11-2014, 11:33 AM
#2
thanks for explaining this .<#
08-11-2014, 11:56 PM
#3
(08-11-2014, 11:33 AM)piemolneus Wrote: thanks for explaining this .<#

Im a derpy herp.
08-11-2014, 11:58 PM
#4
i've seen this somewhere else, you should really use credits