
Reverse Engineering: x86 and x64

Here are my notes on the Practical Reverse Engineering chapter: x86 and x64

Operating systems use rings to distinguish between privilege levels. There are four rings, 0-3.
Ring 0 = Highest privilege level (kernel)
Ring 3 = Lowest privilege level (user mode)


ECX - Counter in loops
ESI - Source in string / memory operations
EDI - Destination in string / memory operations
EBP - Base pointer (frame pointer)
ESP - Stack pointer

Byte - 8 bits, example: AL, BL, CL
Word - 16 bits, example: AX, BX, CX
Double word - 32 bits, example: EAX, EBX, ECX
Quad word - 64 bits
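The sub-registers above overlap: AL is the low byte of AX, which is the low word of EAX, which is the low dword of RAX on x64. An added example (mine, not from the book or this post) that models one 64-bit register and shows what a write to each part does to the rest of it, including the x64 rule that a 32-bit write zero-extends into the full 64-bit register while 8- and 16-bit writes leave the upper bits untouched. The part names ("qword", "dword", "word", "lo", "hi") are my own labels, not assembler syntax.

```python
MASK64 = 0xFFFFFFFFFFFFFFFF
MASK32 = 0xFFFFFFFF


class Reg64:
    """One x86-64 general-purpose register (e.g. RAX) with its overlapping views.

    Part names map onto the real sub-registers as follows:
      qword -> RAX, dword -> EAX, word -> AX, lo -> AL, hi -> AH
    """

    def __init__(self, value: int = 0):
        self.value = value & MASK64

    def write(self, part: str, v: int) -> int:
        """Emulate `mov <sub-register>, v` and return the full 64-bit value afterwards."""
        if part == "qword":
            self.value = v & MASK64
        elif part == "dword":
            # x64 rule: a 32-bit write clears bits 63..32 (zero-extension).
            self.value = v & MASK32
        elif part == "word":
            # 16-bit write: bits 63..16 are preserved.
            self.value = (self.value & ~0xFFFF & MASK64) | (v & 0xFFFF)
        elif part == "lo":
            # 8-bit write to the low byte: everything above bit 7 is preserved.
            self.value = (self.value & ~0xFF & MASK64) | (v & 0xFF)
        elif part == "hi":
            # 8-bit write to bits 15..8 (AH/BH/CH/DH): everything else is preserved.
            self.value = (self.value & ~0xFF00 & MASK64) | ((v & 0xFF) << 8)
        else:
            raise ValueError(f"unknown register part {part!r}")
        return self.value

    def read(self, part: str) -> int:
        """Read one view of the register, as `mov dst, <sub-register>` would."""
        if part == "qword":
            return self.value
        if part == "dword":
            return self.value & MASK32
        if part == "word":
            return self.value & 0xFFFF
        if part == "lo":
            return self.value & 0xFF
        if part == "hi":
            return (self.value >> 8) & 0xFF
        raise ValueError(f"unknown register part {part!r}")


def stale_upper_bits_demo() -> tuple[int, int]:
    """Why `mov al, X` is not the same as `movzx eax, X` when reading code.

    Start with a register full of leftover data (constructed sample value),
    write only AL, and compare the byte-sized view with the dword-sized view.
    Returns (al, eax): al is the byte just written, eax still carries old bits.
    """
    rax = Reg64(0x1122334455667788)
    rax.write("lo", 0x2A)
    return rax.read("lo"), rax.read("dword")


if __name__ == "__main__":
    r = Reg64(0x1122334455667788)
    print(hex(r.write("lo", 0xAA)))     # 0x11223344556677aa
    print(hex(r.write("hi", 0xBB)))     # 0x112233445566bbaa
    print(hex(r.write("word", 0x1)))    # 0x1122334455660001
    print(hex(r.write("dword", 0x1)))   # 0x1 (upper 32 bits cleared)
    print(tuple(map(hex, stale_upper_bits_demo())))
```

When reverse engineering, this is why a function that returns a status in AL can appear to return garbage if the caller reads EAX: the upper bytes are whatever was there before, unless the code explicitly zero-extends.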

In ARM it takes more instructions to complete a task. For example, to add to a value in memory you must first load it into a register, then add, then store it back. On x86 you can simply do "inc dword ptr [eax]" and operate on memory directly.

The format for memory access is called address index mode.

mul ecx ; EDX:EAX = EAX * ECX (unsigned; the 64-bit product is split with the high dword in EDX and the low dword in EAX)
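An added example (mine, not from the book or this post) that models `mul ecx` exactly as the note describes, with the high half of the product landing in EDX and the low half in EAX. The second function shows why that EDX half matters when reading code: a size computation that keeps only EAX silently wraps, which is how an allocation ends up smaller than the data written into it. The function names are mine; the `mul` semantics modeled are the architectural ones (the CPU also sets CF and OF when EDX is non-zero).

```python
MASK32 = 0xFFFFFFFF


def mul32(eax: int, ecx: int) -> tuple[int, int]:
    """Model of the x86 `mul ecx` instruction (unsigned 32x32 -> 64-bit).

    Returns (edx, eax): the high dword of the product in EDX and the low dword in EAX.
    """
    product = (eax & MASK32) * (ecx & MASK32)
    return (product >> 32) & MASK32, product & MASK32


def overflow_flags_after_mul(edx: int) -> tuple[bool, bool]:
    """`mul` sets CF and OF together when the upper half (EDX) is non-zero."""
    nonzero = edx != 0
    return nonzero, nonzero  # (CF, OF)


def alloc_size_checked(count: int, elem_size: int) -> tuple[int, bool]:
    """Compute count * elem_size the way 32-bit code does, and report truncation.

    Returns (size_in_eax, overflowed). Hardened code tests EDX (or jc/jo after
    mul) before passing EAX to the allocator; code that only uses EAX will
    allocate a wrapped, undersized buffer when overflowed is True.
    """
    edx, eax = mul32(count, elem_size)
    cf, _of = overflow_flags_after_mul(edx)
    return eax, cf


if __name__ == "__main__":
    print(mul32(0x10000, 0x10000))          # (1, 0): 2^32 does not fit in EAX alone
    print(mul32(0xFFFFFFFF, 2))             # (1, 0xFFFFFFFE)
    # Constructed sample: 0x40000000 elements of 8 bytes wraps to 0 bytes in EAX.
    print(alloc_size_checked(0x40000000, 8))  # (0, True)
    print(alloc_size_checked(1000, 8))        # (8000, False)
```

When you see `mul` followed by a test of EDX or a `jc`/`jo` in a disassembly, that is the overflow check; its absence before a length-driven allocation is worth a second look.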

On x86 with physical address extension (PAE), a 32-bit virtual address is divided into indices into three tables plus a page offset: the PDPT, the PD and the PT; the entry selected in the PT is the PTE, which holds the physical page.
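An added example (mine, not from the book or this post) that splits a 32-bit PAE virtual address into those indices (2 bits PDPT, 9 bits PD, 9 bits PT, 12 bits offset for 4 KiB pages) and then walks a set of constructed page tables the way the MMU would, checking the present bit at each level and combining the permission bits. The sample tables, CR3 value and the `PageFault` class are my own constructions; the bit positions (P = bit 0, R/W = bit 1, U/S = bit 2, NX = bit 63, address in bits 12..51) are the architectural PAE entry layout. Large 2 MiB pages are not modeled.

```python
PRESENT = 1 << 0
RW = 1 << 1
USER = 1 << 2
NX = 1 << 63                      # execute-disable bit of a 64-bit PAE entry
ADDR_MASK = 0x000FFFFFFFFFF000   # bits 12..51: physical address of the next table / page


class PageFault(Exception):
    """Raised when a level of the walk is not present (the CPU would raise #PF)."""


def pae_split(va: int) -> dict:
    """Split a 32-bit virtual address into PAE table indices and page offset."""
    if not 0 <= va <= 0xFFFFFFFF:
        raise ValueError("PAE virtual addresses are 32 bits wide")
    return {
        "pdpt": (va >> 30) & 0x3,     # 4 PDPT entries
        "pd": (va >> 21) & 0x1FF,     # 512 PD entries
        "pt": (va >> 12) & 0x1FF,     # 512 PT entries
        "offset": va & 0xFFF,         # byte within the 4 KiB page
    }


def pae_walk(mem: dict, cr3: int, va: int) -> dict:
    """Walk constructed tables: mem maps a table's physical base -> list of entries.

    Returns the physical address and the effective permissions. A page is
    writable / user-accessible only if both PDE and PTE allow it, and it is
    non-executable if either level sets NX (what DEP / W^X rely on).
    """
    ix = pae_split(va)
    pdpte = mem[cr3][ix["pdpt"]]
    if not pdpte & PRESENT:
        raise PageFault(f"PDPTE {ix['pdpt']} not present for VA {va:#010x}")
    pde = mem[pdpte & ADDR_MASK][ix["pd"]]
    if not pde & PRESENT:
        raise PageFault(f"PDE {ix['pd']} not present for VA {va:#010x}")
    pte = mem[pde & ADDR_MASK][ix["pt"]]
    if not pte & PRESENT:
        raise PageFault(f"PTE {ix['pt']} not present for VA {va:#010x}")
    return {
        "phys": (pte & ADDR_MASK) | ix["offset"],
        "writable": bool(pde & pte & RW),
        "user": bool(pde & pte & USER),
        "nx": bool((pde | pte) & NX),
    }


def is_mapped(mem: dict, cr3: int, va: int) -> bool:
    """True if the walk completes without a page fault."""
    try:
        pae_walk(mem, cr3, va)
        return True
    except PageFault:
        return False


def build_sample_tables() -> tuple[dict, int]:
    """Constructed sample: one PDPT, one PD, one PT.

    Maps VA 0x00205000 -> PA 0x7000 as a user-mode, writable, non-executable page.
    """
    cr3 = 0x1000
    mem = {cr3: [0] * 4, 0x2000: [0] * 512, 0x3000: [0] * 512}
    mem[cr3][0] = 0x2000 | PRESENT               # PDPTE 0 -> PD at 0x2000
    mem[0x2000][1] = 0x3000 | PRESENT | RW | USER  # PDE 1 -> PT at 0x3000
    mem[0x3000][5] = 0x7000 | PRESENT | RW | USER | NX  # PTE 5 -> page at 0x7000
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_tables()
    print(pae_split(0x00205123))        # pdpt 0, pd 1, pt 5, offset 0x123
    print(pae_walk(mem, cr3, 0x00205123))  # phys 0x7123, writable, user, nx
    print(is_mapped(mem, cr3, 0x00206000))  # False: PTE 6 is not present
```

Seeing the permission bits combined this way is useful when inspecting a memory dump: a page that is both writable and executable (RW set, NX clear at every level) is the condition exploit mitigations try to prevent.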


On x64 most parameters are passed in registers, not on the stack.