
Difference between revisions of "Shellcode/Appendix/Alphanumeric opcode"

(64-bit alphanumeric opcodes)
(0x34)
 
(14 intermediate revisions by the same user not shown)
Line 818: Line 818:
 
| \x41\x5a
 
| \x41\x5a
 
| AZ
 
| AZ
 +
|}
 +
 +
=== Prefixes ===
 +
{|border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Hex Value
 +
! Alpha Value
 +
! Description
 +
|-
 +
| 0x36
 +
| 6
 +
| %ss segment override
 +
|-
 +
| 0x64
 +
| d
 +
| %fs segment override
 +
|-
 +
| 0x65
 +
| e
 +
| %gs segment override
 +
|-
 +
| 0x66
 +
| f
 +
| 16-bit operand size
 +
|-
 +
| 0x67
 +
| g
 +
| 16-bit address size
 +
|-
 +
| 0x41
 +
| A
 +
| 64-bit special register use (%r##)
 +
|-
 +
| 0x48
 +
| H
 +
| 64-bit register size override
 +
|-
 +
| 0x40-4f
 +
| B-P
 +
| Special 64-bit overrides
 
|}
 
|}
  
Line 849: Line 888:
 
| \x66\x41\x5a
 
| \x66\x41\x5a
 
| fAZ
 
| fAZ
 +
|}
 +
 +
=== Operands ===
 +
==== Xor Pop Operands ====
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Assembly
 +
! Hexadecimal
 +
! Alpha
 +
|-
 +
| <syntaxhighlight lang="asm">xor $0x[byte](%rax),%ebx</syntaxhighlight>
 +
| \x33\x58\x##
 +
| 3X?
 +
|}
 +
 +
==== Xor Move To %ebx ====
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Assembly
 +
! Hexadecimal
 +
! Alpha
 +
|-
 +
| <syntaxhighlight lang="asm">xor $0x[byte](%rcx),%ebx</syntaxhighlight>
 +
| \x33\x59\x##
 +
| 3Y?
 +
|}
 +
 +
==== Byte Syntax Example ====
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Assembly
 +
! Hexadecimal
 +
! Alpha
 +
|-
 +
|<syntaxhighlight lang="asm">xor $0x[byte]({reg}),%ebx</syntaxhighlight>
 +
| \x33\x??\x##
 +
| 3*?
 +
|}
 +
 +
=== Accessing Multiple Registers ===
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Assembly
 +
! Hexadecimal
 +
! Alpha
 +
|-
 +
| <syntaxhighlight lang="asm">xor $0x[byte]({reg64}),{reg32}</syntaxhighlight>
 +
| \x33\x??\x#1
 +
| 3*1
 +
|-
 +
| <source lang="asm">imul $0x[dword1],0x[byte2]({reg64}),{reg32}</source>
 +
| \x69\x??\x#2\x#1\x#1\x#1\x#1
 +
| i*21111
 +
|-
 +
| <source lang="asm">imul $0x[byte1],0x[byte2]({reg64}), {reg32}</source>
 +
| \x6b\x??\x#2\x#1
 +
| k*21
 +
|-
 +
| <source lang="asm">movslq 0x[byte1]({reg64}), {reg32}</source>
 +
| \x63\x??\x#1
 +
| c*1
 +
|}
 +
 +
===  ===
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Assembly
 +
! Hexadecimal
 +
! Alpha
 +
|-
 +
| <source lang="asm">imul  $0x[byte1],0x[byte2]({reg64}),{reg64}</source>
 +
| \x48\x6b\x??\x#2\x#1
 +
| Hk*21
 +
|}
 +
 +
=== Xor ===
 +
==== xors ====
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Hexadecimal
 +
! Assembly
 +
|-
 +
| 0x34
 +
| <syntaxhighlight lang="asm">xor $0x##, %al</syntaxhighlight>
 +
|-
 +
| 0x35
 +
| <syntaxhighlight lang="asm">xor $0x########, %eax</syntaxhighlight>
 +
|-
 +
| 0x48 0x35
 +
| <syntaxhighlight lang="asm">xor $0x########, %rax</syntaxhighlight>
 +
|}
 +
 +
==== 0x30 ====
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Hexadecimal
 +
! Assembly
 +
|-
 +
| 0x30
 +
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit})</syntaxhighlight>
 +
|-
 +
|
 +
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},1)</syntaxhighlight>
 +
|-
 +
|
 +
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},2)</syntaxhighlight>
 +
|-
 +
|
 +
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](%{64bit})</syntaxhighlight>
 +
|-
 +
|
 +
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},1)</syntaxhighlight>
 +
|-
 +
|
 +
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},2)</syntaxhighlight>
 +
|-
 +
|
 +
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](%{64bit})</syntaxhighlight>
 +
|-
 +
|
 +
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},1)</syntaxhighlight>
 +
|-
 +
|
 +
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},2)</syntaxhighlight>
 +
|}
 +
 +
==== 0x31 ====
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Hexadecimal
 +
! Assembly
 +
|-
 +
| 0x31
 +
| <syntaxhighlight lang="asm">xor %{32bit}, (%{64bit})</syntaxhighlight>
 +
|}
 +
 +
==== 0x32 ====
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Hexadecimal
 +
! Assembly
 +
|-
 +
| 0x32
 +
| <syntaxhighlight lang="asm">xor (%{64bit}), %{16bit}</syntaxhighlight>
 +
|}
 +
 +
==== 0x33 ====
 +
{| border="1" cellpadding="5" cellspacing="0" align="center"
 +
! Hexadecimal
 +
! Assembly
 +
|-
 +
| 0x32
 +
| <syntaxhighlight lang="asm">xor (%{64bit}), %{16bit}</syntaxhighlight>
 
|}
 
|}
  

Latest revision as of 00:24, 2 December 2012

32-bit printable opcodes

ASCII Shellcode Table
ASCII Value Hex Opcode Assembly Equivalent
0 0x30 xor
1 0x31 xor
2 0x32 xor
3 0x33 xor
4 0x34 xor al, 0x## [byte]
5 0x35 xor eax, 0x######## [DWORD]
6 0x36 SS Segment Override
7 0x37 aaa
8 0x38 cmp
9 0x39 cmp
 : 0x3a cmp
 ; 0x3b cmp
< 0x3c cmp al, 0x## [byte]
= 0x3d cmp eax, 0x######## [DWORD]
> 0x3e [undocced nop]
 ? 0x3f aas
@ 0x40 inc eax
A 0x41 inc ecx
B 0x42 inc edx
C 0x43 inc ebx
D 0x44 inc esp
E 0x45 inc ebp
F 0x46 inc esi
G 0x47 inc edi
H 0x48 dec eax
I 0x49 dec ecx
J 0x4a dec edx
K 0x4b dec ebx
L 0x4c dec esp
M 0x4d dec ebp
N 0x4e dec esi
O 0x4f dec edi
P 0x50 push eax
Q 0x51 push ecx
R 0x52 push edx
S 0x53 push ebx
T 0x54 push esp
U 0x55 push ebp
V 0x56 push esi
W 0x57 push edi
X 0x58 pop eax
Y 0x59 pop ecx
Z 0x5a pop edx
[ 0x5b pop ebx
\ 0x5c pop esp
] 0x5d pop ebp
^ 0x5e pop esi
_ 0x5f pop edi
` 0x60 pushad
a 0x61 popad
b 0x62 bound
c 0x63 arpl
d 0x64 FS Segment Override
e 0x65 GS Segment Override
f 0x66 16 Bit Operand Size
g 0x67 16 Bit Address Size
h 0x68 push 0x######## [dword]
i 0x69 imul reg/mem with immediate to reg/mem
j 0x6a push 0x## [byte]
k 0x6b imul immediate with reg into reg
l 0x6c insb es:[edi], [dx]
m 0x6d insl es:[edi], [dx]
n 0x6e outsb [dx], ds:[esi]
o 0x6f outsl [dx], ds:[esi]
p 0x70 jo 0x## [byte relative offset]
q 0x71 jno 0x## [byte relative offset]
r 0x72 jb 0x## [byte relative offset]
s 0x73 jae 0x## [byte relative offset]
t 0x74 je 0x## [byte relative offset]
u 0x75 jne 0x## [byte relative offset]
v 0x76 jbe 0x## [byte relative offset]
w 0x77 ja 0x## [byte relative offset]
x 0x78 js 0x## [byte relative offset]
y 0x79 jns 0x## [byte relative offset]
z 0x7a jp 0x## [byte relative offset]

64-bit alphanumeric opcodes

Numeric
ASCII Hex Assembler Instruction
0 0x30 xor %{16bit}, (%{64bit})
1 0x31 xor %{32bit}, (%{64bit})
2 0x32 xor (%{64bit}), %{16bit}
3 0x33 xor (%{64bit}), %{32bit}
4 0x34 xor [byte], %al
5 0x35 xor [dword], %eax
6 0x36  %ss segment register
7 0x37 Bad Instruction!
8 0x38 cmp %{16bit}, (%{64bit})
9 0x39 cmp %{32bit}, (%{64bit})
Uppercase
ASCII Hex Assembler Instruction
A 0x41 64 bit reserved prefix
B 0x42 64 bit reserved prefix
C 0x43 64 bit reserved prefix
D 0x44 64 bit reserved prefix
E 0x45 64 bit reserved prefix
F 0x46 64 bit reserved prefix
G 0x47 64 bit reserved prefix
H 0x48 64 bit reserved prefix
I 0x49 64 bit reserved prefix
J 0x4a 64 bit reserved prefix
K 0x4b 64 bit reserved prefix
L 0x4c 64 bit reserved prefix
M 0x4d 64 bit reserved prefix
N 0x4e 64 bit reserved prefix
O 0x4f 64 bit reserved prefix
P 0x50 push %rax
Q 0x51 push %rcx
R 0x52 push %rdx
S 0x53 push %rbx
T 0x54 push %rsp
U 0x55 push %rbp
V 0x56 push %rsi
W 0x57 push %rdi
X 0x58 pop %rax
Y 0x59 pop %rcx
Z 0x5a pop %rdx


Lowercase
ASCII Hex Assembler Instruction
a 0x61 Bad Instruction!
b 0x62 Bad Instruction!
c 0x63 movslq (%{64bit}), %{32bit}
d 0x64 %fs segment register
e 0x65  %gs segment register
f 0x66 16 bit operand override
g 0x67 16 bit ptr override
h 0x68 push [dword]
i 0x69 imul [dword], (%{64bit}), %{32bit}
j 0x6a push [byte]
k 0x6b imul [byte], (%{64bit}), %{32bit}
l 0x6c insb (%dx),%es:(%rdi)
m 0x6d insl (%dx),%es:(%rdi)
n 0x6e outsb %ds:(%rsi),(%dx)
o 0x6f outsl %ds:(%rsi),(%dx)
p 0x70 jo [byte]
q 0x71 jno [byte]
r 0x72 jb [byte]
s 0x73 jae [byte]
t 0x74 je [byte]
u 0x75 jne [byte]
v 0x76 jbe [byte]
w 0x77 ja [byte]
x 0x78 js [byte]
y 0x79 jns [byte]
z 0x7a jp [byte]

Push: Alphanumeric x86_64 data

One-byte, two-byte, and four-byte quantities
Assembly Hexadecimal Alphanumeric ASCII
pushw [word] \x66\x68\x##\x## fh??
pushq [byte] \x6a\x## j?
pushq [dword] \x68\x##\x##\x##\x## h????

Push: x86_64 Extended Registers

Push: X86_64 Extended Registers
Assembly Hexadecimal Alphanumeric ASCII
push %rax \x50 P
push %rcx \x51 Q
push %rdx \x52 R
push %rbx \x53 S
push %rsp \x54 T
push %rbp \x55 U
push %rsi \x56 V
push %rdi \x57 W

Push: x86_64 General Registers

Push: X86_64 General Registers
Assembly Hexadecimal Alphanumeric ASCII
push %r8 \x41\x50 AP
push %r9 \x41\x51 AQ
push %r10 \x41\x52 AR
push %r11 \x41\x53 AS
push %r12 \x41\x54 AT
push %r13 \x41\x55 AU
push %r14 \x41\x56 AV
push %r15 \x41\x57 AW

Push: x86_64 16 bit Registers

Push: X86_64 16 bit Registers
Assembly Hexadecimal Alphanumeric ASCII
push %ax \x66\x50 fP
push %cx \x66\x51 fQ
push %dx \x66\x52 fR
push %bx \x66\x53 fS
push %sp \x66\x54 fT
push %bp \x66\x55 fU
push %si \x66\x56 fV
push %di \x66\x57 fW

Push: x86_64 16 bit General Registers

Push: X86_64 16 bit General Registers
Assembly Hexadecimal Alphanumeric ASCII
push %r8w \x66\x41\x50 fAP
push %r9w \x66\x41\x51 fAQ
push %r10w \x66\x41\x52 fAR
push %r11w \x66\x41\x53 fAS
push %r12w \x66\x41\x54 fAT
push %r13w \x66\x41\x55 fAU
push %r14w \x66\x41\x56 fAV
push %r15w \x66\x41\x57 fAW

Pop: x86_64 Extended Registers

Pop: X86_64 Extended Registers
Assembly Hexadecimal Alphanumeric ASCII
pop %rax \x58 X
pop %rcx \x59 Y
pop %rdx \x5a Z

Pop: x86_64 General Registers

Pop: X86_64 General Registers
Assembly Hexadecimal Alphanumeric ASCII
pop %r8 \x41\x58 AX
pop %r9 \x41\x59 AY
pop %r10 \x41\x5a AZ

Prefixes

Hex Value Alpha Value Description
0x36 6  %ss segment override
0x64 d  %fs segment override
0x65 e  %gs segment override
0x66 f 16-bit operand size
0x67 g 16-bit address size
0x41 A 64-bit special register use (%r##)
0x48 H 64-bit register size override
0x40-4f @, A-O Special 64-bit overrides

x86_64 16 bit registers

Assembly Hexadecimal Alphanumeric ASCII
pop %ax \x66\x58 fX
pop %cx \x66\x59 fY
pop %dx \x66\x5a fZ
pop *%r8w \x66\x41\x58 fAX
pop *%r9w \x66\x41\x59 fAY
pop *%r10w \x66\x41\x5a fAZ

Operands

Xor Pop Operands

Assembly Hexadecimal Alpha
xor $0x[byte](%rax),%ebx \x33\x58\x## 3X?

Xor Move To %ebx

Assembly Hexadecimal Alpha
xor $0x[byte](%rcx),%ebx \x33\x59\x## 3Y?

Byte Syntax Example

Assembly Hexadecimal Alpha
xor $0x[byte]({reg}),%ebx \x33\x??\x## 3*?

Accessing Multiple Registers

Assembly Hexadecimal Alpha
xor $0x[byte]({reg64}),{reg32} \x33\x??\x#1 3*1
imul $0x[dword1],0x[byte2]({reg64}),{reg32}
\x69\x??\x#2\x#1\x#1\x#1\x#1 i*21111
imul $0x[byte1],0x[byte2]({reg64}), {reg32}
\x6b\x??\x#2\x#1 k*21
movslq 0x[byte1]({reg64}), {reg32}
\x63\x??\x#1 c*1

Assembly Hexadecimal Alpha
imul   $0x[byte1],0x[byte2]({reg64}),{reg64}
\x48\x6b\x??\x#2\x#1 Hk*21

Xor

xors

Hexadecimal Assembly
0x34 xor $0x##, %al
0x35 xor $0x########, %eax
0x48 0x35 xor $0x########, %rax

0x30

Hexadecimal Assembly
0x30 xor %{16bit}, (%{64bit})
xor %{16bit}, (%{64bit},%{64bit},1)
xor %{16bit}, (%{64bit},%{64bit},2)
xor %{16bit}, 0x[byte](%{64bit})
xor %{16bit}, 0x[byte](,%{64bit},1)
xor %{16bit}, 0x[byte](,%{64bit},2)
xor %{16bit}, 0x[dword](%{64bit})
xor %{16bit}, 0x[dword](,%{64bit},1)
xor %{16bit}, 0x[dword](,%{64bit},2)

0x31

Hexadecimal Assembly
0x31 xor %{32bit}, (%{64bit})

0x32

Hexadecimal Assembly
0x32 xor (%{64bit}), %{16bit}

0x33

Hexadecimal Assembly
0x33 xor (%{64bit}), %{32bit}

x86 Intercompatibility

Intercompatible x86* Alphanumeric Opcodes
Hex ASCII Assembler Instruction
0x64, 0x65 d,e [fs | gs] prefix
0x66, 0x67 f,g 16bit [operand | ptr] override
0x68, 0x6a h,j push
0x69, 0x6b i,k imul
0x6c-0x6f l-o ins[bwd], outs[bwd]
0x70-0x7a p-z Conditional Jumps
0x30-0x35 0-5 xor
0x36 6  %ss segment register
0x38-0x39 8,9 cmp
0x50-0x57 P-W push *x, *i, *p
0x58-0x5a XYZ pop [*ax, *cx, *dx]