x86 (32-bit)

Resources

1. Little Endian

  • The least significant byte is stored at the lowest address, and the most significant byte is stored at the highest address

E.g. Suppose we want to store 0x44332211 in memory. In this case 0x11 is the least significant byte, while 0x44 is the most significant byte:

[Image: byte-by-byte layout of 0x44332211 in memory, taken directly from source]

2. Stack grows downwards to lower memory addresses

3. Registers

3.1 Special registers

a. EIP: Extended Instruction Pointer

  • Stores the address of the current machine instruction

b. EBP: Extended Base Pointer

  • Stores the highest address of the current stack frame

    • This can be the top or bottom of the stack when drawn visually (depending on how it is drawn)

  • Used to create a stable reference point

    • Local variables are referenced as offsets from it

c. ESP: Extended Stack Pointer

  • Stores the lowest address of the current stack frame

    • This can be the top or bottom of the stack when drawn visually (depending on how it is drawn)

3.2 General-purpose registers

EAX, EBX, ECX, EDX, ESI and EDI

Note: the e prefix for the register naming stands for "extended". This indicates a 32-bit system (extended from the original 16-bit).

3.3 EFLAGS registers

The EFLAGS register holds the state of the processor. It is modified by many instructions and is used for comparisons, conditional loops and conditional jumps. Each bit holds the state of a specific parameter of the last instruction.

The following lists the bits of the EFLAGS register:

Bit    Label   Description
----------------------------------------------
0      CF      Carry flag
2      PF      Parity flag
4      AF      Auxiliary carry flag
6      ZF      Zero flag
7      SF      Sign flag
8      TF      Trap flag
9      IF      Interrupt enable flag
10     DF      Direction flag
11     OF      Overflow flag
12-13  IOPL    I/O privilege level
14     NT      Nested task flag
16     RF      Resume flag
17     VM      Virtual 8086 mode flag
18     AC      Alignment check flag (486+)
19     VIF     Virtual interrupt flag
20     VIP     Virtual interrupt pending flag
21     ID      ID flag

3.4 Control, Segment, etc. registers

For more information on the various types of registers, refer to the link under the Resources section above.

Write/read operations on the stack

Since we are working with a 32-bit architecture, the increment/decrement value will be 4 bytes (32 bits). Additionally, remember that the x86 architecture grows the stack downwards to lower memory addresses.

Pushing to stack (WRITE)

When data is pushed to the stack (push instruction), ESP is decremented by 4 before the CPU writes the data to the memory location pointed to by ESP.

Reading (pop) from stack (READ)

To retrieve data from the stack (pop instruction), the value at the memory location pointed to by ESP is read, and ESP is then incremented by 4.

Note that the data stored at the old ESP value (before the increment) is still present in memory. However, because ESP has changed, that data is treated as if it had been removed, and subsequent pushes will overwrite it.
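As an added example (not part of the original notes), a small C model of a 32-bit stack region that applies the rules above: dwords are stored little-endian, push decrements ESP by 4 before writing, and pop reads at ESP and then increments by 4 without clearing the bytes. The 64-byte region, the use of byte offsets as addresses and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Assumed model: a 64-byte stack region whose "addresses" are byte offsets
 * into mem; the empty stack has ESP == STACK_SIZE (just past the top). */
#define STACK_SIZE 64

typedef struct {
    uint8_t mem[STACK_SIZE];
    uint32_t esp;               /* byte offset of the current top of stack */
} cpu_stack_t;

void stack_init(cpu_stack_t *s) {
    memset(s->mem, 0, sizeof s->mem);
    s->esp = STACK_SIZE;
}

/* Store a dword little-endian: LSB at the lowest address, MSB at the highest. */
void store32_le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

uint32_t load32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* push: ESP -= 4, then write the dword at [ESP]. Returns -1 if the stack
 * would grow below the start of the region. */
int stack_push(cpu_stack_t *s, uint32_t v) {
    if (s->esp < 4) return -1;
    s->esp -= 4;
    store32_le(&s->mem[s->esp], v);
    return 0;
}

/* pop: read the dword at [ESP], then ESP += 4. The bytes are left in
 * place; only the pointer moves, so a later push overwrites them. */
int stack_pop(cpu_stack_t *s, uint32_t *out) {
    if (s->esp + 4 > STACK_SIZE) return -1;   /* nothing to pop */
    *out = load32_le(&s->mem[s->esp]);
    s->esp += 4;
    return 0;
}
```

After pushing 0x44332211 the bytes at ESP..ESP+3 read 11 22 33 44, and after popping it the same bytes are still in memory until the next push overwrites them.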

Memory layout
