Draft Newest approved | Approver: psycore
This is an old revision of the document!
64-Bit Stack CheatSheet
This article is part of the Buffer Overflow series. You can find more on this topic here:
x64 Register
The x64 register is as follows aufgebaut1) 2)
| 64-bit registry | Lower 32 bits | Name | Application |
|---|---|---|---|
| RAX | EAX | Temporary register | First return register |
| RBX | EBX | Callee-backed register | |
| RCX | ECX | Argument register | fourth integer argument |
| RDX | EDX | Argument register | third integer argument, second return register |
| RSI | ESI | Argument register | second integer argument |
| RDI | EDI | Argument register | first argument |
| RBP | EBP | Callee-saved register | Frame Pointer |
| RSP | ESP | Stack Pointer | |
| RIP | EIP | Instruction Pointer | Address of the next machine instruction to be executed, read-only |
| R8 | R8D | Argument register | fifth argument |
| R9 | R9D | Argument register | sixth argument |
| R10 | R10D | Temporary register | |
| R11 | R11D | Temporary register | |
| R12 | R12D | Callee-saved register | |
| … | … | … | … |
| R15 | R15D | Callee-secured register |
Calling conventions
A function (caller) calls a sub-function (callee). The registers RBP, RBX, R12 to R15 belong to the caller. If the callee wants to change them, it must save them on the stack with
push
to save them on the stack. Before returning to the function, these registers must then be restored using
pop
to restore these registers.
More on this can be found in the Cheat-Sheet3)