x86-64 Cheat Sheet

x86-64 Cheat Sheet#

It is a good idea to have this cheat sheet with you, e.g., by printing it, when writing x86-64 code.

Online emulator: https://cs.au.dk/~timany/x64emu
Registers:

Register	Description	Preserved Across Calls
`rip`	Instruction pointer; cannot be manipulated directly	Irrelevant but no!
`rax`	General purpose; stores return value	No
`rbx`	General purpose; sometimes also used as the base pointer	Yes
`rdx`, `rcx`	General purpose; used for 3rd and 4th arguments	No
`rsp`	Stack pointer	Yes (automatically)
`rbp`	Can be used as base pointer	Yes
`rdi`, `rsi`	General purpose; used for 1st and 2nd arguments	No
`r8`, `r9`	General purpose; used for 5th and 6th arguments	No
`r10`, `r11`	General purpose	No
`r12`–`r15`	General purpose	Yes

Stack: Stack grows from higher address to lower addresses (push decrements rsp; pop increments rsp)
Endianness: x86 is little-endian: the value 0xFFA02B1C is stored in memory as follows: 1C2BA0FF
Flags: SF (sign; 1 if negative), ZF (zero), OF (overflow), CF (carry), PF (parity; 1 if number of 1’s is even)
Instructions:

Instruction	Description	Flags	Src/Dest
`movq`	Move 64-bit value	-	Reg/Mem→Reg/Mem
`leaq`	Load effective address	-	Mem→Reg
`incq`, `decq`, `negq`, `addq`, `subq`	Arithmetic/Logic	all above	Reg/Mem→Reg/Mem
`imulq`, `cmpq`, `notq`, `xorq`, `orq`, `andq`	Arithmetic/Logic	all above	Reg/Mem→Reg/Mem
`cqto`	sets `rdx:rax` for division	-	→`rdx:rax`
`idivq`	divides `rdx:rax` by	undefined	Reg/Mem→q:`rax`,r:`rdx`
`shlq`, `sarq`, `shrq`	Shift dest	all above	Imm/`cl`→Reg/Mem
`pushq`, `popq`	manipulate stack	-	Reg/mem↔stack
`callq`, `retq`	function calls	-	`callq` dest: Mem
`jmp`	unconditional jump	-	Mem
`j(e/ne/g/ge/l/le)`	conditional jump	-	Mem
`set(e/ne/g/ge/l/le)`	conditionally set byte	-	Mem

Note: the idivq instruction throws exception on div by zero or overflow; use cqto to avoid overflow

Conditions determined by flags for instructions j(e/ne/g/ge/l/le) and set(e/ne/g/ge/l/le):

Condition	Flags	Condition	Flags	Condition	Flags
`e` (=)	`ZF=1`	`g` (>)	`ZF=0` and `SF=OF`	`l` (<)	`SF!=OF`
`ne` (≠)	`ZF=0`	`ge` (≥)	`SF=OF`	`le` (≤)	`ZF=1` or `SF!=OF`

Operands (we use AT&T assembly syntax with src operand first: instr src, dest):

Description	Syntax
Register	`%rax`
Immediate	`$10`
`rip`-relative addressing	`movq abc(%rip), %rax`
indirect addressing for data	`(%rax)`
indirect addressing for jump	`jmp *(%rax)`
indirect relative addressing for data	`10(%rax)`
indirect relative addressing for jump	`jmp *10(%rax)`
indirect (relative) addressing for conditional jump	N/A

Assembly (.s) files:

Description	Syntax	Description	Syntax
Data section	`.data`	Constant 64-bit number	`.quad n`
Text (code) section	`.text`	Constant string	`.asciiz "str"`
Labels (code or data)	`label:`	Declare label global	`.global label`

Calling convention (System V ABI):

The first 6 arguments passed in registers: %rdi, %rsi, %rdx, %rcx, %r8, %r9 (also in the registers’ table)
Remaining arguments pushed on the stack from right to left, before call
Respect callee versus caller saved registers; callee saved registers are marked as “Preserved Across Calls” in the registers’ table
Stack must be 16-byte aligned before callq instruction, otherwise, your program may crash on calls!

Function prologue example:

pushq %rbp        ; save the caller's base pointer on the stack
movq %rsp, %rbp   ; set our base pointer to the current stack pointer
                  ; this is useful to be able to restore it and
                  ; as an anchor for referring to variables on the stack
subq 112, %rsp    ; reserve memory on stack for function's local
                  ; variables (112 = 14 * 8)

Function epilogue example:

movq %rbp, %rsp; restore the rsp to where it was right after pushing %rbp
               ; of the caller
popq %rbp      ; restore the rbp to caller's value
               ; the stack pointer is now exactly where it was before entering
               ; the function, i.e., right at the return address
retq           ; return to the caller