Hex Instruction Dictionary (x86)

/*Incomplete listing of Intel x86 instructions’ hex values;  enjoy them, as it took me quite a while to decipher by comparing a hex dump of a binary with the original assembly.*/
push BYTE    ==    ‘6a’
push BYTE 112    ==    ‘6a 70’

mov BYTE al    ==    ‘b0’
mov BYTE bl    ==    ‘b3’
mov BYTE cl    ==    ‘b1’
mov BYTE dl    ==    ‘b2’

mov BYTE al, 10    ==    ‘b0 0a’
mov BYTE bl, 10 == ‘b3 0a’
mov BYTE cl, 10 == ‘b1 0a’
mov BYTE dl, 10 == ‘b2 0a’

mov [ebx+7], al == ’88 43 07′
mov [ebx+8], ebx == ’89 5b 08′
mov [ebx+12],eax == ’89 43 0c’

int        ==    ‘cd’
int 0x80    ==    ‘cd 80′

push        ==    ’68’
push 0x2f552f2f    ==    ’68 2f 2f 55 2f’
push WORD    ==    ’66’
push WORD bx    ==    ’66 53′
push esi    ==    ’56’
push ecx    ==    ’51’
push edx    ==    ’52’
push ebx    ==    ’53’

xor        ==    ’31’
xor eax, eax    ==    ’31 c0′
xor ebx, ebx    ==    ’31 db’
xor ecx, ecx    ==    ’31 c9′
xor edx, edx == ’31 d2′

mov        ==     ’89’
mov ebx, eax    ==    ’89 c3′
mov ecx, esp    ==    ’89 e1′
mov ebx, esp    ==    ’89 e3′
mov edx, esp    ==    ’89 e2′

pop eax        ==    ’58’ #66 58?
pop ebx == ‘5b’ #66 5b?
pop ecx        ==    ’59’ #66 59?
pop edx == ‘5a’ #66 5a?

cdq        ==    ’99’

inc ebx        ==    ’43’

xchg esi, eax    ==    ’96’
xchg eax, ebx    ==    ’93’

dec eax == ’48’ #66 48?
dec ebx == ‘4b’ #66 4b?
dec ecx        ==    ’49’ #66 49?
dec edx == ‘4a’ #66 4a?

jns        ==    ’79’
call == ‘e8’
short jump == ‘eb’ #eb f9?
return == ‘c9’

lea ecx, [ebx+8] == ‘8d 4b 08’
lea edx, [ebx+12] == ‘8d 53 0c’

NOTE: Though most of this dictionary has been created through trial and error using nasm, ndisasm, and hexdump, Jon Erickson’s “Hacking: The Art of Exploitation” was incredibly helpful with sample code and accompanying byte code. I highly recommend the book those interested in computer security.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: