# Assembly

Syscall numbers for the x86\_64 (Intel/AMD64) architecture:

{% embed url="<https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md>" %}

{% embed url="<https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl>" %}

{% embed url="<https://filippo.io/linux-syscall-table/>" %}

or:

```
man -s 2 <syscall_name>
```

## Data Type

| Component           | Length            | Example              |
| ------------------- | ----------------- | -------------------- |
| byte                | 8 bits            | `0xab`               |
| word                | 16 bits - 2 bytes | `0xabcd`             |
| double word (dword) | 32 bits - 4 bytes | `0xabcdef12`         |
| quad word (qword)   | 64 bits - 8 bytes | `0xabcdef1234567890` |

Whenever we use a variable with a certain data type or use a data type with an instruction, both operands should be of the same size.

### Function calls and the eax register

In assembly, a function's return code/value is set in the eax register.

In many calling conventions, when a function finishes its execution, the **return value** is placed in the **EAX register** (or its 64-bit extension, **RAX**, on 64-bit systems).

### Tracing the main function in a binary stripped of debug symbols

This applies to a binary where no function is labelled main.

By default, every decompiler will find the entry point. From this entry point we can find the main function by tracing the eax register.

<figure><img src="https://1775328623-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcqyroGfei3tKtTi25FT7%2Fuploads%2F8sHRbA8QFazP0nmE0ifV%2Fimage.png?alt=media&#x26;token=34c4b75b-173d-494d-9643-8ddb0ae5fb50" alt=""><figcaption></figcaption></figure>

So in order to find main, we look at the last returned value (eax) in the entrypoint function, then trace back where it came from. That is possibly our main function.

e.g.

```nasm
0x004013af     call    fcn.00401875  ; fcn.00401875, return value lands in eax
0x004013b4     mov     ecx, dword [0x004de00c]
0x004013ba     mov     dword [0x004de010], eax  ; save the return value to memory
```

When a function is called, its return value is stored in the eax register.

From the entrypoint, go to the last called function, track the last return value in the graph, and see where it came from.

In this graph we see that an eax value is set at the exit of the entrypoint function. Where is this eax coming from?

<figure><img src="https://1775328623-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcqyroGfei3tKtTi25FT7%2Fuploads%2Fci5DjQHicBici4Ip4T2b%2Fimage.png?alt=media&#x26;token=da4135e0-094f-4b65-986d-92105de9be32" alt=""><figcaption></figcaption></figure>

We go upwards, and we see that our main function returns that eax value (in the screenshot I renamed the random name to main).

<figure><img src="https://1775328623-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcqyroGfei3tKtTi25FT7%2Fuploads%2FDs8FgYFoME2YNbu5pxCp%2Fimage.png?alt=media&#x26;token=230f76da-9e4b-40d1-9803-7a6d9d0ad2ac" alt=""><figcaption></figcaption></figure>
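
The same trace can be scripted over a text listing. This is an added example, not part of the original notes: it tags eax with the callee after every call, follows that tag through `mov` and `push`, and reports which callee's return value reaches the argument of the last call. The listing is constructed (only the three lines around `fcn.00401875` come from the page), `find_main_candidate` is a hypothetical helper name, and the code assumes straight-line 32-bit code that pushes its arguments and ends with the exit call.

```python
import re

# Constructed entry-point listing in the page's disassembly style. Only the
# three lines around fcn.00401875 come from the page; the rest is made up.
LISTING = """\
0x00401390     call    fcn.00401a20
0x00401395     mov     dword [0x004de008], eax
0x004013af     call    fcn.00401875  ; fcn.00401875
0x004013b4     mov     ecx, dword [0x004de00c]
0x004013ba     mov     dword [0x004de010], eax
0x004013c0     mov     edx, dword [0x004de010]
0x004013c6     push    edx
0x004013c7     call    fcn.00402f10
"""

LINE = re.compile(r"^(0x[0-9a-f]+)\s+(\w+)\s*([^;]*)")

def norm(operand):
    """Drop size keywords so 'dword [x]' and '[x]' name the same location."""
    return re.sub(r"\b(byte|word|dword|qword)\b", "", operand).strip()

def find_main_candidate(listing):
    """Return the callee whose eax result feeds the last call's argument.

    Assumption: a straight-line 32-bit listing where arguments are pushed
    and the final call is the exit routine.
    """
    origin = {}   # location -> callee whose return value it currently holds
    pushed = []   # origins of values pushed since the previous call
    result = None
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, mnem, ops = m.groups()
        ops = [norm(o) for o in ops.split(",")] if ops.strip() else []
        if mnem == "call":
            result = next((o for o in pushed if o), None)
            origin["eax"] = ops[0]                 # eax holds this call's return
            pushed = []
        elif mnem == "mov":
            origin[ops[0]] = origin.get(ops[1])    # copy (or clear) the tag
        elif mnem == "push":
            pushed.append(origin.get(ops[0]))
    return result
```

The result is only a candidate: confirm it in the graph view, since branches, inlined code, or register-passed arguments fall outside what this linear pass models.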

One video: <https://www.youtube.com/watch?v=tWSa1L5L394>

