Assembly


Last updated 7 hours ago

Syscall numbers for the x86_64 (Intel/AMD64) architecture: use one of the syscall tables linked at the end of this page, or look a call up from its man page (section 2 is the system call section):

man -s 2 <syscall_name>

Data Type

Component            Length              Example
byte                 8 bits              0xab
word                 16 bits - 2 bytes   0xabcd
double word (dword)  32 bits - 4 bytes   0xabcdef12
quad word (qword)    64 bits - 8 bytes   0xabcdef1234567890

Whenever we declare a variable with a certain data type, or use a data type with an instruction, both operands of that instruction must be the same size.

call function and eax register relation

In assembly the return code/value of a function is set in the eax register.

By convention, in most calling conventions, when a function finishes executing its return value is placed in the EAX register (or its 64-bit extension, RAX, on 64-bit systems).
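The two points above (syscall numbers on x86_64, and the return value landing in eax/rax) can be seen in one place: a raw system call. The following is an added example written for this page, not code from the original; it assumes a Linux x86_64 machine with GCC/Clang inline assembly (on any other platform it falls back to libc's syscall() wrapper). SYS_getpid and SYS_close are the real constants from <sys/syscall.h>; the function names raw_syscall3, raw_getpid, raw_close_bad_fd and libc_close_bad_fd_errno are chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Issue a three-argument system call.
 * x86_64 Linux ABI: syscall number in rax, arguments in rdi/rsi/rdx, result
 * returned in rax; the kernel clobbers rcx and r11. "a"/"D"/"S"/"d" are the
 * GCC constraint letters for rax/rdi/rsi/rdx. */
long raw_syscall3(long nr, long a1, long a2, long a3)
{
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
    return ret;
#else
    /* Fallback for other platforms: libc's syscall() wrapper returns -1 and
     * sets errno, so re-encode that as the kernel's -errno convention. */
    long ret = syscall(nr, a1, a2, a3);
    return ret == -1 ? -errno : ret;
#endif
}

/* getpid through the raw interface: the pid is simply what the kernel left
 * in rax. SYS_getpid is 39 on x86_64 Linux. */
long raw_getpid(void)
{
    return raw_syscall3(SYS_getpid, 0, 0, 0);
}

/* Error convention: a raw syscall returns -errno in rax, not -1.
 * Closing a descriptor that is not open yields -EBADF. */
long raw_close_bad_fd(void)
{
    return raw_syscall3(SYS_close, -1, 0, 0);
}

/* The same failure through the libc wrapper: -1 comes back and errno holds
 * EBADF, because the wrapper translates the negative rax value for you. */
int libc_close_bad_fd_errno(void)
{
    return close(-1) == -1 ? errno : 0;
}

int main(void)
{
    printf("raw getpid()   = %ld (libc getpid() = %ld)\n", raw_getpid(), (long)getpid());
    printf("raw close(-1)  = %ld (expected %d = -EBADF)\n", raw_close_bad_fd(), -EBADF);
    printf("libc close(-1) = -1, errno = %d (EBADF = %d)\n",
           libc_close_bad_fd_errno(), EBADF);
    return 0;
}
```

When reading disassembly, the practical consequence is that a negative value in rax right after a syscall instruction is an error code, while the libc wrappers you see called from C code have already converted it to -1 plus errno.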

Tracing the main function in a binary with stripped debug symbols

In a stripped binary there is no function named main.

By default every disassembler/decompiler will find the entry point. Starting from the entry point we can find the main function by tracing the eax register.

So, in order to find main, we trace back the last value returned in eax by the entry-point function, then trace back where that value came from; the function that produced it is most likely our main function.

e.g.

0x004013af     call    fcn.00401875  ; fcn.00401875
0x004013b4     mov     ecx, dword [0x004de00c]
0x004013ba     mov     dword [0x004de010], eax

When a function is called, its return value is stored in the eax register.

From the entry point, go to the last called function, track the last return value in the graph view and see where it came from.

In this graph we see that eax is set just before the entry point exits. Where is this eax value coming from?

We go upwards,

and we see that our main function returns that eax value (in the screenshot I renamed the auto-generated function name to main).
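The manual walk above (find the last use of eax in the entry function, then walk upward to the call that produced it) can be written down as a small heuristic over disassembly text. This is an added example for this page, not code from the original or from any disassembler; it assumes radare2-style lines in the format shown above ("address  mnemonic  operands ; comment"). The first three lines of entry_listing are the page's own, the trailing ret and the second listing are constructed for the example, and all function names are chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Entry-function listing: the first three lines are from the page above,
 * the final ret is constructed so the listing is a complete function. */
static const char *entry_listing[] = {
    "0x004013af     call    fcn.00401875  ; fcn.00401875",
    "0x004013b4     mov     ecx, dword [0x004de00c]",
    "0x004013ba     mov     dword [0x004de010], eax",
    "0x004013c0     ret",
};

/* Constructed counter-example: eax is overwritten after the call, so the
 * value the entry point returns did NOT come from fcn.00401875. */
static const char *overwritten_listing[] = {
    "0x00401000     call    fcn.00401875",
    "0x00401005     xor     eax, eax          ; return 0 regardless",
    "0x00401007     ret",
};

/* Split "addr  mnemonic  operands ; comment" into mnemonic and operands.
 * %*s skips the address column; %[^;] stops before an inline comment. */
static int parse_insn(const char *line, char mnem[16], char ops[64])
{
    mnem[0] = ops[0] = '\0';
    return sscanf(line, "%*s %15s %63[^;]", mnem, ops) >= 1;
}

/* Heuristic: does this instruction read eax/rax as a source operand, or
 * hand it back to the caller through ret? */
static int consumes_eax(const char *line)
{
    char mnem[16], ops[64];
    if (!parse_insn(line, mnem, ops)) return 0;
    if (strcmp(mnem, "ret") == 0) return 1;
    return strstr(ops, ", eax") != NULL || strstr(ops, ", rax") != NULL;
}

/* Does this instruction overwrite eax/rax? Destination is the first operand;
 * cmp/test/push only read it. */
static int writes_eax(const char *line)
{
    char mnem[16], ops[64];
    if (!parse_insn(line, mnem, ops)) return 0;
    if (!strcmp(mnem, "cmp") || !strcmp(mnem, "test") || !strcmp(mnem, "push")) return 0;
    return strncmp(ops, "eax", 3) == 0 || strncmp(ops, "rax", 3) == 0;
}

/* Walk the listing backwards: locate the last instruction that consumes eax,
 * then the nearest earlier instruction that produces it. If that producer is
 * a call, its target is the main candidate and is copied into out.
 * Returns 1 on success, 0 when eax came from something other than a call. */
int find_main_candidate(const char **lines, size_t n, char *out, size_t outlen)
{
    size_t i = n;
    while (i > 0 && !consumes_eax(lines[i - 1])) i--;
    if (i == 0) return 0;
    for (size_t j = i - 1; j > 0; j--) {          /* lines[j-1]: predecessors */
        char mnem[16], ops[64], target[64];
        if (!parse_insn(lines[j - 1], mnem, ops)) continue;
        if (strcmp(mnem, "call") == 0 && sscanf(ops, "%63s", target) == 1) {
            snprintf(out, outlen, "%s", target);
            return 1;
        }
        if (writes_eax(lines[j - 1])) return 0;   /* clobbered before the consumer */
    }
    return 0;
}

/* Convenience wrappers over the two embedded listings. */
const char *main_candidate_for_page_listing(void)
{
    static char out[64];
    size_t n = sizeof entry_listing / sizeof entry_listing[0];
    return find_main_candidate(entry_listing, n, out, sizeof out) ? out : NULL;
}

const char *main_candidate_when_eax_overwritten(void)
{
    static char out[64];
    size_t n = sizeof overwritten_listing / sizeof overwritten_listing[0];
    return find_main_candidate(overwritten_listing, n, out, sizeof out) ? out : NULL;
}

int main(void)
{
    const char *c = main_candidate_for_page_listing();
    printf("page listing: main candidate = %s\n", c ? c : "(none)");
    c = main_candidate_when_eax_overwritten();
    printf("overwritten listing: main candidate = %s\n", c ? c : "(none, eax clobbered)");
    return 0;
}
```

The second listing is the check worth keeping in mind when doing this by hand: the trace is only valid if nothing between the call and the final use writes eax. An intervening xor eax, eax or mov eax, imm means the entry point's return value is unrelated to the callee, and the candidate has to be found another way (for example by following the argument the CRT passes to its start routine).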

One video:

https://www.youtube.com/watch?v=tWSa1L5L394

Syscall number references (x86_64):

Chromium OS Docs - Linux System Call Table
linux/syscall_64.tbl at master · torvalds/linux (GitHub)
Searchable Linux Syscall Table for x86 and x86_64 | PyTux