Binary Exploitation - Part 2: Registers
by acfirth
Date: 8 June 2025Categories: BinaryExploitation
Contents:
- What Are Registers?
- Registers in x86 (32-bit) Binaries
- Registers in x86-64 (64-bit) Binaries
- Function Calling in x86-64 Binaries
Introduction
When learning about Binary Exploitation, before diving straight into attempting to exploit vulnerabilities, you need to understand registers. Which registers are used by which binary architecture, how they differ from each other, what the registers are used for, and how you might need to use or abuse them to meet your goal.
1. What Are Registers?
Registers are small, very fast storage locations directly within the CPU. They store data, temporarily, that the CPU is currently working with. The data includes things such as operands for arithmetic operations, memory addresses, and control information.
Operands:
Operands are the values or data being manipulated by instructions executed by the CPU. These can include immediate values (like integers), memory locations, and registers themselves.
| Instruction | Operand | Description |
|---|---|---|
| mov eax, 5; | 5 | 5 is an immediate value. It is moved into the eax register by the mov instruction. |
| mov esp, [eax]; | [eax] | [eax] is a memory address which is moved into the esp register by the mov instruction. |
| mov ebx, ebp; | ebp | ebp is a register, the value in the register is moved into the ebx register by the mov instruction. |
Control Information
Control information includes intruction pointers and values that influence control flow like jumps, calls, or conditionals.
| Control Instruction | Description |
|---|---|
| cmp eax, ebx; | Compares the values in the eax and ebx registers. |
| call eax; | Calls a function where the memory address is stored in the eax register. |
| ret; | Returns from a function, using the return address on the stack. |
2. Registers in x86 (32-bit) Binaries
The x86 architecture uses 8 general-purpose 32-bit registers as well as some special purpose registers.
x86 General-Purpose Registers
| Register | Full Name | Usage |
|---|---|---|
| EAX | Accumulator | Used for arithmetic operations and return values from functions. |
| EBX | Base | Often used to point to data in memory (like base registers in arrays). |
| ECX | Counter | Used as a loop counter in LOOP instructions and shift/rotate counts. |
| EDX | Data | Often used in I/O operations and extended precision arithmetic. |
| ESI | Source Index | Used in string and memory copy operations (MOVS, LODS, etc.). |
| EDI | Destination Index | Also used in string and memory operations, often as a destination pointer. |
| EBP | Base Pointer | Points to the base of the current stack frame (used for function calls). |
| ESP | Stack Pointer | Points to the top of the stack, critical for function calls and local variables. |
The EIP
The EIP is the Instruction Pointer. This register holds the memory address of the next instruction to be executed. This is the register that you commonly aim to overwrite when performing Buffer Overflow attacks, as it allows an attacker to control what instructions are executed next. Including other functions or pointing to shellcode that the attacker put onto the stack.
3. Registers in x86-64 (64-bit) Binaries
The x86-64 architecture extends the x86 architecture by expanding the register size from 32-bit to 64-bit, as well as adding 8 more general-purpose registers for a total of 16.
In the x86-64 architecture, the “E” at the start of the register names in the x86 architecture becomes an “R”. For example, “EIP” becomes “RIP”.
x86-64 General-Purpose Registers
| Register | Full Name | Usage |
|---|---|---|
| RAX | Extended Accumulator | Return values, arithmetic |
| RBX | Extended Base | General data storage |
| RCX | Extended Counter | Loop counters, function arguments |
| RDX | Extended Data | I/O and argument passing |
| RSI | Source Index | Function arguments, string ops |
| RDI | Destination Index | Function arguments, string ops |
| RBP | Base Pointer | Stack frame base |
| RSP | Stack Pointer | Stack top pointer |
| R8 - R15 | Extra registers | Used for additional arguments or storage |
The RIP
The RIP is the Instruction Pointer. It works the same as the EIP. It’s a register that holds the memory address of the next instruction to be executed. Aagin, when performing Buffer Overflow attacks, this is usually the register the attacker aims to overwrite. Overwriting registers, when performing Buffer Overflow attacks, in x86-64 binaries is a little bit tricker than it is in x86 binaries, which I will discuss in more detail in the post discussing vulnerabilities and the respective attacks.
4. Function Calling in x86-64 Binaries
In 64-bit binaries, when calling a function that requires arguments, the arguments are passed in the registers: RDI, RSI, RDX, RCX, R8, and R9.
In more advanced attacks, especially when building ROP chains, you may have to find gadgets that allow you to pop these registers allowing you to enter your required values into them.
Final Words
This is just a basic description of all of the registers used within different architectures. As you continue to learn about Binary Exploitation, you will begin to understand more about where and when the registers are used and how you may need to use them to exploit a vulnerability.
Tags: Cybersecurity - Binary Exploitation - PWN - Buffer Overflow