Reverse analysis from x86 to x64: tips
2022-06-12 13:56:00 【HyperCall】
Tips 1
A question raised in an earlier article, "Hiding processes in ring 3 on 64-bit Windows 10":
I originally thought that because addresses on x64 are 8 bytes, the jmp displacement would need -9, but debugging showed it was still -5, just like on x86.....
This is one thing that needs special attention when moving reverse analysis from x86 to x64: the changes in the jmp and call instructions.
Although in OD (OllyDbg) many jump instructions are shown as jmp xxxxx, a closer look at their binary encoding reveals big differences.
Several different opcodes are all disassembled as jmp, but they have different meanings.
1>
On x86:
EB is a short jump. It interprets the 1 byte following EB as the relative displacement of the jump.
The displacement is computed as: EB XX, where XX = target address - address of the EB instruction - 2
On x64:
Identical: the 1 byte after the opcode is still a relative displacement, and the formula is the same.
2>
On x86:
E9 is a near relative jump. It interprets the 4 bytes following E9 as the relative displacement of the jump.
The displacement is computed as: E9 XXXXXXXX, where XXXXXXXX = target address - address of the E9 instruction - 5
On x64:
Identical: the 4 bytes after the opcode are still a relative displacement, and the formula is the same.
3>
On x86:
FF25 xxxxxxxx, where xxxxxxxx is an absolute address (FF25 dereferences that absolute address, i.e. it jumps to [absolute address], the destination stored there).
On x64:
FF25 xxxxxxxx, where xxxxxxxx is a relative address (FF25 dereferences an address computed relative to the current instruction pointer, i.e. it jumps to [relative address], the destination stored there).
So the biggest difference on x64 is that FF25 no longer resolves an absolute address; it too has become relative, and x64 has no absolute-address jump.
This is because an x64 address pointer is twice the size of an x86 one; to keep the jump instruction from growing longer, all jumps were made relative.
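The three encodings above, as an added example that is not part of the original post: a small Python encoder and resolver (addresses, bytes and memory slot contents are constructed sample values) showing that EB/E9 displacements are computed the same way on both architectures, while the FF25 operand is absolute on x86 and relative to the next instruction on x64.

```python
import struct

# Added example, not from the original post. All addresses, bytes and
# memory contents below are constructed sample values.

def encode_direct_jmp(insn_addr, target):
    """Encode a direct jmp from insn_addr to target: EB rel8 if it fits, else E9 rel32.

    The displacement is relative to the END of the instruction, hence
    target - insn_addr - 2 for EB and target - insn_addr - 5 for E9.
    The operand stays 1 or 4 bytes on x64 too, which is why the x64
    patch still needs -5 rather than -9.
    """
    rel8 = target - (insn_addr + 2)
    if -128 <= rel8 <= 127:
        return bytes([0xEB]) + struct.pack("<b", rel8)
    rel32 = target - (insn_addr + 5)
    if not -2**31 <= rel32 < 2**31:
        raise ValueError("target out of rel32 range: needs an indirect FF25 jmp")
    return bytes([0xE9]) + struct.pack("<i", rel32)


def resolve_jmp(code, insn_addr, mem, x64):
    """Return (instruction length, destination) for an EB/E9/FF25 jmp at insn_addr.

    mem maps a slot address to the pointer stored there (the [xxxxxxxx] that
    FF25 reads through). Only FF25 differs between modes: on x86 the operand
    is the absolute slot address, on x64 it is relative to the next instruction.
    """
    mask = (1 << 64) - 1 if x64 else (1 << 32) - 1
    op = code[0]
    if op == 0xEB:                               # short jump, rel8
        return 2, (insn_addr + 2 + struct.unpack("<b", code[1:2])[0]) & mask
    if op == 0xE9:                               # near jump, rel32
        return 5, (insn_addr + 5 + struct.unpack("<i", code[1:5])[0]) & mask
    if code[:2] == b"\xff\x25":                  # indirect jump through memory
        disp = struct.unpack("<i", code[2:6])[0]
        slot = (insn_addr + 6 + disp) & mask if x64 else disp & mask
        return 6, mem[slot]
    raise ValueError("not an EB/E9/FF25 jmp")


if __name__ == "__main__":
    # Same FF25 bytes, two meanings: slot 0x2000 past the instruction on x64,
    # absolute slot 0x00002000 on x86 (constructed sample values).
    code = b"\xff\x25\x00\x20\x00\x00"
    print(hex(resolve_jmp(code, 0x140001000, {0x140003006: 0x7FFE00001234}, True)[1]))
    print(hex(resolve_jmp(code, 0x401000, {0x2000: 0x77E10000}, False)[1]))
```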
Tips 2
On 32-bit systems there are several function calling conventions: cdecl, stdcall and fastcall. On 64-bit systems this is unified into a single fastcall, with parameters passed as follows:

Parameter    Integer type    Floating point
1st          RCX             XMM0
2nd          RDX             XMM1
3rd          R8              XMM2
4th          R9              XMM3

From the 5th parameter onward, parameters are passed on the stack, and the stack is cleaned up by the caller after the call. Although the first 4 parameters are held in registers, space for them is still reserved on the stack, so the 5th parameter is not located at rsp but at rsp + sizeof(1+2+3+4), i.e. past the space of those four register parameters.
Tips 3
x64 code hardly uses the RBP register, even though it still has a stack frame; stack frame access is implemented through the RSP register instead.