Calling Convention
توضیح:
قانونیه که میگه آرگومان ها چطور به تابع داده میشن و نتیجه چطور برمیگرده
وقتی دارید مهندسی معکوس میکنی اگه Convention رو نشناسید اصلا نمیفهمید تابع چی از کجا ورودی میگیره و چی رو تغییر میده
سه Convention مهم برای مهندسی معکوس
فقط همین سهتا رو باید مسلط باشید بقیه شون یا قدیمین یا کم استفاده
System V AMD64 برای لینوکس و مک
شش آرگومان اول داخل رجیسترها:
بقیه آرگومانها روی استک
اگه کد لینوکسه نگاهتون اول باید بره سراغ RDI و RSI %90 آرگومان ها اونجاست
Windows x64 Convention
چهار آرگومان اول در رجیستر ها:
ویندوز فقط چهار تا رجیستر میده بهتون بقیش میره رو استک
Stack-based (cdecl / stdcall / fastcall قدیمی تر
اینا تو x86 زیاد بودن تو x64 کمتر
ولی هنوز هستت
همه آرگومان ها روی استک
return
در RAX یا EAX
Caller یا Callee
استک رو تمیز میکنه بسته به نوع
اگر دیدید قبل از call کلی push push push انجام شد تقریبا یعنی Convention قدیمیه
چطور توی دیساسمبلی Convention رو تشخیص بدیم (Detect)
رجیستر هایی که قبل از call مقدار میگیرن
بعضی compilerها قبل از شروع تابع shadow space میذارن فقط تو ویندوز
یعنی:
اینجا ویندوزه Convention: Windows x64
Calling Convention
Explanation:
A rule that says how arguments are given to a function and how the result is returned
When you are reverse engineering, if you do not know the Convention, you will not understand at all what the function takes input from, where it comes from, and what it changes
Three important conventions for reverse engineering
You only need to master these three, the rest are either old or rarely used
System V AMD64 for Linux and Mac
The first six arguments are in the registers:
The rest of the arguments are on the stack
return value → RAX
If it is Linux code, your first look should be at RDI and RSI, 90% of the arguments are there
Windows x64 Convention
The first four arguments are in the registers:
The rest of the arguments are on the stack
return RAX
Windows only provides four registers The rest goes to the stack
Stack-based (older cdecl / stdcall / fastcall
This was more in x86, less in x64
But it's still there
All arguments on the stack
return
in RAX or EAX
Caller or Callee
Cleans the stack depending on the type
If you see a whole push push push done before the call, it almost means the Convention is old
How to detect the Convention in disassembly
Registers that get values before the call
Some compilers put a shadow space before the function starts, only in Windows
Meaning:
Here is Windows Convention: Windows x64
@reverseengine
توضیح:
قانونیه که میگه آرگومان ها چطور به تابع داده میشن و نتیجه چطور برمیگرده
وقتی دارید مهندسی معکوس میکنی اگه Convention رو نشناسید اصلا نمیفهمید تابع چی از کجا ورودی میگیره و چی رو تغییر میده
سه Convention مهم برای مهندسی معکوس
فقط همین سهتا رو باید مسلط باشید بقیه شون یا قدیمین یا کم استفاده
System V AMD64 برای لینوکس و مک
شش آرگومان اول داخل رجیسترها:
RDI, RSI, RDX, RCX, R8, R9
بقیه آرگومانها روی استک
return value → RAX
اگه کد لینوکسه نگاهتون اول باید بره سراغ RDI و RSI %90 آرگومان ها اونجاست
Windows x64 Convention
چهار آرگومان اول در رجیستر ها:
RCX, RDX, R8, R9
بقیه آرگومانها روی استک
return RAX
ویندوز فقط چهار تا رجیستر میده بهتون بقیش میره رو استک
Stack-based (cdecl / stdcall / fastcall قدیمی تر
اینا تو x86 زیاد بودن تو x64 کمتر
ولی هنوز هستت
همه آرگومان ها روی استک
return
در RAX یا EAX
Caller یا Callee
استک رو تمیز میکنه بسته به نوع
اگر دیدید قبل از call کلی push push push انجام شد تقریبا یعنی Convention قدیمیه
چطور توی دیساسمبلی Convention رو تشخیص بدیم (Detect)
رجیستر هایی که قبل از call مقدار میگیرن
RDI/RSI
قطعا System V
RCX/RDX
تقریبا همیشه Windows x64
push
پشت هم احتمالا stack-based
prologue
بعضی compilerها قبل از شروع تابع shadow space میذارن فقط تو ویندوز
sub rsp, 0x20
یعنی:
اینجا ویندوزه Convention: Windows x64
Calling Convention
Explanation:
A rule that says how arguments are given to a function and how the result is returned
When you are reverse engineering, if you do not know the Convention, you will not understand at all what the function takes input from, where it comes from, and what it changes
Three important conventions for reverse engineering
You only need to master these three, the rest are either old or rarely used
System V AMD64 for Linux and Mac
The first six arguments are in the registers:
RDI, RSI, RDX, RCX, R8, R9
The rest of the arguments are on the stack
return value → RAX
If it is Linux code, your first look should be at RDI and RSI, 90% of the arguments are there
Windows x64 Convention
The first four arguments are in the registers:
RCX, RDX, R8, R9
The rest of the arguments are on the stack
return RAX
Windows only provides four registers The rest goes to the stack
Stack-based (older cdecl / stdcall / fastcall
This was more in x86, less in x64
But it's still there
All arguments on the stack
return
in RAX or EAX
Caller or Callee
Cleans the stack depending on the type
If you see a whole push push push done before the call, it almost means the Convention is old
How to detect the Convention in disassembly
Registers that get values before the call
RDI/RSI
Definitely System V
RCX/RDX
Almost always Windows x64
push
Back to back probably stack-based
prologue
Some compilers put a shadow space before the function starts, only in Windows
sub rsp, 0x20
Meaning:
Here is Windows Convention: Windows x64
@reverseengine
❤1
ReverseEngineering
Calling Convention توضیح: قانونیه که میگه آرگومان ها چطور به تابع داده میشن و نتیجه چطور برمیگرده وقتی دارید مهندسی معکوس میکنی اگه Convention رو نشناسید اصلا نمیفهمید تابع چی از کجا ورودی میگیره و چی رو تغییر میده سه Convention مهم برای مهندسی معکوس…
مثال تشخیص Calling Convention
دیساسمبلی:
این خط داریم دو آرگومان به func میدیم چون RDI/RSI هست پس کد لینوکسه و
Convention = System V
Example of Calling Convention Detection
Disassembly:
In this line, we are giving two arguments to func because it is RDI/RSI, so it is Linux code and Convention = System V
@reverseengine
دیساسمبلی:
mov rdi, rax
mov rsi, rbx
call func
این خط داریم دو آرگومان به func میدیم چون RDI/RSI هست پس کد لینوکسه و
Convention = System V
Example of Calling Convention Detection
Disassembly:
mov rdi, rax
mov rsi, rbx
call func
In this line, we are giving two arguments to func because it is RDI/RSI, so it is Linux code and Convention = System V
@reverseengine
❤1
Enumerating Windows Clipboard History in PowerShell
https://devblogs.microsoft.com/oldnewthing/20230303-00/?p=107894
@reverseengine
https://devblogs.microsoft.com/oldnewthing/20230303-00/?p=107894
@reverseengine
Microsoft News
Enumerating Windows clipboard history in PowerShell
Doing Windows Runtime things from PowerShell.
❤1
LayeredSyscall Abusing VEH to Bypass EDRs
https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs
@reverseengine
https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs
@reverseengine
White Knight Labs
LayeredSyscall - Abusing VEH to Bypass EDRs | White Knight Labs
Generating legitimate call stack frame along with indirect syscalls by abusing Vectored Exception Handling (VEH) to bypass User-Land EDR hooks in Windows.
❤1
vmp-3.5.1.zip
20.2 MB
VMProtect Source Code (Leaked 07.12.2023)
mirror:
https://github.com/jmpoep/vmprotect-3.5.1
@reverseengine
intel.cc and processors.cc included
mirror:
https://github.com/jmpoep/vmprotect-3.5.1
@reverseengine
❤1
Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device
https://boschko.ca/qemu-emulating-firmware
@reverseengine
https://boschko.ca/qemu-emulating-firmware
@reverseengine
Boschko Security Blog
Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device
A step-by-step how-to guide to using QEMU in Ubuntu 18.04 to emulate embedded devices.
❤1
Msdocviewer is a Simple Tool that Parses Microsoft's Win32 API
https://github.com/alexander-hanel/msdocsviewer
@reverseengine
https://github.com/alexander-hanel/msdocsviewer
@reverseengine
GitHub
GitHub - alexander-hanel/msdocsviewer: msdocsviewer is a simple tool that parses Microsoft's win32 API and driver documentation…
msdocsviewer is a simple tool that parses Microsoft's win32 API and driver documentation to be used within IDA. - alexander-hanel/msdocsviewer
❤1
Advanced Root Detection & Bypass Techniques
https://8ksec.io/advanced-root-detection-bypass-techniques
@reverseengine
https://8ksec.io/advanced-root-detection-bypass-techniques
@reverseengine
❤1
Analysis of Malware Attacked Bank X Customers
https://www.reddit.com/r/MalwareAnalysis/comments/bgqz7m/analysis_of_malware_attacked_bank_x_customers
@reverseengine
https://www.reddit.com/r/MalwareAnalysis/comments/bgqz7m/analysis_of_malware_attacked_bank_x_customers
@reverseengine
Reddit
From the MalwareAnalysis community on Reddit: Analysis of malware attacked bank X customers
Explore this post and more from the MalwareAnalysis community
❤1
Malware Development Trick 53: Steal Data
https://cocomelonc.github.io/malware/2025/10/22/malware-tricks-53.html
@reverseengine
https://cocomelonc.github.io/malware/2025/10/22/malware-tricks-53.html
@reverseengine
cocomelonc
Malware development trick 53: steal data via legit XBOX API. Simple C example.
﷽
❤1
تحلیل یکی از حملات گروه Lynx Ransomware
Analysis of a Lynx Ransomware attack
https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware
@FUZZ0x
Analysis of a Lynx Ransomware attack
https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware
@FUZZ0x
The DFIR Report
Cat’s Got Your Files: Lynx Ransomware
Key Takeaways The intrusion began with a successful RDP login using already-compromised credentials, likely obtained via an infostealer, data breach reuse, or an initial access broker. Within minut…
❤1
Malchela
A Yara & Malware Analysis Toolkit
Written in Rust
https://github.com/dwmetz/MalChela
@reverseengine
A Yara & Malware Analysis Toolkit
Written in Rust
https://github.com/dwmetz/MalChela
@reverseengine
GitHub
GitHub - dwmetz/MalChela: A YARA & Malware Analysis Toolkit written in Rust.
A YARA & Malware Analysis Toolkit written in Rust. - dwmetz/MalChela
❤1
Dirty Vanity: A New Approach to Code Injection & EDR Bypass
Clone the shellcode
https://www.deepinstinct.com/blog/dirty-vanity-a-new-approach-to-code-injection-edr-bypass
@reverseengine
Clone the shellcode
https://www.deepinstinct.com/blog/dirty-vanity-a-new-approach-to-code-injection-edr-bypass
@reverseengine
❤2
Process Injection without R/W target memory and without creating a remote thread
https://github.com/Maff1t/InjectNtdllPOC
@reverseengine
https://github.com/Maff1t/InjectNtdllPOC
@reverseengine
GitHub
GitHub - Maff1t/InjectNtdllPOC: Process Injection without R/W target memory and without creating a remote thread
Process Injection without R/W target memory and without creating a remote thread - Maff1t/InjectNtdllPOC
❤1
Analyzing a Modern In-the-wild Android Exploit
https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html
@reverseengine
https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html
@reverseengine
projectzero.google
Analyzing a Modern In-the-wild Android Exploit - Project Zero
By Seth Jenkins, Project ZeroIntroductionIn December 2022, Google’s Threat Analysis Group (TAG) discovered an in-the-wild exploit chain targeting Samsu...
❤2