Calling Conventions for Pwn and Profit • Super Pork Chop

Shellcoders and reverse engineers often need intimate knowledge of the registers used in calling functions and syscalls. This is a compressed cheatsheet of some of the most important conventions with a light sprinkling of mnemonics and links to more detailed information.

NOTE: If there are more arguments than registers listed, the remaining arguments are passed on the stack (from right-to-left). Syscall information given is for Linux.

x86

Topic	Description
argument passing (cdecl)	all arguments passed on the stack
argument passing (stdcall)	all arguments passed on the stack
argument passing (fastcall)	`ecx`, `edx`
argument passing (thiscall)	`ecx` gets “this” pointer; other arguments passed on the stack
return value	`eax`
syscall argument passing	`ebx`, `ecx`, `edx`, `esi`, `edi`, `ebp` mnemonic: bcd sdb (“bcd is super dumb binary”)
syscall number	`eax`
syscall table	https://web.archive.org/web/20160907042308/http://docs.cs.up.ac.za/programming/asm/derick%5Ftut/syscalls.html

x86_64

Topic	Description
argument passing (Linux)	`rdi`, `rsi`, `rdx`, `rcx`, `r8`, `r9` mnemonic: “dizzy dixie 89” -> “disi dxcx 89"
argument passing (Windows)	`rcx`, `rdx`, `r8`, `r9` mnemonic: “cd 89"
return value	`rax`
syscall argument passing	`rdi`, `rsi`, `rdx`, `r10`, `r8`, `r9` mnemonic: “dizzy dick 1089” -> “disi dx 1089"
syscall number	`rax`
syscall table	https://blog.rchapman.org/posts/Linux%5FSystem%5FCall%5FTable%5Ffor%5Fx86%5F64/

ARM (32-bit)

Topic	Description
argument passing	`r0`-`r3`
return value	`r0`
callee-save registers	`r4`-`r11` (`r9` may or may not be)
syscall argument passing	`r0`-`r6`
syscall number	`r7`

ARM (64-bit)

Topic	Description
argument passing	`r0`-`r7`
return value	`r0`
callee-save registers	`r19`-`r28`
syscall argument passing	`r0`-`r5`
syscall number	`r8`

MIPS

Topic	Description
argument passing (O32)	`a0`-`a3`
argument passing (N32/N64)	`a0`-`a7`
return value(s)	`v0`, `v1`

RISC-V

Topic	Description
argument passing	`a0`-`a7`
return value(s)	`a0`, `a1`

PowerPC (32-bit)

Topic	Description
argument passing	`gpr3`-`gpr10`
return value	`gpr3`
caller-saved registers	`gpr3`-`gpr12`

References

Architecture	Links
x86	https://lospi.net/assembly/c/developing/software/2015/04/04/common-x86-calling-conventions.html - more information on cdecl, stdcall, and fastcall https://web.archive.org/web/20160907042308/http://docs.cs.up.ac.za/programming/asm/derick%5Ftut/syscalls.html> - syscall table for i386
x86_64	https://blog.rchapman.org/posts/Linux%5FSystem%5FCall%5FTable%5Ffor%5Fx86%5F64/ - syscall table for x86_64 https://stackoverflow.com/questions/2535989/what-are-the-calling-conventions-for-unix-linux-system-calls-on-i386-and-x86-6 - syscall information
ARM	https://stackoverflow.com/questions/261419/what-registers-to-save-in-the-arm-c-calling-convention - calling conventions for 32-bit and 64-bit ARM<br
MIPS	https://courses.cs.washington.edu/courses/cse378/09wi/lectures/lec05.pdf - calling convention for MIPS
PowerPC	https://developer.ibm.com/technologies/linux/articles/l-ppc/ - calling conventions for PowerPC https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#REG - register usage for 64-bit PowerPC
RISC-V	https://riscv.org/wp-content/uploads/2015/01/riscv-calling.pdf - calling convention for RISC-V