Practical Reverse Engineering

Appearance

Architecture Quick Reference

Per-architecture summary of registers, calling conventions, and the disassembly idioms you see most often. Use as a desk reference.

ARM Cortex-M (ARMv6-M / ARMv7-M / ARMv8-M, Thumb only)

Registers:

RegRole
r0–r3argument registers, return in r0 (and r1 for 64-bit return)
r4–r11callee-saved
r12 (ip)intra-procedure scratch
r13 (sp)stack pointer
r14 (lr)link register (return address)
r15 (pc)program counter
s0–s31single-precision FP (Cortex-M4F has SP-only FPv4-SP)
d0–d15double-precision FP (Cortex-M7 with FPv5-D16 only)

Calling convention (AAPCS):

  • args: r0..r3, then stack
  • return: r0 (r0:r1 for 64-bit)
  • stack alignment: 8 bytes at function entry
  • hard-float: float args in s0..s15

Common prologue:

text
push {r4-r7, lr}        ; save callee-saved + lr
sub  sp, #N             ; allocate locals

Common epilogue:

text
add  sp, #N
pop  {r4-r7, pc}        ; restore + return

Memory map (architecture):

RangeContents
0x00000000–0x1FFFFFFFcode
0x20000000–0x3FFFFFFFSRAM
0x40000000–0x5FFFFFFFperipherals
0x60000000–0x9FFFFFFFexternal RAM
0xA0000000–0xDFFFFFFFexternal device
0xE0000000–0xE00FFFFFPrivate Peripheral Bus (PPB) — SCS (NVIC, SysTick, SCB) sub-range at 0xE000E000–0xE000EFFF
0xE0100000–0xFFFFFFFFvendor-specific

Vector table (first words at flash base):

  1. Initial SP
  2. Reset vector
  3. NMI
  4. HardFault
  5. MemManage (M3+)
  6. BusFault (M3+)
  7. UsageFault (M3+)
  8. SecureFault (M33+) / reserved 9-11. reserved
  9. SVCall
  10. DebugMon
  11. reserved
  12. PendSV
  13. SysTick 17+. external IRQs (vendor-defined)

ARM Cortex-A AArch32

Same calling convention as Cortex-M. Adds:

  • ARM mode (32-bit instructions) in addition to Thumb
  • Coprocessor instructions (MRC, MCR)
  • NEON SIMD (q0..q15)
  • MMU, FPU as standard

ARM Cortex-A AArch64

Registers:

RegRole
x0–x7arguments, return in x0/x1
x8indirect result location
x9–x15temporary (caller-saved)
x16–x17intra-procedure scratch
x18platform register (sometimes)
x19–x28callee-saved
x29 (fp)frame pointer
x30 (lr)link register
spstack pointer (separate from x31)
xzrzero register
v0–v31SIMD/FP

Calling convention (AAPCS64):

  • args: x0..x7 integer, v0..v7 FP
  • return: x0 (x1 for 128-bit), v0
  • stack alignment: 16 bytes

Common prologue:

text
stp x29, x30, [sp, #-N]!     ; push fp + lr, allocate frame
mov x29, sp                  ; new fp

Common epilogue:

text
ldp x29, x30, [sp], #N       ; restore + dealloc
ret

Xtensa LX6/LX7 (ESP32 family)

Registers:

RegRole
a0return address
a1 (sp)stack pointer
a2..a7arguments (windowed ABI)
a2..a5return values (up to 16 bytes)
a8..a15local temporaries
(physical)up to 64 physical ARs; only 16 visible at once via the window

Calling convention (windowed):

  • CALL4/8/12 label slides the window by 4, 8, or 12 registers
  • args in a2..a7
  • return in a2..a5
  • RETW returns and slides window back

Common prologue:

text
ENTRY a1, N             ; allocate N bytes, slide window

Common epilogue:

text
RETW.N

ESP32 memory map highlights:

RangeRegion
0x40000000–0x4005FFFFROM
0x40080000–0x4009FFFFIRAM
0x3FFB0000–0x3FFFFFFFDRAM
0x400D0000–0x40400000Flash code (cached)
0x3F400000–0x3F800000Flash data (cached)

RISC-V RV32 (with C extension; ESP32-C, BL602, generic)

Register names (ABI):

ABIRegRole
zerox0hardwired 0
rax1return address
spx2stack pointer
gpx3global pointer
tpx4thread pointer
t0–t2x5–x7temporaries (caller-saved)
s0/fpx8saved / frame pointer
s1x9saved
a0–a1x10–x11args / return
a2–a7x12–x17args
s2–s11x18–x27callee-saved
t3–t6x28–x31temporaries

Calling convention:

  • args: a0..a7 (8 args in regs)
  • return: a0 (a1 for 64-bit on RV32)
  • callee-saved: s0..s11
  • stack: 16-byte aligned (typically)

Common prologue:

text
addi  sp, sp, -N
sw    ra, (N-4)(sp)
sw    s0, (N-8)(sp)
addi  s0, sp, N

Common epilogue:

text
lw    s0, (N-8)(sp)
lw    ra, (N-4)(sp)
addi  sp, sp, N
ret                     ; pseudo for jalr zero, 0(ra)

Compressed (c ext) prefix on instructions: c. — half-size encoding of common operations.

MIPS32 (O32 ABI, big-endian common)

Register names:

ABINumberRole
$zero0hardwired 0
$at1assembler temp
$v0–$v12–3return values
$a0–$a34–7args
$t0–$t78–15temporaries (caller-saved)
$s0–$s716–23callee-saved
$t8–$t924–25temporaries; $t9 holds called fn
$k0–$k126–27kernel-reserved
$gp28global pointer (caller-saved in PIC O32)
$sp29stack pointer
$fp / $s830frame pointer / saved
$ra31return address

Calling convention (O32):

  • args: $a0..$a3, then stack
  • return: $v0 (and $v1 for 64-bit)
  • callee-saved: $s0..$s7, $sp, $fp, $ra
  • $gp: caller-saved in PIC O32, constant in non-PIC code
  • first 16 bytes of caller's stack reserved for arg spill

Common prologue:

text
addiu $sp, $sp, -N
sw    $ra, (N-4)($sp)
sw    $fp, (N-8)($sp)
move  $fp, $sp

Common epilogue:

text
move  $sp, $fp
lw    $fp, (N-8)($sp)
lw    $ra, (N-4)($sp)
addiu $sp, $sp, N
jr    $ra
nop                     ; delay slot

Branch delay slots — the instruction after every branch executes before the branch is taken.

8051

Registers:

RegRole
Aaccumulator
Bsecondary, used by MUL/DIV
R0–R7banked register set (4 banks of 8)
DPTRdata pointer (16-bit, often DPL/DPH split)
SPstack pointer (in IDATA)
PSWprogram status (carry, register bank select, etc.)

SFRs (special function registers) at IDATA addresses 0x80–0xFF. Layout chip-specific. Standard SFRs: P0/P1/P2/P3 (ports), TCON/TMOD (timers), SCON/SBUF (UART), IE (interrupt enable), IP (priority).

Calling convention varies by compiler:

  • SDCC: first arg in DPL/DPH for pointer, R7 for char, R7:R6 for int
  • Keil C51: args in R7..R3 then memory

Memory spaces:

  • CODE — flash, read-only at runtime
  • IDATA — internal RAM (256 bytes max in classic)
  • XDATA — external RAM (up to 64 KiB)
  • SFR — special function registers (in IDATA upper half)
  • BIT — bit-addressable region

Common access patterns:

text
MOV A, #imm                   ; load immediate
MOVX A, @DPTR                 ; load XDATA
MOVC A, @A+DPTR               ; load CODE (table lookup)
LCALL addr                    ; long call
RET                           ; return

Common opcode magic numbers (first byte)

For raw byte identification:

First byteLikely meaning
7F 45 4C 46ELF
02 00 00 EAARM unconditional branch (early ARM image)
27 BD FF E0MIPS BE addiu $sp, -0x20
E0 FF BD 27MIPS LE same
13 ... or 17 ...RISC-V RV32I uncompressed OP-IMM / AUIPC (low 2 bits = 11)
any byte with low 2 bits 00/01/10RISC-V compressed (RVC)
36 41 00Xtensa entry a1, 0x20 (windowed entry)
02 xx xx8051 LJMP (vector table start)
E9 xx xx xx xxx86 32-bit jump
E9 (single byte)ESP image header magic
1F 8Bgzip
42 5A 68bzip2
FD 37 7A 58 5A 00xz
28 B5 2F FDZstandard
89 50 4E 47 0D 0A 1A 0APNG

Endianness check shortcuts

For an unknown blob, decode the first 4 bytes as both endiannesses and check which yields a sensible instruction:

  • If big-endian decode is addiu $sp, $sp, -N (MIPS frame allocation): MIPS BE.
  • If little-endian decode is the same: MIPS LE.
  • If little-endian decode is a Cortex-M push followed by sub sp: Thumb LE.
  • If decode looks like nothing in the candidate ISA: try the other endianness, then a different ISA.

Standard exception/interrupt vector ordering

Cortex-M (first 16 vectors after SP):

NMI, HardFault, MemManage, BusFault, UsageFault, [reserved×4], SVC, DebugMon, [reserved], PendSV, SysTick.

RISC-V (CLINT mode):

A single trap handler (mtvec); software dispatches on mcause.

RISC-V (vectored mode):

Trap base + N×4 entries, indexed by mcause low bits (interrupt number).

MIPS:

Single exception vector (typically 0x80000180); software dispatches on Cause register.

8051:

Reset (0x0000), IE0 (0x0003), TF0 (0x000B), IE1 (0x0013), TF1 (0x001B), RI/TI (0x0023), TF2/EXF2 (0x002B). Vendor-extended interrupts at higher addresses.

Released under CC BY-SA 4.0 (book text) and MIT (build scripts).

Copyright © 2026 DatanoiseTV