
How to determine if the registers are loaded right to left or vice versa

When reviewing gdb output and looking at the assembly calls, usually I can find a command using hard-coded values to determine whether the registers are being loaded right to left or vice versa.

Usually something like the following:

  sub     rsp, 16

or

  sub     16, rsp 

But other times, no values like the above are visible. All I see are calls like the following:

(gdb) disassemble
 Dump of assembler code for function main:
 0x0000000100000f54 <main+4>:    mov    $rdi,%r15
 0x0000000100000f59 <main+9>:    mov    $rsi,%r14
 0x0000000100000f60 <main+16>:   mov    $rdx,%r13
 0x0000000100000f67 <main+23>:   mov    $ecx,$r12d
 End of assembler dump.

How does one determine if values are processed left to right or vice versa?

Unhandled Exception asked Jun 21 '17 19:06


1 Answer

Normally, GNU tools use AT&T syntax. You can tell that it is AT&T syntax by the presence of little symbols, like the $ preceding literals, and the % preceding registers. For example, this instruction:

sub    $16, %rax

is obviously using AT&T syntax. It subtracts 16 from the value in the rax register, and stores the result back in rax.

In AT&T syntax, the destination operand is on the right:

insn   source, destination     # AT&T syntax

There is also Intel syntax. This is ubiquitous on Windows platforms, and usually also available as an option for GNU/Linux tools. Intel syntax is unadorned, e.g.:

sub   rax, 16

which is the same as the AT&T instruction above—it subtracts 16 from the value in the rax register, and stores the result back in the rax register.

In Intel syntax, the destination operand is always on the left:

insn  destination, source     ; Intel syntax

To be absolutely certain of which version you've got, you'd need to check the settings for your disassembler/debugger and see what syntax it is configured to use, but it's usually dead-simple to tell at a glance just by looking to see if the symbolic adornments are there (a dead give-away for AT&T syntax).

Summary:

  • If the registers have a % prefix → AT&T syntax → src, dst order.
  • Otherwise, unadorned registers → Intel syntax → dst, src order.

If you've somehow ended up looking at code that doesn't use any registers (???), another good heuristic clue is that Intel syntax will prepend size specifiers (like DWORD, QWORD, and BYTE) to the associated operand, whereas AT&T syntax will append a suffix (l, q, b, etc.) to the instruction mnemonic itself.

Cody Gray answered Oct 06 '22 00:10
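
The heuristics from the answer above, as an added Python example (not code from the original answer): it classifies a disassembly line as AT&T or Intel from the % and $ sigils or the size specifiers, then reports which operand is the destination. The function names, the register subset in BARE_REG and the sample lines are assumptions made for illustration.

```python
import re

# Address / <symbol+offset> prefix gdb prints before each instruction.
GDB_PREFIX = re.compile(r"^\s*(?:=>\s*)?0x[0-9a-f]+\s*(?:<[^>]*>)?:?\s*", re.I)
ATT_REG = re.compile(r"%[a-z][a-z0-9]*")                          # %rax, %r12d
ATT_IMM = re.compile(r"(?<![\w%])\$-?(?:0x[0-9a-f]+|\d+)", re.I)  # $16, $0x10
INTEL_SIZE = re.compile(r"\b(?:BYTE|WORD|DWORD|QWORD)\s+PTR\b", re.I)
# Unadorned register names; an illustrative x86-64 subset, not the full set.
BARE_REG = re.compile(r"(?<![%$\w])(?:[re]?(?:ax|bx|cx|dx|si|di|sp|bp)|r(?:[89]|1[0-5])[dwb]?)\b", re.I)


def split_insn(line):
    """Return (mnemonic, [operands]); commas inside () or [] do not split."""
    text = GDB_PREFIX.sub("", line).split("#")[0].strip()
    parts = text.split(None, 1)
    rest = parts[1] if len(parts) > 1 else ""
    operands, depth, cur = [], 0, ""
    for ch in rest:
        depth += ch in "(["   # entering a memory operand such as 8(%rsp,%rbx,4)
        depth -= ch in ")]"
        if ch == "," and depth == 0:
            operands.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        operands.append(cur.strip())
    return (parts[0] if parts else ""), operands


def syntax_of(line):
    """Classify one instruction as 'att', 'intel' or 'unknown'."""
    body = GDB_PREFIX.sub("", line)
    if ATT_REG.search(body) or ATT_IMM.search(body):
        return "att"      # sigils present: src, dst order
    if INTEL_SIZE.search(body) or BARE_REG.search(body):
        return "intel"    # unadorned: dst, src order
    return "unknown"      # e.g. "ret": nothing to go on


def destination(line):
    """Destination operand of a two-operand instruction, or None."""
    _, ops = split_insn(line)
    flavor = syntax_of(line)
    if len(ops) != 2 or flavor == "unknown":
        return None
    return ops[1] if flavor == "att" else ops[0]

# Constructed sample lines (not from the page): AT&T first, then Intel.
SAMPLE = ["0x0000000000401136 <main+4>:\tsub    $0x10,%rsp", "sub    rsp, 0x10"]
```

In gdb itself, `show disassembly-flavor` reports the configured syntax and `set disassembly-flavor intel` switches it.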