Looks to me like your arguments to write() are weird. Should be
write(int fd, const void *buf, size_t count), but the signature I'm inferring from your code is more like
write(GARBAGE, const void *buf, int fd).
Popping rax (a 64-bit value) when you're trying to get 32-bit values back out is probably also not going to work at all. Since it seems everything you're getting in is 32 bits wide, you're getting garbage by popping 64-bit-wide values. If my quick mental work-through is correct, you're getting argc and argv[0] in rax after the first pop, then argv[1] and argv[2] in rax following the second pop. I
think that given the endianness (x86 is little-endian), you actually have argv[1] in the high 32 bits of rax.
I think I noted this earlier- you seem to be mixing 32 and 64-bit ABIs, and I'm amazed it works. You're assembling 64-bit (hence the assembler not letting you use 32-bit registers with push/pop) but using the system's 32-bit ABI, which might break horribly when you start throwing around pointers, depending on where they actually are in memory. I wrote a quick program in C that's similar to yours and compiled it on a 64-bit system as a 64-bit binary, and the results are rather different (especially for syscalls):
Code: #include <unistd.h>
int main(int argc, char **argv) {
write(1, argv[1], 5);
}
Disassemblies, my own comments within:
Code: (gdb) disassemble _start
Dump of assembler code for function _start:
# Housekeeping
0x0000000000400400 <+0>: xor %ebp,%ebp
0x0000000000400402 <+2>: mov %rdx,%r9
0x0000000000400405 <+5>: pop %rsi
0x0000000000400406 <+6>: mov %rsp,%rdx
0x0000000000400409 <+9>: and $0xfffffffffffffff0,%rsp
# argc
0x000000000040040d <+13>: push %rax
# argv
0x000000000040040e <+14>: push %rsp
# More housekeeping?
0x000000000040040f <+15>: mov $0x4005b0,%r8
0x0000000000400416 <+22>: mov $0x400520,%rcx
0x000000000040041d <+29>: mov $0x4004e4,%rdi
# More setup and eventually call main()
0x0000000000400424 <+36>: callq 0x4003e0 <__libc_start_main@plt>
# Terminate
0x0000000000400429 <+41>: hlt
0x000000000040042a <+42>: nop
0x000000000040042b <+43>: nop
End of assembler dump.
(gdb) disassemble main
Dump of assembler code for function main:
# Function prelude
0x00000000004004e4 <+0>: push %rbp
0x00000000004004e5 <+1>: mov %rsp,%rbp
0x00000000004004e8 <+4>: sub $0x10,%rsp
# Smidge more setup
0x00000000004004ec <+8>: mov %edi,-0x4(%rbp)
0x00000000004004ef <+11>: mov %rsi,-0x10(%rbp)
# argv
0x00000000004004f3 <+15>: mov -0x10(%rbp),%rax
# rax = argv[1]
0x00000000004004f7 <+19>: add $0x8,%rax
0x00000000004004fb <+23>: mov (%rax),%rax
# Arguments to write()
0x00000000004004fe <+26>: mov $0x5,%edx
0x0000000000400503 <+31>: mov %rax,%rsi
0x0000000000400506 <+34>: mov $0x1,%edi
# C library call
0x000000000040050b <+39>: callq 0x4003f0 <write@plt>
# Leave function
0x0000000000400510 <+44>: leaveq
0x0000000000400511 <+45>: retq
(gdb) disassemble write
# Magic address determined at link-time, looks like
0x00007ffff7b44b30 <+0>: cmpl $0x0,0x298d71(%rip) # 0x7ffff7ddd8a8
0x00007ffff7b44b37 <+7>: jne 0x7ffff7b44b49 <write+25>
# Syscall 1 (not int 80h)
0x00007ffff7b44b39 <+9>: mov $0x1,%eax
0x00007ffff7b44b3e <+14>: syscall
0x00007ffff7b44b40 <+16>: cmp $0xfffffffffffff001,%rax
0x00007ffff7b44b46 <+22>: jae 0x7ffff7b44b79 <write+73>
0x00007ffff7b44b48 <+24>: retq
# snipped the rest since it's mostly error-handling
You'll note that it's throwing around 64-bit pointers and using 32-bit register specifiers where possible to save on code space. In most cases, constants get sign-extended out to 64 bits when you use the 32-bit register parts, but you can't make any assumptions about what your pointers will be doing. 
