EIP

[sweetgum]

Im reading the intel manuals and it talks about how the only way to access the EIP is by executing a CALL instruction then reading the value of the return instruction pointer from the procedure stack. Can someone explain to me how this is done with a small example? Thanks!

[Firestryke31]

For mov EAX, EIP:

Code: Select all

codeWantingEIP:
 call movEAXEIP
 ; do stuff with EIP

movEAXEIP:
 mov eax, [esp]
 ret

It's movEAXEIP that I believe they're talking about. To do 'mov EIP, EAX' you'd just do 'jmp eax'.

[CodeCat]

No need for a RET, this works too, and is simpler.

Code: Select all

codeWantingEIP:
call next
next:
pop eax

[Firestryke31]

I was just remembering a thread where there was all of this talk about some sort of return address stack cache and doing that messes it up and slows everything down for a while. I don't know if that's really the case, but better safe than sorry.

[Love4Boobies]

Lol. No, that's not what he's asking. After doing the call, you get EIP from the stack. Check the Intel manuals to see exactly what CALL pushes on the stack (sizes and order) and then read memory relative to SP

[sweetgum]

If I pop the value of EIP, does it affect the functionality if i use ret? ret is supposed to pop the top of the stack to eip

[JohnnyTheDon]

If you pop EIP, then ret won't work. Instead use someting like

Code: Select all

mov eax, dword [esp]

Which will keep ret working and give you the value of the pushed EIP.

[thepowersgang]

Or just use

Code: Select all

getEip:
    pop eax
    jmp eax

[JAAman]

Or just use

Code: Select all

getEip:
    pop eax
    jmp eax

not really a good idea, in general, because it will trash the CPUs CALL stack...

[Firestryke31]

Aha! I knew there was something like that!
That's why I used the code I did.

[Combuster]

callstack-friendly:

Code: Select all

pop eax
push eax
ret

[Firestryke31]

Isn't that almost what I had in the second post in the thread? Or is this some sort of "come up with as many ways to do the exact same thing" contest?