OSDev.org

Im reading the intel manuals and it talks about how the only way to access the EIP is by executing a CALL instruction then reading the value of the return instruction pointer from the procedure stack. Can someone explain to me how this is done with a small example? Thanks!

For mov EAX, EIP: It's movEAXEIP that I believe they're talking about. To do 'mov EIP, EAX' you'd just do 'jmp eax'.

No need for a RET, this works too, and is simpler.

I was just remembering a thread where there was all of this talk about some sort of return address stack cache and doing that messes it up and slows everything down for a while. I don't know if that's really the case, but better safe than sorry.

Lol. No, that's not what he's asking. After doing the call, you get EIP from the stack. Check the Intel manuals to see exactly what CALL pushes on the stack (sizes and order) and then read memory relative to SP

If I pop the value of EIP, does it affect the functionality if i use ret? ret is supposed to pop the top of the stack to eip

If you pop EIP, then ret won't work. Instead use someting like
Which will keep ret working and give you the value of the pushed EIP.

Or just use

thepowersgang wrote:Or just use

Code: Select all

getEip:
    pop eax
    jmp eax

not really a good idea, in general, because it will trash the CPUs CALL stack...

Aha! I knew there was something like that!
That's why I used the code I did.

callstack-friendly:

Isn't that almost what I had in the second post in the thread? Or is this some sort of "come up with as many ways to do the exact same thing" contest?