What is the difference between ESP and EIP registers using the following examples? Explain what the code is doing.

main PROC 
    0000 0020 call MySub 
    0000 0025 mov eax, ebx 
        .
        .
    main ENDP

MySub PROC 
    0000 0040 mov eax, edx 
        .
        .
    ret 
MySub ENDP 

0000 0025 is the offset of the instruction immediately following the CALL instruction

0000 0040 is the offset of the first instruction inside MySub

The CALL instruction pushes 0000 0025 onto the stack, and loads 0000 0040 into EIP

|-------------|              |----------|
| 0000 0025   |<--ESP        | 0000 0040| EIP
|-------------|              |----------|
|             |
|-------------|
|             |
|-------------|

The RET instruction pops 0000 0025 from the stack into EIP (stack shown before RET executes)

|-------------|              |----------|
| 0000 0025   |<--ESP        | 0000 0025| EIP
|-------------|              |----------|
|             |
|-------------|
|             |
|-------------|
Cœur
jackson blackson

1 Answer

EIP is the instruction pointer. It points to (holds the address of) the first byte of the next instruction to be executed.

ESP is the stack pointer. It points to (holds the address of) the most-recently pushed value on the stack.

These are common architectural registers. This code is simply demonstrating how a function call / return sequence works.

Jonathon Reinhart

Can you explain what you mean by instruction pointer? I am very confused with that register. Thank you. – jackson blackson Oct 29 '16 at 23:09

Code is stored in memory, just like data. To keep track of the currently executing code, the CPU has a register that stores the memory address of the instruction that's about to be executed. That's EIP. – Seva Alekseyev Oct 30 '16 at 00:27
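The CALL/RET sequence from the question, traced step by step in a tiny simulator. This is an added example, not code from the question or the answer: it models only EIP, ESP and the stack (general-purpose registers are omitted), uses the question's offsets 0x20, 0x25 and 0x40, and assumes constructed instruction lengths and a constructed initial ESP of 0x1000. Each step records where EIP points and what word sits at [ESP], i.e. the address RET will jump to.

```python
# Added example (not from the question or answer): a minimal model of x86
# CALL and RET showing how EIP and ESP change.  The program is the listing
# from the question; instruction lengths and the initial ESP are constructed.

WORD = 4            # 32-bit stack slots, as in the diagrams in the question
STACK_TOP = 0x1000  # constructed initial ESP; the stack grows toward lower addresses

# offset -> (mnemonic, operand, encoded length in bytes)   (lengths are constructed)
PROGRAM = {
    0x20: ("call", 0x40, 5),        # main:  call MySub; next instruction is at 0x25
    0x25: ("mov", "eax, ebx", 2),
    0x27: ("halt", None, 1),        # stand-in for the rest of main
    0x40: ("mov", "eax, edx", 2),   # MySub: first instruction
    0x42: ("ret", None, 1),
}


class Cpu:
    def __init__(self, program, start, stack_top=STACK_TOP):
        self.program = program
        self.eip = start          # address of the next instruction to execute
        self.esp = stack_top      # address of the most recently pushed word
        self.mem = {}             # sparse stack memory: address -> 32-bit value
        self.halted = False

    def push(self, value):
        self.esp -= WORD
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem.pop(self.esp)
        self.esp += WORD
        return value

    def top(self):
        """The word ESP points at (None if nothing is pushed): what RET would jump to."""
        return self.mem.get(self.esp)

    def step(self):
        mnemonic, operand, length = self.program[self.eip]
        next_eip = self.eip + length      # default: fall through to the next instruction
        if mnemonic == "call":
            self.push(next_eip)           # save the return address on the stack...
            next_eip = operand            # ...and load the callee's offset into EIP
        elif mnemonic == "ret":
            next_eip = self.pop()         # the return address comes back off the stack
        elif mnemonic == "halt":
            self.halted = True
            next_eip = self.eip
        # "mov" only touches general-purpose registers, which this model omits
        self.eip = next_eip
        return mnemonic


def run_call_ret(program=PROGRAM, start=0x20):
    """Run until halt; return (executed mnemonic, EIP, ESP, [ESP]) after each step."""
    cpu = Cpu(program, start)
    trace = []
    while not cpu.halted:
        mnemonic = cpu.step()
        trace.append((mnemonic, cpu.eip, cpu.esp, cpu.top()))
    return trace


if __name__ == "__main__":
    for mnemonic, eip, esp, top in run_call_ret():
        top_str = f"{top:08x}" if top is not None else "(empty)"
        print(f"after {mnemonic:4}: EIP={eip:08x} ESP={esp:08x} [ESP]={top_str}")
```

After the CALL, EIP is 0x40 and ESP has moved down one word to hold 0x25; after the RET, EIP is back at 0x25 and ESP is where it started. The value at [ESP] before RET is the only thing deciding where execution resumes, which is why corrupting that stack slot (a buffer overflow past a local array, for instance) redirects control flow, and why stack canaries and shadow stacks guard exactly this word.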