Does the ret instruction cause "esp" register to be increased by 4?
Asked
Active
Viewed 1.6k times
12
Peter Cordes
- 328,167
- 45
- 605
- 847
remainn
- 1,125
- 3
- 9
- 14
3 Answers
25
Yes, it performs
pop eip
You can use
mov eax, [esp]
jmp eax
to avoid it.
EDIT: It's exactly what ret does. For example, jmp rel_offet is nothing than a hidden add eip, offset, or jmp absolute_offset is mov eip, absolute_offset. Sure there are differences in the way the processor treats them, but from programmer's point of view it's all that happens.
Also, there is a special form of ret : ret imm8 that also adds this imm8 value to esp : for example a __stdcall function uses it to discard its parameters from the stack. Not to mention retf version, used in 16bit mode, that also pops the cs from the stack.
EDIT2:
pop register
means:
mov register, [esp]
add esp, 4
ruslik
- 14,714
- 1
- 39
- 40
-
Doesn't eip cann't be modified directly? – remainn Nov 27 '10 at 15:55
-
If only the instruction: ret Does it change the value of register ESP. – remainn Nov 27 '10 at 16:07
-
1@remainn `jmp target_of_jump` is the way to modify eip directly (since `mov eip, target_of_jump` doesn't work). For details on Intel 64 and IA32 assembly I recommend the "Intel® 64 and IA-32 Architectures Software Developer's Manual": http://www.intel.com/products/processor/manuals/ BTW: Unless I am mistaken on ARM processors you can read/write the Program Counter directly (it's register 15 there). – Nubok Nov 27 '10 at 16:16
2
yes, because on the stack there is (well, there should be, see buffer overflow) the address to where resume the execution of the program. So ret means
pop ret_addr ; pop deletes ret_addr from stack by adding 4 to esp
mov eip, ret_addr
which is
pop eip
just as ruslik said
BlackBear
- 22,411
- 10
- 48
- 86
0
Yes, when the processor is running in 32-bit protected mode. In Real mode or 16-bit protected mode RET does a POP IP, which will cause an ADD ESP, 2 (instead of 4).
Brian Knoblauch
- 20,639
- 15
- 57
- 92