Can I get it at run time?

Posted on 2003-08-25 02:19:13 by lube

call @F        ; @F = the next @@ label, i.e. the pop below
@@:
pop eax        ; eax = pushed return address = address of this pop
sub eax, 5     ; back up over the 5-byte call to get the call's own address
Posted on 2003-08-25 02:21:35 by roticv
Could you tell me, when the application is running,
what the relation is between the stack and IP (EIP)?
Posted on 2003-08-25 02:25:47 by lube
When you call an address, the return address is pushed onto the stack. pop eax just pops the return address into eax. That's the basic relationship between the stack and EIP. The sub eax,5 is because the call opcode takes up 5 bytes (I think) with a 4-byte displacement.
Posted on 2003-08-25 02:32:24 by roticv
The currently executed opcode is pointed to by EIP.
The current stack location is pointed to by ESP...

So basically there is no relation between those two pointers.

However, when a CALL instruction is found, the next address to be executed is saved on the stack ... so that the CPU knows where to return when it finds the next RET instruction... this also happens on INT instructions etc.

So you might find EIP values stored on the stack at times.
Posted on 2003-08-25 17:34:21 by BogdanOntanu
But can I get it and change it to the branch that I want?
Posted on 2003-08-25 19:22:14 by lube

mov eax, address   ; load the target you want to execute next
jmp eax            ; EIP := eax

Of course there are other ways, like retn, SEH and so on.
Posted on 2003-08-26 02:50:32 by roticv
Isn't EIP a pointer to the instruction that should be executed next, rather than a pointer to the instruction being executed?
I mean this:

call @F    ; eip is now ptr on "pop eax"
@@:
pop eax    ; eip is now ptr on "sub eax,5"
sub eax, 5 ; eip ptr on next instruction

So if the question was how do we retrieve EIP at the "call @F" instruction, then we should remove "sub eax,5".

Please, correct me if I am wrong.
Posted on 2003-08-26 18:31:57 by Mikky
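Added example, not posted by anyone in this thread: a tiny C interpreter for a handful of real 32-bit x86 encodings (E8 call rel32, 58 pop eax, 2D sub eax,imm32, B8 mov eax,imm32, FF E0 jmp eax, C3 ret, F4 hlt). It lets you watch what the thread describes: CALL pushes the address of the *next* instruction, so "call / pop eax" yields the address of the pop, and "sub eax,5" steps back over the 5-byte call to the call's own address. The load address 0x401000, the stack address, the opcode bytes and the register/stack model are all constructed for the demo.

```c
/* Added example (not from the thread): simulate CALL / POP / SUB / JMP EAX
 * on a constructed 32-bit x86 subset to show how EIP lands on the stack. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_BASE   0x00401000u  /* constructed load address of the snippet */
#define STACK_TOP   0x0012FF00u  /* constructed initial ESP */
#define STACK_WORDS 16

typedef struct {
    uint32_t eip, esp, eax;
    uint32_t stack[STACK_WORDS];   /* stack[0] = word just below STACK_TOP */
} cpu_t;

static uint32_t rd32(const uint8_t *p) {            /* little-endian imm32 */
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void push(cpu_t *c, uint32_t v) {            /* ESP -= 4; [ESP] = v */
    c->esp -= 4;
    c->stack[(STACK_TOP - c->esp) / 4 - 1] = v;
}
static uint32_t pop(cpu_t *c) {                     /* v = [ESP]; ESP += 4 */
    uint32_t v = c->stack[(STACK_TOP - c->esp) / 4 - 1];
    c->esp += 4;
    return v;
}
static uint32_t stack_top(const cpu_t *c) {         /* peek [ESP] without popping */
    return c->esp < STACK_TOP ? c->stack[(STACK_TOP - c->esp) / 4 - 1] : 0;
}

/* Execute one instruction at EIP. Returns 0 on hlt / unknown / out of range. */
static int step(cpu_t *c, const uint8_t *code, size_t len) {
    uint32_t off = c->eip - CODE_BASE;
    if (off >= len) return 0;
    const uint8_t *p = code + off;
    switch (p[0]) {
    case 0xE8: {                        /* call rel32: push NEXT address, jump */
        uint32_t next = c->eip + 5;     /* the 5-byte call is already "done" */
        push(c, next);
        c->eip = next + rd32(p + 1);
        return 1;
    }
    case 0x58: c->eax = pop(c);            c->eip += 1; return 1; /* pop eax */
    case 0x2D: c->eax -= rd32(p + 1);      c->eip += 5; return 1; /* sub eax,imm32 */
    case 0xB8: c->eax = rd32(p + 1);       c->eip += 5; return 1; /* mov eax,imm32 */
    case 0xFF: if (p[1] == 0xE0) { c->eip = c->eax; return 1; }   /* jmp eax */
               return 0;
    case 0xC3: c->eip = pop(c);                         return 1; /* ret */
    default:   return 0;                                          /* hlt etc. */
    }
}

static cpu_t run(const uint8_t *code, size_t len, int max_steps) {
    cpu_t c; memset(&c, 0, sizeof c);
    c.eip = CODE_BASE; c.esp = STACK_TOP;
    while (max_steps-- > 0 && step(&c, code, len)) {}
    return c;
}

/* roticv's snippet: call @F / @@: pop eax / sub eax,5 / hlt */
static const uint8_t GET_EIP[] = {
    0xE8,0x00,0x00,0x00,0x00,   /* 401000: call @F (rel32 = 0 -> next instr) */
    0x58,                       /* 401005: @@: pop eax                       */
    0x2D,0x05,0x00,0x00,0x00,   /* 401006: sub eax, 5                        */
    0xF4 };                     /* 40100B: hlt                               */

/* roticv's second snippet: mov eax,address / jmp eax, skipping a 5-byte mov */
static const uint8_t JMP_EAX[] = {
    0xB8,0x0C,0x10,0x40,0x00,   /* 401000: mov eax, 0x40100C                 */
    0xFF,0xE0,                  /* 401005: jmp eax                           */
    0xB8,0xFF,0xFF,0xFF,0xFF,   /* 401007: mov eax, -1  (never executed)     */
    0xF4 };                     /* 40100C: hlt                               */

uint32_t return_address_after_call(void) {  /* [ESP] right after the call */
    cpu_t c = run(GET_EIP, sizeof GET_EIP, 1);
    return stack_top(&c);                    /* 0x401005: address of the pop */
}
uint32_t eax_after_pop(void) {               /* Mikky's point: no sub needed */
    return run(GET_EIP, sizeof GET_EIP, 2).eax;   /* 0x401005 */
}
uint32_t eax_after_sub(void) {               /* address of the call itself */
    return run(GET_EIP, sizeof GET_EIP, 3).eax;   /* 0x401000 */
}
uint32_t eip_after_jmp_eax(void) {           /* branch redirected through eax */
    return run(JMP_EAX, sizeof JMP_EAX, 8).eip;   /* 0x40100C */
}

int main(void) {
    printf("[ESP] after call      = %08X\n", return_address_after_call());
    printf("eax after pop eax     = %08X\n", eax_after_pop());
    printf("eax after sub eax,5   = %08X\n", eax_after_sub());
    printf("eip after jmp eax     = %08X\n", eip_after_jmp_eax());
    return 0;
}
```

The pushed return address (0x401005) is the address of the pop, which is what Mikky describes; the 5 subtracted by roticv is exactly the E8 opcode byte plus its 4-byte displacement, which takes eax back to the call at 0x401000.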