According to 32-bit x86 instruction encoding scheme, the EIP register (instructi

Question

According to 32-bit x86 instruction encoding scheme, the EIP register (instruction pointer) cannot be encoded. (Encoding uses 3 bits to specify one of the eight registers: EAX, ECX, EDX, EBX, ESP, EBP, ESI, and EDI  – EIP is conspicuously missing). This is generally OK for most user codes, but some system codes need to obtain the content of EIP. Devise a scheme (i.e., a hack) that allows you to get the content of EIP register using regular x86 instructions. Explain also why your scheme works. (Hint: stack can be useful)  

Explanation / Answer

The EIP register (or instruction pointer) can also be called "program counter." It contains the offset in the

current code segment for the next instruction to be executed. It is advanced from one instruction boundary to

the next in straight-line code or it is moved ahead or backwards by a number of instructions when executing

JMP, Jcc, CALL, RET, and IRET instructions. The EIP cannot be accessed directly by software; it is controlled

implicitly by control-transfer instructions (such as JMP, Jcc, CALL, and RET), inter-rupts, and exceptions. The

EIP register can be loaded indirectly by modifying the value of a return instruction pointer on the procedure

stack and executing a return instruction (RET or IRET).

Note that the value of the EIP may not match with the current instruction because of instruction prefetching. The

only way to read the EIP is to execute a CALL instruction and then read the value of the return instruction

pointer from the procedure stack.

mov eax,10

CALL Delay ; after this instruction the Value of EIP is stored in EBP register.

if we read the EBP register after the call instruction we will get the EIP register value.

Related Questions

Navigate

• Browse (All)
• Browse A
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.