Index
> Main > I have two silly questions about ESP register |
| Author |
|
|
revolution
a. ESP can be any value. It can be unaligned and it can also wrap around to 0 (but not both at the same time); assuming your page tables allow it.
b. ESP always points to the last value pushed onto the stack. This is known as a "full descending" stack. Both the Intel and AMD manuals explain this, you just have to know where to look. |
|||
08 May 2014, 17:47 |
|
|
system error
Ok that's it. A snippet to begin with;
Code: push 10 push 20 push 30 call ask ;... ask: push ebp mov ebp,esp ;... pop ebp ret Regarding question b), after "push ebp", which address does ESP refer to as "top of stack"? Is it 6FF90 or 6FF94? Am I having a perception problem here? Code: +--------------+ [6FFA4] | 10 | +--------------+ [6FFA0] | 20 | +--------------+ [6FF9C] | 30 | +--------------+ [6FF98] | return add | +--------------+ [6FF94] | old EBP | +--------------+ [6FF90] | (next avail.)| +--------------+ I extended one more slot down to show next available (4-byte) location on the stack. Last edited by system error on 08 May 2014, 18:21; edited 1 time in total |
|||
|
08 May 2014, 17:50 |
|
|
system error
revolution wrote: a. ESP can be any value. It can be unaligned and it can also wrap around to 0 (but not both at the same time); assuming your page tables allow it. revo, I know about that grow downward thing. Just look at my ugly diagram and tell me what u think is the answer. |
|||
|
08 May 2014, 17:52 |
|
|
revolution
A debugger will show you clearly that ESP is 6FF90 and that TOS is "old EBP". If you execute mov eax,[esp] the value in eax will be old EBP. The phrase "full descending" perfectly describes what happens. If you search for it you will likely find a better description than I can give.
|
|||
|
08 May 2014, 18:22 |
|
|
system error
Damn. I am indeed having a serious perception problem! No more drinks after lunch! LOL
 |
|||
|
08 May 2014, 18:28 |
|
|
system error
revolution wrote: A debugger will show you clearly that ESP is 6FF90 and that TOS is "old EBP". If you execute mov eax,[esp] the value in eax will be old EBP. The phrase "full descending" perfectly describes what happens. If you search for it you will likely find a better description than I can give. |
|||
|
08 May 2014, 18:38 |
|
|
system error
Sorry for the trouble. LOL LOL
|
|||
|
08 May 2014, 18:41 |
|
|
sid123
I know it's a little off topic, but is it possible to look for a stack overflow (no pun intended)? Maybe set manually the limit of the ESP register?
|
|||
|
09 May 2014, 00:07 |
|
|
revolution
sid123 wrote: I know it's a little off topic, but is it possible to look for a stack overflow (no pun intended)? Maybe set manually the limit of the ESP register? Also, in Windows if you exceed your stack allocation the application is terminated without a chance to do any shutdown. You can test this by writing a small program that simply keeps pushing onto the stack and watch what happens. And while you are at it, try skipping over the guard page and watch the application crash. |
|||
|
09 May 2014, 01:24 |
|
|
system error
sid123 wrote: I know it's a little off topic, but is it possible to look for a stack overflow (no pun intended)? Maybe set manually the limit of the ESP register? You meant something like mov esp,0ffffffffh? That's the largest value a 32-bit register can have. How could there be stack overflow in the first place? That instruction is legal |
|||
|
09 May 2014, 22:50 |
|
|
revolution
Stack overflow is when you push too many things and it either clobbers some other memory used for other data or the memory allocation was exceeded and the OS won't/can't give you more space.
|
|||
|
10 May 2014, 01:05 |
|
< Last Thread | Next Thread > |
Forum Rules:
|