Index
> Main > I have two silly questions about ESP register |
| Author |
|
|
revolution 08 May 2014, 17:47
a. ESP can be any value. It can be unaligned and it can also wrap around to 0 (but not both at the same time); assuming your page tables allow it.
b. ESP always points to the last value pushed onto the stack. This is known as a "full descending" stack. Both the Intel and AMD manuals explain this, you just have to know where to look. |
|||
08 May 2014, 17:47 |
|
|
system error 08 May 2014, 17:50
Ok that's it. A snippet to begin with;
Code: push 10 push 20 push 30 call ask ;... ask: push ebp mov ebp,esp ;... pop ebp ret Regarding question b), after "push ebp", which address does ESP refer to as "top of stack"? Is it 6FF90 or 6FF94? Am I having a perception problem here? Code: +--------------+ [6FFA4] | 10 | +--------------+ [6FFA0] | 20 | +--------------+ [6FF9C] | 30 | +--------------+ [6FF98] | return add | +--------------+ [6FF94] | old EBP | +--------------+ [6FF90] | (next avail.)| +--------------+ I extended one more slot down to show next available (4-byte) location on the stack. Last edited by system error on 08 May 2014, 18:21; edited 1 time in total |
|||
|
08 May 2014, 17:50 |
|
|
system error 08 May 2014, 17:52
revolution wrote: a. ESP can be any value. It can be unaligned and it can also wrap around to 0 (but not both at the same time); assuming your page tables allow it. revo, I know about that grow downward thing. Just look at my ugly diagram and tell me what u think is the answer. |
|||
|
08 May 2014, 17:52 |
|
|
revolution 08 May 2014, 18:22
A debugger will show you clearly that ESP is 6FF90 and that TOS is "old EBP". If you execute mov eax,[esp] the value in eax will be old EBP. The phrase "full descending" perfectly describes what happens. If you search for it you will likely find a better description than I can give.
|
|||
|
08 May 2014, 18:22 |
|
|
system error 08 May 2014, 18:28
Damn. I am indeed having a serious perception problem! No more drinks after lunch! LOL
 |
|||
|
08 May 2014, 18:28 |
|
|
system error 08 May 2014, 18:38
revolution wrote: A debugger will show you clearly that ESP is 6FF90 and that TOS is "old EBP". If you execute mov eax,[esp] the value in eax will be old EBP. The phrase "full descending" perfectly describes what happens. If you search for it you will likely find a better description than I can give. |
|||
|
08 May 2014, 18:38 |
|
|
system error 08 May 2014, 18:41
Sorry for the trouble. LOL LOL
|
|||
|
08 May 2014, 18:41 |
|
|
sid123 09 May 2014, 00:07
I know it's a little off topic, but is it possible to look for a stack overflow (no pun intended)? Maybe set manually the limit of the ESP register?
|
|||
|
09 May 2014, 00:07 |
|
|
revolution 09 May 2014, 01:24
sid123 wrote: I know it's a little off topic, but is it possible to look for a stack overflow (no pun intended)? Maybe set manually the limit of the ESP register? Also, in Windows if you exceed your stack allocation the application is terminated without a chance to do any shutdown. You can test this by writing a small program that simply keeps pushing onto the stack and watch what happens. And while you are at it, try skipping over the guard page and watch the application crash. |
|||
|
09 May 2014, 01:24 |
|
|
system error 09 May 2014, 22:50
sid123 wrote: I know it's a little off topic, but is it possible to look for a stack overflow (no pun intended)? Maybe set manually the limit of the ESP register? You meant something like mov esp,0ffffffffh? That's the largest value a 32-bit register can have. How could there be stack overflow in the first place? That instruction is legal |
|||
|
09 May 2014, 22:50 |
|
|
revolution 10 May 2014, 01:05
Stack overflow is when you push too many things and it either clobbers some other memory used for other data or the memory allocation was exceeded and the OS won't/can't give you more space.
|
|||
|
10 May 2014, 01:05 |
|
< Last Thread | Next Thread > |
Forum Rules:
|