Wednesday, December 31, 2014

Practical Reverse Engineering p.17 #1

Question number 1 on page 17 of Practical Reverse Engineering is as follows:

Given what you learned about CALL and RET, explain how you would read the value of EIP? Why can’t you just do MOV EAX, EIP?

You can't do MOV EAX, EIP because the instruction pointer is not directly accessible as an operand of ordinary data-movement instructions like MOV, likely as a security feature.

Here is one way you can get EIP (after the call) into another register. CALL pushes the address of the instruction that follows it, so a routine that immediately pops gets that address:
    call geteip   ; pushes the return address, i.e. the address of the next instruction
    ; ...

geteip:
    pop eax       ; eax = eip after the call (_start + sizeof(call) when the call sits at _start)
    ; push eax    ; optionally put the return address back ...
    ; ret         ; ... and return to the code after the call


  1. Or, inside a function that sets up a stack frame, read the return address from [EBP+4]; if there is no frame, read it from [ESP] at the start of the function.

  2. You can also do something like this:

    call $+5 ; E8 00 00 00 00 (rel32 = 0, so it "calls" the very next instruction)
    pop eax  ; 58

    You don't need to use labels like "geteip" with this method.
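As an added example (not from the book or this post), the following 32-bit Linux program reads EIP with the CALL/POP snippet above, with the label-free CALL $+5 form from item 2, and through [EBP+4] and [ESP] from item 1, checking each result against the address it should equal. It assumes NASM and GNU ld with a non-PIE static link; the file name geteip.asm and the label names are mine.

```nasm
; Added example (not from the book or the post): 32-bit Linux program that
; reads EIP with each method discussed above and checks each result.
; Assumes NASM + GNU ld: nasm -f elf32 geteip.asm && ld -m elf_i386 -o geteip geteip.o
global _start
section .text

frame_eip:               ; item 1, with a frame: return address sits at [ebp+4]
    push ebp
    mov ebp, esp
    mov eax, [ebp+4]     ; address of the instruction after the caller's CALL
    pop ebp
    ret

stack_eip:               ; item 1, no frame: return address sits at [esp] on entry
    mov eax, [esp]
    ret

_start:
    xor edi, edi         ; edi collects one failure bit per method (0 = all good)

    call geteip          ; CALL pushes the address of 'geteip' (the first snippet)
geteip:
    pop eax              ; eax = address of this instruction
    cmp eax, geteip      ; label address is absolute in a non-PIE static link
    je .ok1
    or edi, 1
.ok1:
    call $+5             ; E8 00 00 00 00: CALL the very next instruction (item 2)
.next:
    pop eax              ; 58
    cmp eax, .next
    je .ok2
    or edi, 2
.ok2:
    call frame_eip       ; return address read through [ebp+4]
.ret3:
    cmp eax, .ret3
    je .ok3
    or edi, 4
.ok3:
    call stack_eip       ; return address read through [esp]
.ret4:
    cmp eax, .ret4
    je .ok4
    or edi, 8
.ok4:
    mov ebx, edi         ; exit status = failure bitmask
    mov eax, 1           ; sys_exit
    int 0x80
```

Run it with `./geteip; echo $?`: an exit status of 0 means every method produced the expected address, and any set bit identifies the method whose result differed.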