Given what you learned about CALL and RET, explain how you would read the value of EIP? Why can’t you just do MOV EAX, EIP?
You can't do MOV EAX, EIP because the instruction pointer is not directly accessible as an operand, likely as a security feature.
Here is one way you can get EIP (after the call) into another register.
_start:
    call geteip
    ; ...
geteip:
    pop eax      ; eax = eip (_start + sizeof(call))
    push eax
    ret
Or access EBP+4 in a function with stack frames, or if not, read the ESP value at the function's beginning.
You can also do something like this:
call 0    ; E8 00 00 00 00
pop eax   ; 58
You don't need to use labels like "geteip" with this method.
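Added example (not from the post or its comments): a tiny Python emulator of the four 32-bit x86 instructions involved, run over both the labelled sequence from the post and the call 0 / pop eax byte pair from the comment above, to show that EAX ends up holding the address just after the CALL in each case. The load address IMAGE_BASE and the sentinel return address are constructed values for the demo.

```python
import struct

IMAGE_BASE = 0x401000  # constructed load address for the demo


class MiniX86:
    """Just enough 32-bit x86 to follow CALL rel32 / POP EAX / PUSH EAX / RET."""

    def __init__(self, code: bytes, base: int = IMAGE_BASE, esp: int = 0x7FFF0000):
        self.mem = {base + i: b for i, b in enumerate(code)}  # sparse byte memory
        self.base, self.end, self.eip, self.esp, self.eax = base, base + len(code), base, esp, 0
        self.push(0xDEAD0000)  # constructed "caller" return address; RET to it ends the run

    def push(self, value: int) -> None:
        self.esp -= 4
        for i, b in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
            self.mem[self.esp + i] = b

    def pop(self) -> int:
        value = struct.unpack("<I", bytes(self.mem[self.esp + i] for i in range(4)))[0]
        self.esp += 4
        return value

    def step(self) -> None:
        opcode = self.mem[self.eip]
        if opcode == 0xE8:  # CALL rel32: push address of next instruction, then jump
            rel = struct.unpack("<i", bytes(self.mem[self.eip + 1 + i] for i in range(4)))[0]
            next_eip = self.eip + 5  # this is what POP EAX later recovers: _start + sizeof(call)
            self.push(next_eip)
            self.eip = (next_eip + rel) & 0xFFFFFFFF
        elif opcode == 0x58:  # POP EAX
            self.eax, self.eip = self.pop(), self.eip + 1
        elif opcode == 0x50:  # PUSH EAX
            self.push(self.eax)
            self.eip += 1
        elif opcode == 0xC3:  # RET: pop EIP
            self.eip = self.pop()
        else:
            raise ValueError(f"unsupported opcode {opcode:#x} at {self.eip:#x}")

    def run(self, max_steps: int = 16) -> None:
        """Execute until EIP leaves the code bytes (or max_steps is reached)."""
        for _ in range(max_steps):
            if not (self.base <= self.eip < self.end):
                break
            self.step()


# The post's sequence: _start: call geteip ; ... ; geteip: pop eax ; push eax ; ret
# The "..." is a single RET here so that geteip's RET lands on it and the run ends.
POST_CODE = bytes([0xE8, 0x01, 0x00, 0x00, 0x00,  # _start: call geteip (rel32 = +1 skips the "...")
                   0xC3,                          # "...": where geteip returns to
                   0x58, 0x50, 0xC3])             # geteip: pop eax ; push eax ; ret
# The comment's sequence: call 0 ; pop eax  (CALL with rel32 = 0 falls through to the POP)
COMMENT_CODE = bytes([0xE8, 0x00, 0x00, 0x00, 0x00, 0x58])


def get_pc(code: bytes, base: int = IMAGE_BASE) -> tuple[int, int]:
    """Run a GetPC stub; return (EAX afterwards, net change of ESP in bytes)."""
    cpu = MiniX86(code, base)
    esp0 = cpu.esp
    cpu.run()
    return cpu.eax, cpu.esp - esp0
```

Running get_pc on either byte string at a different base shows the same offset-5 result, which is the position-independence analysts rely on when they recognise the E8 00 00 00 00 / 58 idiom while reading unknown code.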