I came across a pop esp in real code, which I think is a kind of confusing instruction. i.e. What is the value of esp after the following?

push    0x0400
pop     esp

What does pop esp do? People who look at x86 asm more than I do no doubt know. But to understand it, let’s look at what pop eax basically does, split into its two sub-operations:

add esp, 4       ;"instruction" 1: move the stack pointer up by one slot
mov eax, [esp]   ;"instruction" 2: copy the value that was on top of the stack into eax

What is the order of operations here? There are two candidate answers: esp could be 0x0400 (if esp is incremented first and the value at the old top of stack is then written into esp, i.e. "instruction" 1 then 2), or esp could be 0x0404 (if the increment comes second, i.e. "instruction" 2 then 1, so that 4 is added to the value that was just popped).

It turns out esp ends up holding the popped value: the increment happens first, and the value read from the old top of stack is then written into esp, overwriting the incremented stack pointer. So if you guessed that esp is 0x0400, you’re right!
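As an added example (not part of the original post), here is a small C model of a 32-bit stack that implements POP with the documented order, incrementing ESP and then writing the old top-of-stack value into the destination, and contrasts it with the other candidate order discussed above. The memory size, register numbering and pushed value are constructed for the model.

```c
#include <stdint.h>
#include <string.h>
/* Tiny model of a 32-bit stack: 64 bytes of memory plus 8 registers. The
 * memory size and the pushed value are constructed for this example. */
#define MEM_SIZE 64
#define REG_ESP 4 /* ESP's register number in the eax..edi order */
typedef struct {
    uint8_t mem[MEM_SIZE]; /* stack memory; addresses are offsets into mem */
    uint32_t reg[8];       /* eax, ecx, edx, ebx, esp, ebp, esi, edi */
} cpu_t;
static void cpu_init(cpu_t *c) {
    memset(c, 0, sizeof *c);
    c->reg[REG_ESP] = MEM_SIZE; /* empty stack: esp points just past the end */
}
static uint32_t load32(const cpu_t *c, uint32_t addr) {
    uint32_t v;
    memcpy(&v, &c->mem[addr], 4); /* little-endian host assumed */
    return v;
}
static void push(cpu_t *c, uint32_t imm) {
    c->reg[REG_ESP] -= 4;
    memcpy(&c->mem[c->reg[REG_ESP]], &imm, 4);
}
/* POP r32 in the documented order: ESP is incremented first, then the value
 * that was at the old top of stack is written into the destination. When the
 * destination is ESP itself, that write overwrites the incremented value. */
static void pop(cpu_t *c, int dst) {
    uint32_t old_top = load32(c, c->reg[REG_ESP]);
    c->reg[REG_ESP] += 4;
    c->reg[dst] = old_top;
}
/* "push imm; pop esp" under the documented order; returns the final esp. */
static uint32_t push_pop_esp(uint32_t imm) {
    cpu_t c;
    cpu_init(&c);
    push(&c, imm);
    pop(&c, REG_ESP);
    return c.reg[REG_ESP];
}
/* The other candidate from the post: load esp from the top of stack first,
 * then add 4, which would yield the popped value plus 4 (0x0404 for 0x0400). */
static uint32_t push_pop_esp_increment_last(uint32_t imm) {
    cpu_t c;
    cpu_init(&c);
    push(&c, imm);
    c.reg[REG_ESP] = load32(&c, c.reg[REG_ESP]);
    return c.reg[REG_ESP] + 4;
}
```

Running push_pop_esp(0x0400) gives 0x0400, the answer from the post, while the increment-last variant gives 0x0404.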
