Question
According to 32-bit x86 instruction encoding scheme, the EIP register (instruction pointer) cannot be encoded. (Encoding uses 3 bits to specify one of the eight registers: EAX, ECX, EDX, EBX, ESP, EBP, ESI, and EDI – EIP is conspicuously missing). This is generally OK for most user codes, but some system codes need to obtain the content of EIP. Devise a scheme (i.e., a hack) that allows you to get the content of EIP register using regular x86 instructions. Explain also why your scheme works. (Hint: stack can be useful)
Explanation / Answer
The EIP register (or instruction pointer) can also be called the "program counter." It contains the offset in the current code segment for the next instruction to be executed. It is advanced from one instruction boundary to the next in straight-line code, or it is moved ahead or backwards by a number of instructions when executing JMP, Jcc, CALL, RET, and IRET instructions. The EIP cannot be accessed directly by software; it is controlled implicitly by control-transfer instructions (such as JMP, Jcc, CALL, and RET), interrupts, and exceptions. The EIP register can be loaded indirectly by modifying the value of a return instruction pointer on the procedure stack and executing a return instruction (RET or IRET).

Note that the value of the EIP may not match the current instruction because of instruction prefetching. The only way to read the EIP is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack.
mov eax, 10
CALL Delay        ; pushes the return address (the EIP of the next instruction) onto the stack
Delay:
mov ebp, [esp]    ; copy that return address from the top of the stack into EBP
If we read the EBP register after the CALL instruction, we will get the EIP register value.
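An added worked example (not part of the original answer) showing the same scheme in C with GNU inline assembly: the caller executes a CALL, and the called routine reads the return instruction pointer from the top of the stack and hands it back. The names read_ip, call_site_ip and ip_points_into are my own; the non-x86 fallback that uses the compiler builtin is an assumption so the file still builds elsewhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
/* Leaf routine in assembly: the caller's CALL pushed the address of the
   instruction after the CALL (EIP/RIP at that point); copy it from the top
   of the stack into the return register and return normally, so the stack
   (and a CET shadow stack, if enabled) stays balanced.  The asm label pins
   the symbol to "read_ip" whatever the platform's underscore convention. */
uintptr_t read_ip(void) __asm__("read_ip");
__asm__(".text\n"
        ".globl read_ip\n"
        "read_ip:\n"
#if defined(__x86_64__)
        "    mov (%rsp), %rax\n"   /* return address pushed by CALL */
#else
        "    mov (%esp), %eax\n"   /* same with the 32-bit registers */
#endif
        "    ret\n");
#else
/* Non-x86 fallback (assumption, not the page's scheme): the compiler
   fetches the return address from the stack or link register for us. */
__attribute__((noinline)) uintptr_t read_ip(void) {
    return (uintptr_t)__builtin_return_address(0);
}
#endif

/* Execute the CALL and hand back what read_ip reported.  The empty asm
   after the call keeps the compiler from turning it into a tail jump,
   which would make read_ip report an address in *our* caller. */
__attribute__((noinline)) uintptr_t call_site_ip(void) {
    uintptr_t ip = read_ip();
    __asm__ volatile("" ::: "memory");
    return ip;
}

/* Sanity check: the reported address must lie inside the function that
   executed the CALL (after fn_start, within span bytes).  1 = holds. */
int ip_points_into(uintptr_t ip, uintptr_t fn_start, size_t span) {
    return ip > fn_start && ip < fn_start + span;
}

int main(void) {
    uintptr_t ip = call_site_ip();
    printf("call_site_ip at %#lx, CALL pushed return address %#lx\n",
           (unsigned long)(uintptr_t)call_site_ip, (unsigned long)ip);
    return ip_points_into(ip, (uintptr_t)call_site_ip, 64) ? 0 : 1;
}
```

The popped value is the address of the instruction following the CALL, not of the CALL itself, which is exactly why the hack gives "the next EIP" rather than the current one.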