Hi!
I'm trying to find out if my instruction pointer is in the function's epilog.
To do so I need to know which instruction the IP is pointing at and which parameters the instruction gets.
(From what I understand, I just need to check if it points at a POP, "mov esp,ebp" or a RET instructions - and if it is one of these instruction - I'm in the epilog).
But how can I figure out which instruction the IP is pointing at?
thanks! :)
I looked at the disassembly of a testing program I wrote and I saw it looked like this:
5F pop edi
5E pop esi
5B pop ebx
8B E5 mov esp,ebp
5D pop ebp
C3 ret
Can I be sure that whenever I see that the IP points at "5D" it's the POP ESI instruction, and the same for the other instructions?
What are you trying to achieve? In what language? Is this an introspective program, or are you analysing another process?
Why don't you use a debugger??? Even without the source you should still be able to start the program with it and place breakpoints, view call stack ect
you should be able to see eip or whatever it's called in x64 in the cpu register debug window
EDIT: oh well, if it's in another process, i dunno, i guess the ip is stored somewhere on the stack somewhere like in 32 bits, but i never really tried it in 64 bit...
First of all, that's 32-bit x86 assembly, not x64. So if you're trying to analyze an x64 process with those bytecode values, you're going to get incorrect results :-)I looked at the disassembly of a testing program I wrote and I saw it looked like this:
5F pop edi
5E pop esi
5B pop ebx
8B E5 mov esp,ebp
5D pop ebp
C3 ret
Can I be sure that whenever I see that the IP points at "5D" it's the POP ESI instruction, and the same for the other instructions?
oops, thanks :)
Is there a place where I can see a list of the op codes for x64 (or how the op code are structured)?
I think it will be much more easy and "safe" than to look for what I need in random assembly code...
POP Rdi
POP Rsi
POP Rbx
MOV Esp, Ebp
POP Rbp
RETN
