Question

Come up with at least two code sequences to set EIP to 0xAABBCCDD.

Answer

There are several instructions in the x86 ISA that manipulate the EIP register (control-flow instructions), but in this exercise we are going to look at two of the most popular ones (one of which we have already encountered in the previous exercise).

  1. CALL

     call 0xAABBCCDD

The call instruction is used to call a procedure; it pushes the return address on the stack before changing EIP to the call target, effectively transferring control to it.

  2. RET

     push 0xAABBCCDD
     ret

The ret instruction is used to return from a procedure; it pops whatever is at the top of the stack into the EIP register and transfers control to it.

Fun Fact: This method of changing the instruction pointer is often used in code-reuse attacks such as Return Oriented Programming (ROP).
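The two sequences above, encoded to machine code and stepped through a minimal EIP/ESP model, as an added example that is not part of the original exercise. It shows a detail the answer does not: `call` is encoded as E8 rel32, so its bytes depend on where the instruction sits and it leaves a return address on the stack, while `push imm32; ret` is position independent and leaves ESP unchanged. The load address 0x08048000 and the initial ESP are constructed values for the demonstration.

```python
import struct

MASK32 = 0xFFFFFFFF
TARGET = 0xAABBCCDD            # the EIP value the exercise asks for

def encode_call(at, target):
    # E8 rel32: the displacement is relative to the address of the *next*
    # instruction, so the bytes depend on where the call itself is placed.
    rel = (target - (at + 5)) & MASK32
    return b"\xe8" + struct.pack("<I", rel)

def encode_push_ret(target):
    # 68 imm32 ; C3: position independent, the same 6 bytes work anywhere.
    return b"\x68" + struct.pack("<I", target) + b"\xc3"

class Cpu:
    # Minimal model: just EIP, ESP and a sparse 32-bit stack.
    def __init__(self, eip, esp):
        self.eip, self.esp, self.mem = eip, esp, {}

    def push(self, val):
        self.esp = (self.esp - 4) & MASK32
        self.mem[self.esp] = val

    def pop(self):
        val = self.mem[self.esp]
        self.esp = (self.esp + 4) & MASK32
        return val

    def step(self, code, base):
        off = self.eip - base
        op = code[off]
        if op == 0xE8:                                  # call rel32
            rel = struct.unpack("<i", code[off + 1:off + 5])[0]
            self.push(self.eip + 5)                     # return address
            self.eip = (self.eip + 5 + rel) & MASK32
        elif op == 0x68:                                # push imm32
            self.push(struct.unpack("<I", code[off + 1:off + 5])[0])
            self.eip += 5
        elif op == 0xC3:                                # ret
            self.eip = self.pop()
        else:
            raise ValueError("unsupported opcode 0x%02x" % op)

def run(code, base=0x08048000, esp=0xBFFFF000):
    # Execute `code` loaded at `base` (constructed address) until EIP leaves it.
    cpu = Cpu(base, esp)
    while base <= cpu.eip < base + len(code):
        cpu.step(code, base)
    return cpu
```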