anyone know the order in which PUSHAD works?
BanMe
August 2nd, 2009, 14:46
EAX,0x0 - 0x3
ECX,0x4 - 0x7
EDX,0x8 - 0xb
EBX,0xc - 0xf
EBP,0x10 - 0x13
ESP,0x14 - 0x17
ESI,0x1b - 0x1f
EDI,0x20 - 0x23
//fixed..can you tell?
size on stack = 32..4 x 8
but to determine the order in which they're pushed is just a nagging question I haven't been able to get to.. hopefully someone can help or has some 'tests' that can verify the order in which they are pushed onto the stack by PUSHAD.
regards BanMe
Kayaker
August 2nd, 2009, 15:01
Hi
No empirical proof, but according to
http://faydoc.tripod.com/cpu/pushad.htm
Quote:
Pushes the contents of the general-purpose registers onto the stack. The registers are stored on the stack in the following order: EAX, ECX, EDX, EBX, EBP, ESP (original value), EBP, ESI, and EDI (if the current operand-size attribute is 32) and AX, CX, DX, BX, SP (original value), BP, SI, and DI (if the operand-size attribute is 16). (These instructions perform the reverse operation of the POPA/POPAD instructions.) The value pushed for the ESP or SP register is its value before prior to pushing the first register |
BanMe
August 2nd, 2009, 15:10
'EAX, ECX, EDX, EBX, EBP, ESP (original value), EBP, ESI, and EDI'
As can be seen above, that site had a bad editor.. good thing he rewrote it at the bottom...
Thanks for that, Kayaker. I discredited that site because of the error..
BanMe
Kayaker
August 2nd, 2009, 15:21
Oh yeah, I never noticed that, EBP twice. That's an interesting question though, how *could* you determine the order of pushad empirically? I bet the guys at the asm forums know..

Ricardo Narvaja
August 2nd, 2009, 17:25
It is a very bad thing that pushad and popad don't exist in 64 bits; it is a pity, they are very useful instructions, and with the lot of registers in 64 bits they could be useful too, but no more.
ricnar
arc_
August 2nd, 2009, 17:39
Kayaker: simply assign a different value to every register (eg eax=1, ecx=2...), execute pushad, and look at the stack.
Kayaker
August 2nd, 2009, 20:19
D'oh, well that's sure logical.
Testing I get EAX, ECX, EDX, EBX, ESP,
then EBP, ESI, EDI.
So what was the original question?
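Added example (mine, not code from the thread): a small C model of what PUSHAD and POPAD do to the stack, run with the distinct-value probe arc_ suggested. It assumes a 64-byte model stack with ESP kept as an offset into it; the helper names pushad, popad, image_at, probe_slot and popad_roundtrip_ok are mine. It shows the push order, that the ESP slot holds the value from before the first push, that POPAD discards that slot instead of loading it, and where each register lands relative to the new ESP (EDI at +0x00 up to EAX at +0x1c), which is the layout a debugger shows right after the instruction.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 32-bit integer register file as seen by PUSHAD/POPAD. */
typedef struct { uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi; } Regs32;

/* A tiny model stack: ESP is kept as an offset into this buffer (assumption). */
#define STACK_BYTES 64
typedef struct { uint8_t mem[STACK_BYTES]; } Stack;

static void push32(Regs32 *r, Stack *s, uint32_t v) {
    r->esp -= 4;                          /* x86 push: decrement ESP, then store */
    memcpy(&s->mem[r->esp], &v, 4);
}

static uint32_t pop32(Regs32 *r, Stack *s) {
    uint32_t v;
    memcpy(&v, &s->mem[r->esp], 4);       /* x86 pop: load, then increment ESP */
    r->esp += 4;
    return v;
}

/* PUSHAD: EAX, ECX, EDX, EBX, ESP (value before the first push), EBP, ESI, EDI. */
void pushad(Regs32 *r, Stack *s) {
    uint32_t temp = r->esp;
    push32(r, s, r->eax);
    push32(r, s, r->ecx);
    push32(r, s, r->edx);
    push32(r, s, r->ebx);
    push32(r, s, temp);
    push32(r, s, r->ebp);
    push32(r, s, r->esi);
    push32(r, s, r->edi);
}

/* POPAD: the reverse; the saved ESP slot is popped and discarded, not loaded. */
void popad(Regs32 *r, Stack *s) {
    r->edi = pop32(r, s);
    r->esi = pop32(r, s);
    r->ebp = pop32(r, s);
    (void)pop32(r, s);
    r->ebx = pop32(r, s);
    r->edx = pop32(r, s);
    r->ecx = pop32(r, s);
    r->eax = pop32(r, s);
}

/* Dword at [ESP + off] after PUSHAD: offset 0 is the last register pushed (EDI). */
uint32_t image_at(const Regs32 *r, const Stack *s, uint32_t off) {
    uint32_t v;
    memcpy(&v, &s->mem[r->esp + off], 4);
    return v;
}

/* The empirical test from the thread: a distinct value in every register. */
static const Regs32 probe = { 1, 2, 3, 4, STACK_BYTES, 5, 6, 7 };

/* Returns the dword PUSHAD left at [ESP + off] for the probe register values. */
uint32_t probe_slot(uint32_t off) {
    Regs32 r = probe;
    Stack s = {{0}};
    pushad(&r, &s);
    return image_at(&r, &s, off);
}

/* PUSHAD, clobber every register, POPAD: 1 if all registers and ESP come back. */
int popad_roundtrip_ok(void) {
    Regs32 r = probe;
    Stack s = {{0}};
    pushad(&r, &s);
    r.eax = r.ecx = r.edx = r.ebx = r.ebp = r.esi = r.edi = 0xdeadbeef;
    popad(&r, &s);
    return memcmp(&r, &probe, sizeof r) == 0;
}

int main(void) {
    static const char *names[8] = {"EDI","ESI","EBP","ESP","EBX","EDX","ECX","EAX"};
    for (uint32_t i = 0; i < 8; i++)
        printf("[esp+0x%02x] = %-3u %s\n", (unsigned)(i * 4),
               (unsigned)probe_slot(i * 4), names[i]);
    printf("popad round trip: %s\n", popad_roundtrip_ok() ? "ok" : "FAIL");
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall pushad_model.c`) and run it; the eight lines it prints are the same stack image a debugger shows after a real PUSHAD with those register values, and the round-trip line confirms POPAD restores everything except that it never loads the saved ESP slot.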
BanMe
August 2nd, 2009, 20:19
yes..
This is what I did to check the values in the debugger. :D
Code:
static DWORD Var[8] = {0};             /* static: absolute address, still addressable after EBP is clobbered */
static DWORD SavedEsp = 0, SavedEbp = 0;
__asm
{
    mov SavedEsp,esp
    mov SavedEbp,ebp
    mov eax,1
    mov ecx,2
    mov edx,3
    mov ebx,4
    mov ebp,5
    mov esi,7
    mov edi,8
    lea esp,[Var+32]   ; PUSHAD stores below ESP, so point ESP past the end of Var
    pushad             ; Var[0..7] now holds EDI,ESI,EBP,ESP,EBX,EDX,ECX,EAX
    mov esp,SavedEsp   ; put the real stack and frame pointer back before returning
    mov ebp,SavedEbp
}
Code:
; MASM (ml64) macro: the 64-bit MSVC compiler has no inline __asm, so this goes
; in a .asm file. Same order as PUSHAD (RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI),
; then R8-R15. Unlike PUSHAD, a plain push rsp stores RSP as it is after the
; four pushes above it, not the value from before the first push.
Pushad64 MACRO
    push rax
    push rcx
    push rdx
    push rbx
    push rsp
    push rbp
    push rsi
    push rdi
    push r8
    push r9
    push r10
    push r11
    push r12
    push r13
    push r14
    push r15
ENDM
Maybe this can help, Narvaja.. it just needs a Popad.
sub rsp,0x400.. lol?
so essentially ESI EDI EBX EDX ECX EAX.. in reverse order for a call..
example in pseudo
Code:
#include <windows.h>                          /* hThread: a THREAD_ALL_ACCESS handle to the target thread */
DWORD BkpRegs[8] = {0};                       /* backup in PUSHAD order: EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI */
DWORD NwRegs[6]  = {0};                       /* new values for EAX, ECX, EDX, EBX, ESI, EDI */
CONTEXT ctx = {0}; ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;   /* CONTROL covers Esp/Ebp */
SuspendThread(hThread);
GetThreadContext(hThread, &ctx);
BkpRegs[0] = ctx.Eax; BkpRegs[1] = ctx.Ecx; BkpRegs[2] = ctx.Edx; BkpRegs[3] = ctx.Ebx;
BkpRegs[4] = ctx.Esp; BkpRegs[5] = ctx.Ebp; BkpRegs[6] = ctx.Esi; BkpRegs[7] = ctx.Edi;
/* substitute the new values straight into the context; writing them on the stack,
   a fake stack, allocated memory or shared memory are the other places mentioned above */
ctx.Eax = NwRegs[0]; ctx.Ecx = NwRegs[1]; ctx.Edx = NwRegs[2];
ctx.Ebx = NwRegs[3]; ctx.Esi = NwRegs[4]; ctx.Edi = NwRegs[5];
SetThreadContext(hThread, &ctx);
ResumeThread(hThread);
BanMe