
Thread: anyone know the order in which PUSHAD works?

  1. #1 BanMe

    anyone know the order in which PUSHAD works?

    EAX,0x0 - 0x3
    ECX,0x4 - 0x7
    EDX,0x8 - 0xb
    EBX,0xc - 0xf
    EBP,0x10 - 0x13
    ESP,0x14 - 0x17
    ESI,0x1b - 0x1f
    EDI,0x20 - 0x23

    //fixed..can you tell?

    size on stack = 32..4 x 8

    but to determine the order in which they're pushed is just a nagging question I haven't been able to get to..hopefully someone can help or has some 'tests' that can verify the order in which they are pushed onto the stack by PUSHAD.


    regards BanMe
    Last edited by BanMe; August 2nd, 2009 at 20:14.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  2. #2 Kayaker
    Hi

    No empirical proof, but according to

    http://faydoc.tripod.com/cpu/pushad.htm

    Pushes the contents of the general-purpose registers onto the stack. The registers are stored on the stack in the following order: EAX, ECX, EDX, EBX, EBP, ESP (original value), EBP, ESI, and EDI (if the current operand-size attribute is 32) and AX, CX, DX, BX, SP (original value), BP, SI, and DI (if the operand-size attribute is 16). (These instructions perform the reverse operation of the POPA/POPAD instructions.) The value pushed for the ESP or SP register is its value before prior to pushing the first register

  3. #3 BanMe
    'EAX, ECX, EDX, EBX, EBP, ESP (original value), EBP, ESI, and EDI'

    as can be seen above that site had a bad editor..good thing he rewrote it at the bottom...

    thanks for that Kayaker, I discredited that site because of the error..

    BanMe

  4. #4 Kayaker
    Oh yeah, I never noticed that, EBP twice. That's an interesting question though, how *could* you determine the order of pushad empirically? I bet the guys at the asm forums know..

  5. #5
    It is a very bad thing, pushad and popad don't exist in 64 bits; it is a pity, they are very useful instructions, and with the lot of registers in 64 bits they could be useful too, but no more.

    ricnar

  6. #6
    Kayaker: simply assign a different value to every register (eg eax=1, ecx=2...), execute pushad, and look at the stack.

  7. #7 Kayaker
    D'oh, well that's sure logical.
    Testing I get EAX, ECX, EDX, EBX, ESP, then EBP, ESI, EDI.
    So what was the original question?
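A small Python model of PUSHAD/POPAD, added here and not code from any poster in the thread, that reproduces the order Kayaker measured (assign a distinct value to every register, push, look at the stack) and shows where each register lands relative to ESP afterwards. The stack and register values are constructed for the demo.

```python
import struct

# Order in which PUSHAD pushes; the ESP slot receives the value from before the first push
PUSHAD_ORDER = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

def pushad(regs, stack):
    """Emulate PUSHAD. regs: dict of 32-bit register values; stack: bytearray addressed from 0. Returns new ESP."""
    original_esp = regs["ESP"]
    esp = original_esp
    for name in PUSHAD_ORDER:
        esp -= 4  # stack grows down: EAX (pushed first) ends up highest, EDI lowest
        value = original_esp if name == "ESP" else regs[name]
        struct.pack_into("<I", stack, esp, value & 0xFFFFFFFF)
    regs["ESP"] = esp
    return esp

def popad(regs, stack):
    """Emulate POPAD: pops in reverse order; the saved ESP is discarded, ESP simply advances by 32."""
    esp = regs["ESP"]
    for name in reversed(PUSHAD_ORDER):
        value = struct.unpack_from("<I", stack, esp)[0]
        if name != "ESP":
            regs[name] = value
        esp += 4
    regs["ESP"] = esp
    return esp

def pushad_offsets():
    """Offset of each saved register from ESP after PUSHAD: EDI at +0 ... EAX at +0x1C."""
    return {name: 4 * (7 - i) for i, name in enumerate(PUSHAD_ORDER)}

def demo():
    """Constructed test: 64-byte stack, ESP at its top, a distinct value in every register."""
    stack = bytearray(64)
    regs = {"EAX": 1, "ECX": 2, "EDX": 3, "EBX": 4, "ESP": 64, "EBP": 5, "ESI": 7, "EDI": 8}
    esp = pushad(regs, stack)
    image = {n: struct.unpack_from("<I", stack, esp + off)[0] for n, off in pushad_offsets().items()}
    for name in PUSHAD_ORDER:
        if name != "ESP":
            regs[name] = 0xDEADBEEF  # clobber everything; POPAD must bring the values back
    popad(regs, stack)
    return esp, image, regs

if __name__ == "__main__":
    esp, image, regs = demo()
    for name, off in pushad_offsets().items():
        print(f"[esp+0x{off:02x}] = {name} = {image[name]}")
    print("after popad:", regs)
```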

  8. #8 BanMe
    yes..

    this is what I did to check the values in the debugger.. :d
    Code:
    DWORD Var[9] = {0};        // Var[0..7] receive the PUSHAD image, Var[8] keeps the real EBP
    DWORD SavedEsp = 0;
    __asm
    {
        mov SavedEsp, esp
        lea esp, Var
        add esp, 36             ; PUSHAD stores downward, so ESP must start past the end of Var
        push ebp                ; -> Var[8]; EBP is clobbered below but is needed to reach the locals
        mov eax,1
        mov ecx,2
        mov edx,3
        mov ebx,4
        mov ebp,5
        mov esi,7
        mov edi,8
        pushad                  ; Var[0..7] = EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX (EAX pushed first, so highest)
        mov ebp, [esp + 32]     ; restore the frame pointer from Var[8]
        mov esp, SavedEsp       ; restore the real stack pointer
    }

    Code:
    // Identifiers cannot start with a digit, so the macro is renamed; the registers follow the
    // PUSHAD order worked out above, extended with R8-R15. Note the pushed RSP is the value after
    // the four preceding pushes, not the original one, and MSVC's x64 compiler has no __asm at all.
    #define Pushad64() { \
        __asm push RAX \
        __asm push RCX \
        __asm push RDX \
        __asm push RBX \
        __asm push RSP \
        __asm push RBP \
        __asm push RSI \
        __asm push RDI \
        __asm push R8  \
        __asm push R9  \
        __asm push R10 \
        __asm push R11 \
        __asm push R12 \
        __asm push R13 \
        __asm push R14 \
        __asm push R15 }
    maybe this can help Narvaja.. just needs a Popad
    sub Rsp,0x400.. lol?

    so essentially ESI EDI EBX EDX ECX EAX.. in reverse order for a call..

    example in pseudo
    Code:
    ..
    DWORD BkpRegs[8] = {0};
    DWORD NwRegs[6] = {0};
    Suspend the Thread
    Get the Context of the thread and store a backup of (CONTEXT_INTEGER) in BkpRegs in 'correct order'...
    substitute the values in NwRegs, in the order mentioned, into 'an area of memory': 'on the stack directly would be nice', or a fake stack, allocated memory or 'shared' memory; alternatives abound..

    BanMe
    Last edited by BanMe; August 2nd, 2009 at 21:16.
