1. ## anyone know the order in which PUSHAD works?

EAX,0x0 - 0x3
ECX,0x4 - 0x7
EDX,0x8 -0xb
EBX,0xc - 0xf
EBP,0x10 - 0x13
ESP,0x14 - 0x17
ESI,0x1b - 0x1f
EDI,0x20 - 0x23

//fixed..can you tell?

size on stack = 32..4 x 8

but to determine the order in which they're pushed is just a nagging question I haven't been able to get to..hopefully someone can help or has some 'tests' that can verify the order in which they are pushed onto the stack by PUSHAD.

regards BanMe

2. Hi

No empirical proof, but according to

Pushes the contents of the general-purpose registers onto the stack. The registers are stored on the stack in the following order: EAX, ECX, EDX, EBX, EBP, ESP (original value), EBP, ESI, and EDI (if the current operand-size attribute is 32) and AX, CX, DX, BX, SP (original value), BP, SI, and DI (if the operand-size attribute is 16). (These instructions perform the reverse operation of the POPA/POPAD instructions.) The value pushed for the ESP or SP register is its value before prior to pushing the first register

3. 'EAX, ECX, EDX, EBX, EBP, ESP (original value), EBP, ESI, and EDI'

as can be seen above that site had a bad editor..good thing he rewrote it at the bottom...

thanks for that Kayaker, I discredited that site because of the error..

BanMe

4. Oh yeah, I never noticed that, EBP twice. That's an interesting question though, how *could* you determine the order of pushad empirically? I bet the guyz at the asm forums know..

5. It's a very bad thing: pushad and popad don't exist in 64 bits. It's a pity, they're very useful instructions, and with the lot of registers in 64 bits they could be useful too, but no more.

ricnar

6. Kayaker: simply assign a different value to every register (eg eax=1, ecx=2...), execute pushad, and look at the stack.

7. D'oh, well that's sure logical.
Testing I get EAX, ECX, EDX, EBX, ESP, then EBP, ESI, EDI.
So what was the original question?

8. yes..

Code:
```
DWORD Var[8] = {0};
// this is what I did to check the values in the debugger.. :d
__asm
{
    mov eax,1       // distinct marker value in each register
    mov ecx,2
    mov edx,3
    mov ebx,4
    mov ebp,5
    mov esi,7
    mov edi,8
    lea esp,Var     // point ESP at Var
}
```

Code:
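```
// 64-bit stand-in for PUSHAD: push each general-purpose register in turn.
// Renamed from 64Pushad because an identifier cannot start with a digit.
#define Pushad64() { \
    __asm push RAX \
    __asm push RCX \
    __asm push RBX \
    __asm push RDX \
    __asm push RBP \
    __asm push RSP \
    __asm push RSI \
    __asm push RDI \
    __asm push R8 \
    __asm push R9 \
    __asm push R10 \
    __asm push R11 \
    __asm push R12 \
    __asm push R13 \
    __asm push R14 \
    __asm push R15 }
```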
maybe this can help Narvaja.. just needs a Popad
sub Rsp,0x400.. lol?

so essentially ESI EDI EBX EDX ECX EAX.. in reverse order for a call..

example in pseudo
Code:
```
..
DWORD BkpRegs[8] = {0};
DWORD NwRegs[6] = {0};
```
Get the Context of the thread, store a backup of (CONTEXT_INTEGER) in BkpRegs in 'correct order'...
substitute the values in NewRegs in the mentioned order into 'an area of memory', 'on the stack directly would be nice' or a fake stack or allocated memory or 'shared' memory, alternatives abound..

BanMe
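The marker test suggested in post 6, run against a small software model of PUSHAD/POPAD instead of the real instruction, so it also builds on 64-bit targets where PUSHAD does not exist. This is an added example, not code from any poster in the thread; the `Cpu` struct, the function names and the 256-byte fake stack are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Register indices in PUSHAD push order. */
enum { R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI, NREGS };

typedef struct {
    uint32_t r[NREGS];
    uint32_t stack[64]; /* constructed fake stack; r[R_ESP] is a byte offset into it */
} Cpu;

static void push32(Cpu *c, uint32_t v) {
    c->r[R_ESP] -= 4;
    c->stack[c->r[R_ESP] / 4] = v;
}

/* PUSHAD: latch ESP first, then push all eight registers in order. */
void pushad(Cpu *c) {
    uint32_t temp = c->r[R_ESP];
    for (int i = 0; i < NREGS; i++)
        push32(c, i == R_ESP ? temp : c->r[i]);
}

/* POPAD: pop in reverse order; the saved-ESP slot is skipped, not loaded. */
void popad(Cpu *c) {
    for (int i = R_EDI; i >= R_EAX; i--) {
        if (i != R_ESP)
            c->r[i] = c->stack[c->r[R_ESP] / 4];
        c->r[R_ESP] += 4;
    }
}

/* Read the dword at [ESP + off]. */
uint32_t peek(const Cpu *c, uint32_t off) {
    return c->stack[(c->r[R_ESP] + off) / 4];
}

/* Marker values from the thread: eax=1, ecx=2, ...; ESP starts at the stack top. */
Cpu marker_cpu(void) {
    Cpu c = { .r = {1, 2, 3, 4, (uint32_t)sizeof c.stack, 6, 7, 8} };
    return c;
}

int main(void) {
    Cpu c = marker_cpu();
    pushad(&c);
    for (uint32_t off = 0; off < 32; off += 4)
        printf("[esp+0x%02x] = %u\n", (unsigned)off, (unsigned)peek(&c, off));
    return 0;
}
```

Reading the output from the lowest address upward gives EDI, ESI, EBP, original ESP, EBX, EDX, ECX, EAX, which is the push order reported in post 7 seen in reverse.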
