There are a ton of questions on here that make reference to the
What is the EIP? How is it used, both as an exploit target and in benign code?
EIP is a register in x86 architectures (32bit). It holds the "Extended Instruction Pointer" for the stack. In other words, it tells the computer where to go next to execute the next command and controls the flow of a program.
Research Assembly language to get a better understanding of how registers work. Skull Security has a good primer.
Correct answer by HashHazard on July 27, 2020
EIP is a Basic Program Execution register.
-As an exploit target, I think pg. 81 of the Intel manual says it all
The EIP register cannot be accessed directly by software; it is controlled implicitly by control-transfer instructions (such as JMP, Jcc, CALL, and RET), interrupts, and exceptions. The only way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack. The EIP register can be loaded indirectly by modifying the value of a return instruction pointer on the procedure stack and executing a return instruction
Understanding the role EIP plays in program execution seems simple yet complex when you consider the combination of the Code Segment register (CS) with EIP creates this "logical address" and because all x86 CPUs use prefetching, an instruction read from the bus won't be what's in the EIP register. The simple part is that value in EIP is used to determine the location of the next instruction whether this sends you back to a previous instruction or forward in straight-line code. The results of what your previous instruction came up with is stored in EAX.
-and in benign code?
Well anytime your code executes an algorithm or calls a function you'll definitely make use of this register.
Answered by Robert Houghton on July 27, 2020
One of the basic things that a computer needs to keep track of is where in memory the instructions that are being executed are located.
This is normally done by the CPU using what is often known as the instruction pointer or program counter register. The exact name depends on the architecture, but the concept generalizes across all architectures. It's called the instruction pointer on Intel CPUs, and that's the term I'll be using in this answer. The instruction pointer is continually incremented while instructions are executed from memory, and also updated whenever a jump instruction of some kind is executed. Modern CPU architectures with multiple parallel execution pipelines and multiple cores makes what is actually going on inside the CPU more complex, but to an external observer, the simple explanation is sufficient to understand what is going on and the purpose of the relevant registers.
By virtue of the old Intel 8086/8088, 80186 and 80286 being 16-bit processors, the instruction pointer was normally expressed as a pair of 16-bit values known as the code segment (code selector in the 80286, but except in protected mode selectors function very similarly to segments) and instruction pointer. In assembler parlace,
CS:IP where the colon indicates the pairing of a segment and an offset as a pair to form a memory address. CS and IP here are CPU registers, tiny memory locations within the CPU chip itself, in this particular case each 16 bits in size. (You also had things like
DS:DX which was conventionally the location to where to read or write data in memory; DS was data segment and DX is a general-purpose register that in this case held the data segment offset. There were originally four registers intended for general use, referred to as AX, BX, CX and DX respectively, each of which could be addressed in terms of the high half -- AH, for example -- or the low half -- AL, plus a small number of general-purpose registers that had specific intended uses. Modern CPUs have many, many more registers, with dozens of registers being common and over a hundred not unheard of.)
In making the 80386 CPU in the late 1980s, Intel made a lot of changes, including extending the address space to 32 bits while keeping selectors as a concept. For this reason, the old 16-bit values were no longer sufficient, and the instruction pointer was extended to 32 bits. In order to maintain full backward compatibility (at this point, Intel had probably learned the lesson of the 80286 which was more one-way compatible; it was easy to go from the 8086/8088's real mode into the 80286's protected mode, but going back was a lot more difficult, and this turned out to be a problem in practice), this required a new register for the CPU to keep the instruction pointer when operating in 32-bit mode.
In the 80386, the extended (32-bit) registers were named Exx whereas the corresponding 16-bit registers were as previously referred to as xx. So you'd get for example the old 16-bit accumulator register AX plus the extended 32-bit accumulator register EAX (with AX as the low 16-bit half). In keeping with this naming convention, the Extended Instruction Pointer register was referred to as EIP.
As an aside, most often, the correct value isn't merely EIP, but CS:EIP, because the value of EIP remains an offset from some starting location which is defined by the code selector.
Answered by a CVn on July 27, 2020
0 Asked on December 30, 2020 by uncaught
1 Asked on December 29, 2020 by gsnail
1 Asked on December 29, 2020 by user242761
1 Asked on December 28, 2020 by appdeveloper
0 Asked on December 27, 2020 by waterbyte
2 Asked on December 26, 2020
4 Asked on December 26, 2020 by userk
1 Asked on December 26, 2020 by citylight
3 Asked on December 25, 2020 by thanatos
1 Asked on December 25, 2020
6 Asked on December 24, 2020 by acsor
1 Asked on December 22, 2020 by canine
1 Asked on December 20, 2020 by badddy
1 Asked on December 19, 2020 by user851
2 Asked on December 15, 2020 by turnip
2 Asked on December 12, 2020 by gethopr
2 Asked on December 8, 2020 by nutle
Get help from others!