What is the difference between ESP and EIP registers using the following examples? Explain what the code is doing.
main PROC
0000 0020 call MySub
0000 0025 mov eax, ebx
.
.
main ENDP
MySub PROC
0000 0040 mov eax, edx
.
.
ret
MySub ENDP
0000 0025 is the offset of the instruction immediately following the CALL instruction.
0000 0040 is the offset of the first instruction inside MySub.
The CALL instruction pushes 0000 0025 onto the stack, and loads 0000 0040 into EIP:

    |-------------|              |-----------|
    | 0000 0025   | <-- ESP      | 0000 0040 | EIP
    |-------------|              |-----------|
    |             |
    |-------------|
    |             |
    |-------------|

The RET instruction pops 0000 0025 from the stack into EIP (stack shown before RET executes):

    |-------------|              |-----------|
    | 0000 0025   | <-- ESP      | 0000 0025 | EIP
    |-------------|              |-----------|
    |             |
    |-------------|
    |             |
    |-------------|
EIP is the instruction pointer. It points to (holds the address of) the first byte of the next instruction to be executed.
ESP is the stack pointer. It points to (holds the address of) the most-recently pushed value on the stack.
These are common architectural registers. This code is simply demonstrating how a function call / return sequence works.
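As an added illustration (not part of the question or the answer above), a toy C model of exactly this CALL/RET sequence: CALL pushes the address of the following instruction and loads the target into EIP, RET pops it back. The offsets 0x20, 0x25 and 0x40 are the ones from the listing; the memory size and stack top are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a tiny memory image whose stack grows down from its end. */
#define MEM_SIZE  0x100
#define STACK_TOP 0x100

typedef struct {
    uint32_t eip;           /* address of the next instruction to execute */
    uint32_t esp;           /* address of the most recently pushed dword */
    uint8_t  mem[MEM_SIZE]; /* little-endian memory image */
} cpu_t;

static uint32_t read32(const cpu_t *c, uint32_t a) {
    return (uint32_t)c->mem[a] | (uint32_t)c->mem[a + 1] << 8 |
           (uint32_t)c->mem[a + 2] << 16 | (uint32_t)c->mem[a + 3] << 24;
}
static void write32(cpu_t *c, uint32_t a, uint32_t v) {
    for (int i = 0; i < 4; i++) c->mem[a + i] = (uint8_t)(v >> (8 * i));
}
void cpu_init(cpu_t *c, uint32_t entry) {
    memset(c, 0, sizeof *c);
    c->eip = entry;
    c->esp = STACK_TOP;
}
/* CALL rel32 (5 bytes): push the return address, then jump to the target. */
void do_call(cpu_t *c, uint32_t target) {
    c->esp -= 4;
    write32(c, c->esp, c->eip + 5);  /* 0x20 + 5 = 0x25 in the listing */
    c->eip = target;
}
/* RET: pop the saved return address back into EIP. */
void do_ret(cpu_t *c) {
    c->eip = read32(c, c->esp);
    c->esp += 4;
}
/* Returns 1 when the model reproduces the values shown in the question. */
int call_ret_matches_listing(void) {
    cpu_t c; cpu_init(&c, 0x20);
    do_call(&c, 0x40);
    int ok = c.eip == 0x40 && c.esp == STACK_TOP - 4 && read32(&c, c.esp) == 0x25;
    do_ret(&c);
    return ok && c.eip == 0x25 && c.esp == STACK_TOP;
}
int main(void) {
    cpu_t c; cpu_init(&c, 0x20);
    do_call(&c, 0x40);
    printf("after CALL: EIP=%08x ESP=%08x [ESP]=%08x\n", c.eip, c.esp, read32(&c, c.esp));
    do_ret(&c);
    printf("after RET:  EIP=%08x ESP=%08x\n", c.eip, c.esp);
    return !call_ret_matches_listing();
}
```

The dword at [ESP] after CALL is the only link between the callee and the code that called it, which is why a function that overwrites it returns somewhere else.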