The CALL instruction is used by the x86 CPU to call functions. It pushes the current value of the EIP register onto the stack (this saved value is called the linking information; by the time CALL executes, EIP already points to the instruction following the CALL, so what is saved is the return address), then transfers control (branches) to the function specified by the target operand (called the procedure) and continues execution there.
CALL is divided into a near call and a far call depending on whether the called procedure is in the same code segment as the caller. For a near call, the CPU performs the following operations:
A. Push the current value of the EIP register onto the stack for the later return.
B. Load the offset of the called procedure (relative to the current code segment) into the EIP register.
C. Begin executing the called procedure.
For a far call, the CPU performs the following operations:
A. Push the current value of the CS register onto the stack for the later return.
B. Push the current value of the EIP register onto the stack for the later return.
C. Load the segment selector of the segment containing the called procedure into the CS register.
D. Load the offset of the called procedure into the EIP register.
E. Begin executing the called procedure.
It can be seen that the difference between a near call and a far call is whether the segment register is handled. Because a near call takes place within a single code segment, there is no need to save the code segment on the stack or to switch segments; a far call crosses code segments, so the code segment must be saved and switched. For the Windows NT family, however, a flat memory model is used: all code in a process lives in one large 4 GB segment, so segment differences do not have to be considered and nearly all calls are near calls.
The RET instruction is used to return from the called procedure to the code that initiated the call. RET takes an optional operand n, which specifies a number of bytes to add to the ESP register after the return address has been popped; adding n bytes to ESP is equivalent to popping n bytes off the stack, and this form is commonly used to release the parameters that the caller pushed onto the stack (the stdcall convention on Windows relies on it). The return that matches a near call is called a near return, and the return that matches a far call is called a far return.
For a near return, the CPU performs the following operations:
1. Pop the value at the top of the stack into the EIP register. This value should be the return address that the CALL instruction pushed when the near call was made.
2. If the RET instruction carries the operand n, increase the ESP register by n bytes.
3. Continue execution at the instruction EIP now points to, which is normally the instruction following the CALL in the calling function.
For a far return, the CPU additionally pops, between step 1 and step 2, the CS value that was pushed when the far call was made. In other words, RET simply returns to whatever address happens to be at the top of the stack when it executes: if the stack pointer (ESP) does not point to the right location, or the return address stored on the stack has been corrupted, RET transfers control somewhere else entirely. This is exactly what a stack buffer overflow exploits, and it is why a debugger that shows a return into an unexpected address usually points at a damaged stack rather than a faulty RET.
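The following C program is an added example, not code from the original text: it models the CALL and RET steps above on a small simulated 32-bit CPU (EIP, ESP, CS and a 64-byte flat stack), so the push and pop sequence can be observed without an assembler. The instruction lengths (a 5-byte near CALL, a 7-byte far CALL), the addresses 0x1000/0x2000/0x3000, the selectors 0x08/0x10 and the 0x41414141 overwrite are all made-up values chosen for illustration. The "corrupt" path overwrites the saved return address before RET, standing in for the stack overflow described in the last paragraph.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 64   /* hypothetical tiny flat stack; ESP indexes into it */

/* Simulated CPU: the registers CALL/RET touch, plus stack memory. */
typedef struct {
    uint32_t eip;
    uint32_t esp;
    uint16_t cs;
    uint8_t  stack[STACK_BYTES];
} cpu_t;

typedef struct { uint32_t eip; uint32_t esp; uint16_t cs; } result_t;

static void push32(cpu_t *c, uint32_t v) {
    c->esp -= 4;                          /* stack grows toward lower addresses */
    memcpy(&c->stack[c->esp], &v, 4);
}

static uint32_t pop32(cpu_t *c) {
    uint32_t v;
    memcpy(&v, &c->stack[c->esp], 4);
    c->esp += 4;
    return v;
}

/* Near CALL: A. push return address (EIP of the next instruction), B. load target offset. */
static void near_call(cpu_t *c, uint32_t next_eip, uint32_t target) {
    push32(c, next_eip);
    c->eip = target;
}

/* Near RET n: 1. pop return address into EIP, 2. add n to ESP to release parameters. */
static void near_ret(cpu_t *c, uint32_t n) {
    c->eip = pop32(c);
    c->esp += n;
}

/* Far CALL: A. push CS, B. push EIP, C. load selector, D. load offset. */
static void far_call(cpu_t *c, uint32_t next_eip, uint16_t sel, uint32_t target) {
    push32(c, c->cs);                     /* CS is pushed as a dword in 32-bit mode */
    push32(c, next_eip);
    c->cs = sel;
    c->eip = target;
}

/* Far RET n: pop EIP, then pop CS, then add n to ESP. */
static void far_ret(cpu_t *c, uint32_t n) {
    c->eip = pop32(c);
    c->cs = (uint16_t)pop32(c);
    c->esp += n;
}

/* Caller at 0x1000 pushes two dword arguments and CALLs 0x2000 (a 5-byte
 * instruction, so the return address is 0x1005); the callee ends with RET 8.
 * With corrupt != 0 the saved return address is clobbered first, as a
 * stack buffer overflow would do, and RET obediently jumps to the garbage. */
result_t simulate_near(int corrupt) {
    cpu_t c = { .eip = 0x1000, .esp = STACK_BYTES, .cs = 0x08 };
    push32(&c, 1);                        /* second argument (pushed first) */
    push32(&c, 2);                        /* first argument */
    near_call(&c, 0x1005, 0x2000);
    if (corrupt) {
        uint32_t bad = 0x41414141;        /* constructed overwrite of the return slot */
        memcpy(&c.stack[c.esp], &bad, 4);
    }
    near_ret(&c, 8);                      /* callee releases its 8 bytes of parameters */
    return (result_t){ c.eip, c.esp, c.cs };
}

/* Far call from selector 0x08 to 0x10:0x3000; the 7-byte CALL returns to 0x1007. */
result_t simulate_far(void) {
    cpu_t c = { .eip = 0x1000, .esp = STACK_BYTES, .cs = 0x08 };
    far_call(&c, 0x1007, 0x10, 0x3000);
    far_ret(&c, 0);
    return (result_t){ c.eip, c.esp, c.cs };
}

int main(void) {
    result_t r = simulate_near(0);
    printf("near ret 8:   EIP=%08x ESP=%u\n", r.eip, r.esp);
    r = simulate_near(1);
    printf("corrupted:    EIP=%08x ESP=%u\n", r.eip, r.esp);
    r = simulate_far();
    printf("far ret:      CS=%04x EIP=%08x ESP=%u\n", r.cs, r.eip, r.esp);
    return 0;
}
```

In the healthy run ESP comes back to its starting value only because RET 8 discards the two parameters; a plain RET would leave ESP 8 bytes low, which is the kind of calling-convention mismatch that shows up in a debugger as an unbalanced stack. In the corrupted run the CPU performs the same three steps and simply loads 0x41414141 into EIP, which is the whole mechanism behind return-address overwrites.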