Originally Posted by
abachler
It's possible to POP CS, although not specifically with that mnemonic. Simply PUSH the value onto the stack and execute an IRET, although this also pops IP and causes execution to continue at the target address.
You do not need to use IRET (in fact, that would probably not WORK), but a "far ret" would work fine, and "pop" CS. But the point was more that there is no instruction in x86 that restores CS on its own from the stack (or for that matter "loads" CS from memory, or some such). You have to use one of the JUMP, CALL or RET instructions that take a CS:rIP pair - or use task-switching instructions.
As to DS and CS being the same, I was referring to x86. Most other processors do not have DS and CS registers. Of course, there are at least some processors that have a Harvard or pseudo-Harvard architecture. A good way to avoid accidentally executing data!
Note also that my simple push, push, ret example is just ONE of many different ways that we could come up with a "stack-frame that points to a function". You most likely would have to completely follow the whole of the instruction flow to know what's going on. A more complex example:
Code:
; NASM syntax, 32-bit. Comments added to follow the data flow.
mov ebp, esp            ; ebp = original esp
push ebp                ; esp -= 4; [esp] = ebp (this slot is overwritten below)
mov eax, 0xFFFFFFFF
xor eax, ebp            ; eax = ~ebp
not eax                 ; eax = ebp again, just obscured
sub eax, 4              ; eax = ebp - 4 (the slot just pushed)
mov dword [eax], a      ; [ebp-4] = address of a   (NASM needs the dword size)
sub eax, 4              ; eax = ebp - 8
mov dword [eax], b      ; [ebp-8] = address of b
xchg esp, eax           ; esp = ebp - 8, eax = ebp - 4
ret                     ; pops b -> control goes to b; esp = ebp - 4
a:
leave                   ; esp = ebp; pop ebp
ret
...
b:
...                     ; when b executes ret, it pops a and continues at a
[I don't guarantee that the above code is actually CORRECT - but something along those lines WILL be able to execute correctly].
By the time you can follow such things, you have pretty much built a complete x86 instruction simulator. Which is a MAJOR task.
--
Mats
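As an added illustration of the point above (this is not code from the thread or from Mats), here is a tiny simulator that covers just the handful of instructions used in that example and steps through them, recording the register state after each one, so you can see that the xor/not pair hands back the original esp and that the final ret transfers control to b with a left on the stack for b's own ret. The label addresses and the initial esp are constructed, made-up values; "store" stands for "mov dword [reg], label".

```python
"""Minimal x86-32 model for the post's push/xor/not/xchg/ret sequence.

Registers are 32-bit, memory is a dict keyed by dword address.  This is a
constructed teaching model, not a real x86 emulator: it knows only the
instructions the example uses.
"""

MASK = 0xFFFFFFFF

# Constructed (made-up) addresses for the labels a: and b:.
LABELS = {"a": 0x08048100, "b": 0x08048200}

# The example program as (op, dst, src) tuples.  "store" models
# "mov dword [dst], src".
PROGRAM = [
    ("mov", "ebp", "esp"),
    ("push", "ebp", None),
    ("mov", "eax", 0xFFFFFFFF),
    ("xor", "eax", "ebp"),
    ("not", "eax", None),
    ("sub", "eax", 4),
    ("store", "eax", "a"),
    ("sub", "eax", 4),
    ("store", "eax", "b"),
    ("xchg", "esp", "eax"),
    ("ret", None, None),
]


class CPU:
    def __init__(self, esp):
        self.regs = {"eax": 0, "ebp": 0, "esp": esp}
        self.mem = {}          # dword address -> value
        self.trace = []        # (mnemonic, register snapshot) per step

    def value(self, operand):
        """Resolve an immediate, a register name, or a label to an integer."""
        if isinstance(operand, int):
            return operand
        if operand in self.regs:
            return self.regs[operand]
        return LABELS[operand]

    def step(self, insn):
        """Execute one instruction; return a branch target if control leaves."""
        op, dst, src = insn
        r = self.regs
        if op == "mov":
            r[dst] = self.value(src)
        elif op == "push":
            r["esp"] = (r["esp"] - 4) & MASK
            self.mem[r["esp"]] = self.value(dst)
        elif op == "xor":
            r[dst] ^= self.value(src)
        elif op == "not":
            r[dst] = ~r[dst] & MASK
        elif op == "sub":
            r[dst] = (r[dst] - self.value(src)) & MASK
        elif op == "store":
            self.mem[r[dst]] = self.value(src)
        elif op == "xchg":
            r[dst], r[src] = r[src], r[dst]
        elif op == "ret":
            target = self.mem[r["esp"]]
            r["esp"] = (r["esp"] + 4) & MASK
            return target
        else:
            raise ValueError("unsupported instruction: %s" % op)
        return None


def run(program, esp=0xBFFFF000):
    """Run until the first control transfer; return (cpu, target address)."""
    cpu = CPU(esp)
    for insn in program:
        target = cpu.step(insn)
        cpu.trace.append((insn[0], dict(cpu.regs)))
        if target is not None:
            return cpu, target
    return cpu, None


def label_for(addr):
    """Map an address back to a label name, or None if it is not a label."""
    for name, value in LABELS.items():
        if value == addr:
            return name
    return None


if __name__ == "__main__":
    cpu, target = run(PROGRAM)
    for mnemonic, regs in cpu.trace:
        print("%-5s eax=%08x ebp=%08x esp=%08x"
              % (mnemonic, regs["eax"], regs["ebp"], regs["esp"]))
    print("ret transfers control to %s" % label_for(target))
    print("next dword on the stack is %s" % label_for(cpu.mem[cpu.regs["esp"]]))
```

Even this toy has to model memory, the stack pointer and every arithmetic quirk (masking to 32 bits, the xor-with-all-ones trick), which is the point of the post: the only reliable way to know where a hand-built frame sends control is to execute, or fully simulate, the instruction stream.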