MeanDiff
Invalid stack operation - `pop`
Description
When executing `pop esp`, the value is read from memory and written into the destination before the stack pointer is incremented, so the increment clobbers the popped value. According to the Intel manual, "The POP ESP
instruction increments the stack pointer (ESP) before data at the old top of stack is written into the
destination."
Reference: Intel 64 and IA-32 Architectures Software Developer's Manual, Vol. 2B, 4-384
Affected instructions:
0x5c # pop
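The following is an added example, not code from the bug report or from BINSEC: a small model of the two statement orderings, executed over a constructed stack, to show why the order matters only when the destination is `esp` itself. Register names, the memory layout and the stack contents are assumptions for the demonstration.

```python
# Added example (not part of the bug report or of BINSEC): model the observed
# lifting of `pop dst` against the Intel ordering and compare the results.
from typing import Dict, Tuple

WORD = 4
MASK = 0xFFFFFFFF


def load32(mem: Dict[int, int], addr: int) -> int:
    """Little-endian 32-bit load from a byte-addressed dict (unset bytes read as 0)."""
    return sum(mem.get(addr + i, 0) << (8 * i) for i in range(WORD)) & MASK


def pop_observed(regs: Dict[str, int], mem: Dict[int, int], dst: str) -> Dict[str, int]:
    """Observed lifting: dst := @[esp]4 ; esp := esp + 4 (increment last)."""
    r = dict(regs)
    r[dst] = load32(mem, r["esp"])
    r["esp"] = (r["esp"] + WORD) & MASK  # overwrites dst when dst == "esp"
    return r


def pop_intel(regs: Dict[str, int], mem: Dict[int, int], dst: str) -> Dict[str, int]:
    """Intel ordering: read old top of stack, increment esp, then write dst."""
    r = dict(regs)
    value = load32(mem, r["esp"])
    r["esp"] = (r["esp"] + WORD) & MASK  # increment first
    r[dst] = value                        # final write wins when dst == "esp"
    return r


def make_stack(esp: int, top_value: int) -> Dict[int, int]:
    """Constructed memory: one 32-bit word stored little-endian at the top of stack."""
    return {esp + i: (top_value >> (8 * i)) & 0xFF for i in range(WORD)}


def compare(dst: str) -> Tuple[int, int]:
    """Return (observed, intel) values of `dst` after `pop dst` on a constructed state."""
    regs = {"esp": 0xBFFF0000, "eax": 0}          # assumed initial registers
    mem = make_stack(regs["esp"], 0xDEADBEEF)      # constructed top-of-stack value
    return pop_observed(regs, mem, dst)[dst], pop_intel(regs, mem, dst)[dst]


if __name__ == "__main__":
    for reg in ("eax", "esp"):
        obs, ref = compare(reg)
        print(f"pop {reg}: observed={obs:#010x} intel={ref:#010x} "
              f"{'OK' if obs == ref else 'MISMATCH'}")
```

For `pop eax` both orderings agree, which is why the defect is specific to `esp` as the destination; for `pop esp` the observed lifting yields the popped value plus 4, while the Intel ordering (and the expected output above) leaves exactly the popped value in `esp`.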
Reproduction guide
Instruction:
00000000 5C pop esp
Input:
binsec disasm -decode 5c
Observed output:
⎧ 0: esp := @[esp₍₃₂₎]₄
pop esp ⎨ 1: esp := (esp₍₃₂₎ + 4₍₃₂₎)
⎩ 2: goto ({0x00000001; 32}, 0)
Expected output:
pop esp ⎧ 0: esp := @[esp₍₃₂₎]₄
⎩ 1: goto ({0x00000001; 32}, 0)
System Info
OS:
# uname -a
Linux ubuntu 4.10.0-28-generic #32-Ubuntu SMP Fri Jun 30 05:32:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.04
DISTRIB_CODENAME=zesty
DISTRIB_DESCRIPTION="Ubuntu 17.04"
BINSEC: 20170301 0.1