The Stack

Section's for general approaches on hacking various options in games. No online-related discussions/posts OR warez!
Post Reply
User avatar
Posts: 1437
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 471

The Stack

Post by TheyCallMeTim13 » Sat May 12, 2018 5:38 pm ... rial:Stack
The Stack

If you're unfamiliar with registries please start here: Registers

So what is the stack?

Well I hate to use the word in the definition, but it's just a metaphorical stack of bytes; or an abstract data type that serves as a collection of elements, with two principal operations.
PUSH Adds an element to the collection. POP Removes the most recently added element that was not yet removed. The stack is primarily used to store values for a process. It uses a LIFO (last in, first out) behavior. So if we PUSH value A onto the stack and then PUSH value B, when we POP it will be value B first then value A with the second POP.[1]


Working with the Stack
So let's just dig in, if we have some code like this.

Code: Select all

push 123ABC
push 00DEAD
push 00BEEF

pop dword ptr [TestVals]
pop dword ptr [TestVals+4]
pop dword ptr [TestVals+8]
And if we assemble this in some memory.

So let's set a breakpoint and watch the stack as we step though the opcode.
Note: You can select a line of opcode in the memory view form and press F5 to set a breakpoint. Note: Step though opcode in the memory view form by pressing F7, after a breakpoint has been hit. Note: to view the stack you may need to select it for viewing. Image

Code step 1

Code step 2
So it's here that we start to see the values on the stack. Image

Code step 3

Code step 4

Code step 5
And here we can start to see the values being popped in the reverse order that they were pushed. Image

Code step 6

Code step 7

And that's really all there is to the basics of the stack.

The thing to remember is that if you push in some injected code then you will need to pop in order to clean (or sanitize) the stack.

Working with the registries
We can PUSH and POP most registries, this is useful for saving and restoring stuff in injected code. The x86 architecture has 8 General-Purpose Registers (GPR), 6 Segment Registers, 1 Flags Register and an Instruction Pointer. 64-bit x86 has additional registers.[2]

Code: Select all

push eax
push ebx
push ecx
push edx
push esi
push edi
push ebp
push esp

pop esp
pop ebp
pop edi
pop esi
pop edx
pop ecx
pop ebx
pop eax
There is the PUSHAD and POPAD to save and restore all the generic registries. So the above code could just be written like this.

Code: Select all


Note: PUSHAD and POPAD are not available in 64 bit mode.

Working with the Flags registry
We can even PUSH and POP the Flags registry, using PUSHF and POPF (for 16 bit registry). This allows us to save and restore the Flags when doing compares (conditional opcodes). The FLAGS register is the status register in Intel x86 microprocessors that contains the current state of the processor. This register is 16 bits wide. Its successors, the EFLAGS and RFLAGS registers, are 32 bits and 64 bits wide, respectively. The wider registers retain compatibility with their smaller predecessors.[3]
Note: when in 32 bit mode you should use PUSHFD and POPFD to manipulate the full 32 bits of the EFlags registry. Note: when in 64 bit mode you should use PUSHFQ and POPFQ to manipulate the full 32 bits of the EFlags registry.

Code: Select all

cmp eax,ebx
movcc eax,ecx

See Also Sources
Last edited by TheyCallMeTim13 on Sat May 12, 2018 5:59 pm, edited 3 times in total.
CE wiki - Tutorials CE wiki - Auto Assembler Basics - CE wiki - Lua Basics If it's not a Personal Message don't PM me, use the forum. I ignore PMs that should be asked on the forum.

Posts: 9
Joined: Fri Aug 11, 2017 3:59 pm
Reputation: 0

Re: The Stack

Post by ins » Mon Dec 10, 2018 11:30 am

Nice work.

The pop/push image at the start is a good candidate for "an image is worth a thousand words". :)

User avatar
Posts: 2295
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 835

Re: The Stack

Post by SunBeam » Fri Dec 28, 2018 4:38 pm

Hey, Tim.. try this and tell me if it works for ya ;)

Memory View > View > Preferences > Disassembler area > "Space between lines" > Above: 1; Below -1;
Memory View > View > Preferences > Hexview area > "Space between lines" > 1

Thank me later ;)

Post Reply

Who is online

Users browsing this forum: No registered users