I picked up the book "Practical reverse engineering" and i have the following example on page 14 (x86 assembly):
mov eax, 0AAAAAAAh
mov ebx, 0BBBBBBBh
push eax
push ebx
pop esi
pop edi
Now, I push eax and ebx on to the stack, but i pop esi and edi of the stack. Why is that? I thought I would push and pop the same registers.
On
You don't push registers, you push the values held in these registers. In this case, the values come from registers eax and ebx. The registers themselves remain where they were (somewhere inside the CPU).
You can pop these values into any registers, like esi and edi here. It simply depends on where in your code and in which registers you need these values.
Sometimes you only want to clear a few values from the stack. Then you could do
pop esi ; or whatever register is not in use at the moment
pop esi
That would not affect any other register. (Of course, you could also simply change the stack pointer, but that is another topic.)
On
When you pop the stack, the register operand just receives the value that was on the top of the stack. As long as the same number of bytes are pushed and popped, the stack is balanced, regardless of where the bytes go. You do not necessarily need to pop back into the same location that was the source of your earlier pushed value.
For example, this code loads the register ecx with whatever was currently in eax, without misaligning the stack:
push eax
pop ecx
You can also perform an effective "operand-less" pop by manually adjusting the stack pointer:
push eax
...
add esp, 4 ; Discard 32-bits on top of stack
; Stack is now balanced (assuming the intermediate instructions did not misalign the stack)
look for more details: push / pop explanation