Getting EIP from FPU (x86) (last update: 2015-06-25, created: 2015-06-25)
Because call $+5; pop eax is just too boring.



; Get EIP (esi must point at 28 writable bytes: fnstenv dumps the whole x87 environment)
fldz                ; non-control FPU instruction: FIP <- address of this fldz
fnstenv [esi]       ; store the 28-byte environment; the FIP field is at +0xc
mov eax, [esi+0xc]  ; eax = FIP
; Address of fldz is now in eax.


At [esi+0xc] sits the FPU Instruction Pointer (FIP), the x87 register that records the address of the last non-control FPU instruction executed; control instructions such as fnstenv or fldcw do not update it. Here the last non-control FPU instruction is fldz, so eax receives the address of fldz. fnstenv writes a 28-byte environment block (control word at +0, status word at +4, tag word at +8, FIP at +0xc, CS selector and opcode at +0x10, data pointer offset and selector at +0x14 and +0x18), so esi has to point at 28 writable bytes, and as a side effect the instruction masks all x87 exceptions in the control word. Two caveats: newer Intel CPUs deprecate the FCS/FDS selector fields and store them as zero, but FIP itself is still recorded; and in 64-bit mode this 32-bit format keeps only the low 32 bits of RIP (the full pointer is only available through fxsave/xsave).

Full test example (x86-32, nasm, asmloader env):



[bits 32]
; Make esi point at 256 zeroed bytes embedded in the code: fnstenv needs
; 28 writable bytes, the rest is slack.
call after_space
times 256 db 0
after_space:
pop esi

; Make edi point at the printf-style format string.
call after_text
db "eip=%.8x", 0xa, 0
after_text:
pop edi

; Get EIP (fldz sits +0x116 bytes from the code start, see the run below)
fldz                ; non-control FPU instruction: FIP <- address of this fldz
fnstenv [esi]       ; store the 28-byte environment into the scratch space
mov eax, [esi+0xc]  ; eax = FIP = address of fldz

; asmloader exposes helpers through a table in ebx: slot 3 is used here like
; printf(edi, eax), slot 0 ends the program.
push eax
push edi
call [ebx+3*4]      ; print "eip=<address of fldz>"
call [ebx]          ; exit


Example run:


gynvael:haven-windows> asmloader geteip
Simplified Assembly Loader v.0.0.2 by gynvael.coldwind//vx
Code loaded at 0x00030100 (292 bytes)
eip=00030216
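The same trick from C with GCC/Clang inline assembly, as an added example that is not part of the original page or of asmloader. It wraps the 28-byte fnstenv layout described above in a struct (the field names are this example's own), decodes a constructed dump carrying the 0x00030216 value from the run above, and then checks both the buffer form used on the page and the scratch-buffer-free stack form common in shellcode (fnstenv [esp-0xc]; pop) against the real address of fldz. The stack form is shown for x86-64 and assumes a SysV-style red zone below rsp; on non-x86 builds the self-checks return -1 rather than testing anything.

```c
/* Added example (not from the original page): the fnstenv EIP trick from C on
   x86-64/x86-32 with GCC/Clang inline asm. struct fpu_env is this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 28-byte x87 environment as written by fnstenv in 32-bit protected mode
   (and by fnstenv with its default 32-bit operand size in 64-bit mode). */
struct fpu_env {
    uint32_t fcw;     /* +0x00 control word (low 16 bits used) */
    uint32_t fsw;     /* +0x04 status word */
    uint32_t ftw;     /* +0x08 tag word */
    uint32_t fip;     /* +0x0c address of the last non-control x87 instruction */
    uint32_t fcs_fop; /* +0x10 CS selector (bits 0-15) and opcode (bits 16-26) */
    uint32_t fdp;     /* +0x14 data pointer offset */
    uint32_t fds;     /* +0x18 data selector */
};
_Static_assert(sizeof(struct fpu_env) == 28, "fnstenv writes 28 bytes");

/* Pull the FIP field out of a raw little-endian 28-byte fnstenv dump. */
uint32_t fpu_env_fip(const unsigned char *env28) {
    uint32_t fip;
    memcpy(&fip, env28 + offsetof(struct fpu_env, fip), sizeof fip);
    return fip;
}

/* Constructed dump whose FIP field is 0x00030216, the value printed by the asmloader run. */
uint32_t example_dump_fip(void) {
    static const unsigned char dump[28] = {
        [0x0c] = 0x16, [0x0d] = 0x02, [0x0e] = 0x03, [0x0f] = 0x00 };
    return fpu_env_fip(dump);
}

/* Buffer form (the page's snippet): fldz; fnstenv [buf]; read buf+0xc.
   Returns 1 if the recovered FIP equals the real address of fldz, 0 if not,
   and -1 when not compiled for x86 (nothing to check). */
__attribute__((noinline)) int fpu_eip_buffer_self_check(void) {
#if defined(__x86_64__) || defined(__i386__)
    struct fpu_env env;
    uintptr_t fldz_addr;
# if defined(__x86_64__)
    __asm__ volatile(
        "1:\n\t"
        "fldz\n\t"               /* non-control: FIP <- address of this fldz       */
        "fnstenv %0\n\t"         /* control: dumps the env, leaves FIP alone       */
        "fstp %%st(0)\n\t"       /* drop the 0.0 fldz pushed (runs after the dump) */
        "leaq 1b(%%rip), %1\n\t" /* real address of label 1 for comparison        */
        : "=m"(env), "=r"(fldz_addr) : : "memory");
# else
    __asm__ volatile(
        "1:\n\t"
        "fldz\n\t"
        "fnstenv %0\n\t"
        "fstp %%st(0)\n\t"
        "call 2f\n"              /* call/pop to learn the address of label 2 ... */
        "2:\n\t"
        "pop %1\n\t"
        "subl $2b-1b, %1\n\t"    /* ... then back up to label 1 (the fldz)       */
        : "=m"(env), "=r"(fldz_addr) : : "memory");
# endif
    /* In 64-bit mode the 32-bit format keeps only the low half of RIP. */
    return env.fip == (uint32_t)fldz_addr;
#else
    return -1;
#endif
}

/* Stack form common in shellcode: fnstenv [esp-0xc] lands the FIP field exactly
   at [esp], so one pop fetches it. Shown for x86-64, where popq also pulls the
   fcs/fop dword into the upper half; 32 bytes are reserved first so the 28-byte
   write only hits this function's own slots and the SysV red zone below rsp. */
__attribute__((noinline)) int fpu_eip_stack_self_check(void) {
#if defined(__x86_64__)
    uint64_t popped;
    uintptr_t fldz_addr;
    __asm__ volatile(
        "subq $32, %%rsp\n\t"
        "1:\n\t"
        "fldz\n\t"
        "fnstenv -0xc(%%rsp)\n\t"  /* env+0xc == [rsp]            */
        "fstp %%st(0)\n\t"
        "popq %0\n\t"              /* low dword = FIP              */
        "addq $24, %%rsp\n\t"      /* undo the 32 minus the 8 popped */
        "leaq 1b(%%rip), %1\n\t"
        : "=r"(popped), "=r"(fldz_addr) : : "memory");
    return (uint32_t)popped == (uint32_t)fldz_addr;
#else
    return -1;
#endif
}

int main(void) {
    printf("dump fip = %08x\n", example_dump_fip());
    printf("buffer form ok: %d, stack form ok: %d\n",
           fpu_eip_buffer_self_check(), fpu_eip_stack_self_check());
    return 0;
}
```

Neither self-check restores the control word afterwards, so the exception masks fnstenv sets stay in effect for the rest of the process; a real program that cares would follow up with fldenv (or fldcw) to put the original environment back.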

