'Why use Push/Pop instead of Mov to put a number in a register in shellcode?
I have some sample code from a shell code payload showing a for loop and using push/pop to set the counter:
push 9
pop ecx
Why can it not just use mov?
mov ecx, 9
Solution 1:[1]
This may have different reasons.
In this case this seems to be done because the code is smaller:
The variant with the push and the pop combination is 3 bytes long, the mov instruction is 5 bytes long.
However, I would guess that the mov variant is faster ...
Solution 2:[2]
Essentially the same exact thing. push 9 to stack then pop it into ecx register which is basically the same as mov ecx, 9. Personally I think 9 to ecx is probably more efficient then pushing 9 to the stack and then popping it into ecx but i think the processing time is not an issue so they both equally fast considering how small the code is either way.
Solution 3:[3]
I switched to Hyperkit and I'm not having any issues. So it was definitely something with the Virtualbox config.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Martin Rosenau |
| Solution 2 | Stephen Killgore |
| Solution 3 | jasonlehmanusf |