Tags: assembly, x86, reverse-engineering

Why popping a register changes the IP pointer


I was playing around with some assembly code, which is:

func:
    pop ax          ; removes the return address pushed by call
    ret             ; pops the next stack slot (0x44) into the instruction pointer
main:
    push 0x44
    call func

I noticed that the IP pointer now points to 0x44, which is the last item on the stack.
I'm doing that to understand the ROP technique.
I need to understand this behavior, because when I do this:

func:
    ret
main:
    call func

it works as expected, with the EIP pointer pointing back to the original code. So what difference did the pop make that changed the code flow?
And does pop ax assign the last value on the stack to ax?


Solution

EIP is a register. A value on the stack isn't EIP (yet); it's a return address, or a value that might become EIP if you pop it into EIP by executing ret.

Think of ret as how x86 spells pop eip.

Executing push 0x44 increases the EIP register by 2, the length of the instruction.

If you use the 0x44 as a return address by executing ret while ESP is pointing to it, then EIP becomes 0x44.

And note that IP is the low 16 bits of EIP. Unless you really mean the low 16 bits, write EIP instead of IP.
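As an added illustration that is not part of the original answer, the following tiny Python model of push/pop/call/ret runs both of the asker's listings and shows where EIP ends up in each case. The code addresses (FUNC, MAIN), the encoded instruction lengths and the one-4-byte-slot-per-push simplification are assumptions made for the model.

```python
# Added example (not from the original post): a toy model of push/pop/call/ret
# showing why "ret" behaves like "pop eip". Simplification: every push and pop
# moves one 4-byte stack slot, so "pop ax" here removes a whole return address.
class CPU:
    def __init__(self, eip):
        self.eip, self.esp, self.ax, self.mem = eip, 0x1000, 0, {}

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value

def run(program, start, max_steps=32):
    """program maps address -> (mnemonic, operand, encoded length).
    Stops as soon as EIP points at an address that holds no code."""
    cpu = CPU(start)
    for _ in range(max_steps):
        if cpu.eip not in program:
            return cpu
        op, arg, size = program[cpu.eip]
        fallthrough = cpu.eip + size    # address of the next instruction in memory
        if op == "push":
            cpu.push(arg)
            cpu.eip = fallthrough
        elif op == "pop":               # pop ax: top of stack -> ax
            cpu.ax = cpu.pop()
            cpu.eip = fallthrough
        elif op == "call":              # save the return address, then jump
            cpu.push(fallthrough)
            cpu.eip = arg
        elif op == "ret":               # "pop eip": whatever ESP points at becomes EIP
            cpu.eip = cpu.pop()
    raise RuntimeError("step limit hit")

FUNC, MAIN = 0x100, 0x200   # assumed code addresses for the two labels
# Listing 1 from the question: pop ax removes the return address, ret then eats 0x44.
WITH_POP = {FUNC: ("pop", "ax", 2), FUNC + 2: ("ret", None, 1),
            MAIN: ("push", 0x44, 2), MAIN + 2: ("call", FUNC, 5)}
# Listing 2: nothing touches the stack inside func, so ret lands right after the call.
WITHOUT_POP = {FUNC: ("ret", None, 1), MAIN: ("call", FUNC, 5)}

def final_state(program):
    """Returns (eip, ax) once execution has left the listed code."""
    cpu = run(program, MAIN)
    return cpu.eip, cpu.ax
```

In listing 1 the ax register ends up holding the return address that call pushed, and EIP ends up at 0x44; in listing 2 EIP ends up at the instruction following the call.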