What is the purpose of the instruction fldz on the Aaron Adams shellcode?

Question

I'm studying the Aaron Adams assembly code. You can find the documentation here (section --[ 2.b.i Getting EIP).

I understand that the goal is to get the EIP.

I know that the FPU environment looks like below:

struct _fpstate_32 {
/* Legacy FPU environment: */
__u32                cw;
__u32                sw;
__u32                tag;
__u32                ipoff;
__u32                cssel;
__u32                dataoff;
__u32                datasel;

And ipoff contains the EIP.

So the fnstenv [esp-12] puts cw,sw,tag and ipoff on the stack and then I can get the EIP on ECX with pop ecx.

But I don't understand the purpose of fldz.

fldz "Push +0.0 onto the FPU register stack". It means we have a second stack on the FPU? And why do we need to do this?

score 1 · Accepted Answer · answered Jan 30 '19 at 19:52

From what I understand, the value of EIP that you've mentionned (ipoff) is actually the value taken from the Last instruction pointer register.

Therefore, when calling fnstenv [esp-12], the value that will be pushed on the stack will be a pointer to the fldz instruction, since its the last floating point instruction to be executed before calling fnstenv.

Without it, the value returned by fnstenv could be anything.

Reference : https://home.deec.uc.pt/~jlobo/tc/artofasm/ch14/ch143.htm

The instruction and data pointer registers contain certain state information about the last floating point instruction executed.

What is the purpose of the instruction fldz on the Aaron Adams shellcode?

1 Answers1