- It depends where you are in the function:
Right at the first instruction: no, because the call instruction put the return address on RSP.
(lldb) x/gx $rsp
Now if you were to take one instruction step into the assembly, you’ll likely hit the following line of assembly:
-> 0x1032197e0 <+0>: push rbp
This will increment RSP (by 8) and put the value of RBP at the top of the stack.
So now you would get the return address by:
(lldb) x/gx '$rsp + 8'
Following that instruction, the stack pointer gets moved to the base pointer:
0x1032197e1 <+1>: mov rbp, rsp
So now, you can reference the return address via:
(lldb) x/gx '$rbp + 8'
Now to answer your question: by the time you are executing the ret instruction, the stack pointer will be pointing to the return address. So RSP will have the return function, not RSP + 0x8. After the ret, the return address is no longer needed, so it gets popped off. When that happens, RSP += 8. By the way, this is a very common attack against C x86 programs. If you can figure out how to write data on the stack (via string input?), you can change control execution to a different function on return.
A pointer in a 64 bit process will be 8 bytes. A pointer in a 32 bit process will be 4 bytes. You can verify via the sizeof C function. You can definitely store a 32 bit value in a 64 bit address, it's just the alignment must always be 8 bytes. You will never have a scenario where the stack is returning from a value that is not modulus
Sorta answered in 2?
The function prologue can be variable in size. Whatever amount of assembly that is required to set up the registers and the stack
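An added example, not part of the answer above or the original question, that checks the frame layout the answer describes from inside a C program built for x86-64 with GCC or Clang: `__builtin_frame_address(0)` yields the RBP value the prologue set up, so the claim that the return address sits at `[rbp + 8]` (one pointer-sized slot, 8 bytes in a 64-bit process) directly above the saved caller RBP can be verified in place. The function and struct names are hypothetical.

```c
#include <stdio.h>

/* Hypothetical helper (not from the answer): after "push rbp; mov rbp, rsp"
 * the frame is laid out as
 *   [rbp + 8]  return address (the value RET pops)
 *   [rbp + 0]  caller's saved RBP
 * and each slot is sizeof(void *) bytes: 8 in a 64-bit process, 4 in a 32-bit one. */

struct frame_check {
    int ret_addr_ok;     /* slot at [rbp + 8] equals the address RET returns to */
    int saved_rbp_ok;    /* slot at [rbp] equals the caller's RBP */
    unsigned slot_size;  /* sizeof(void *), the size of one stack slot */
};

/* Reading __builtin_frame_address(0) makes GCC and Clang keep a frame pointer
 * in this function even when they would otherwise omit it. */
__attribute__((noinline))
static struct frame_check inspect_frame(void *caller_fp)
{
    void **fp = __builtin_frame_address(0);   /* RBP after "mov rbp, rsp" */
    void *ret = __builtin_return_address(0);  /* address the CALL pushed */
    struct frame_check r;
    r.ret_addr_ok  = (fp[1] == ret);          /* same as: x/gx '$rbp + 8' */
    r.saved_rbp_ok = (fp[0] == caller_fp);    /* same as: x/gx $rbp */
    r.slot_size    = (unsigned)sizeof(void *);
    return r;
}

__attribute__((noinline))
static struct frame_check check_frame_layout(void)
{
    void *my_fp = __builtin_frame_address(0);  /* this frame's RBP, pushed by the callee's prologue */
    struct frame_check r = inspect_frame(my_fp);
    __asm__ volatile("" ::: "memory");         /* keep the call from becoming a tail call */
    return r;
}

int main(void)
{
    struct frame_check r = check_frame_layout();
    printf("return address at [rbp + %u]: %s\n", r.slot_size, r.ret_addr_ok ? "yes" : "no");
    printf("caller RBP at [rbp]: %s\n", r.saved_rbp_ok ? "yes" : "no");
    return 0;
}
```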