-3

I came across a problem while debugging a 64-bit binary on Windows using IDA. Normally, after a push, the RSP value should be reduced by 8. But occasionally, in IDA I saw that RSP was only reduced by 2, and then by 8 for the next push.

The code involved is:

push rax
push rbx
push rsi
push rdi

I'm quite new to the x64 environment, so could anyone explain this behavior?

Peter Cordes
Nathan L
  • 3
    It shouldn't be 2 unless the code is using a 16 bit push (which is not normal). Show the instruction and before-after. – Jester Mar 12 '16 at 14:25
  • 1
    downvoted: doesn't include details (like actual text dump from a debugger with before/after values on a specific instruction). – Peter Cordes Mar 12 '16 at 16:08

1 Answer

8

You're probably getting mixed up by hexadecimal. Counting by 8 goes

0  8  10  18  20  28  30

Are you looking at that and thinking 10 - 8 == 2? Because it's 0x10 - 0x8 == 0x8.

Peter Cordes
  • 1
    @Jester: Nope, all part of the package :) I've occasionally caught myself making this mistake for a second or two, enough to remember it having happened. It took me a couple minutes while typing a comment to think of this, though. :P – Peter Cordes Mar 12 '16 at 16:44