POP

Table of Contents

1. POP（pop）
   1. Basic Function
   2. Instruction Execution Process
   3. Instruction Format
   4. Behavioral Characteristics
   5. Equivalent Expansion Example
   6. ASCII Stack Diagram
   7. Common Uses

POP（pop）

Basic Function

The POP instruction pops the top value from the stack into the destination operand, then moves the stack pointer upward.
In contrast to PUSH, POP increases ESP/RSP.

Instruction Execution Process

64-bit:

1
操作数 = [rsp]
2
rsp = rsp + 8

32-bit:

1
操作数 = [esp]
2
esp = esp + 4

Instruction Format

The following operands are allowed:

• pop r/m16
• pop r/m32
• pop r/m64

Not allowed:

• pop memory to memory
• pop immediate

Behavioral Characteristics

• The stack pointer moves upward
• The original stack data is not cleared; it only becomes logically invalid
• POP cannot directly pop an immediate value
• The destination register size must match when popping into a register (pop rax → 8 bytes)

Equivalent Expansion Example

1
pop rax
2
; 等价于
3
mov rax, [rsp]
4
add rsp, 8

ASCII Stack Diagram

Before execution:

1
rsp → +------------------+
2
      |   要弹出的值       |
3
      +------------------+

After executing pop rax:

1
rsp → +------------------+
2
      |   （旧数据）       |
3
      +------------------+
4
;       rax = 原栈顶值

⚠️ Note: the stack data at 0x0012FF88 here will not be cleared, but it will be overwritten during normal program execution

Common Uses

• Restore saved registers
• Restore stack state before a function returns
• Move the top of the stack to skip data
• Used in PWN for stack pivoting or stack adjustment