RET

Table of Contents

1. RET (ret)
   1. Basic purpose
   2. Instruction execution process
   3. Instruction format
   4. Behavioral characteristics
   5. Common uses

RET (ret)

Basic purpose

RET pops the return address from the top of the stack and jumps to it; it is the exit instruction used when a function finishes execution. Equivalent behavior:

1
pop rip

Immediate version:

1
ret 8

Equivalent to:

1
pop rip
2
add rsp, 8

Used by calling conventions to clean up arguments.

Instruction execution process

1. Read the return address from RSP and assign it to RIP
2. Increase RSP by 8 (x64)

Instruction format

1
ret
2
ret imm16

Behavioral characteristics

• The jump target is determined entirely by the stack contents

• Does not modify EFLAGS

• Is the core trampoline of ROP attacks

• If the return address is overwritten, program control flow is hijacked

Common uses

• Function return
• Gadgets in a ROP chain
• Constructing attack patterns such as ret2libc and ret2plt
• Implementing lightweight jumps in shellcode