# Instruction Pointer Overwrite

## How it works

As explained in the "[STACK](/pwn/general-knowledge/operation-of-the-stack/stack-frame.md)" section, when a function is called the `call` instruction pushes the address of the next instruction in the caller onto the stack, so that `ret` can come back to it. This saved instruction pointer (`EIP` on 32-bit x86) therefore always sits at the high-address end of the function's stack frame, right after the saved `EBP`.

```
   address     |   values
---------------+------------------------------------------------------------------
               |   +---------------- Function stack frame -------------------+
               |   | +------------- stack vars -------------+ +-saved ebp -+ |
   0xffffd264  |   | | 0x00000000   0x00000000   0x00000000 | | 0xffffd298 | |
               |   | +--------------------------------------+ +------------+ |
               |   +---------------------------------------------------------+
               |   +-------------------- main stack frame -------------------+
               |   | +-saved eip -+ +---- function params ---+               |
   0xffffd274  |   | | 0x565561dd | | 0x00000001  0x00000002 | 0x00000001    |
               |   | +------------+ +------------------------+               |
```

If a buffer overflow occurs within the function, it may be possible to overwrite the saved registers: the overflow writes towards higher addresses, so it reaches the saved `EBP` first and then the saved `EIP`.

```
   address     |   values
---------------+------------------------------------------------------------------
               |   +---------------- Function stack frame -------------------+
               |   | +------------- stack vars -------------+ +-saved ebp -+ |
   0xffffd264  |   | | 0x41414141   0x41414141   0x41414141 | | 0x41414141 | |
               |   | +--------------------------------------+ +------------+ |
               |   +---------------------------------------------------------+
               |   +-------------------- main stack frame -------------------+
               |   | +-saved eip -+ +---- function params ---+               |
   0xffffd274  |   | | 0x41414141 | | 0x00000001  0x00000002 | 0x00000001    |
               |   | +------------+ +------------------------+               |
```

{% hint style="info" %}
In this example, a buffer overflow occurs in the variable stored at `0xffffd264`. 20 `'A'` bytes (`0x41`) have been sent: the first 12 fill the three local variables, the next 4 overwrite the saved `EBP`, and the last 4 entirely overwrite the saved `EIP` at `0xffffd274`. When the function executes `ret`, the CPU pops `0x41414141` into `EIP` and tries to execute from there, which normally crashes the process; replacing those last four bytes with a valid address redirects execution instead.
{% endhint %}
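The overwrite shown in the two diagrams, as an added example that is not part of the original page: the code below models the 20-byte region drawn above as a plain byte array (three 4-byte locals, saved `EBP`, saved `EIP`), builds the payload the hint describes and reports which saved register each part of the payload lands on. `TARGET_ADDR` is a placeholder return address chosen for the illustration, not an address from the page, and `build_payload` and `run_overflow` are helpers written for this example; the copy is simulated in a local array rather than performed against a real process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets taken from the diagram: the local variables start at the lowest
 * address of the frame, the saved EBP follows them and the saved EIP follows
 * the saved EBP. */
#define BUF_SIZE   12u  /* three 4-byte "stack vars" */
#define EBP_OFFSET 12u  /* saved EBP begins where the locals end */
#define EIP_OFFSET 16u  /* saved EIP begins where the saved EBP ends */
#define FRAME_SIZE 20u  /* locals + saved EBP + saved EIP */

/* Initial frame contents, as drawn in the first diagram. */
#define INITIAL_EBP 0xffffd298u
#define INITIAL_EIP 0x565561ddu

/* Hypothetical address the attacker wants to return into
 * (a placeholder for this example, not taken from the page). */
#define TARGET_ADDR 0x08049196u

struct frame {
    uint32_t vars[3];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* x86 is little-endian: the least significant byte sits at the lowest
 * address, so an address goes into the payload byte-reversed. */
static void write_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build the classic payload: 'padding' filler bytes to reach the saved EIP,
 * then the target address in little-endian order. Returns the payload
 * length, or 0 if the output buffer is too small. */
size_t build_payload(uint8_t *out, size_t out_len, size_t padding, uint32_t target)
{
    if (out_len < padding + 4)
        return 0;
    memset(out, 'A', padding);          /* 0x41 filler, as in the diagram */
    write_le32(out + padding, target);
    return padding + 4;
}

/* Model the vulnerable function: its 12-byte local buffer is filled from the
 * payload with no length check, so payload bytes 12..15 land on the saved
 * EBP and bytes 16..19 on the saved EIP. The copy is capped at FRAME_SIZE
 * only so this simulation does not corrupt its own stack; the program being
 * modelled has no such check. */
struct frame run_overflow(size_t padding, uint32_t target)
{
    uint8_t stack[FRAME_SIZE];
    uint8_t payload[64];
    struct frame f;

    memset(stack, 0, BUF_SIZE);                 /* the three zeroed locals */
    write_le32(stack + EBP_OFFSET, INITIAL_EBP);
    write_le32(stack + EIP_OFFSET, INITIAL_EIP);

    size_t n = build_payload(payload, sizeof payload, padding, target);
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(stack, payload, n);                  /* the unchecked copy */

    for (int i = 0; i < 3; i++)
        f.vars[i] = read_le32(stack + 4 * i);
    f.saved_ebp = read_le32(stack + EBP_OFFSET);
    f.saved_eip = read_le32(stack + EIP_OFFSET);
    return f;
}

int main(void)
{
    struct frame f = run_overflow(EIP_OFFSET, TARGET_ADDR);
    printf("saved EBP = 0x%08x (clobbered by the 'A' filler)\n", f.saved_ebp);
    printf("saved EIP = 0x%08x (now TARGET_ADDR)\n", f.saved_eip);
    return 0;
}
```

The padding has to be exactly `EIP_OFFSET` bytes: with only 12 bytes of filler the target address lands on the saved `EBP` and the saved `EIP` is untouched, so the function still returns normally. The byte reversal in `write_le32` is why `0x08049196` appears in the payload as `96 91 04 08`. Against a real binary the offset is measured in a debugger rather than read off a diagram.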

