# Instruction Pointer Overwrite

## How does it work?

As explained in the "[STACK](https://www.ctfrecipes.com/pwn/general-knowledge/operation-of-the-stack/stack-frame)" section, when a function is called, the process stores the current value of the instruction pointer (the return address) onto the stack. Thus, the saved instruction pointer always sits at the end of a function's stack frame, right after the saved frame pointer.

```
   address     |   values
---------------+------------------------------------------------------------------
               |   +---------------- Function stack frame -------------------+
               |   | +------------- stack vars -------------+ +-saved ebp -+ |
   0xffffd264  |   | | 0x00000000   0x00000000   0x00000000 | | 0xffffd298 | |
               |   | +--------------------------------------+ +------------+ |
               |   +---------------------------------------------------------+
               |   +-------------------- main stack frame -------------------+
               |   | +-saved eip -+ +---- function params ---+               |
   0xffffd274  |   | | 0x565561dd | | 0x00000001  0x00000002 |  0x00000001   |
               |   | +------------+ +------------------------+               |
```

If a buffer overflow occurs within the function, it may be possible to overwrite the saved registers:

```
   address     |   values
---------------+------------------------------------------------------------------
               |   +---------------- Function stack frame -------------------+
               |   | +------------- stack vars -------------+ +-saved ebp -+ |
   0xffffd264  |   | | 0x41414141   0x41414141   0x41414141 | | 0x41414141 | |
               |   | +--------------------------------------+ +------------+ |
               |   +---------------------------------------------------------+
               |   +-------------------- main stack frame -------------------+
               |   | +-saved eip -+ +---- function params ---+               |
   0xffffd274  |   | | 0x41414141 | | 0x00000001  0x00000002 |  0x00000001   |
               |   | +------------+ +------------------------+               |
```

{% hint style="info" %}
In this example, a buffer overflow occurs in the variable stored at `0xffffd264`. 20 'A' bytes (`0x41`) have been sent, enough to entirely overwrite the saved `EIP` register.
{% endhint %}
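
The two diagrams above as a small, self-contained model (example code added for this page, not from the original): a 20-byte array stands in for the function's frame, an unbounded copy reproduces the second diagram, and a bounded copy keeps the saved `EIP` intact. Function names such as `unbounded_copy`, `bounded_copy` and `eip_after_copy` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame in the diagrams: 12 bytes of stack variables, then the
 * saved ebp (4 bytes), then the saved eip (4 bytes). Constructed bytes in an
 * ordinary array, not live process memory, so nothing here corrupts this program. */
#define VARS_SIZE  12
#define FRAME_SIZE (VARS_SIZE + 4 + 4)

static void init_frame(unsigned char *frame) {
    uint32_t ebp = 0xffffd298u, eip = 0x565561ddu;  /* values from the first diagram */
    memset(frame, 0, VARS_SIZE);
    memcpy(frame + VARS_SIZE, &ebp, 4);
    memcpy(frame + VARS_SIZE + 4, &eip, 4);
}

/* The bug: `len` bytes go into the 12-byte variable area with no bound check, so
 * bytes 12..19 land on the saved ebp and eip. Returns how many bytes spilled past
 * the variables (clamped to FRAME_SIZE only so the model itself stays in bounds). */
static size_t unbounded_copy(unsigned char *frame, const unsigned char *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame, in, len);
    return len > VARS_SIZE ? len - VARS_SIZE : 0;
}

/* The fix: never write past the variable area; return the number of refused
 * bytes so the caller can reject oversized input instead of silently truncating. */
static size_t bounded_copy(unsigned char *frame, const unsigned char *in, size_t len) {
    size_t n = len < VARS_SIZE ? len : VARS_SIZE;
    memcpy(frame, in, n);
    return len - n;
}

/* Send the hint's 20 'A's through one of the copies and return the saved eip
 * the function would return to afterwards. */
static uint32_t eip_after_copy(int bounded) {
    unsigned char frame[FRAME_SIZE], input[20]; uint32_t eip;
    memset(input, 'A', sizeof input);
    init_frame(frame);
    if (bounded) bounded_copy(frame, input, sizeof input);
    else         unbounded_copy(frame, input, sizeof input);
    memcpy(&eip, frame + VARS_SIZE + 4, 4);  /* read the saved eip back out */
    return eip;
}

int main(void) {
    printf("saved eip after unbounded copy: 0x%08x\n", (unsigned)eip_after_copy(0)); /* 0x41414141 */
    printf("saved eip after bounded copy:   0x%08x\n", (unsigned)eip_after_copy(1)); /* 0x565561dd */
    return 0;
}
```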
