PUSH / POP

Pushes a value onto the stack (decrements RSP, then writes) or pops one off (reads, then increments RSP).

PUSH and POP are the primary instructions for manipulating the call stack. In 64-bit mode the default operand size is 64 bits (8 bytes).

Operation

asm
push rax      ; RSP -= 8 ; [RSP] = rax
pop  rbx      ; rbx = [RSP] ; RSP += 8
push 0x1234   ; immediate push — sign-extended to 64 bits

PUSH first decrements RSP by the operand size, then writes the value. POP first reads the value at [RSP], then increments RSP.

Neither PUSH nor POP modifies EFLAGS. The exception is the separate POPF/POPFD/POPFQ family, which restores flags from the stack.

Function prologue/epilogue pattern

asm
; Prologue — save callee-saved registers
push rbp
mov  rbp, rsp
push rbx
push r12

; ... body ...

; Epilogue — restore in reverse order
pop  r12
pop  rbx
pop  rbp
ret

The push rbp / mov rbp, rsp pair creates a stack frame that debuggers and unwinders use to walk the call chain.

Reverse-engineering notes

  • A string of push instructions at the start of a function usually saves callee-saved registers; the matching pops at the end are the epilogue.
  • Some compilers replace push reg with sub rsp, 8 / mov [rsp], reg — functionally identical as far as the stack is concerned (sub also updates EFLAGS, which push does not) but slightly larger code; common with -O2.
  • push imm is a compact way to pass a constant argument on the stack (32-bit sign-extended) when stack-based argument passing is needed.
  • Spotting mismatched push/pop counts is an easy way to identify stack-cleanup bugs or intentional obfuscation.
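
The push/pop balance check from the last note, as an added example (not code from the original page). It is a linear sweep with no control-flow tracking and assumes constant immediates on sub/add rsp; the names rsp_offsets_at_ret, PAGE_FRAME and MISMATCHED are hypothetical.

```python
SLOT = 8  # 64-bit mode: each push/pop moves RSP by 8 bytes

def rsp_offsets_at_ret(listing):
    """Return [(line_no, rsp_offset)] for each ret; 0 means RSP is balanced."""
    rsp, frame, results = 0, None, []   # rsp is relative to function entry
    for no, raw in enumerate(listing.splitlines(), 1):
        parts = raw.split(";")[0].lower().split(None, 1)
        if not parts:
            continue
        mnem = parts[0]
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        if mnem == "push":
            rsp -= SLOT
        elif mnem == "pop":
            rsp += SLOT
        elif mnem in ("sub", "add") and ops[:1] == ["rsp"]:
            imm = int(ops[1], 0)         # raises ValueError on a register operand
            rsp += imm if mnem == "add" else -imm
        elif mnem == "mov" and ops == ["rbp", "rsp"]:
            frame = rsp                  # frame pointer now remembers this depth
        elif mnem == "mov" and ops == ["rsp", "rbp"] and frame is not None:
            rsp = frame
        elif mnem == "leave" and frame is not None:
            rsp = frame + SLOT           # leave = mov rsp, rbp ; pop rbp
        elif mnem == "ret":
            results.append((no, rsp))
    return results

# The prologue/epilogue pattern from this page, with the body omitted.
PAGE_FRAME = "\n".join(["push rbp", "mov  rbp, rsp", "push rbx", "push r12",
                        "pop  r12", "pop  rbx", "pop  rbp", "ret"])

# Constructed sample: rbx is pushed but never popped, and r12 is saved with
# the sub/mov form. At ret, RSP still points at the saved rbp slot.
MISMATCHED = "\n".join(["push rbp", "push rbx", "sub  rsp, 8", "mov  [rsp], r12",
                        "pop  r12", "pop  rbp", "ret"])

if __name__ == "__main__":
    for name, text in (("page frame", PAGE_FRAME), ("mismatched", MISMATCHED)):
        for no, off in rsp_offsets_at_ret(text):
            verdict = "balanced" if off == 0 else "IMBALANCED"
            print(f"{name}: ret at line {no}, RSP offset {off:+d} ({verdict})")
```

A non-zero offset at ret means the return address would be read from the wrong stack slot, which is the signature of a cleanup bug or of deliberate stack games in obfuscated code.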

Try it — Virtual CPU

asm
mov rax, 0x1111
mov rbx, 0x2222
push rax        ; RSP -= 8 ; [RSP] = 0x1111
push rbx        ; RSP -= 8 ; [RSP] = 0x2222
pop rcx         ; rcx = 0x2222 (last value pushed comes off first)
pop rdx         ; rdx = 0x1111 ; RSP is back at its starting value