Does the ret instruction add 4 to esp register?
Does the ret instruction cause the "esp" register to be increased by 4?
Yes, it performs `pop eip`. You can use

    mov eax, [esp]
    jmp eax

to avoid it.
EDIT: It's exactly what `ret` does. For example, `jmp rel_offset` is nothing but a hidden `add eip, offset`, and `jmp absolute_offset` is `mov eip, absolute_offset`. Sure, there are differences in the way the processor treats them, but from the programmer's point of view that's all that happens.

Also, there is a special form of `ret`: `ret imm8`, which also adds this imm8 value to `esp`: for example, a `__stdcall` function uses it to discard its parameters from the stack. Not to mention the `retf` version, used in 16-bit mode, which also pops `cs` from the stack.
EDIT2: `pop register` means:

    mov register, [esp]
    add esp, 4
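As an added illustration (not code from either answer), here is a small C model of the 32-bit stack semantics the answer describes: push and pop move esp by 4, call pushes the return address, and ret is pop eip followed by an optional immediate added to esp, which is how a __stdcall callee discards its arguments. The memory size, the addresses and the constants 0x1005/0x2000 are constructed for the model; it is not real hardware and decodes no instructions.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of the x86 32-bit stack machine: a little-endian byte array for
   memory, esp pointing at the top of stack, eip as instruction pointer.
   Assumes a little-endian host for memcpy-based loads/stores. */
typedef struct {
    uint8_t  mem[64];
    uint32_t esp;
    uint32_t eip;
} cpu_t;

static uint32_t load32(const cpu_t *c, uint32_t addr) {
    uint32_t v;
    memcpy(&v, &c->mem[addr], 4);
    return v;
}
static void store32(cpu_t *c, uint32_t addr, uint32_t v) {
    memcpy(&c->mem[addr], &v, 4);
}

/* push reg:  esp -= 4 ; [esp] = reg */
void op_push(cpu_t *c, uint32_t v) { c->esp -= 4; store32(c, c->esp, v); }
/* pop reg:   reg = [esp] ; esp += 4 */
uint32_t op_pop(cpu_t *c) { uint32_t v = load32(c, c->esp); c->esp += 4; return v; }
/* call target: push the address of the next instruction, then jump */
void op_call(cpu_t *c, uint32_t target, uint32_t next_eip) { op_push(c, next_eip); c->eip = target; }
/* ret imm:   pop eip, then add the immediate to esp (plain ret is imm == 0;
   the encoded immediate in real x86 is 16 bits wide) */
void op_ret(cpu_t *c, uint16_t imm) { c->eip = op_pop(c); c->esp += imm; }

/* Plain ret on a stack holding one pushed return address: esp after - esp before. */
int ret_esp_delta(void) {
    cpu_t c = { {0}, 64, 0 };
    op_push(&c, 0x1005);              /* esp: 64 -> 60 */
    uint32_t before = c.esp;
    op_ret(&c, 0);                     /* pop eip: esp 60 -> 64 */
    return (int)(c.esp - before);      /* 4 */
}

/* Caller pushes two dword arguments and calls a __stdcall callee, which
   returns with ret 8: esp ends where it started and eip is the return address. */
cpu_t stdcall_roundtrip(void) {
    cpu_t c = { {0}, 64, 0x1000 };
    op_push(&c, 0x11); op_push(&c, 0x22);   /* args: esp 64 -> 56 */
    op_call(&c, 0x2000, 0x1005);            /* esp -> 52, eip = 0x2000 */
    op_ret(&c, 8);                           /* pop eip (+4), then +8 -> 64 */
    return c;
}
```

If the callee instead used plain `ret`, esp would stop at 56 and the caller would have to do its own `add esp, 8`, which is the cdecl convention.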
Yes, because on the stack there is (well, there should be, see buffer overflow) the address where execution of the program is to resume. So `ret` means

    pop ret_addr ; pop deletes ret_addr from the stack by adding 4 to esp
    mov eip, ret_addr

which is `pop eip`, just as ruslik said.
Yes, when the processor is running in 32-bit protected mode. In real mode or 16-bit protected mode, RET does a POP IP, which causes an ADD ESP, 2 (instead of 4).