Understanding the Difference between ‘ret’ and ‘ret 0’

I’m doing a binary challenge from pwnable.kr and I’m examining some ROP gadgets.

Until now I’ve always used gadgets ending with ret or syscall/int 0x80, but now ROPgadget gave me a gadget ending with ret 0.

This is not strictly a security question but the short answer is that there is no functional difference between ret and ret 0. In fact, this notation is often compiler independent for some bizarre reason.

The reason your notation is being displayed as ret 0 is likely a ret imm16=0 instruction. MSVC for example emits ret as ret 0. However, these are exactly the same instruction in terms of operation. If you want to visualise the difference, compile a simple:

xor eax, eax
ret 0

in MASM and then compile the same program in NASM. NASM will likely optimize the above to

xor eax, eax
ret

whereas MASM will display it as the former with the ret 0.
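As an added illustration (not part of the original post or answer): a small Python decoder and stack simulator for x86 near returns. It shows why a gadget scanner prints ret 0 for the bytes C2 00 00 while C3 is printed as ret, and that both leave the stack in the same state, whereas ret N with N greater than zero discards N extra bytes after popping the return address. The opcode bytes are standard x86; the stack image and addresses are constructed sample values.

```python
import struct

# Standard x86 near-return encodings:
#   C3        ret         (pop return address only)
#   C2 iw     ret imm16   (pop return address, then add imm16 to ESP)
NEAR_RET_PLAIN = 0xC3
NEAR_RET_IMM16 = 0xC2


def decode_ret(code: bytes):
    """Decode a near return at the start of `code`.

    Returns (mnemonic_text, bytes_consumed, imm16), or None if the bytes are
    not a near return or the immediate is truncated. Disassemblers print the
    immediate even when it is zero, which is where "ret 0" comes from.
    """
    if not code:
        return None
    if code[0] == NEAR_RET_PLAIN:
        return ("ret", 1, 0)
    if code[0] == NEAR_RET_IMM16:
        if len(code) < 3:
            return None  # imm16 not fully present
        imm = struct.unpack_from("<H", code, 1)[0]
        return (f"ret {imm}", 3, imm)
    return None


def simulate_ret(stack: bytes, esp: int, code: bytes, word: int = 4):
    """Simulate the stack effect of a near return in 32-bit mode.

    `stack` is a little-endian memory image starting at address `esp`.
    Returns (new_eip, new_esp).
    """
    decoded = decode_ret(code)
    if decoded is None:
        raise ValueError("not a near return instruction")
    _, _, imm = decoded
    new_eip = int.from_bytes(stack[:word], "little")
    # ret pops one machine word; ret imm16 then discards imm16 more bytes.
    return new_eip, esp + word + imm


# Constructed stack image: three dwords 0x41414141, 0x42424242, 0x43434343.
SAMPLE_STACK = struct.pack("<III", 0x41414141, 0x42424242, 0x43434343)
SAMPLE_ESP = 0x1000


def same_stack_effect(code_a: bytes, code_b: bytes) -> bool:
    """True when two return encodings leave EIP and ESP identical."""
    return simulate_ret(SAMPLE_STACK, SAMPLE_ESP, code_a) == \
        simulate_ret(SAMPLE_STACK, SAMPLE_ESP, code_b)
```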
