Recently, while analyzing a serious process crash, part of the analysis required a clear understanding of EBP and ESP. I believe everyone is already familiar with ebp and esp, but to keep this article self-contained I would like to explain them.
ebp -- stack bottom pointer
esp -- stack top pointer
The simplified call sequence is as follows:
void Layer02()
{
    int b = 2;
}

void Layer01()
{
    int a = 1;
    Layer02();
}
So how do EBP and ESP change while the function executes? Here is the disassembly:
void Layer02()
{
00413700  push        ebp
00413701  mov         ebp,esp
00413703  sub         esp,0CCh
00413709  push        ebx
0041370A  push        esi
0041370B  push        edi
0041370C  lea         edi,[ebp-0CCh]
00413712  mov         ecx,33h
00413717  mov         eax,0CCCCCCCCh
0041371C  rep stos    dword ptr es:[edi]
    int b = 2;
0041371E  mov         dword ptr [b],2
}
00413725  pop         edi
00413726  pop         esi
00413727  pop         ebx
00413728  mov         esp,ebp
0041372A  pop         ebp
0041372B  ret
We see that the function begins with the following two lines:
00413700  push        ebp
00413701  mov         ebp,esp
and executes the following before returning:
00413728  mov         esp,ebp
0041372A  pop         ebp
0041372B  ret
So what do these lines mean? Take the first two: push ebp saves the caller's stack bottom pointer (call it EBP1) on the stack, and then the current stack top (ESP1) becomes the stack bottom of the called function's frame, which is exactly what the next statement does:
00413701  mov         ebp,esp
And what do the statements just before the return mean?
I think you have already guessed it: when the function returns, we perform the reverse of that process:
00413728  mov         esp,ebp
Restore the stack top pointer.
0041372A  pop         ebp
Restore the stack bottom pointer.
0041372B  ret
Return to the point from which the function was called and continue execution there. To be continued ...
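As an added illustration (not code from the original post), here is a small Python model that steps through exactly the instruction sequence above and checks that the epilogue restores ESP and EBP; the addresses, register contents and the slot of b ([ebp-8]) are constructed assumptions.

```python
# Toy model of the x86-32 frame prologue/epilogue above (added example, not
# from the original post); addresses, register values and b's slot are constructed.
WORD = 4                 # one stack slot on 32-bit x86
RET_ADDR = 0x00413860    # constructed return address pushed by CALL

class Cpu:
    def __init__(self, esp=0x0019FF00, ebp=0x0019FF40):   # constructed values
        self.esp, self.ebp = esp, ebp
        self.mem = {}                    # sparse stack memory: addr -> dword
        self.regs = {"ebx": 0x11, "esi": 0x22, "edi": 0x33}

    def push(self, value):
        self.esp -= WORD
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem[self.esp]
        self.esp += WORD
        return value

def call_layer02(cpu):
    """Run CALL Layer02 through RET; return a snapshot taken inside the body."""
    cpu.push(RET_ADDR)               # CALL pushes the return address
    cpu.push(cpu.ebp)                # 00413700 push ebp     (save caller's EBP1)
    cpu.ebp = cpu.esp                # 00413701 mov ebp,esp  (ESP1 becomes frame base)
    cpu.esp -= 0xCC                  # 00413703 sub esp,0CCh (room for locals)
    for r in ("ebx", "esi", "edi"):  # push ebx / push esi / push edi
        cpu.push(cpu.regs[r])
    for addr in range(cpu.ebp - 0xCC, cpu.ebp, WORD):
        cpu.mem[addr] = 0xCCCCCCCC   # rep stos: debug fill of the local area
    cpu.mem[cpu.ebp - 8] = 2         # int b = 2   (b assumed to live at [ebp-8])
    snap = {"ebp": cpu.ebp, "esp": cpu.esp, "mem": dict(cpu.mem)}
    for r in ("edi", "esi", "ebx"):  # pop edi / pop esi / pop ebx
        cpu.regs[r] = cpu.pop()
    cpu.esp = cpu.ebp                # 00413728 mov esp,ebp  (discard locals)
    cpu.ebp = cpu.pop()              # 0041372A pop ebp      (restore caller's EBP1)
    snap["ret_to"] = cpu.pop()       # 0041372B ret          (pop return address)
    return snap

def demo():
    cpu = Cpu()
    before = (cpu.esp, cpu.ebp)
    snap = call_layer02(cpu)
    snap["restored"] = (cpu.esp, cpu.ebp) == before  # epilogue undid the prologue
    return snap

if __name__ == "__main__":
    s = demo()
    print(f"body: ebp={s['ebp']:#x} esp={s['esp']:#x} saved ebp={s['mem'][s['ebp']]:#x} "
          f"ret={s['mem'][s['ebp'] + 4]:#x} restored={s['restored']}")
```

Inside the body, [ebp] holds the caller's EBP1 and [ebp+4] the return address, with ESP sitting 0CCh plus three saved registers below EBP.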