Function calling process of an advanced language disassembly Program
Jim Chan
After a high-level language is compiled into an assembly program, the function calling procedure in the advanced language is as follows:
1. Add function parameters to the stack. The first parameter is at the top of the stack, and the last parameter is at the bottom of the stack.
2. Execute the call command, call the function, and enter the function code space.
A. Execute the call command and add the address of the next code line of the Call command to the stack.
B. after entering the function code space, put the base address pointer EBP into the stack, then let the base address pointer EBP point to the top of the current stack, and use it to access function input parameters in the stack and other data in the stack.
C. The stack pointer ESP reduces a value, such as 44 h, and moves up a distance to leave a space for the function as a temporary storage area.
{
// After the above preparations are completed, the function is officially executed, as shown below.
D. import values from other pointers or registers into the stack so that these registers can be used in functions.
E. Run the code.
F. Execute return () to return the execution result and store the returned value to eax.
G. in step 2. D, the pointer goes out of the stack.
}
H. Pass the EBP value to the stack pointer ESP so that the ESP is restored to the value before 2.c. The value of EBP is at the top of the stack.
I. The base address pointer EBP goes out of the stack and is restored to the EBP value before 2. B.
J. Execute the RET command. The address of the "call function" goes out of the stack. This function returns to the next line of the Call Command.
3. The function returns to the next line of the Call Command and adds a value to the stack pointer to restore the stack pointer to the value before step 1 is executed. This value is the total length of the first entry stack parameter.
Note:
1. The stack pointer ESP points to the cursor bit of the new incoming stack data at the top of the stack.
2. The offset pointer in the MOV command points to the cursor bit of the data that is "MOV. The following command uploads the ebp + 8 to ebp + 11 four bytes to the eax register.
00402048 mov eax, dword ptr [ebp + 8]
An example is as follows:
Function calls in advanced language code are as follows:
117: bR = t1 (p );
The Assembly Code is as follows:
00401FB8 mov ecx, dword ptr [ebp-8]; add parameters to ecx registers
00401FBB push ecx; parameter into Stack
00401FBC call @ ILT + 10 (t1) (0040100f); function call, next line address 00401FC1 into Stack
00401fc1 add ESP, 4; function return, stack pointer plus 4, restore to the value of 00401fb8
00401fc4 mov dword ptr [ebp-10h], eax; extract the function return value in advanced language from eax and put it in the BR variable
The T1 function is as follows:
125: bool T1 (void * P)
126 :{
00402030 push EBP; EBP into Stack
00402031 mov EBP, esp; EBP points to the top of the stack at this time
00402033 sub ESP, 44 h; esp reduces a value and leaves a storage Zone
00402036 push EBX; Add the values of the three registers to the stack so that they can be used in functions.
00402037 push ESI;
00402038 push EDI;
00402039 Lea EDI, [ebp-44h];
0040203C mov ecx, 11 h;
00402041 mov eax, 0 CCCCCCCCh;
00402046 rep stos dword ptr [edi];
127: int * q = (int *) p ;;
00402048 mov eax, dword ptr [ebp + 8]; ebp + 8 points to the bitwise address of the function input parameter;
If it is ebp + 4, it points to the second bit of the return address 00401FC1 of the function, and the value is C1.
0040204B mov dword ptr [ebp-4], eax;
128: Return 0 ;;
0040204e XOR eax, eax; the returned values are put into the eax register.
129 :}
00402050 pop EDI; three register output stacks
00402051 pop ESI;
00402052 pop ebx;
00402053 mov ESP, EBP; esp Restoration
00402055 pop EBP; EBP goes out of the stack, and its value is restored.
00402056 ret; return the Code address stored on the top of the stack: 00401fc1
If the return address is modified unfortunately, the program will encounter an accident.
The above assembly code is compiled by VC ++ 6.0.
After the EBP stack is added to the stack:
Low Level
Zookeeper
Memory Address Stack
Zookeeper
0012f600 ├ ── ─ ┤ ← EDI = 0012f600
│
0012f604 ├ ── ┄ ─ ── ┤
│
│
Memory size of 44h
Zookeeper
│
│
0012F640 0000-000000000000000000000000-0000
│
0012F644 ├ ── ─ ┤ ← ebp points to this unit after being assigned a value. At this time, ebp = 0012F644
│ AC F6 12 00 │ ebp value is the value before esp
0012F648 ├ ── ─ ──
│ C1 1F 40 00 │ return address
0012F64C ├ ── ─ ┤ %ebp + 8
│ A0 F6 12 00 │ value of the real parameter p of the Function
0012F650 ├ ── ─ ──
│ |
├ ── ─ ┤
Zookeeper
Note: memory storage space stacks are arranged from high to low. The addresses marked on the left are the two-digit addresses of the lower right storage unit. For example, 0012F644 points to the AC byte of 0012F6AC, And the AC is at the top of the stack. In the figure, the content in the memory is written from low to high. "AC F6 12 00" = 0x0012F6AC