The essence of function call in C language from the perspective of Assembly

Source: Internet
Author: User

I am writing a post this afternoon to analyse the nature of a function call in C. First, we know that a function in C is essentially a piece of code that has been given a name, and that name is the starting address of its code.

That is also the essence of a function name: it is really a label in assembly. Below we will meet a few things such as EIP, which is what we usually call the program counter, and EBP and ESP (two pointers; recall the SP stack pointer from when we learned the 8086). EBP points to the bottom of the stack frame, does not change during a procedure call, and is also called the frame pointer. ESP points to the top of the stack and moves as the program executes: ESP decreases to allocate space and increases to free it, and it is called the stack pointer. Don't worry about that for now (variables on the stack are laid out from high addresses to low addresses).

All right, let's get to the actual topic:

1. Look at the picture first; here is the calling code.

    #include <stdio.h>

    int fun(int a, int b)
    {
        int c = 0;
        c = a + b;
        return c;
    }

    int main(void)
    {
        int a = 1;
        int b = 3;
        fun(a, b);
        return 0;
    }

The disassembled code:

    --- assembly code (thunk table) -------------------------------------------
    __CxxUnhandledExceptionFilter:
    00A51113  jmp  __CxxUnhandledExceptionFilter (0A525E0h)
    ___CxxSetUnhandledExceptionFilter:
    00A51118  jmp  ___CxxSetUnhandledExceptionFilter (0A52660h)
    [email protected]:
    00A5111D  jmp  [email protected] (0A53BB0h)
    _fun:                                   ; pay attention to fun here
    00A51122  jmp  fun (0A513C0h)           ; you can see fun jumps to 0A513C0h
    __unlock:
    00A51127  jmp  __unlock (0A536F4h)
    [email protected]:
    00A5112C  jmp  [email protected] (0A53BB6h)
    @[email protected]:
    00A51131  jmp  _RTC_CheckStackVars2 (0A51490h)
    ___set_app_type:
    00A51136  jmp  ___set_app_type (0A5269Eh)
    --- the real address of the called function --------------------------------
         1: #include <stdio.h>
         2:
         3: int fun(int a, int b)
         4: {
    00A513C0  push ebp                      ; push ebp: protect the caller's EBP
    00A513C1  mov  ebp,esp                  ; give EBP the current ESP; in other words
                                            ; EBP now points here, the bottom of the stack frame
    00A513C3  sub  esp,0CCh
    00A513C9  push ebx
    00A513CA  push esi
    00A513CB  push edi
    00A513CC  lea  edi,[ebp-0CCh]
    00A513D2  mov  ecx,33h
    00A513D7  mov  eax,0CCCCCCCCh
    00A513DC  rep stos dword ptr es:[edi]
         5: int c = 0;
    00A513DE  mov  dword ptr [c],0
         6: c = a + b;
    00A513E5  mov  eax,dword ptr [a]
    00A513E8  add  eax,dword ptr [b]
    00A513EB  mov  dword ptr [c],eax
         7: return c;
    00A513EE  mov  eax,dword ptr [c]
         8:
         9: }
    00A513F1  pop  edi
    00A513F2  pop  esi
    00A513F3  pop  ebx
    00A513F4  mov  esp,ebp
    00A513F6  pop  ebp
    00A513F7  ret
    --- main function ----------------------------------------------------------
        10: int main(void)
        11: {
    00A51A11  mov  ebp,esp
    00A51A13  sub  esp,0D8h
    00A51A19  push ebx
    00A51A1A  push esi
    00A51A1B  push edi
    00A51A1C  lea  edi,[ebp-0D8h]
    00A51A22  mov  ecx,36h
    00A51A27  mov  eax,0CCCCCCCCh
    00A51A2C  rep stos dword ptr es:[edi]
        12: int a = 1;
    00A51A2E  mov  dword ptr [a],1          ; define variable a
        13: int b = 3;
    00A51A35  mov  dword ptr [b],3          ; define variable b
        14: fun(a, b);
    00A51A3C  mov  eax,dword ptr [b]        ; load variable b into eax
    00A51A3F  push eax                      ; push eax, i.e. push b onto the stack
    00A51A40  mov  ecx,dword ptr [a]        ; same for a
    00A51A43  push ecx
    00A51A44  call _fun (0A51122h)          ; the call itself; in assembly the function name
                                            ; gets an underscore prefix when it is treated as a label;
                                            ; the address is 0A51122h, so look above to see where we go
    00A51A49  add  esp,8
        15:
        16:
        17: return 0;
    00A51A4C  xor  eax,eax
        18: }
    00A51A4E  pop  edi
    00A51A4F  pop  esi
    00A51A50  pop  ebx
    00A51A51  add  esp,0D8h
    00A51A57  cmp  ebp,esp
    00A51A59  call __RTC_CheckEsp (0A5113Bh)
    00A51A5E  mov  esp,ebp
    00A51A60  pop  ebp
    00A51A61  ret
    --- no source file ---------------------------------------------------------
2. Now that you have looked at the listing above, let me explain.

The disassembly above was done in VS; I had originally planned to do it under GCC, but got lazy. First, the function call process: a function call is really a jump in assembly to an address, and in assembly the jump goes to the address of a label. That is easy to understand: if I don't know your address, how can I find you? But before jumping, we need to record the return address and some of the current register state (because the called function may also use those registers), and we also need to push the function's parameters. Let's look at a picture.

As we can see from the figure above, the function parameters are pushed in order from right to left. Once they are pushed, call is executed. Call does two things: it pushes the return address onto the stack, and then it modifies the program counter EIP so that execution jumps to the function. Then the contents of EBP are pushed (we won't say why yet) and ESP is assigned to EBP. That is, EBP is changed to the current ESP, and since ESP is the top of the stack, both now point to the top of the stack. Then the local variables and perhaps other things follow, for example in a recursive call the next function's parameters, return address, and so on. Now, what is EBP for: EBP points to the bottom of one stack frame within the stack, and ESP points to its top. We use offsets from EBP to access the local variables and parameters. The next thing to talk about is how the function returns. In fact the local variables are discarded in turn and finally the old EBP is popped into EBP, so EBP again refers to the bottom of the previous stack frame. But how do the local variables leave the stack: are they popped? What would be the use of popping them? Local variables are useless once the function is done, so there is no need to pop them into registers; instead EBP gives its value to ESP, so ESP moves from the previous stack top to the bottom of the frame, the place EBP marks. Then the old EBP is popped into EBP, so EBP goes back to the previous EBP, and ESP moves by 4. ESP now points to the return address, which is popped back into EIP; ESP moves by another 4 and is back at the new stack top. The returning instruction is ret.

Actually this process is not very difficult, just tedious. You need to analyse the stack diagram. The key is to understand that the abandonment of local variables comes from EBP's modification of ESP (the mov esp,ebp in the listing).
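To make the push/call/frame/ret sequence above concrete, here is a small C model of it, added here and not part of the original post. A word array stands in for the stack, esp/ebp/eip are emulated registers, and fun_asm/call_fun mirror the instructions in the listing (the return address 0A51A49h is taken from the listing; the names Cpu, push, pop, at, fun_asm and call_fun are assumed for this example).

```c
/* Added example (not from the original post): a C model of the x86 stack
 * frame shown in the listing. A word array stands in for the stack;
 * esp/ebp are byte addresses that grow downward like the real registers. */
#include <stdint.h>
#define STACK_WORDS 64

typedef struct {
    uint32_t mem[STACK_WORDS];  /* 4-byte slots, indexed by address / 4 */
    uint32_t esp, ebp, eip;
} Cpu;

static void push(Cpu *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t pop(Cpu *c) { uint32_t v = c->mem[c->esp / 4]; c->esp += 4; return v; }
static uint32_t *at(Cpu *c, uint32_t addr) { return &c->mem[addr / 4]; }

/* Callee, mirroring fun(): args at [ebp+8] and [ebp+12], local c at [ebp-4]. */
static uint32_t fun_asm(Cpu *c)
{
    push(c, c->ebp);                     /* push ebp    : save caller's EBP         */
    c->ebp = c->esp;                     /* mov ebp,esp : bottom of the new frame   */
    c->esp -= 4;                         /* sub esp,4   : room for c (VS used 0CCh) */
    *at(c, c->ebp - 4) = 0;              /* mov dword ptr [c],0                     */
    uint32_t eax = *at(c, c->ebp + 8);   /* mov eax,dword ptr [a]                   */
    eax += *at(c, c->ebp + 12);          /* add eax,dword ptr [b]                   */
    *at(c, c->ebp - 4) = eax;            /* mov dword ptr [c],eax                   */
    eax = *at(c, c->ebp - 4);            /* mov eax,dword ptr [c]   (return c)      */
    c->esp = c->ebp;                     /* mov esp,ebp : locals are abandoned      */
    c->ebp = pop(c);                     /* pop ebp     : caller's EBP is back      */
    c->eip = pop(c);                     /* ret         : return address into EIP   */
    return eax;
}

/* Caller, mirroring main(): pushes b then a, "calls" fun, then removes 8 bytes.
 * Returns fun's result; *restored says whether esp/ebp/eip came back correctly. */
static uint32_t call_fun(uint32_t a, uint32_t b, int *restored)
{
    Cpu c = { .esp = STACK_WORDS * 4, .ebp = STACK_WORDS * 4, .eip = 0 };
    uint32_t esp0 = c.esp, ebp0 = c.ebp, ret_addr = 0x00A51A49; /* from the listing */
    push(&c, b);                         /* push eax  : arguments go right to left  */
    push(&c, a);                         /* push ecx                                */
    push(&c, ret_addr);                  /* call _fun : pushes the return address   */
    uint32_t eax = fun_asm(&c);
    c.esp += 8;                          /* add esp,8 : caller removes the arguments*/
    *restored = (c.esp == esp0 && c.ebp == ebp0 && c.eip == ret_addr);
    return eax;
}
```

call_fun(1, 3, &ok) returns 4 with ok set to 1, showing that after ret and add esp,8 both ESP and EBP are exactly where they were before the call.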
