Win32 assembly [18]: push and pop

Source: Internet
Author: User
Because the stack is used from high addresses down to low addresses, newly pushed data sits at a lower address than what was there before.
ESP always points to this newest location, so the address held in ESP changes constantly.

Each push does ESP = ESP - X; each pop does ESP = ESP + X.
X can only be 4 or 2, because a Win32 push can only push 32-bit (the default) or 16-bit data.

ESP is called the "stack top" pointer; in fact it points to the data at the lowest address in the stack.

Watch ESP change in an example:

; Test18_1.asm
.386
.model flat, stdcall
include windows.inc
include kernel32.inc
include masm32.inc
include debug.inc
includelib kernel32.lib
includelib masm32.lib
includelib debug.lib

.data
ddval1 dd 1
ddval  dd 2
dwval1 dw 3
dwval2 dw 4

.code
main proc
    PrintHex esp        ; 0012ffa4
    push ddval1
    PrintHex esp        ; 0012ffa0
    push ddval
    PrintHex esp        ; 0012ff9c
    push dwval1         ; a word push moves ESP by 2
    PrintHex esp        ; 0012ff9a
    push dwval2
    PrintHex esp        ; 0012ff98
    pop dwval2
    PrintHex esp        ; 0012ff9a
    pop dwval1
    PrintHex esp        ; 0012ff9c
    pop ddval
    PrintHex esp        ; 0012ffa0
    pop ddval1
    PrintHex esp        ; 0012ffa4
    ret
main endp
end main


Calling a function by pushing its parameters onto the stack, which reveals what invoke really does:

.386
.model flat, stdcall
include windows.inc
include kernel32.inc
include user32.inc
include masm32.inc
include debug.inc
includelib kernel32.lib
includelib user32.lib
includelib masm32.lib
includelib debug.lib

.data
szMsg     db 'Hello world!', 0
szCaption db 'hi', 0

.code
main proc
    ; invoke MessageBox, NULL, addr szMsg, addr szCaption, MB_OK
    ; Call MessageBox by pushing the parameters ourselves; invoke merely
    ; simplifies this step. C and system functions read their parameters
    ; from right to left, so the rightmost parameter is pushed first and
    ; the leftmost one last.
    push MB_OK              ; a constant is pushed as 32-bit data by default
    push offset szCaption
    push offset szMsg
    push NULL
    call MessageBox
    ; MessageBox is stdcall: the callee removes its four parameters itself
    ; (ret 16), so the caller must not pop anything after the call.

    ; invoke ExitProcess, NULL
    push NULL
    call ExitProcess
main endp
end main


As the example above shows, a function call needs its parameters pushed onto the stack.

Another important use of push is to protect data. Before a function is called, EIP must be protected first; it holds the address of the instruction after the call, where execution resumes when the function returns.
The call instruction first pushes EIP onto the stack at ESP, and the ret instruction finally pops it back into EIP. So what must be kept safe across the call is ESP itself.
Because ESP is dynamic, the usual practice is to save EBP and then copy ESP into EBP, like this:

    push ebp            ; save the caller's EBP
    mov ebp, esp        ; EBP now holds a fixed copy of ESP
    ; ... body of the function or subroutine
    mov esp, ebp        ; discard whatever the body pushed
    pop ebp             ; restore the caller's EBP
    ; leave             ; the leave instruction does the same as the two lines above


Looking in the debugger at the ESP-protecting code that the assembler adds:

; Test18_3.asm
; This is an example for debugging.
.386
.model flat, stdcall
include windows.inc
include kernel32.inc
include masm32.inc
include debug.inc
includelib kernel32.lib
includelib masm32.lib
includelib debug.lib

.code
; sum function
sumproc proc v1:DWORD, v2:DWORD, v3:DWORD
    mov eax, v1
    add eax, v2
    add eax, v3
    ret
sumproc endp

; main
main proc
    invoke sumproc, 11, 22, 33
    PrintDec eax        ; 66
    ret
main endp
end main

; ------------------------
; Ctrl+T sets or clears a breakpoint; Ctrl+D runs under the debugger.
; The code of sumproc, as shown by the debugger:
;     push ebp
;     mov ebp, esp
;     mov eax, dword ptr ss:[ebp+8]
;     add eax, dword ptr ss:[ebp+C]
;     add eax, dword ptr ss:[ebp+10]
;     leave
; So the protection of ESP is done by the assembler. This also shows the main
; use of the EBP register: holding a stable copy of ESP so that the parameters
; can be addressed at fixed offsets from it.

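The push/pop arithmetic of Test18_1 and the stdcall frame that invoke builds in Test18_3, modelled in C as an added example (this is not code from the original page). The 64 KiB stack window, the start value 0012ffa4 and the return address 00401019 are constructed so the numbers line up with the listings above.

```c
#include <stdint.h>

/* Tiny model of the Win32 stack (added example, not from the page). The 64 KiB
 * window below 0x00130000 and the start value 0012ffa4 are constructed so the
 * ESP values come out as those printed by Test18_1. */
#define STACK_BASE 0x00120000u
static uint8_t mem[0x10000];
static uint32_t esp, ebp;                        /* the registers under discussion */

static uint8_t *at(uint32_t a) { return mem + (a - STACK_BASE); }
static uint32_t rd(uint32_t a, int n) {          /* little-endian load of n bytes */
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint32_t)at(a)[i] << (8 * i);
    return v;
}
/* push: esp = esp - X, pop: esp = esp + X, with X = 4 (dword) or 2 (word) */
static void push(uint32_t v, int n) {
    esp -= n;
    for (int i = 0; i < n; i++) at(esp)[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t pop(int n) { uint32_t v = rd(esp, n); esp += n; return v; }

/* Test18_1: ESP after two dword pushes and two word pushes is recorded in
 * trace18_1; all four are then popped and the final ESP is returned. */
uint32_t trace18_1[4];
uint32_t run_test18_1(void) {
    esp = 0x0012ffa4;
    push(1, 4); trace18_1[0] = esp;              /* 0012ffa0 */
    push(2, 4); trace18_1[1] = esp;              /* 0012ff9c */
    push(3, 2); trace18_1[2] = esp;              /* 0012ff9a */
    push(4, 2); trace18_1[3] = esp;              /* 0012ff98 */
    pop(2); pop(2); pop(4); pop(4);
    return esp;                                  /* back at 0012ffa4 */
}

/* Test18_3: what "invoke sumproc, v1, v2, v3" expands to under stdcall: args
 * pushed right to left, "call" pushes the return EIP, the callee parks ESP in
 * EBP, "leave" undoes that and "ret 0C" drops the three args. Returns EAX and
 * records in stack_balanced whether ESP is back where it started. */
int stack_balanced;
uint32_t call_sumproc(uint32_t v1, uint32_t v2, uint32_t v3) {
    uint32_t start = esp = 0x0012ffa4, eax;
    push(v3, 4); push(v2, 4); push(v1, 4);       /* v1 pushed last: nearest to EBP */
    push(0x00401019, 4);                         /* call: return EIP (constructed) */
    push(ebp, 4); ebp = esp;                     /* push ebp / mov ebp, esp */
    eax = rd(ebp + 8, 4) + rd(ebp + 0xC, 4) + rd(ebp + 0x10, 4);   /* [ebp+8] = v1 */
    esp = ebp; ebp = pop(4);                     /* leave */
    (void)pop(4); esp += 12;                     /* ret 0C: pop EIP, discard args */
    stack_balanced = (esp == start);
    return eax;                                  /* 66 for 11, 22, 33 */
}
```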

Reading data in the stack through offsets from ESP:

; Test18_4.asm
.386
.model flat, stdcall
include windows.inc
include kernel32.inc
include masm32.inc
include debug.inc
includelib kernel32.lib
includelib masm32.lib
includelib debug.lib

.code
main proc
    push 111
    push 222
    push 333
    push 444
    mov eax, [esp]      ; the newest value is at the top
    PrintDec eax        ; 444
    mov eax, [esp+4]
    PrintDec eax        ; 333
    mov eax, [esp+12]
    PrintDec eax        ; 111
    add esp, 16         ; discard all four pushed dwords before returning
    ret
main endp
end main


To summarize, push and pop have two main uses: 1. saving and restoring data; 2. passing function parameters.

Stack push and pop instructions:

    push (pushw, pushd) / pop    push or pop a 16-bit or 32-bit operand; 32-bit is the default
    pushad / popad               eax, ecx, edx, ebx, esp, ebp, esi, edi
    pusha / popa                 ax, cx, dx, bx, sp, bp, si, di
    pushfd / popfd               eflags
    pushf / popf                 the low 16 bits of eflags

