Compilation 1----C language functions 1

Source: Internet
Author: User

Construct the following C program, set a breakpoint at the appropriate location, and disassemble it in Visual Studio CTP6.

The line z = Add(1, 2); is analyzed below.

    int z;
    z = Add(1, 2);
009C170E 6A 02             push 2
009C1710 6A 01             push 1
009C1712 E8 8D FA FF FF    call 009C11A4
009C1717 83 C4 08          add esp,8
009C171A 89 45 F8          mov dword ptr [ebp-8],eax

Line 12 of the source, z = Add(1, 2);, compiles to the two push instructions that place the parameters on the stack, which proves that C function parameters are pushed onto the stack from right to left. Stepping through the two push instructions and watching the registers, we can see that each parameter pushed decrements ESP by 4. View the memory that ESP points to after push 1 executes:

You can see that 2 and 1 have just been pushed; ESP is the register that holds the stack-top pointer.

Next, analyze the next line, E8 8D FA FF FF.

E8 is the opcode of the call instruction. Its operand is stored little-endian, so the bytes 8D FA FF FF represent the value FFFFFA8D.

Call destination address = address of the call instruction + 5 bytes (the space the call instruction occupies) + the operand FFFFFA8D taken as a signed (two's-complement) displacement, i.e. minus 573h: 009C1712 + 5 - 573 = 009C11A4.

When the call instruction finishes executing, it jumps to the body of the function and records the return address 009c1717. So how does the function return? After stepping through the call instruction, I found that ESP changed from 00acf744 to 00acf664; because ESP changed so much, I guessed the function might use a private stack, but the contents at 00acf664 have nothing to do with the return address. So instead take the ESP value from before the call, subtract 4, and view the contents at that address:

It is exactly the return address of the function. That is, when the call instruction executes, the stack-top pointer changes and the return address is pushed onto the stack before the function body executes.

The call instruction is therefore equivalent to: 1. push the return address onto the stack; 2. jump to the target instruction.

The description in Intel's official manual:

Prior to branching to the first instruction of the called procedure, the CALL instruction pushes the address in the EIP register onto the current stack. This address is then called the return-instruction pointer and it points to the instruction where execution of the calling procedure should resume following a return from the called procedure.

Upon returning from a called procedure, the RET instruction pops the return-instruction pointer from the stack back into the EIP register. Execution of the calling procedure then resumes.

And the operations performed by the CALL and RET instructions:

Near call

When executing a near call, the processor does the following (see Figure 6-2 in the manual):

1. Pushes the current value of the EIP register on the stack.

2. Loads the offset of the called procedure in the EIP register.

3. Begins execution of the called procedure.

When executing a near return, the processor performs these actions:

1. Pops the Top-of-stack value (the return instruction pointer) into the EIP register.

2. If the RET instruction has an optional n argument, increments the stack pointer by the number of bytes specified with the n operand to release parameters from the stack.

3. Resumes execution of the calling procedure.

Far call

When executing a far call, the processor does the following:

1. Pushes the current value of the CS register on the stack.

2. Pushes the current value of the EIP register on the stack.

3. Loads the segment selector of the segment that contains the called procedure in the CS register.

4. Loads the offset of the called procedure in the EIP register.

5. Begins execution of the called procedure.

When executing a far return, the processor does the following:

1. Pops the Top-of-stack value (the return instruction pointer) into the EIP register.

2. Pops the Top-of-stack value (the segment selector for the code segment being returned to) into the CS register.

3. If the RET instruction has an optional n argument, increments the stack pointer by the number of bytes specified with the n operand to release parameters from the stack.

4. Resumes execution of the calling procedure.

It is not difficult to see that a far call is a jump across segments, which is why it also saves and loads the CS register.

(to be continued)
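As an added example (not code from the original post), the following C program models the 32-bit stack, near CALL and near RET steps described above and replays the listing: it decodes the E8 rel32 displacement at 009C1712 to 009C11A4, pushes the arguments right to left so ESP drops by 4 each time, and records where the return address 009C1717 lands. The STACK_BASE window, the starting ESP of 00ACF74C (chosen so ESP is the observed 00ACF744 just before the call) and the stand-in plain ret for Add's body are assumptions; Add's real prologue, which moved ESP to 00ACF664, is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_BASE 0x00ACF700u   /* lowest stack address modelled (assumed window) */
#define STACK_WORDS 64
typedef struct { uint32_t eip, esp; uint32_t mem[STACK_WORDS]; } cpu_t;

/* The call instruction from the listing: E8 rel32 located at 009C1712 */
static const uint8_t LISTING_CALL[5] = {0xE8, 0x8D, 0xFA, 0xFF, 0xFF};

/* Pointer to the modelled dword at stack address addr */
static uint32_t *at(cpu_t *c, uint32_t addr) { return &c->mem[(addr - STACK_BASE) / 4]; }
/* push: ESP -= 4, then store the value at [ESP] */
static void push32(cpu_t *c, uint32_t v) { c->esp -= 4; *at(c, c->esp) = v; }
/* pop: load [ESP], then ESP += 4 */
static uint32_t pop32(cpu_t *c) { uint32_t v = *at(c, c->esp); c->esp += 4; return v; }

/* Target of a 5-byte near CALL (E8 rel32) located at addr. rel32 is stored little-endian
 * and is signed, so target = addr + 5 + rel32 (unsigned wrap-around equals the signed add).
 * Returns 0 if the first byte is not the E8 opcode. */
uint32_t call_target(uint32_t addr, const uint8_t b[5]) {
    if (b[0] != 0xE8) return 0;
    uint32_t rel = (uint32_t)b[1] | (uint32_t)b[2] << 8 | (uint32_t)b[3] << 16 | (uint32_t)b[4] << 24;
    return addr + 5 + rel;
}

/* Near CALL: push the address of the next instruction, then jump to target. */
void near_call(cpu_t *c, uint32_t target, uint32_t insn_len) { push32(c, c->eip + insn_len); c->eip = target; }
/* Near RET n: pop the return address into EIP, then release n bytes of parameters. */
void near_ret(cpu_t *c, uint32_t n) { c->eip = pop32(c); c->esp += n; }

/* Replay the listing: push 2; push 1; call Add; ret (Add's body not modelled); add esp,8.
 * out[0] = ESP after both pushes, out[1] = ESP right after the call, out[2] = [ESP] at that
 * point (the return address), out[3] = EIP after ret, out[4] = ESP after the caller's cleanup. */
void replay_listing(cpu_t *c, uint32_t out[5]) {
    c->eip = 0x009C170E; c->esp = 0x00ACF74C;  /* assumed start: ESP is 00ACF744 just before the call */
    push32(c, 2); c->eip += 2;                 /* 6A 02  push 2: rightmost argument goes first */
    push32(c, 1); c->eip += 2;                 /* 6A 01  push 1 */
    out[0] = c->esp;
    near_call(c, call_target(c->eip, LISTING_CALL), 5);
    out[1] = c->esp; out[2] = *at(c, c->esp);  /* the return address now sits at [ESP] */
    near_ret(c, 0);                            /* cdecl callee: plain ret, the caller cleans up */
    out[3] = c->eip;
    c->esp += 8;                               /* 83 C4 08  add esp,8 */
    out[4] = c->esp;
}
/* One recorded value from the replay, for quick checks. */
uint32_t replay_value(int i) { cpu_t c = {0}; uint32_t o[5]; replay_listing(&c, o); return o[i]; }

int main(void) {
    uint32_t o[5]; cpu_t c = {0}; replay_listing(&c, o);
    printf("ESP after pushes %08X, after call %08X, [ESP]=%08X, EIP after ret %08X, final ESP %08X\n",
           o[0], o[1], o[2], o[3], o[4]);
    return 0;
}
```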
