Reproduced from: http://www.cnblogs.com/pugang/archive/2012/05/25/2518499.html
Recently we have been analyzing a serious process-crash problem. Analyzing some of these crashes requires a clear understanding of EBP and ESP. I believe everyone is already familiar with them, but to keep this article self-contained, I will explain them here.
EBP: stack bottom (frame base) pointer
ESP: stack top pointer
The simplified calling sequence is as follows:
void layer02()
{
    int b = 2;
}
void layer01()
{
    int a = 1;
    layer02();
}
How do EBP and ESP change while the function executes? The disassembly (with source lines interleaved) is as follows:
void layer02()
{
00413700 push ebp
00413701 mov ebp,esp
00413703 sub esp,0CCh
00413709 push ebx
0041370a push esi
0041370b push edi
0041370c lea edi,[ebp-0CCh]
00413712 mov ecx,33h
00413717 mov eax,0CCCCCCCCh
0041371c rep stos dword ptr es:[edi]
    int b = 2;
0041371e mov dword ptr [b],2
}
00413725 pop edi
00413726 pop esi
00413727 pop ebx
00413728 mov esp,ebp
0041372a pop ebp
0041372b ret
We can see that when the function is entered, the first two instructions executed are:
00413700 push ebp
00413701 mov ebp,esp
and that the following instructions run just before it returns:
00413728 mov esp,ebp
0041372a pop ebp
0041372b ret
So what exactly do these lines mean? First, as shown above:
The first two instructions push the caller's frame base (ebp1) onto the stack, and then make the current stack top (esp1) the frame base for this function call. That is what the second instruction does:
00413701 mov ebp,esp
So what do the instructions executed before the return mean?
As you may have guessed, when the function call ends, the opposite sequence is executed:
00413728 mov esp,ebp
Restore the stack top pointer (discarding the locals)
0041372a pop ebp
Restore the stack bottom pointer (the caller's frame base)
0041372b ret
Return to the caller, which continues at the instruction following the call. To be continued...
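To make the ebp1/esp1 bookkeeping concrete, here is an added example (not from the original post): a small C model of a 32-bit stack that executes the prologue and epilogue above for layer01 calling layer02, then walks the saved-EBP chain the way a debugger reconstructs a backtrace from a crash dump. The return addresses, the local slot at ebp-4 and the stack size are constructed assumptions.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a 32-bit stack: addresses are byte offsets into stack_mem, growing down. */
#define STACK_BYTES 1024u
static uint32_t stack_mem[STACK_BYTES / 4];
typedef struct { uint32_t esp, ebp; } cpu_t;

static uint32_t *addr(uint32_t a) { assert(a % 4 == 0 && a < STACK_BYTES); return &stack_mem[a / 4]; }
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; *addr(c->esp) = v; }
static uint32_t pop(cpu_t *c) { uint32_t v = *addr(c->esp); c->esp += 4; return v; }

/* call + prologue: push return address; push ebp; mov ebp,esp; sub esp,N */
static void call_and_prologue(cpu_t *c, uint32_t ret_addr, uint32_t locals) {
    push(c, ret_addr);
    push(c, c->ebp);       /* push ebp    : save the caller's frame base (ebp1) */
    c->ebp = c->esp;       /* mov ebp,esp : the current top (esp1) becomes this frame's base */
    c->esp -= locals;      /* sub esp,0CCh: reserve space for locals */
}
/* epilogue: mov esp,ebp; pop ebp; ret  -> returns the popped return address */
static uint32_t epilogue_and_ret(cpu_t *c) {
    c->esp = c->ebp;       /* mov esp,ebp : drop locals, restore the stack top */
    c->ebp = pop(c);       /* pop ebp     : restore the caller's frame base */
    return pop(c);         /* ret         : pop the return address */
}
/* Follow the saved-EBP chain ([ebp] -> previous ebp, [ebp+4] -> return address),
   the way a debugger reconstructs a backtrace from a crash dump. */
static int walk_frames(const cpu_t *c, uint32_t *rets, int max) {
    int n = 0;
    for (uint32_t fp = c->ebp; fp != 0 && n < max; fp = *addr(fp)) rets[n++] = *addr(fp + 4);
    return n;
}
/* Run layer01 -> layer02 from the article; return 1 if every check passes, 0 otherwise.
   Return addresses are constructed; locals are placed at ebp-4 (an assumption). */
int run_demo(void) {
    cpu_t c = { STACK_BYTES, 0 };   /* ebp = 0 terminates the frame chain */
    uint32_t rets[4];
    call_and_prologue(&c, 0x00401010u, 0xCC);  /* caller -> layer01 */
    *addr(c.ebp - 4) = 1;                       /* int a = 1; */
    call_and_prologue(&c, 0x004136F0u, 0xCC);  /* layer01 -> layer02 */
    *addr(c.ebp - 4) = 2;                       /* mov dword ptr [b],2 */
    if (walk_frames(&c, rets, 4) != 2 || rets[0] != 0x004136F0u || rets[1] != 0x00401010u) return 0;
    if (epilogue_and_ret(&c) != 0x004136F0u || *addr(c.ebp - 4) != 1) return 0; /* back in layer01, a intact */
    if (epilogue_and_ret(&c) != 0x00401010u) return 0;
    return c.esp == STACK_BYTES && c.ebp == 0;   /* esp1 and ebp1 fully restored */
}
int main(void) { printf("frame model %s\n", run_demo() ? "ok" : "FAILED"); return 0; }
```

If a frame's saved EBP slot were overwritten, walk_frames would follow a bad pointer, which is exactly why a corrupted frame chain shows up as a truncated or nonsensical backtrace in crash analysis.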