What is the code after this code Disassembly?
# Include <stdio. h>
Long test (int a, int B)
{
A = a + 3;
B = B + 5;
Return a + B;
}
Int main (int argc, char * argv [])
{
Printf ("% d", test (10, 90 ));
Return 0;
}
Let's look at an overview.
16: int main (int argc, char * argv [])
17 :{
00401070 push ebp
00401071 mov ebp, esp
00401073 sub esp, 40 h
00401076 push ebx
00401077 push esi
00401078 push edi
00401079 lea edi, [ebp-40h]
00401_c mov ecx, 10 h
00401081 mov eax, 0 CCCCCCCCh
00401086 rep stos dword ptr [edi]
18: printf ("% d", test (10, 90 ));
00401088 push 5Ah
0040108A push 0Ah
00401_c call @ ILT + 0 (test) (00401005)
00401091 add esp, 8
00401094 push eax
00401095 push offset string "% d" (0042201c)
0040109A call printf (004010d0)
0040366f add esp, 8
19: return 0;
004010A2 xor eax, eax
20 :}
The following is an explanation.
Start to Enter Main function esp = 0x12FF84 ebp = 0x12FFC0
Complete the section in the oval box
00401070 push the value of ebp into the stack and save the site (call the site, from the test function, as shown in the red line, that is, the stored 0x12FF80 is used to return the value from the test function stack to the main function)
00401071 mov ebp, esp at this time ebp = 0x12FF80 at this time ebp is the base address of the "current function stack" to access the information in the stack; also, return from the top of the current function stack to the bottom of the stack
00401073 sub esp, 40 h
The stack used by the function. The default value is 64 bytes. The stack contains 16 horizontal bars (dense lines). At this time, esp = 0x12FF40.
In, the above dense line is the test function Stack space, and below is the Main Stack space (Supplement, in fact, this is called the Stack Frame)
00401076 push ebx
00401077 push esi
00401078 push edi into Stack
00401079 lea edi, [ebp-40h]
00401_c mov ecx, 10 h
00401081 mov eax, 0 CCCCCCCCh
00401086 rep stos dword ptr [edi]
Initialize the stack space for this function to 0 XCCCCCCCC, that is, from 0x12FF40 ~ 0x12FF80 all values are 0 xCCCCCCCC
18: printf ("% d", test (10, 90 ));
00401088 push 5Ah
0040108A push 0Ah
00401_c call @ ILT + 0 (test) (00401005)
Function call, turning to eip 00401005
Note: At this time, it is still in the stack. The next command in the stack is the address of the call test command. The second command is add esp, 8.
@ ILT + 0 (? Test @ YAJHH @ Z ):
00401005 jmp test (00401020)
Turn to the called function test
8: long test (int a, int B)
9 :{
00401020 push ebp
00401021 mov ebp, esp
00401023 sub esp, 40 h
00401026 push ebx
00401027 push esi
00401028 push edi
00401029 lea edi, [ebp-40h]
0040102C mov ecx, 10 h
00401031 mov eax, 0 CCCCCCCCh
00401036 rep stos dword ptr [edi] // These are the same as above
10: a = a + 3;
00401038 mov eax, dword ptr [ebp + 8] // ebp = 0x12FF24 and 8 [0x12FF30] Get the parameter 10
0040103B add eax, 3
0040103E mov dword ptr [ebp + 8], eax
11: B = B + 5;
00401041 mov ecx, dword ptr [ebp + 0Ch]
00401044 add ecx, 5
00401047 mov dword ptr [ebp + 0Ch], ecx
12: return a + B;
0040104A mov eax, dword ptr [ebp + 8]
0040104D add eax, dword ptr [ebp + 0Ch] // the final result is stored in eax, and the result is returned.
13 :}
00401050 pop edi
00401051 pop esi
00401052 pop ebx
00401053 mov esp, ebp // esp points to 0x12FF24. The stack space of the test function is abandoned and returned from the top of the current function stack to the bottom of the stack.
00401055 pop ebp // at this time, ebp = 0x12FF80, recovery site esp = 0x12FF28
00401056 ret is responsible for pushing the top 0x12ff28 value 00401091 to the instruction register, esp = 0x12FF30
Because win32 Assembly generally uses eax to return results, if the final result is not in eax, put it in eax.
Note: When the function is returned from the called function, the EBP is displayed, the address before the function call is restored, and the return address to the EIP is displayed to continue executing the program.
Return from the test function and execute
00401091 add esp, 8
Clear the stack, clear the parameters of the two pressure stacks 10 90 caller main is responsible
(The so-called _ cdecl call is called by the caller to recover the stack. The caller is only responsible for clearing the parameters of the stack. When the test function returns its stack space, it is cleared by itself! Always understand the error)
00401094 push eax into the stack, and the calculation result is 108 into the stack, that is, one of the parameters of the printf function into the stack
00401095 push offset string "% d" (0042201c) into the stack. The parameter "% d" is actually the address of % d.
The 0040109A call printf (004010d0) function calls printf ("% d", 108) because of the printf function
00400000f add esp, 8 clear stack, clear parameters ("% d", 108)
19: return 0;
004010A2 xor eax, eax cleared
20 :}
When the main function is executed, esp = 0x12FF34 ebp = 0x12FF80
004010A4 pop edi
004010A5 pop esi
004010A6 pop ebx
004010A7 add esp, 40 h // Why not use mov esp, ebp? For the following comparison
004010AA cmp ebp, esp // comparison. If different, chkesp is called and an exception is thrown.
004010AC call _ chkesp (00401150)
004010B1 mov esp, ebp
004010B3 pop ebp // ESP = 0X12FF84 EBP = 0x12FFC0 Dust dust soil all restore the initial calm :)
004010B4 ret
Another
1. If the function call method is _ stdcall, the difference is that
Add esp, 8
The last sentence of the test function is ret 8 (the test function clears the stack. ret 8 means esp + 8 after ret is executed)
2. How is command address 00401091 saved in 0x12FF28 during running?
Each stack space stores 4 bytes (4 bytes in granularity). For example, the next stack space 0x12FF2C stores 10 parameters.
Therefore
0x12FF28 0x12FF29 0x12FF2A 0x12FF2B
91 10 40 00
Little-endian considers the first byte it reads as the number of the smallest one.
3. char a [] = "abcde"
Assign a value to the local character array variable (stack variable), which is used to copy the string "abcde" from the global data memory area to the stack memory.
4. int szNum [5] = {1, 2, 3, 4, 5}; how is the stack distributed?
00401798 mov dword ptr [ebp-14h], 1
0040179F mov dword ptr [ebp-10h], 2
004017A6 mov dword ptr [ebp-0Ch], 3
004017AD mov dword ptr [ebp-8], 4
004017B4 mov dword ptr [ebp-4], 5
It can be seen that the stack is written from the right, so the stack is 5 4 3 2 1.
Int * ptrA = (int *) (& szNum + 1 );
Int * ptrB = (int *) (int) szNum + 1 );
Std: cout <ptrA [-1] <* ptrB <std: endl;
What are the results?
28: int * ptrA = (int *) (& szNum + 1 );
004017BB lea eax, [ebp]
004017BE mov dword ptr [ebp-18h], eax
& SzNum refers to the array pointer; plus 1 is to add an array width; & szNum + 1 points to the place after moving five int units, which is to assign the EBP address to the pointer
PtrA [-1] is to roll back an int * width, that is, the ebp-4.
29: int * ptrB = (int *) (int) szNum + 1 );
004017C1 lea ecx, [ebp-13h]
004017C4 mov dword ptr [ebp-1Ch], ecx
If the above is Pointer arithmetic, It is address arithmetic, just the first address + 1 byte offset, that is, the ebp-13h to the pointer
The actual storage is like this
01 00 00 00 02 00 00 00
Ebp-14h ebp-13h ebp-10h
Note that the int * type is used, and the last result is 00 00 02.
Because of Little-endian, the actual logical number is 02000000 to 33554432 in decimal format.
Output 533554432
From the trace