#include <stdio.h>

int goo(int a, int b)
{
    return a + b;
}

void foo()
{
    int a[] = {1, 2, 3};
    int result = goo(a[1], a[2]);
    printf("result: %d", result);
}
Compiled with Visual Studio 2010 as a 32-bit Debug build (the 0CCCCCCCCh fill and the oversized locals area below are Debug-build behaviour).
Assembly of the foo function (the excerpt stops at the return from goo; the printf call and foo's epilogue, where the cookie stored at [ebp-4] is checked, are not shown):
00EB3890 push ebp
00EB3891 mov ebp,esp
00EB3893 sub esp,0E4h
00EB3899 push ebx
00EB389A push esi
00EB389B push edi
00EB389C lea edi,[ebp-0E4h]
00EB38A2 mov ecx,39h
00EB38A7 mov eax,0CCCCCCCCh
00EB38AC rep stos dword ptr es:[edi]
00EB38AE mov eax,dword ptr [___security_cookie (0EB7000h)]
00EB38B3 xor eax,ebp
00EB38B5 mov dword ptr [ebp-4],eax
    int a[] = {1, 2, 3};
00EB38B8 mov dword ptr [ebp-14h],1
00EB38BF mov dword ptr [ebp-10h],2
00EB38C6 mov dword ptr [ebp-0Ch],3
    int result = goo(a[1], a[2]);
00EB38CD mov eax,dword ptr [ebp-0Ch]
00EB38D0 push eax
00EB38D1 mov ecx,dword ptr [ebp-10h]
00EB38D4 push ecx
00EB38D5 call goo (0EB11E5h)
00EB38DA add esp,8
Complete assembly of the goo function ([a] and [b] are the debugger's symbolic names for the argument slots [ebp+8] and [ebp+0Ch]; goo has no array, so no security cookie is set up):
00EB1580 push ebp
00EB1581 mov ebp,esp
00EB1583 sub esp,0C0h
00EB1589 push ebx
00EB158A push esi
00EB158B push edi
00EB158C lea edi,[ebp-0C0h]
00EB1592 mov ecx,30h
00EB1597 mov eax,0CCCCCCCCh
00EB159C rep stos dword ptr es:[edi]
    return a + b;
00EB159E mov eax,dword ptr [a]
00EB15A1 add eax,dword ptr [b]
}
00EB15A4 pop edi
00EB15A5 pop esi
00EB15A6 pop ebx
00EB15A7 mov esp,ebp
00EB15A9 pop ebp
00EB15AA ret
foo: push ebp / mov ebp,esp
Save the caller's EBP on the stack and set EBP to the current ESP. EBP is now the fixed base of foo's frame: the arguments live above it, the locals below it.

foo: sub esp,0E4h
Reserve 0E4h bytes for locals, far more than a[] and result need; the following rep stos (ecx = 39h dwords = 0E4h bytes) fills the whole area with 0CCCCCCCCh so that uninitialized locals are recognizable in the debugger. The security cookie (___security_cookie xor EBP) is then stored at [ebp-4], directly below the saved EBP, so that an overflow of a[] would have to overwrite the cookie before reaching the saved EBP and the return address.

foo: push ebx / push esi / push edi
Save the callee-saved registers; each push moves ESP down by 4.

foo: mov dword ptr [ebp-14h],1 / [ebp-10h],2 / [ebp-0Ch],3
Initialize the local array a in place: its three elements sit at [ebp-14h], [ebp-10h] and [ebp-0Ch].

foo: push eax / push ecx
Push the two arguments for goo right to left: a[2] (loaded from [ebp-0Ch]) first, then a[1] (from [ebp-10h]). ESP moves down by 8, and the first argument ends up at the lower address, i.e. closest to the return address that is about to be pushed.

foo: call goo
The CPU pushes the return address (the address of the next instruction, add esp,8) and jumps to goo; ESP moves down by another 4.

goo: push ebp / mov ebp,esp / sub esp,0C0h / push ebx / push esi / push edi
goo saves foo's EBP and sets up its own EBP and ESP the same way, reserving 0C0h bytes although it declares no locals (again filled with 0CCCCCCCCh). Seen from goo, the arguments are at [ebp+8] (a) and [ebp+0Ch] (b), just above the saved EBP at [ebp] and the return address at [ebp+4].

goo: pop edi / pop esi / pop ebx / mov esp,ebp / pop ebp
The sum a + b is left in EAX as the return value. The saved registers are restored in reverse order, mov esp,ebp discards goo's locals area (ESP now points at the saved EBP), and pop ebp restores foo's EBP.

goo: ret
Pops the return address into EIP and moves ESP up by 4. ESP now points at the two pushed arguments, which are still on the stack.

foo: add esp,8
Back in foo, the caller discards the two arguments by adding 8 to ESP. This is the cdecl convention: the caller cleans up its own arguments.
The arguments could instead be removed by the callee on return (ret 8 in goo, as the stdcall convention does). Then no add esp,8 is needed at each call site and the compiled code is slightly smaller. Callee cleanup cannot support variadic functions such as printf, however: the callee does not know how many arguments were pushed, only the call site does. That is why cdecl, the default convention for C, leaves cleanup to the caller.
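The frame layout described above, as an added example that is not part of the original post: it reads the two slots the post describes (the caller's saved EBP at [ebp] and the return address at [ebp+4]) from a running program using the GCC/Clang builtins __builtin_frame_address(0) and __builtin_return_address(0), and checks that goo's saved frame pointer really is foo's frame pointer. It also includes a variadic callee, which has to be told its argument count because it cannot see how many words the caller pushed. The example assumes a frame-pointer ABI in which the saved frame pointer and the return address are adjacent, pointer-sized slots (x86, x86-64, AArch64); the names foo_probe, goo_probe, frame_chain_is_consistent and sum_varargs are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>

/* Snapshot of one frame record, as seen from inside the callee.
   On 32-bit x86 the slots are [ebp] and [ebp+4]; on x86-64 and AArch64 the
   same two slots exist at [fp] and [fp+8]. A stack-protector canary (the
   MSVC /GS cookie at [ebp-4]) sits just below these two words. */
struct frame_probe {
    void *frame;           /* this function's frame pointer (EBP / RBP / X29) */
    void *saved_caller_fp; /* word at [fp]: caller's frame pointer, pushed by the prologue */
    void *ret_addr;        /* word at [fp + sizeof(void *)]: pushed by the call instruction */
    void *builtin_ret;     /* compiler's own view of the return address, for cross-checking */
    int result;            /* value returned by the callee, stored by the caller */
};

/* Plays the role of goo: two arguments in, a + b out, plus a snapshot of its own frame.
   noinline keeps it a real call so that a frame record actually exists. */
__attribute__((noinline)) static int goo_probe(int a, int b, struct frame_probe *out)
{
    void **fp = (void **)__builtin_frame_address(0);
    out->frame = fp;
    out->saved_caller_fp = fp[0];
    out->ret_addr = fp[1];
    out->builtin_ret = __builtin_return_address(0);
    return a + b;
}

/* Plays the role of foo: initialises a[] and calls goo with a[1] and a[2].
   Using __builtin_frame_address(0) here forces this function to keep a frame
   pointer, and storing the result after the call prevents a tail-call jump. */
__attribute__((noinline)) static int foo_probe(struct frame_probe *out, void **my_fp)
{
    int a[] = {1, 2, 3};
    *my_fp = __builtin_frame_address(0);
    out->result = goo_probe(a[1], a[2], out);
    return out->result;
}

/* The page's computation: goo(a[1], a[2]) == 5. */
int add_via_frames(void)
{
    struct frame_probe p;
    void *foo_fp;
    return foo_probe(&p, &foo_fp);
}

/* 1 if the frame chain matches the post's description: the word goo saved at
   [fp] is foo's frame pointer and the word above it is goo's return address. */
int frame_chain_is_consistent(void)
{
    struct frame_probe p;
    void *foo_fp;
    (void)foo_probe(&p, &foo_fp);
    return p.saved_caller_fp == foo_fp && p.ret_addr == p.builtin_ret;
}

/* A variadic callee in the style of printf. It cannot tell how many arguments
   were pushed; the caller must say so (count), and only the caller can pop
   them afterwards, which is why such functions need caller cleanup (cdecl). */
int sum_varargs(int count, ...)
{
    va_list ap;
    int total = 0;
    va_start(ap, count);
    for (int i = 0; i < count; i++)
        total += va_arg(ap, int);
    va_end(ap);
    return total;
}

int main(void)
{
    struct frame_probe p;
    void *foo_fp;
    int result = foo_probe(&p, &foo_fp);
    printf("result: %d\n", result);
    printf("goo frame pointer      : %p\n", p.frame);
    printf("[fp]   saved caller fp : %p (foo's fp: %p)\n", p.saved_caller_fp, foo_fp);
    printf("[fp+%zu] return address : %p (builtin: %p)\n",
           sizeof(void *), p.ret_addr, p.builtin_ret);
    printf("frame chain consistent : %d\n", frame_chain_is_consistent());
    printf("sum_varargs(3, 10, 20, 30) = %d\n", sum_varargs(3, 10, 20, 30));
    return 0;
}
```

The printed addresses show the ordering the post walks through: goo's frame pointer is the lowest, the saved copy of foo's frame pointer sits at [fp], and the return address into foo sits one pointer above it. Anything that overflows a local buffer upward reaches exactly these two words, which is what the cookie at [ebp-4] in foo is there to detect.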