Functions and assembly

Document directory

• 1. Function Parameters
• 3. Reference

This article is based on Win32 compilation.

1. Function Parameters

The growth direction of function stack is opposite to that of address, from high address to low address. ESP points to the top of the function stack, and EBP points to the bottom of the function stack.

Sub esp xxx pushes memory blocks of XXX length into the stack

Add esp xxx to bring up a stack of memory blocks of XXX Length

Example of parameter pressure stack Sequence

Int param1 = 1; 00c939df mov dword ptr [param1], 1 int param2 = 3; 00c939e6 mov dword ptr [param2], 3 int sum = pushparametersorderapp (param1, param2 ); # The pressure stack sequence is the opposite to the parameter Declaration Order! 00c939f0 mov eax, dword ptr [param2] # Put the param2 value into eax00c939f6 push eax # Pressure stack eax00c939f7 mov ECx, dword ptr [param1] # Put the param1 value into ecx00c939fa push ECx # Pressure stack ecx00c939fb call pushparametersorderapp (0c911f9h) # function call 00c93a00 add ESP, 8 # Remove the eax and ECx values of the previous stack. The pop operation adds ESP to 8, indicating that the stack growth direction is from high address to low address. 00c93a03 mov dword ptr [Sum], eax # function return value stored in eax in the sum variable # function call field int pushparametersorderapp (INT param1, int param2) {00e41f80 push EBP # Save the previous EBP pointer, esp + = 400e41f81 mov EBP, esp # assign the new ESP to EBP and direct it to 00e41f83 sub ESP at the bottom of the current function stack, 0d8h # reserve 216 (0d8) bytes for the current function stack frame, store the automatic variable 00e41f89 push EBX 00e41f8a push ESI 00e41f8b push EDI 00e41f8c Lea EDI, [ebp-0D8h] # stack top pointer address stored in edi00e41f92 mov ECx, 36 h #54 (36 h) integers on the stack, that is, 216 (0d8) bytes 00e41f97 mov eax, 0 cccccccch # initialized value 00e41f9c rep STOs dword ptr es: [EDI] # initialized stack space int temp1 = param1; 00e41f9e mov eax, dword ptr [param1] # storing the value of param1 into eax00e41fa1 mov dword ptr [temp1], eax # storing the value of eax in temp1 int temp2 = param2; 00e41fa4 mov eax, dword ptr [param2] # Similarly, 00e41fa7 mov dword ptr [temp2], eax return temp1 + temp2; 00e41faa mov eax, dword ptr [temp1] # Save the temp1 value to eax00e41fad add eax, dword ptr [temp2] # The sum result is stored in eax, which corresponds to the 00c93a03 row operation after the function is returned. The function result is in eax} 00fe1fb0 pop EDI 00fe1fb1 pop ESI 00fe1fb2 pop EBX 00fe1fb3 mov, EBP # restore esp00fe1fb5 pop EBP # restore EBP while ESP-= 400fe1fb6 RET

Pushparametersorderapp:

The code is relatively simple. sum the two variables and return the result. Several points are described through the compilation source code:

1) function parameter pressure stack sequence in C/C ++: opposite to declarative order

2) function stack frame definition: memory block between ESP and EBP

3) automatic variable Initialization on the stack, using 0 cccccccc

4) The function parameters are outside the function stack frame. For details, see the 00c939f6 and 00c939fa lines. The function partial variable parameters are defined on the stack.

Copy Value

Struct testitem {int A; int B; int arr [10] ;}; int passvalueapp (testitem item) {int value = item. a; int value1 = item. b; return value;} int passreferenceapp (testitem & item) {int value = item. a; int valu1 = item. b; return value;} int passpointerapp (testitem * Item) {int value = item-> A; int value1 = item-> B; return value;} testitem item = {1, 4, {1, 2, 3 }}; 00fe3948 mov dword ptr [item], 1 # & item. A = item, a set to 100fe394f mov dword ptr [ebp-30h], 4 # ebp-48 access b00fe3956 mov dword ptr [ebp-2Ch] Through EBP pointer, 1 # ebp-4400FE395D mov dword ptr [ebp-28h], 2 # ebp-4000FE3964 mov dword ptr [ebp-24h], 3 # ebp-3600FE396B XOR eax, eax # Set eax to zero 00fe1_d mov dword ptr [ebp-20h], eax # ebp-3200FE3970 mov dword ptr [ebp-1Ch], eax # ebp-2800FE3973 mov dword ptr [ebp-18h], eax # ebp-2400FE3976 mov dword ptr [ebp-14h], eax # ebp-2000FE3979 mov dword ptr [ebp-10h], eax # ebp-1600FE397C mov dword ptr [ebp-0Ch], eax # ebp-1200FE397F mov dword ptr [ebp-8], eax # ebp-8passValueApp (item); ###### transfer struct function ###### 00fe3982 sub ESP, 30 h # copy the parameter value, esp minus 48 (30 h) exactly the size of sizeof testitem 00fe3985 mov ECx, 0ch # specifies the number of copies, 0ch is 12 integers, and 48byte00fe398a Lea ESI, [item] # obtains the item address 00fe398d mov EDI, ESP # Copy Base Address: 00fe398f rep movs dword ptr es: [EDI], dword ptr [esi] # rep 12 times copy 00fe3991 call passvalue (0fe11e5h) #00fe3996 add ESP, 30 h # copy the parameter to the pop-up stack space, esp + = 48 passpointerapp (& item); ####### pointer passing function ##### 00fe3999 Lea eax, [item] # Get the item address and save it to eax00fe399c push eax # copy the parameter value, pressure stack eax ESP-= 400fe399d call passpointerapp (0fe11efh) #00fe39a2 add ESP, 4 # copy the parameter to the pop-up stack space, esp + = 4 passreferenceapp (item); 00fe39a5 Lea eax, [item] # The reference version and pointer at the Assembly layer are the same as 00fe39a8 push eax 00fe39a9 call passreferenceapp (0fe11eah) 00fe39ae add ESP, 4

This example illustrates how to copy the value of a function:

1) The passvalueapp function call needs to reserve 48 bytes of space on the stack frame. 00fe398d and 00fe398f copy the item struct. After the function is executed, the ESP is added with 48 bytes to copy the parameters to the stack.

2) The passpointerapp function transfers the pointer. Row 00fe399c copies the pointer variable to the stack. The function call completes the copy of ESP + 4 parameters to the stack.

3) The transfer principle of passreferenceapp is the same as that of pointer passing.

It can be seen that the big data structure must pass pointers or references.

2. function return value

# Function internal stack field testitem returnstructapp () {00ec3850 push EBP 00ec3851 mov EBP, esp 00ec3853 sub ESP, 0f8h 00ec3859 push EBX 00ec385a push ESI 00ec0000b push EDI 00ec385c Lea EDI, [ebp-0F8h] 00ec3862 mov ECx, 3eh 00ec3867 mov eax, 0 cccccccch 00ec20.c rep STOs dword ptr es: [EDI] testitem item = {1, 2, {3, 4, 5 }}; 00ec0000e mov dword ptr [item], 1 00ec3875 mov dword ptr [ebp-30h], 2 00ec387c mov dword ptr [ebp-2Ch], 3 00ec3883 mov dword ptr [ebp-28h], 4 00ec388a mov dword ptr [ebp-24h], 5 00ec3891 XOR eax, eax 00ec3893 mov dword ptr [ebp-20h], eax 00ec3896 mov dword ptr [ebp-1Ch], eax 00ec3899 mov dword ptr [ebp-18h], eax 00ec389c mov dword ptr [ebp-14h], eax 00ec389f mov dword ptr [ebp-10h], eax 00ec38a2 mov dword ptr [ebp-0Ch], eax 00ec38a5 mov dword ptr [ebp-8], eax return item; 00ec38a8 mov ECx, 0ch # copy length 12 integers 00ec38ad Lea ESI, [item] # obtain the item address 00ec38b0 mov EDI, dword ptr [EBP + 8] # temporary object 1 address 00ec38b3 rep movs dword ptr es: [EDI], dword ptr [esi] # copy the item content to EDI and point it to the memory zone. EDI is changed to 00ec38b5 mov eax, dword ptr [EBP + 8] # Save the temporary object 1 Address to the eax register, outgoing Function !} 00ec38b8 push edX 00ec38b9 mov ECx, EBP 00ec38bb push eax 00ec38bc Lea edX, [(bytes)] 00ec38c2 call @ ILT + 135 (@ _ rtc_checkstackvars @ 8) (0ec108ch) 00ec38c7 pop eax 00ec38c8 pop edX 00ec38c9 pop EDI 00ec38ca pop ESI 00ec38cb pop EBX 00ec38cc mov ESP, EBP 00ec38ce pop EBP 00ec38cf RET # function call stack field testitem Item1 = timeout (); 00ec39b1 Lea eax, [ebp-188h] 00ec39b7 push eax # returnstructapp is a non-argument function, but it will also press eax into the stack 00ec39b8 call returnstructapp (0ec11f4h) 00ec39bd add ESP, 4 # eax00ec39c0 mov ECx, 0ch # copy length 12 integer 00ec39c5 mov ESI, eax # eax points to the temporary object data area returned by the function, and is modified within the returnstructapp function 00ec39c7 Lea EDI, [ebp-1C0h] # temporary object 2 memory block address 00ec39cd rep movs dword ptr es: [EDI], dword ptr [esi] # execute data copy cyclically, from the temporary object 1 in the function to the temporary object 200ec39cf mov ECx, 0ch # copy length 12 integer 00ec39d4 Lea ESI, [ebp-1C0h] # temporary object 2 memory block address 00ec39da Lea EDI, [Item1] # target Item1 data zone 00ec39dd rep movs dword ptr es: [EDI], dword ptr [esi] # perform data copying cyclically, from temporary object 2 to Item1

In the code above, a struct object is returned in the function, and the return value of the function is assigned to Item1. Two temporary objects are constructed during the function return process, and a total of three data copies are executed. Therefore, the efficiency is relatively low. Avoid directly returning structure objects.

3. Reference

1. http://blog.csdn.net/ENO_REZ/article/details/2158682

2. http://blog.csdn.net/vagrxie/article/details/2501238