Learning C++ <1>: parameter passing from disassembly -- constants

Source: Internet
Author: User

Preface

There are already many books in this field, but most of them focus on reverse analysis. I wrote this series to better understand some C++ concepts through disassembly.

I will briefly explain each assembly instruction the first time it appears in this article, so that readers who are not familiar with assembly and want to learn about it can follow along. However, most of the instructions involve direct addressing, indirect addressing, and register-indirect addressing; a detailed introduction is beyond the scope of this article, so please look up the relevant material yourself.


Let's get started.

Body


Passing a Constant

First, let's take a look at how the simplest kind of parameter passing is implemented.


void testInt(int i) {
    i = 10;          // modifies only the callee's copy of the argument
}

int main() {
    testInt(1);      // pass the constant
    return 0;
}

Disassembly:

The main function does the following:

00A813CE  push        1
00A813D0  call        testInt (0A81082h)
00A813D5  add         esp,4

Assembly instruction explanation:

push data: data is a four-byte value. This instruction pushes data onto the stack and decrements the stack pointer ESP by 4.

call addr: addr is the function address. This instruction pushes the address of the instruction following the current one onto the stack, then jumps to addr and continues executing from there.

add ptr, data: adds data to the value held in ptr and stores the result back in ptr.


Next, let's take a look at what the testInt function looks like after disassembly. Note: the address values shown below may differ from those above, because the function addresses change every time the program is re-debugged.


009B1380  push        ebp
009B1381  mov         ebp,esp
009B1383  sub         esp,0C0h
009B1389  push        ebx
009B138A  push        esi
009B138B  push        edi
009B138C  lea         edi,[ebp+FFFFFF40h]
009B1392  mov         ecx,30h
009B1397  mov         eax,0CCCCCCCCh
009B139C  rep stos    dword ptr es:[edi]
009B139E  mov         dword ptr [ebp+8],0Ah
009B13A5  pop         edi
009B13A6  pop         esi
009B13A7  pop         ebx
009B13A8  mov         esp,ebp
009B13AA  pop         ebp
009B13AB  ret

Assembly instruction explanation:

mov ptr1, ptr2: stores the value held in (or pointed to by) ptr2 into the space designated by ptr1.

sub ptr1, ptr2: subtracts the value of ptr2 from the value of ptr1 and stores the result in ptr1.

lea ptr, data: stores the address computed from the expression data into ptr. Note that it is the address itself that is stored, not the data that address points to.

rep stos ptr works like this: repeatedly check whether ecx is 0; if it is, the instruction terminates, otherwise the contents of the eax register are stored into the space pointed to by ptr. On each iteration ecx is decremented by 1 and edi moves by one element (4 bytes for a dword store): downward if the direction flag is set, upward otherwise. ptr is normally an expression built on edi; otherwise it would make no sense to write the eax value to the same place over many iterations.

pop ptr is the opposite of push. The four-byte value at the top of the stack is taken off the stack and stored in the space designated by ptr, and then 4 is added to esp.

ret is the opposite of call. The four-byte value at the top of the stack is popped into the EIP register, which implements the function return.


Lines 1-10 appear in almost every function. They save the values of the ebp, ebx, esi, and edi registers so that these four registers can be used freely inside this function without affecting the caller. To balance the stack, the esp register value is saved as well (in ebp).

Lines 12-16 restore the values of the ebp, ebx, esi, edi, and esp registers.

Of these seventeen lines, only line 11 is the disassembly of the function body i = 10;.

What is ebp + 8?

First, note that lines 3-11 do not change the value of ebp. Then list, in execution order, the instructions that affect the stack up to and including line 2:

push 1

call testInt

push ebp

mov ebp, esp

After these four commands are executed, the stack is as follows:

[Figure: the stack after these four instructions. From the top of the stack upward: the saved ebp at [ebp] (esp and ebp both point here), the return address at [ebp+4], and the argument 1 at [ebp+8].]

So esp + 8 (which equals ebp + 8 right after mov ebp, esp) is the address of the first parameter. The instruction on line 11 stores 0Ah into the space at that address; that is exactly the execution of i = 10;.

Of course, this whole sequence of operations has no visible effect. When the function returns, all the stack space it used, other than the slot occupied by the parameter, is released; and immediately after the return, add esp,4 releases the parameter's stack space as well.
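As an added worked example (not code from the original post), the following Python model executes the exact stack operations from the two listings above: push 1 / call, the testInt prologue, the body, the epilogue, ret and the caller's add esp,4. It lets you check that [ebp+8] is the argument, that the callee's write of 0Ah never reaches the caller, and that esp is balanced after the call. STACK_TOP and the initial register values are constructed; RET_ADDR is the address of the add esp,4 following the call in the listing.

```python
# Stack model for the cdecl call in the article. Addresses are dword-granular;
# STACK_TOP and the initial register values below are constructed.
STACK_TOP = 0x0019FF00
RET_ADDR = 0x00A813D5          # address of `add esp,4` after the call

class Cpu:
    def __init__(self):
        self.esp = STACK_TOP
        self.regs = {"ebp": 0x0019FF40, "ebx": 1, "esi": 2, "edi": 3}
        self.mem = {}          # stack memory: address -> dword value

    def push(self, value):     # esp -= 4, then store at [esp]
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):             # load [esp], then esp += 4
        value = self.mem[self.esp]
        self.esp += 4
        return value

def call_test_int(arg):
    cpu = Cpu()
    esp_before = cpu.esp
    cpu.push(arg)                           # push 1
    cpu.push(RET_ADDR)                      # call testInt (pushes return address)
    # --- testInt prologue (lines 1-10) ---
    cpu.push(cpu.regs["ebp"])               # push ebp
    cpu.regs["ebp"] = cpu.esp               # mov ebp,esp
    cpu.esp -= 0xC0                         # sub esp,0C0h
    for r in ("ebx", "esi", "edi"):
        cpu.push(cpu.regs[r])               # push ebx / esi / edi
    ebp = cpu.regs["ebp"]
    for i in range(0x30):                   # lea edi,[ebp-0C0h]; mov ecx,30h
        cpu.mem[ebp - 0xC0 + 4 * i] = 0xCCCCCCCC   # rep stos dword ptr es:[edi]
    arg_seen = cpu.mem[ebp + 8]             # the value the callee reads as i
    # --- body (line 11) ---
    cpu.mem[ebp + 8] = 0x0A                 # mov dword ptr [ebp+8],0Ah  (i = 10)
    # --- epilogue (lines 12-17) ---
    for r in ("edi", "esi", "ebx"):
        cpu.regs[r] = cpu.pop()             # pop edi / esi / ebx
    cpu.esp = ebp                           # mov esp,ebp
    cpu.regs["ebp"] = cpu.pop()             # pop ebp
    eip = cpu.pop()                         # ret
    cpu.esp += 4                            # add esp,4: caller discards the argument
    return {"ret_addr": cpu.mem[ebp + 4], "arg_seen": arg_seen,
            "arg_after_body": cpu.mem[ebp + 8], "eip": eip,
            "stack_balanced": cpu.esp == esp_before,
            "ebp_restored": cpu.regs["ebp"] == 0x0019FF40,
            "locals_filled": all(cpu.mem[ebp - 0xC0 + 4 * i] == 0xCCCCCCCC
                                 for i in range(0x30))}
```

After the call the slot that held 10 lies above esp, so it is dead stack space that no caller variable ever reads, which is what makes the assignment in testInt a no-op from the caller's point of view.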


This article is from the "Three Take Tiger" blog; please keep this source: http://darhx.blog.51cto.com/7920146/1304242
