Preliminary study on x64 parameter variables and stack space layout

Article CRACK_QS[4ST][PDG]

Compilation mode: Debug

Test platform: Winodws 7 x64

Compilation environment: Microsoft Visual Studio Ultimate (12.0.30723.00) Update 3

About the x64 forum has other brother analysis, I have to tidy up their records. Non-dry science text, do not like to spray.

If there is a missing part of this article please refer to the following post, if found error please feedback to me, thank you very much.

Study on the rules of x64 transfer

Http://bbs.chinapyg.com/thread-74565-1-1.html

Re-analysis of x64 and its parameters

Http://bbs.chinapyg.com/thread-74910-1-1.html

Study on the rules of X64 parameters

Http://bbs.chinapyg.com/thread-75685-1-1.html

//////////////////////////////////////////////////////////////////////////////

The compiler will open functions for the function of its own stack frame, empty functions (no parameters, no variables) The source code is as follows:

int Fun ()
{
return 1;
}

Assembly:

000000013f421120 RDI Push//Save environment
000000013f421122 B8 (XX) MOV eax,1//This shows x64 the return value is still outgoing from the Rax register
000000013f421127 5F Pop RDI//Recovery Environment
000000013f421128 C3 ret//Return to previous layer call

After a brief look at the function framework, explore how the variables are stored:

int Fun ()
{
int nTest1 = 16;
int nTest2 = 16;
int nTest3 = 16;
int nTest4 = 16;
int nTest5 = 16;
return 1;
}

Assembly:

000000013F7F33E0 RDI Push/ /Save Environment
000000013f7f33e2-EC-rsp,20h//local variable stack Space Size (aligned with 0x10 growth)
000000013f7f33e6 8B FC mov rdi,rsp//and x8 6 the same as in the initialization of the local variable stack space
000000013f7f33e9 B9 the counter of mov ecx,8//stos of XX , STOs 4 bytes per fill, number immediately here = Stack space Size/4
000000013f7f33ee B8 cc cc CC CC MOV EAX,0CCCCCCCCH
000000013F7F33F3 F3 AB Rep stos dword ptr [RDI]

000000013f7f33f5 C7, XX, mov dword ptr [rsp],10h///First variable
000000013F7F33FC C7, XX, mov dword ptr [rsp+0x4],10h//second variable
000000013f7f3404 C7-xx-XX mov dword ptr [rsp+0x8],10h//Third variable
000000013f7f340c C7 0C (XX) mov dword ptr [rsp+0xc],10h//Fourth variable
000000013f7f3414 C7 (rsp+0x10],10h///fifth variable) for MOV DWORD ptr
000000013f7f341c B8, xx eax,1//return 1
000000013f7f3421 C4 Add rsp,20h
000000013f7f3425 5F Pop Rdi Recovery Environment
000000013f7f3426 C3 RET Return to the previous layer call

Ps: RSP is incremented with 0x8 bytes because the x64 relationship variable is a pointer

x64 rules for the transfer of parameters:

In x64, the first 4 parameter parameters of the function are passed using the Register RCX (XMM0), RDX (XMM1), R8 (xmm2), R9 (XMM3) to pass the parameters, in addition to using the stack for delivery, in-memory%8 aligned, starting from rsp+0x20.

int fun (int nArg1, short hArg2, Char CArg3, Long LArg4, int. NARG5, Short HArg6, Char CArg7)

{

Long nTest1 = 16;

return 1;

}

000000013f9f3451 C6, mov byte ptr [rsp+30h],7 The seventh parameter consists of rsp+0x30

000000013f9f3456 C7-XX mov word ptr [rsp+28h],6//Sixth Parameters by rsp+0x28
000000013f9f345d C7, XX, mov dword ptr [rsp+20h],5//fifth parameter by R sp+0x20
000000013f9f3465 B9-XX, mov r9d,4 The fourth parameter consists of r9d
000000013F9F346B B0 mov r8b,3 The third parameter consists of the r8b
000000013f9f346e-BA-dx,2 mov The second parameter consists of the RDX
000000013f9f3472 B9, XX, mov ecx,1 The first parameter consists of the RCX
000000013f9f3477 E8 B1 DB FF FF call 000000013f9f102d// The call command pushes the virtual address of the next instruction into the stack space for return, and the x64 's addressing capacity is 8 bytes, so it is no longer esp-0x4, but rsp-0x8

This shows that if the function parameter that is called is greater than 4, it will open up a temporary position in the caller's function stack space, and the memory is%8 aligned.

000000013ffa33e0 4C mov dword ptr [rsp+20h],r9d///Because the call command Relationship RSP changes, so here is still rsp+0x20

000000013ffa33e5-----------+ mov byte ptr [rsp+18h],r8b
000000013FFA33EA Ten mov word ptr [rsp+10h],dx
000000013FFA33EF 4C mov dword ptr [RSP+8],ECX
000000013FFA33F3 RDI Push Personal understanding (for reference only): Rdi equivalent to EBP in x86
000000013ffa33f4 EC Ten Sub rsp,10h
000000013ffa33f8 8B FC mov rdi,rsp
000000013FFA33FB B9-XX, mov ecx,4
000000013ffa3400 B8 cc cc CC CC MOV EAX,0CCCCCCCCH
000000013ffa3405 F3 AB Rep stos dword ptr [RDI]
000000013ffa3407 8B 4C x mov ecx,dword ptr [rsp+20h]//default take first parameter
000000013ffa340b C7, XX, mov dword ptr [rsp],10h
000000013ffa3412 B8, XX, mov eax,1
000000013ffa3417 C4 Add rsp,10h//flat stack
000000013ffa341b 5F Pop Rdi Recovery Environment
000000013ffa341c C3 RET RET RIP via stack space returns to the upper call

As for why starting with rsp+0x20, the first 4 parameters of the function need to be in the stack inside the function, while 4 * 8 byte is 0x20

Stack Space layout:

0x000000000020fdd0 cc cc CC cc ...???? <-local variable space

0X000000000020FDD8 cc cc CC???????? cc cc CC CC

0x000000000020fde0 20 00 00 00 00 00 0? ..... <-Push EDI

0x000000000020fde8 7c FA 3f 01 00 00 00 |4?? .... <-ret RIP

0X000000000020FDF0-CC cc CC CC ...???? <-parameter list header

0x000000000020fdf8 (cc cc):?????? <-

0x000000000020fe00 cc CC CC CC CC CC.??????? <-

0X000000000020FE08-CC cc CC CC ...???? <-

0x000000000020fe10-CC cc CC CC ...???? <-

0x000000000020fe18 cc CC, CC cc cc:?????? <-

0X000000000020FE20 cc CC CC CC CC CC.??????? <-parameter list trailer

Preliminary study on x64 parameter variables and stack space layout