The OEP of the program starts with `push ebp` and `mov ebp, esp`. The reason: a C program begins at its main() function, and the most important thing during a function call is to keep the stack balanced. In the win32 environment, balance is kept as follows:

1. Let EBP save the ESP value (`push ebp; mov ebp, esp`).
2. Restore it on exit with `mov esp, ebp; pop ebp; retn` (or the equivalent `leave; retn`).

Because EBP holds the ESP value from before the function body ran, no matter how many times ESP is pushed or popped in between, EBP can be used at the end to restore the initial value.

The following uses the stackframe function compiled by gcc as an example:

```c
void stackframe(int a, int b, int c)
{
    int x = c;
    char buffer[64];
    int y = b;
    int z = 10;
    buffer[0] = 'a';
    bar(z, y);
}
```

The disassembly of this function is as follows:

```
.text:0040153C ; =============== S U B R O U T I N E =======================================
.text:0040153C
.text:0040153C ; Attributes: bp-based frame
.text:0040153C
.text:0040153C _text_40153C    proc near               ; CODE XREF: _text_40157A
.text:0040153C
.text:0040153C var_60          = dword ptr -60h        ; z
.text:0040153C var_5C          = dword ptr -5Ch        ; y
.text:0040153C var_58          = dword ptr -58h        ; buffer
.text:0040153C var_C           = dword ptr -0Ch        ; x
.text:0040153C arg_4           = dword ptr  0Ch        ; b
.text:0040153C arg_8           = dword ptr  10h        ; c
.text:0040153C
.text:0040153C                 push    ebp
.text:0040153D                 mov     ebp, esp
.text:0040153F                 sub     esp, 78h
.text:00401542                 mov     eax, [ebp+arg_8]
.text:00401549                 mov     [ebp+var_C], eax
.text:0040154B                 mov     eax, [ebp+arg_4]
.text:0040154F                 mov     [ebp+var_5C], eax
.text:00401551                 mov     [ebp+var_60], 0Ah
.text:00401554                 mov     [ebp+var_58], 41h
.text:00401557                 mov     eax, [ebp+var_5C]
.text:0040155A                 mov     [esp+4], eax    ; y
.text:0040155D                 mov     eax, [ebp+var_60]
.text:00401561                 mov     [esp], eax      ; z
```

Starting from `var_60 = dword ptr -60h`, IDA gives a summary of the stack layout. The entries with a negative offset from EBP are the four local variables x, buffer, y and z; the entries with a positive offset are the two parameters b and c that the function uses from the stack. Then come `push ebp` and `mov ebp, esp`, followed by the function body, where the values are assigned. The last thing to note is the call to bar(z, y) at the end of the function body: z and y have to be placed on the stack through esp, and because z is the first argument, [esp] holds z and [esp + 4] holds y. The bar function then begins with its own `push ebp` and `mov ebp, esp`.
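As an added example (not code from the original article), the following C program reproduces the locals of stackframe() and reports, from inside the function, where each local sits relative to the frame pointer and what the two slots just above it hold: the caller's saved frame pointer at [fp] (the value that `mov esp, ebp; pop ebp; retn` relies on to rebalance the stack) and the return address at [fp + sizeof(void *)]. It assumes GCC or clang (for `__builtin_frame_address`, `__builtin_return_address` and `noinline`). On x86-64 the arguments a, b and c arrive in registers rather than at positive EBP offsets as in the 32-bit listing, so only the negative-offset locals and the saved frame pointer/return address chain are checked; the values passed in (1, 2, 3) are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets of one frame's locals measured from the frame pointer (EBP on
   win32, RBP on x86-64), plus the two slots a bp-based frame keeps right
   above it: the caller's saved frame pointer at [fp] and the return
   address at [fp + sizeof(void *)]. */
struct frame_report {
    intptr_t off_x, off_buffer, off_y, off_z; /* negative: below fp */
    void *saved_fp;     /* contents of [fp]: caller's frame pointer  */
    void *return_addr;  /* contents of [fp + sizeof(void *)]          */
    void *builtin_ret;  /* __builtin_return_address(0), for comparison */
    void *caller_fp;    /* the caller's own view of its frame pointer  */
};

/* Same locals as stackframe() above (hypothetical probe, not the article's
   function). noinline guarantees the function gets its own frame. */
__attribute__((noinline))
static void stackframe_probe(int a, int b, int c, struct frame_report *r)
{
    int x = c;
    char buffer[64];
    int y = b;
    int z = 10;
    char *fp = (char *)__builtin_frame_address(0); /* this frame's EBP/RBP */

    (void)a;
    buffer[0] = 'a';
    r->off_x = (char *)&x - fp;
    r->off_buffer = (char *)buffer - fp;
    r->off_y = (char *)&y - fp;
    r->off_z = (char *)&z - fp;
    r->saved_fp = ((void **)fp)[0];       /* pushed by "push ebp"          */
    r->return_addr = ((void **)fp)[1];    /* pushed by the caller's "call" */
    r->builtin_ret = __builtin_return_address(0);
}

/* Caller side: records its own frame pointer so the saved-EBP chain can be
   checked from the callee's point of view. */
__attribute__((noinline))
static void probe_from_caller(struct frame_report *r)
{
    memset(r, 0, sizeof *r);
    r->caller_fp = __builtin_frame_address(0);
    stackframe_probe(1, 2, 3, r);
}

/* All four locals live below the frame pointer, like var_60..var_C. */
static int locals_below_fp(const struct frame_report *r)
{
    return r->off_x < 0 && r->off_buffer < 0 && r->off_y < 0 && r->off_z < 0;
}

/* [fp] must point back at the caller's frame: that is what the epilogue
   restores with "pop ebp", and what a debugger walks to show the call stack. */
static int saved_fp_matches_caller(const struct frame_report *r)
{
    return r->saved_fp == r->caller_fp;
}

/* [fp + sizeof(void *)] must be the return address "retn" will pop. */
static int return_addr_consistent(const struct frame_report *r)
{
    return r->return_addr == r->builtin_ret;
}

/* Runs the probe and returns how many of the three layout checks hold (3 = all). */
static int run_frame_checks(void)
{
    struct frame_report r;
    probe_from_caller(&r);
    return locals_below_fp(&r) + saved_fp_matches_caller(&r) +
           return_addr_consistent(&r);
}

int main(void)
{
    struct frame_report r;
    probe_from_caller(&r);
    printf("x      at fp%+ld\n", (long)r.off_x);
    printf("buffer at fp%+ld\n", (long)r.off_buffer);
    printf("y      at fp%+ld\n", (long)r.off_y);
    printf("z      at fp%+ld\n", (long)r.off_z);
    printf("[fp]   = %p (caller fp %p)\n", r.saved_fp, r.caller_fp);
    printf("[fp+%zu] = %p (return address %p)\n", sizeof(void *),
           r.return_addr, r.builtin_ret);
    return run_frame_checks() == 3 ? 0 : 1;
}
```

Compile with `gcc -O0 -o frame frame.c` to see the same kind of layout as the IDA listing (locals at negative offsets, saved EBP and the return address directly above); at `-O2` the exact offsets change but the three checks still hold, because `__builtin_frame_address(0)` keeps the bp-based frame.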