Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
x86 Assembly Registers and the Stack
Nov 2009
x86 Registers

• 16-bit has 14
  – General: AX, BX, CX, DX
  – Segment: CS, DS, SS, ES
  – Pointer: SP, BP
  – Array indexing: SI, DI
  – FLAGS (single register): Carry, Overflow, …
  – Code: IP
• 32-bit has 16
  – General: EAX, EBX, ECX, EDX
  – Segment (16-bit): CS, DS, SS, ES, FS, GS
  – Pointer: ESP, EBP
  – Array indexing: ESI, EDI
  – EFLAGS (single register): Carry, Overflow, …
  – Code: EIP
• 64-bit has 24
  – General: RAX, RBX, RCX, RDX
  – Segment (16-bit): CS, DS, SS, ES, FS, GS
  – Pointer: RSP, RBP
  – Array indexing: RSI, RDI
  – RFLAGS (single register): Carry, Overflow, …
  – Code: RIP
  – Additional general: R8, R9, R10, R11, R12, R13, R14, R15
x86 Registers (Special)

System registers; they are not part of the state application code works with, and writing them requires privilege level 0:
• Control Registers: CR0, CR1, CR2, CR3, CR4 (CR1 is reserved)
• Debug Registers: DR0, DR1, DR2, DR3, DR6, DR7
• Test Registers: TR4, TR5, TR6, TR7 (386/486 only; removed from the Pentium onward)
• Descriptor Table Registers: GDTR, LDTR, IDTR
• Task Register: TR
x86 Registers (common use)

• EAX – accumulator (also carries a function's return value)
• EBX – base index (ex: base address of an array)
• ECX – counter
• EDX – data
• ESI – source index for string operations
• EDI – destination index for string operations
• EBP – stack base pointer (base of the current stack frame)
• ESP – stack top pointer (current stack position)
• EIP – instruction pointer (address of the next instruction to execute)
x86 Registers (Caller and Callee)

Responsibility for preserving register values across a call (the standard 32-bit x86 convention):
• Caller-saved: eax, ecx, edx. The called function may overwrite them, so the calling function saves them before the call if it still needs their values.
• Callee-saved: ebx, esi, edi, ebp, esp. The called function must leave them as it found them, saving and restoring any it uses.
• esp must point at the return address on the stack at the end of the function, at the moment ret executes.
Memory

  HIGH ADDR   argc/argv/envp
              Return Address
              STACK
              …
              HEAP (dynamic memory)
              DATA (non-constant data defined in code)
  LOW ADDR    TEXT (code, constants)

At run time the stack begins near the very end (highest address) of the memory allocated to the program.
The stack grows downwards in memory as it is used.
The heap grows upwards.
The program code, constants and predefined data are loaded into low memory at startup.
The environment and command line arguments are at the top (end) of memory.
The x86 architecture is little endian: the least significant byte of a value is stored at the lowest address.
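A quick way to check the layout facts just listed on whatever host you are on, as an added C example that is not part of the original slides: the byte-order probe reads the lowest-addressed byte of a known word, the stack-direction probe compares the address of a local in a caller with one in a non-inlined callee, and le32_dump shows how a 32-bit value (0x08048400 here is an arbitrary example value) appears byte by byte in a memory dump. The heap growth direction is not checked because a modern allocator gives no such guarantee.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original slides): verify on the running host
 * that the stack grows toward lower addresses and that multi-byte values are
 * stored little-endian, and show what a 32-bit value looks like in a dump. */

/* Serialise v in x86 (little-endian) order: low byte at the lowest address. */
void store_le32(uint8_t out[4], uint32_t v) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Format v as the four bytes a debugger's memory dump shows,
 * e.g. 0x08048400 -> "00 84 04 08". buf must hold at least 12 bytes. */
const char *le32_dump(uint32_t v, char buf[12]) {
    uint8_t b[4];
    store_le32(b, v);
    snprintf(buf, 12, "%02x %02x %02x %02x", b[0], b[1], b[2], b[3]);
    return buf;
}

/* 1 if this host keeps the low byte of a word at the lowest address. */
int host_is_little_endian(void) {
    uint32_t probe = 0x04030201u;
    uint8_t first;
    memcpy(&first, &probe, 1);   /* the byte at the lowest address */
    return first == 0x01;
}

/* The callee compares the address of its own local with the caller's local.
 * noinline keeps this a real call so the two locals live in different frames. */
static __attribute__((noinline)) int callee_frame_is_lower(const volatile int *caller_local) {
    volatile int callee_local = 0;
    return (uintptr_t)&callee_local < (uintptr_t)caller_local;
}

/* 1 if a called function's frame sits below its caller's: the stack grows down. */
int host_stack_grows_down(void) {
    volatile int caller_local = 0;
    return callee_frame_is_lower(&caller_local);
}

int main(void) {
    char buf[12];
    printf("little endian:    %s\n", host_is_little_endian() ? "yes" : "no");
    printf("stack grows down: %s\n", host_stack_grows_down() ? "yes" : "no");
    printf("0x%08x in memory: %s\n", 0x08048400u, le32_dump(0x08048400u, buf));
    return 0;
}
```

The noinline attribute is GCC/Clang specific. Seeing 0x08048400 dumped as 00 84 04 08 is the little-endian reversal to keep in mind when reading return addresses or saved frame pointers out of raw stack bytes in a debugger.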
Initial State

One possible memory layout, using a toy address space from 0x0 (0) to 0x400 (1024):

  0x400 (1024)  top of memory: Return Address, with argc/argv/envp above it
  0x3FC (1020)  STACK (start): first 4 free bytes
  0x3F8 (1016)
  0x3F4 (1012)
  0x3F0 (1008)
  0x3EC (1004)
  …
  0x0   (0)     TEXT, DATA, HEAP (code, constants)

Free memory on the stack ends at 0x400; the first 4 free bytes start at 0x3FC.
argc/argv/envp (the program arguments) consume an amount of memory that is not known until run time.
TEXT and DATA consume a fixed block of memory.
HEAP can grow as needed, as long as sufficient memory is available.
Initial State (Registers)

After the code has been loaded but before execution has begun the registers look like:

  Register  Value (Hex)
  EAX       ?@$Ω∆
  EBX       ?@$Ω∆
  ECX       ?@$Ω∆
  EDX       ?@$Ω∆
  ESI       ?@$Ω∆
  EDI       ?@$Ω∆
  EBP       ?@$Ω∆
  ESP       0x400
  EIP       0x0

Memory: ESP = 0x400 points at the Return Address, with argc/argv/envp above it; 0x3FC, 0x3F8, 0x3F4, 0x3F0, 0x3EC, … are free stack; TEXT, DATA and HEAP occupy the low addresses down to 0x0.
The garbled ?@$Ω∆ in the register table is a placeholder meaning the register holds whatever was left in it: nothing has set it yet, so its value is unknown.
Sample C Program

    // Note that envp is not standard to C but is allowed
    int main(const int argc, const char *argv[], const char *envp[])
    {
        // argc is usually 1 or greater as argv[0] = pathname of program
        return argc;
    }

Compile with:

    gcc -S program.c

This generates a program.s file containing the assembly code. On a 64-bit toolchain add -m32 to get 32-bit code like the listing that follows.
Sample GNU Assembly

program.s as emitted for a PE/COFF target (Cygwin or MinGW): symbols carry a leading underscore and the .def/.scl/.type/.endef lines are COFF symbol records.

            .file   "program.c"
            .def    ___main; .scl 2; .type 32; .endef
            .text
            .globl  _main
            .def    _main; .scl 2; .type 32; .endef
    _main:
            pushl   %ebp
            movl    %esp, %ebp
            subl    $8, %esp
            andl    $-16, %esp
            movl    $0, %eax
            addl    $15, %eax
            addl    $15, %eax
            shrl    $4, %eax
            sall    $4, %eax
            movl    %eax, -4(%ebp)
            movl    -4(%ebp), %eax
            call    __alloca
            call    ___main
            movl    8(%ebp), %eax
            leave
            ret
program.s, directive by directive

.file "program.c" and .def ___main; .scl 2; .type 32; .endef: symbol records used by debugger tools (COFF storage class 2 = external, type 32 = function). They are optional; the code assembles without them.
.text: indicates the start of the code section.
.globl _main: makes "_main" a global label. The C runtime's startup code calls main, and the linker resolves that reference to this symbol.
.def _main; .scl 2; .type 32; .endef: again a symbol record for the debugger. Optional.
_main: the label where the code of main begins; this is where the startup code transfers control.
pushl %ebp: preserve the caller's frame pointer (the previous stack frame). For main this may seem redundant, but good practice says to have it, and it is useful when the program needs to provide an exit code at the end.
movl %esp, %ebp: set the current stack pointer as the base reference of this frame. Arguments passed to the function are then addressed at fixed positive offsets from ebp (the return address sits at 4(%ebp), the first argument at 8(%ebp)).
subl $8, %esp: reserve 8 bytes on the stack. Why? The space is preparation for the __alloca and ___main calls made for C library setup; the size computed next is kept at -4(%ebp), inside these 8 bytes.
andl $-16, %esp: align the stack pointer down to the next lower 16-byte boundary by ANDing esp with 0xFFFFFFF0 (-16 in two's complement). 16-byte alignment is what SIMD instructions require for aligned operands, and it speeds up floating point operations.
movl $0, %eax through movl -4(%ebp), %eax: this whole section is preparation for the C library setup calls __alloca and ___main. Followed instruction by instruction below, the end result leaves eax equal to 16.
movl $0, %eax: set eax to 0.
addl $15, %eax: eax = eax + 15, so eax = 15.
addl $15, %eax: eax = eax + 15, so eax = 30.
shrl $4, %eax: eax = eax >> 4, a logical shift right by 4 (zeros shifted in from the left).

    30  = 00000000 00000000 00000000 00011110
    eax = 00000000 00000000 00000000 00000001   (1)
sall $4, %eax: eax = eax << 4, an arithmetic shift left by 4 (for a left shift this is the same operation as a logical shift).

    Before eax = 00000000 00000000 00000000 00000001   (1)
    After  eax = 00000000 00000000 00000000 00010000   (16)
movl %eax, -4(%ebp): store the value of eax into memory at ebp - 4, inside the 8 bytes reserved earlier. -4(%ebp) = 16.
movl -4(%ebp), %eax: load the same value from that memory location back into eax. eax = 16.
End result: eax = 16. This is unoptimized code, which is why it did not simply use movl $16, %eax; try gcc -O2 -S program.c as well to compare. The value in eax can be used by the __alloca and ___main calls made next.
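The same rounding written out in C, as an added example that is not part of the original slides: round_up16_shift reproduces the addl/shrl/sall sequence (the slide's eax trace is round_up16_shift(15), since the first addl $15 turns 0 into 15), round_up16_mask is the form an optimizing compiler emits, round_down16 is what andl $-16, %esp does to the stack pointer, and round_up16_checked adds the overflow test this prologue does not need but any size rounding on untrusted input does: n + 15 wraps for n above UINT32_MAX - 15 and the rounded size comes out tiny.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original slides): the two rounding idioms in
 * main's prologue as C functions, plus an overflow-checked round-up. */

/* Round n up to a multiple of 16 the way the slide's code does:
 * addl $15, then shrl $4 and sall $4 to clear the low four bits. */
uint32_t round_up16_shift(uint32_t n) {
    uint32_t eax = n;
    eax += 15;        /* addl $15, %eax */
    eax >>= 4;        /* shrl $4, %eax  (logical shift right) */
    eax <<= 4;        /* sall $4, %eax  (shift left) */
    return eax;
}

/* Same result with a mask: (n + 15) & ~15. This is what -O2 would emit. */
uint32_t round_up16_mask(uint32_t n) {
    return (n + 15u) & ~15u;
}

/* Round DOWN to a multiple of 16: what andl $-16, %esp does to the stack
 * pointer (-16 is 0xFFFFFFF0 in two's complement). Down is the safe direction
 * for esp because the stack grows toward lower addresses. */
uint32_t round_down16(uint32_t esp) {
    return esp & 0xFFFFFFF0u;
}

/* Checked round-up: n + 15 wraps for any n above UINT32_MAX - 15, so the
 * unchecked forms hand back a small value (even 0) for a huge request.
 * Returns 1 and stores the result on success, 0 when rounding would wrap. */
int round_up16_checked(uint32_t n, uint32_t *out) {
    if (n > UINT32_MAX - 15u)
        return 0;
    *out = (n + 15u) & ~15u;
    return 1;
}

int main(void) {
    uint32_t r;
    /* The slide's eax sequence: 0 -> 15 -> 30 -> 1 -> 16 */
    printf("round_up16_shift(15) = %u\n", round_up16_shift(15));
    printf("round_down16(0x3F4)  = 0x%X\n", round_down16(0x3F4u));
    if (!round_up16_checked(0xFFFFFFF8u, &r))
        printf("0xFFFFFFF8 + 15 wraps; unchecked result would be %u\n",
               round_up16_mask(0xFFFFFFF8u));
    return 0;
}
```

round_down16(0x3F4) gives 0x3F0, the esp value the stepping slides show after andl. The checked variant is the one to use when the size being rounded comes from a file, a packet or a user, because an attacker who can make n + 15 wrap gets an allocation far smaller than the data written into it.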
call __alloca and call ___main: inserted by the GNU compiler for this target. ___main sets up global constructors (see libgcc2.c); __alloca takes the size computed in eax.
movl 8(%ebp), %eax: place the value of argc, the first argument, into eax so it is returned as the exit code. It sits 8 bytes above ebp: 4 for the saved ebp and 4 for the return address.
leave: the same as

    movl %ebp, %esp
    popl %ebp

movl %ebp, %esp moves the stack pointer back to the start of the frame for this function, dropping anything allocated below ebp. popl %ebp takes the value now at the top of the stack, which is the caller's ebp saved by pushl %ebp on entry, and restores it to ebp. Together they restore ebp to the previous frame it pointed to before entering the function.
ret: pop the value now at the top of the stack, the return address, into eip and continue executing there. The value left in register eax is the return value of the function (for main, the exit code).
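To watch the whole function act on the slides' toy memory, here is an added C model that is not from the original slides: a small byte array plus eax, ebp, esp and eip, with little-endian 32-bit loads and stores and pushl/popl defined the way x86 defines them. The addresses 0x400, 0x3FC, 0x3F8, 0x3F4 and 0x3F0 are the slides'; the caller's ebp (0xBFFFF000), the return address (0x08048400) and argc = 1 are assumed values. The two library calls are omitted: leave reloads esp from ebp, so whatever they did to esp cannot affect the epilogue.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the original slides): a toy model of the slides'
 * address space executing main's prologue, the eax arithmetic and the
 * epilogue, so every register and stack value can be checked. */

#define TOY_MEM 0x410u   /* 0x000-0x40F: stack top at 0x400, argc above it */

typedef struct {
    uint32_t eax, ebp, esp, eip;
    uint8_t mem[TOY_MEM];
} toy_cpu;

static void check_addr(uint32_t a) {
    if (a > TOY_MEM - 4u) { fprintf(stderr, "toy: bad address 0x%X\n", a); exit(1); }
}

/* x86 is little endian: the low byte goes to the lowest address. */
void store32(toy_cpu *c, uint32_t addr, uint32_t v) {
    check_addr(addr);
    for (int i = 0; i < 4; i++) c->mem[addr + i] = (uint8_t)(v >> (8 * i));
}
uint32_t load32(const toy_cpu *c, uint32_t addr) {
    check_addr(addr);
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)c->mem[addr + i] << (8 * i);
    return v;
}

/* pushl: esp -= 4 first, then store (the stack grows down). popl: the reverse. */
void pushl(toy_cpu *c, uint32_t v) { c->esp -= 4; store32(c, c->esp, v); }
uint32_t popl(toy_cpu *c) { uint32_t v = load32(c, c->esp); c->esp += 4; return v; }

/* State at the _main label: the caller's call left the return address at
 * 0x400 with esp pointing at it; argc sits just above it (8(%ebp) after the prologue). */
void toy_init(toy_cpu *c, uint32_t caller_ebp, uint32_t ret_addr, uint32_t argc) {
    memset(c, 0, sizeof *c);
    c->esp = 0x400;
    c->ebp = caller_ebp;
    store32(c, 0x400, ret_addr);
    store32(c, 0x404, argc);
}

/* pushl %ebp; movl %esp,%ebp; subl $8,%esp; andl $-16,%esp */
void prologue(toy_cpu *c) {
    pushl(c, c->ebp);
    c->ebp = c->esp;
    c->esp -= 8;
    c->esp &= 0xFFFFFFF0u;
}

/* movl $0,%eax; addl $15; addl $15; shrl $4; sall $4; movl %eax,-4(%ebp); movl -4(%ebp),%eax */
void alloca_size(toy_cpu *c) {
    c->eax = 0;
    c->eax += 15;
    c->eax += 15;
    c->eax >>= 4;
    c->eax <<= 4;
    store32(c, c->ebp - 4, c->eax);
    c->eax = load32(c, c->ebp - 4);
}

/* movl 8(%ebp),%eax; leave; ret */
void epilogue(toy_cpu *c) {
    c->eax = load32(c, c->ebp + 8);  /* argc becomes the return value */
    c->esp = c->ebp;                 /* leave: movl %ebp, %esp ... */
    c->ebp = popl(c);                /*        popl %ebp */
    c->eip = popl(c);                /* ret: pop the return address into eip */
}

/* Run the whole function; returns main's return value (argc). */
uint32_t run_main(toy_cpu *c, uint32_t caller_ebp, uint32_t ret_addr, uint32_t argc) {
    toy_init(c, caller_ebp, ret_addr, argc);
    prologue(c);
    alloca_size(c);
    epilogue(c);
    return c->eax;
}

int main(void) {
    toy_cpu c;
    toy_init(&c, 0xBFFFF000u, 0x08048400u, 1);   /* assumed caller ebp, return address, argc */
    prologue(&c);
    printf("after prologue: ebp=0x%X esp=0x%X, saved ebp at 0x%X = 0x%X\n",
           c.ebp, c.esp, c.ebp, load32(&c, c.ebp));
    printf("return address at 4(%%ebp) = 0x%X, argc at 8(%%ebp) = %u\n",
           load32(&c, c.ebp + 4), load32(&c, c.ebp + 8));
    alloca_size(&c);
    printf("eax = %u, -4(%%ebp) = %u\n", c.eax, load32(&c, c.ebp - 4));
    epilogue(&c);
    printf("after ret: eax=%u ebp=0x%X esp=0x%X eip=0x%X\n", c.eax, c.ebp, c.esp, c.eip);
    return 0;
}
```

Running it shows ebp = 0x3FC and esp = 0x3F0 after the prologue, the caller's ebp stored at 0x3FC, the return address at 4(%ebp), argc at 8(%ebp), 16 in both eax and -4(%ebp), and after ret eax = 1, esp = 0x404 and eip equal to the return address. The same layout is why a write past the end of a local below ebp reaches the saved ebp and then the return address: they occupy the next higher addresses.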
program.s – Stepping through

Initial setup before code execution: EAX, EBX, ECX, EDX, ESI, EDI and EBP are unset (?@$Ω∆), ESP = 0x400 points at the Return Address with argc/argv/envp above it, EIP = 0x0. Stack slots 0x3FC, 0x3F8, 0x3F4, 0x3F0, 0x3EC, … are free; TEXT, DATA and HEAP occupy the low addresses down to 0x0.
program.s – argc/argv/envp details

The program arguments sit above the return address at the top of memory, shown here in increasing address order:

  Return Address            ← ESP at entry to _main
  argc
  argv[0] (pointer)
  …
  argv[argc-1] (pointer)
  0 (null, ends argv)
  envp[0] (pointer)
  …
  envp[n-1] (pointer)
  0 (null, ends envp)
  envp and argv strings     ← highest addresses

Strictly, the C runtime passes main three arguments: argc at 8(%ebp), then the argv pointer at 12(%ebp) and the envp pointer at 16(%ebp); the null-terminated pointer arrays and the strings they point to live further up, as drawn. The registers are still in the initial state (EAX through EBP unset, ESP = 0x400, EIP = 0x0); TEXT, DATA and HEAP occupy the low addresses.
program.s – line by line

State after each instruction in the toy layout. ESP, EBP and EAX in hex; EIP holds the address of the next instruction; ?@$Ω∆ = not yet set. EBX, ECX, EDX, ESI and EDI stay unset throughout, and the Return Address stays at 0x400 with argc/argv/envp above it.

  Instruction         EAX     EBP     ESP     Stack
  (at _main)          ?@$Ω∆   ?@$Ω∆   0x400   0x3FC and below free
  pushl %ebp          ?@$Ω∆   ?@$Ω∆   0x3FC   value of caller's ebp stored at 0x3FC
  movl %esp, %ebp     ?@$Ω∆   0x3FC   0x3FC   ebp now marks the base of this frame
  subl $8, %esp       ?@$Ω∆   0x3FC   0x3F4   0x3F4–0x3FB reserved
  andl $-16, %esp     ?@$Ω∆   0x3FC   0x3F0   esp rounded down to a 16-byte boundary
  movl $0, %eax       0x000   0x3FC   0x3F0
  addl $15, %eax      0x00F   0x3FC   0x3F0
  addl $15, %eax      0x01E   0x3FC   0x3F0
…
![Page 46: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/46.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
argc/argv/envpReturn Address
value of caller’s ebp
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x001
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP 0x3FC
ESP 0x3F0
EIP instr addr
0x400
0x3FC
0x3F8
0x3F4
0x3F0 (ESP)
0x3EC
…
![Page 47: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/47.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
argc/argv/envpReturn Address
value of caller’s ebp
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x010
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP 0x3FC
ESP 0x3F0
EIP instr addr
0x400
0x3FC
0x3F8
0x3F4
0x3F0 (ESP)
0x3EC
…
![Page 48: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/48.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
argc/argv/envpReturn Address
value of caller’s ebp
0X010
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x010
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP 0x3FC
ESP 0x3F0
EIP instr addr
0x400
0x3FC
0x3F8
0x3F4
0x3F0 (ESP)
0x3EC
…
![Page 49: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/49.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
argc/argv/envpReturn Address
value of caller’s ebp
0X010
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x010
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP 0x3FC
ESP 0x3F0
EIP instr addr
0x400
0x3FC
0x3F8
0x3F4
0x3F0 (ESP)
0x3EC
…
![Page 50: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/50.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
argc/argv/envpReturn Address
value of caller’s ebp
0X010
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x010
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP 0x3FC
ESP 0x3F0
EIP instr addr
0x400
0x3FC
0x3F8
0x3F4
0x3F0 (ESP)
0x3EC
… Register values may change based on library
![Page 51: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/51.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
argc/argv/envpReturn Address
value of caller’s ebp
0X010
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x010
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP 0x3FC
ESP 0x3F0
EIP instr addr
0x400
0x3FC
0x3F8
0x3F4
0x3F0 (ESP)
0x3EC
… Register values may change based on library
![Page 52: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/52.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
envp[]
argv[]
argc
Return Address
value of caller’s ebp
0X010
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x001
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP 0x3FC
ESP 0x3F0
EIP instr addr
…
0x408
0x404
0x400
0x3FC
0x3F8
… Value of argc varies based on cmd line
![Page 53: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/53.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
envp[]
argv[]
argc
Return Address
value of caller’s ebp
0X010
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x001
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP 0x3FC
ESP 0x3FC
EIP instr addr
…
0x408
0x404
0x400
0x3FC
0x3F8
… mov %ebp, %esp
![Page 54: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/54.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
envp[]
argv[]
argc
Return Address
value of caller’s ebp
0X010
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x001
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP caller’s ebp
ESP 0x400
EIP instr addr
…
0x408
0x404
0x400
0x3FC
0x3F8
… pop %ebp
![Page 55: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/55.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
program.s – line by line.file “program.c".def ___main; .scl.text
.globl _main.def _main; .scl
_main:pushl%ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___mainmovl 8(%ebp), %eaxleaveret 0x0 (0)
envp[]
argv[]
argc
Return Address
value of caller’s ebp
0X010
…TEXT, DATA, HEAP(code, constants)
Register Value (Hex)
EAX 0x001
EBX ?@$Ω∆
ECX ?@$Ω∆
EDX ?@$Ω∆
ESI ?@$Ω∆
EDI ?@$Ω∆
EBP caller’s ebp
ESP 0x404
EIP return addr
…
0x408
0x404
0x400
0x3FC
0x3F8
…
Sample C Program # 2

```c
int main(int argc, char *argv[])   // argc is usually 1 or greater as argv[0] = pathname of program
{
    return argc++;
}
```

This time we post-increment argc. `argc++` evaluates to the value argc held before the increment, so that old value is what gets returned; the increment itself only lands in the stack copy of argc, as the assembly shows.

Sample GNU Assembly # 2

```asm
	.file	"register_example_2.c"
	.def	___main; .scl 2; .type 32; .endef
	.text
.globl _main
	.def	_main; .scl 2; .type 32; .endef
_main:
	pushl	%ebp
	movl	%esp, %ebp
	subl	$8, %esp
	andl	$-16, %esp
	movl	$0, %eax
	addl	$15, %eax
	addl	$15, %eax
	shrl	$4, %eax
	sall	$4, %eax
	movl	%eax, -4(%ebp)
	movl	-4(%ebp), %eax
	call	__alloca
	call	___main
	movl	8(%ebp), %eax
	incl	8(%ebp)
	leave
	ret
```

Sample # 2 - Differences

Only the instructions between `call ___main` and `leave` differ from program.s:

• `movl 8(%ebp), %eax`: still storing the current value of argc (before the increment) into eax, so it will be the return value.
• `incl 8(%ebp)`: this instruction increments the value of argc in memory, in the argument slot at 8(%ebp), which isn't returned.
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
Sample C Program # 3
int main(int argc, char *argv[ ]) // argc is usually 1 or greater as argv[0] = pathname of programreturn ++argc;
This time we are incrementing argc before returning it.
![Page 61: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/61.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
Sample GNU Assembly # 3.file "register_example_3.c".def ___main; .scl 2; .type 32; .endef.text
.globl _main.def _main; .scl 2; .type 32; .endef
_main:pushl %ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___main incl 8(%ebp) movl 8(%ebp), %eax leaveret
![Page 62: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/62.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
Sample # 3 - Differences.file "register_example_3.c".def ___main; .scl 2; .type 32; .endef.text
.globl _main.def _main; .scl 2; .type 32; .endef
_main:pushl %ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___main incl 8(%ebp) movl 8(%ebp), %eax leaveret
This instruction increments the value of argc in memory first.
![Page 63: Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009](https://reader035.vdocuments.us/reader035/viewer/2022062721/56649f255503460f94c3c32d/html5/thumbnails/63.jpg)
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede
Sample # 3 - Differences.file "register_example_3.c".def ___main; .scl 2; .type 32; .endef.text
.globl _main.def _main; .scl 2; .type 32; .endef
_main:pushl %ebpmovl %esp, %ebpsubl $8, %espandl $-16, %espmovl $0, %eaxaddl $15, %eaxaddl $15, %eaxshrl $4, %eaxsall $4, %eaxmovl %eax, -4(%ebp)movl -4(%ebp), %eaxcall __allocacall ___main incl 8(%ebp) movl 8(%ebp), %eax leaveret
This instructions sets eax to the newly modified value of argc.
This incremented value will be returned.
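As an added example (not from Beede's slides), the C program below replays the slide trace for program.s and the two bodies from samples # 2 and # 3 against a 32-bit stack held in an array, so the register and memory values on each slide can be checked instead of read off. The cell addresses are the slides' illustrative ones; the return address 0x1234, the caller's EBP 0x7FF0 and the argv/envp pointer values are constructed; `__alloca` is modeled as MinGW's helper that lowers ESP by EAX, and `___main` as a no-op.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit stack as the slides draw it: one uint32_t per 4-byte cell, indexed by
 * address, covering 0x000..0x41C. The addresses are the slides' illustrative
 * values (0x400 return address, 0x3FC saved EBP, ...), not real process ones. */
#define MEM_BYTES 0x420

typedef struct {
    uint32_t eax, ebp, esp, eip;
    uint32_t mem[MEM_BYTES / 4];
} cpu_t;

static uint32_t ld(const cpu_t *c, uint32_t addr) { return c->mem[addr / 4]; }
static void st(cpu_t *c, uint32_t addr, uint32_t v) { c->mem[addr / 4] = v; }

/* pushl: ESP -= 4, then store at the new ESP.  popl: load from ESP, then ESP += 4. */
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; st(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = ld(c, c->esp); c->esp += 4; return v; }

/* leave == movl %ebp, %esp ; popl %ebp.   ret == popl %eip. */
static void leave(cpu_t *c) { c->esp = c->ebp; c->ebp = pop(c); }
static void ret(cpu_t *c) { c->eip = pop(c); }

enum { BODY_RETURN_ARGC = 1, BODY_RETURN_ARGC_POSTINC = 2, BODY_RETURN_ARGC_PREINC = 3 };

/* State right after the C runtime's `call _main`: envp/argv/argc at
 * 0x40C/0x408/0x404, return address at 0x400, ESP = 0x400. The argv/envp
 * pointer values, the return address and the caller's EBP are constructed. */
static void setup_call_main(cpu_t *c, uint32_t argc, uint32_t ret_addr, uint32_t caller_ebp) {
    memset(c, 0, sizeof *c);
    c->ebp = caller_ebp;
    c->esp = 0x410;
    push(c, 0x500);    /* envp[]  -> 0x40C */
    push(c, 0x4F0);    /* argv[]  -> 0x408 */
    push(c, argc);     /* argc    -> 0x404 */
    push(c, ret_addr); /* pushed by `call _main` -> 0x400 */
}

/* _main's prologue, instruction for instruction as gcc 3.4 emitted it. */
static void main_prologue(cpu_t *c) {
    push(c, c->ebp);            /* pushl %ebp           [0x3FC] = caller's ebp, ESP 0x3FC */
    c->ebp = c->esp;            /* movl %esp, %ebp      EBP 0x3FC */
    c->esp -= 8;                /* subl $8, %esp        ESP 0x3F4 */
    c->esp &= ~15u;             /* andl $-16, %esp      ESP 0x3F0 */
    c->eax = 0;                 /* movl $0, %eax */
    c->eax += 15;               /* addl $15, %eax       0x00F */
    c->eax += 15;               /* addl $15, %eax       0x01E */
    c->eax >>= 4;               /* shrl $4, %eax        0x001 */
    c->eax <<= 4;               /* sall $4, %eax        0x010: 0 rounded up to 16 bytes */
    st(c, c->ebp - 4, c->eax);  /* movl %eax, -4(%ebp)  [0x3F8] = 0x010 */
    c->eax = ld(c, c->ebp - 4); /* movl -4(%ebp), %eax */
}

/* call __alloca: MinGW's helper takes the byte count in EAX and lowers ESP by it
 * (the slides keep ESP at 0x3F0 here).  call ___main runs constructors and is
 * modeled as a no-op.  EAX/ECX/EDX are caller-saved, so either call may clobber
 * them; that is why the body reloads EAX from 8(%ebp) afterwards. */
static void main_library_calls(cpu_t *c) { c->esp -= c->eax; }

/* The three bodies from the deck: return argc; return argc++; return ++argc; */
static void main_body(cpu_t *c, int body) {
    uint32_t argc_at = c->ebp + 8;                   /* 8(%ebp) == 0x404 */
    switch (body) {
    case BODY_RETURN_ARGC:                            /* movl 8(%ebp), %eax */
        c->eax = ld(c, argc_at);
        break;
    case BODY_RETURN_ARGC_POSTINC:                    /* movl 8(%ebp), %eax ; incl 8(%ebp) */
        c->eax = ld(c, argc_at);
        st(c, argc_at, ld(c, argc_at) + 1);
        break;
    case BODY_RETURN_ARGC_PREINC:                     /* incl 8(%ebp) ; movl 8(%ebp), %eax */
        st(c, argc_at, ld(c, argc_at) + 1);
        c->eax = ld(c, argc_at);
        break;
    }
}

static void main_epilogue(cpu_t *c) { leave(c); ret(c); }   /* leave ; ret */

/* Run one body end to end; the value handed back is main's return value (EAX). */
static uint32_t run_main(cpu_t *c, int body, uint32_t argc) {
    setup_call_main(c, argc, 0x1234, 0x7FF0);
    main_prologue(c);
    main_library_calls(c);
    main_body(c, body);
    main_epilogue(c);
    return c->eax;
}

int main(void) {
    cpu_t c;
    for (int body = BODY_RETURN_ARGC; body <= BODY_RETURN_ARGC_PREINC; body++) {
        uint32_t rv = run_main(&c, body, 1);
        printf("body %d: EAX %u, argc slot [0x404] %u, after ret ESP %#x EIP %#x EBP %#x\n",
               body, rv, ld(&c, 0x404), c.esp, c.eip, c.ebp);
    }
    return 0;
}
```

Build with any C99 compiler (`cc -std=c99 -Wall model.c`). For each body the program prints the value left in EAX, the argc slot at 0x404 after the body ran, and ESP/EIP/EBP after `ret`; the first should match slides 52 to 55 and the other two the differences noted for samples # 2 and # 3 (argc++ returns 1 and leaves 2 in the slot, ++argc returns 2). Calling the stages one at a time, as the test below does, lets you stop at any slide and compare the register table.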
References

• http://en.wikipedia.org/wiki/X86
• http://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture
• http://en.wikibooks.org/wiki/X86_Assembly/GAS_Syntax
• http://scr.csc.noctrl.edu/courses/csc220/asm/GnuFTPl.htm
• http://www.governmentsecurity.org/forum/index.php?showtopic=32146
• http://blogs.embarcadero.com/eboling/2009/10/13/5620
• http://gcc.gnu.org/onlinedocs/gccint/Initialization.html
• gcc version: gcc (GCC) 3.4.5 (mingw-vista special r3)
Copyright
x86 Assembly Registers and the Stack by Rodney Beede is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.
Any slides you copy/modify into your own work must retain the following on each slide/page where the work appears:
Derived from "x86 Assembly Registers and the Stack" by Rodney Beede