asm stack related registers

Printable View

07-09-2011
kibbles18

asm stack related registers

i have a few questions about the stack registers esp and ebp.

Code:

mov ebp, esp

what does this do? why are we moving the stack pointer into the stack base pointer?
07-09-2011
.::SCHiM::.

Quote:

Originally Posted by kibbles18

i have a few questions about the stack registers esp and ebp.

Code:

mov ebp, esp

what does this do? why are we moving the stack pointer into the stack base pointer?

This often happens at the beginning of a stdcall function. As you know arguments are pushed to the stack before a call is made. When the function is then called and the stack pointer is moved into the base pointer the functions sees the stack as if it hasn't been used yet. Because for as far as the function can see, the stack begins where it ended for the caller.

This is often how stdcall functions are compiled:

Code:

push ebp mov ebp, esp ... ... mov esp, ebp ;; restore the original stack pointer pop ebp ;; restore the original base pointer

Since the ebp register normally remains unused by the function the stack pointer can be moved back when the function is done executing. This way the function removes all but 4 bytes from the stack, the return statement (ret) removes even this (it's the return address) Now it is as though nothing has used the stack from the callers perspective, all is as it was before the call.

I hope this answers your question, but you should keep in mind that this is the Cpp section, you can also post your question in the asm forum and vm/pm someone to look at it.
07-09-2011
Void

The simplest way I can say it would be.. the stack is always changing so you store the stack pointer at it's current state when the function is called into ebp so you can use it the way it was.
07-09-2011
kibbles18

in an stdcall function, does the following psuedocode access the first or second or either variable passed to the function?

Code:

push ebp mov ebp, esp inc [ebp + 8h] ; variable 1? or 2?

also, does the esp register point to the current data on the stack, or 4 bytes below it?

one more thing: if i call an stdcall function from an injected DLL, do i need to adjust the stack by using RET (arguments size)?

im trying to grasp the concept i found here: https://www.dotnetmonster.com/Uwe/For...ing-convention
07-09-2011
open|Fire

Quote:

Originally Posted by kibbles18

in an stdcall function, does the following psuedocode access the first or second or either variable passed to the function?

Code:

push ebp mov ebp, esp inc [ebp + 8h] ; variable 1? or 2?

1 argument.

Quote:

Originally Posted by kibbles18

also, does the esp register point to the current data on the stack, or 4 bytes below it?

ESP register always point to the current data on the stack.

Quote:

Originally Posted by kibbles18

one more thing: if i call an stdcall function from an injected DLL, do i need to adjust the stack by using RET (arguments size)?

No if you use

Code:

LEAVE or mov esp,ebp pop ebp