  1. #1
    kibbles18

    asm stack related registers

    I have a few questions about the stack registers esp and ebp.
    Code:
    mov ebp, esp
    What does this do? Why are we moving the stack pointer into the stack base pointer?

  2. #2
    .::SCHiM::.
    Quote Originally Posted by kibbles18 View Post
    I have a few questions about the stack registers esp and ebp.
    Code:
    mov ebp, esp
    What does this do? Why are we moving the stack pointer into the stack base pointer?
    This often happens at the beginning of a stdcall function. As you know, arguments are pushed to the stack before a call is made. When the function is then called and the stack pointer is moved into the base pointer, the function sees the stack as if it hasn't been used yet, because as far as the function can see, the stack begins where it ended for the caller.

    This is often how stdcall functions are compiled:

    Code:
    push ebp              ;; save the caller's base pointer
    mov ebp, esp          ;; this function's frame starts at the current stack pointer
    
    ...
    ...
    
    mov esp, ebp          ;; restore the original stack pointer
    pop ebp               ;; restore the original base pointer
    Since the ebp register normally remains unused by the function, the stack pointer can be moved back when the function is done executing. This way the function removes all but 4 bytes from the stack; the return statement (ret) removes even this (it's the return address). Now it is as though nothing has used the stack from the caller's perspective; all is as it was before the call.

    I hope this answers your question, but you should keep in mind that this is the Cpp section; you can also post your question in the asm forum and vm/pm someone to look at it.

    I'm SCHiM

  4. #3
    Void
    The simplest way I can say it would be: the stack is always changing, so you store the stack pointer at its current state when the function is called into ebp so you can use it the way it was.

  6. #4
    kibbles18
    In a stdcall function, does the following pseudocode access the first or second or either variable passed to the function?
    Code:
    push ebp
    mov ebp, esp
    inc dword ptr [ebp + 8h]   ; variable 1? or 2?
    Also, does the esp register point to the current data on the stack, or 4 bytes below it?

    One more thing: if I call a stdcall function from an injected DLL, do I need to adjust the stack by using RET (arguments size)?

    I'm trying to grasp the concept I found here: https://www.dotnetmonster.com/Uwe/For...ing-convention
    Last edited by kibbles18; 07-09-2011 at 04:19 PM.

  7. #5
    open|Fire
    Quote Originally Posted by kibbles18 View Post
    In a stdcall function, does the following pseudocode access the first or second or either variable passed to the function?
    Code:
    push ebp
    mov ebp, esp
    inc dword ptr [ebp + 8h]   ; variable 1? or 2?
    The first argument.

    Quote Originally Posted by kibbles18 View Post
    Also, does the esp register point to the current data on the stack, or 4 bytes below it?
    The ESP register always points to the current data on the stack.

    Quote Originally Posted by kibbles18 View Post
    One more thing: if I call a stdcall function from an injected DLL, do I need to adjust the stack by using RET (arguments size)?
    No, if you use
    Code:
    leave
    ; or, equivalently:
    mov esp, ebp
    pop ebp
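Added example (written for this page, not code from any post in the thread), tying together the prologue/epilogue sequence in #2 and the [ebp+8h], [esp] and "ret n" questions answered in #5: a small C model of the 32-bit x86 stack that replays push b / push a / call / push ebp / mov ebp, esp / ... / mov esp, ebp / pop ebp / ret n and reports what the callee read at [ebp+8h] and [ebp+0Ch], what [esp] holds right after a push, and where esp ends up after the return. The 256-byte stack, the return address 0x00401234, the caller's ebp value and the argument values are constants made up for the simulation; the instruction semantics are the real ones.

```c
/* Model of the 32-bit x86 stack: a byte array addressed by a simulated
 * esp/ebp.  push/pop/call/ret behave as the real instructions do; only the
 * stack size, return address and caller ebp are made-up constants. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES   256           /* arbitrary size of the simulated stack */
#define FAKE_RET_ADDR 0x00401234u   /* stand-in for the caller's next eip */
#define CALLER_EBP    0xFFFFFFF0u   /* caller's ebp: saved/restored, never dereferenced */

typedef struct {
    uint8_t  mem[STACK_BYTES];      /* stack memory; addresses are offsets into it */
    uint32_t esp;                   /* points AT the most recently pushed dword */
    uint32_t ebp;                   /* frame pointer of the current function */
} cpu_t;

static uint32_t rd32(const cpu_t *c, uint32_t addr) {
    uint32_t v;
    assert(addr + 4 <= STACK_BYTES);    /* reading above the stack top is a bug */
    memcpy(&v, &c->mem[addr], 4);
    return v;
}
static void wr32(cpu_t *c, uint32_t addr, uint32_t v) {
    assert(addr + 4 <= STACK_BYTES);
    memcpy(&c->mem[addr], &v, 4);
}
/* push: esp -= 4, then store (the stack grows toward lower addresses) */
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
/* pop: load from [esp], then esp += 4 */
static uint32_t pop(cpu_t *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }
/* n-th (0-based) dword argument as the callee sees it after push ebp / mov ebp, esp:
 * [ebp+0] saved ebp, [ebp+4] return address, [ebp+8] first argument, ... */
static uint32_t arg(const cpu_t *c, unsigned n) { return rd32(c, c->ebp + 8 + 4 * n); }

typedef struct {
    uint32_t arg1, arg2;    /* values read at [ebp+8h] and [ebp+0Ch] */
    uint32_t ret_addr;      /* value the final ret popped */
    int32_t  esp_delta;     /* esp after the call minus esp before the pushes */
} trace_t;

/* push b / push a / call f, where f has one dword local and returns with
 * "ret cleanup_bytes": 8 for a two-argument stdcall function, 0 for cdecl. */
static trace_t call_two_args(uint32_t a, uint32_t b, unsigned cleanup_bytes) {
    cpu_t c = { {0}, STACK_BYTES, CALLER_EBP };   /* empty stack, esp just past it */
    uint32_t esp_before = c.esp;
    trace_t t;

    push(&c, b);                    /* arguments go on right to left, */
    push(&c, a);                    /* so the first argument is nearest the top */
    push(&c, FAKE_RET_ADDR);        /* call: pushes the return address */

    push(&c, c.ebp);                /* push ebp      (save caller's frame) */
    c.ebp = c.esp;                  /* mov ebp, esp  (this frame starts here) */
    c.esp -= 4;                     /* sub esp, 4    (one dword local at [ebp-4]) */
    wr32(&c, c.ebp - 4, 0xCAFEu);

    t.arg1 = arg(&c, 0);            /* the dword "inc dword ptr [ebp+8h]" would modify */
    t.arg2 = arg(&c, 1);

    c.esp = c.ebp;                  /* mov esp, ebp  (drops the local) */
    c.ebp = pop(&c);                /* pop ebp       (leave == these two) */
    assert(c.ebp == CALLER_EBP);

    t.ret_addr = pop(&c);           /* ret n: pop the return address ... */
    c.esp += cleanup_bytes;         /* ... then add n to esp */
    t.esp_delta = (int32_t)(c.esp - esp_before);
    return t;
}

/* Does esp point at the dword just pushed, or 4 bytes away from it? */
static uint32_t value_at_esp_after_push(uint32_t v) {
    cpu_t c = { {0}, STACK_BYTES, CALLER_EBP };
    push(&c, v);
    return rd32(&c, c.esp);         /* [esp] is the newest dword */
}

int main(void) {
    trace_t s = call_two_args(1, 2, 8);   /* stdcall: callee removes the arguments */
    trace_t d = call_two_args(1, 2, 0);   /* cdecl: plain ret, arguments stay */
    printf("stdcall: arg1=%u arg2=%u ret=%#x esp_delta=%d\n",
           (unsigned)s.arg1, (unsigned)s.arg2, (unsigned)s.ret_addr, (int)s.esp_delta);
    printf("cdecl:   arg1=%u arg2=%u esp_delta=%d -> caller must add esp, 8\n",
           (unsigned)d.arg1, (unsigned)d.arg2, (int)d.esp_delta);
    printf("[esp] after push 0x1234: %#x\n", (unsigned)value_at_esp_after_push(0x1234));
    return 0;
}
```

The esp_delta line is the point behind the last question: leave (or mov esp, ebp / pop ebp) only unwinds the locals and the saved ebp. It is the "ret 8" of a two-argument stdcall callee that removes the arguments, so a caller of a stdcall function has nothing to adjust afterwards; with a plain "ret" (cdecl) the arguments are still on the stack and the caller must do "add esp, 8" itself.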
