1.8. PRINTF() WITH SEVERAL ARGUMENTS
Press F8 (step over).
We see the following output in the console:
a=1; b=2; c=3
Let’s see how the registers and stack state have changed:
Figure 1.10: OllyDbg after printf() execution
Register EAX now contains 0xD (13). That is correct, since printf() returns the number of characters
printed. The value of EIP has changed: indeed, it now contains the address of the instruction following
CALL printf. The ECX and EDX values have changed as well. Apparently, the printf() function's hidden
machinery used them for its own needs.
A very important fact is that neither the ESP value nor the stack state has been changed! We clearly
see that the format string and the corresponding 3 values are still there. This is indeed the cdecl calling
convention behavior: the callee does not return ESP back to its previous value; the caller is responsible
for doing so.
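To make the cdecl behavior concrete, here is a small added model (not from the book or from OllyDbg) of the PUSH/CALL/RET sequence around this printf() call. The stack and string addresses are constructed placeholders; the model also shows the stdcall contrast (RET 0x10), in which the callee pops its own arguments.

```python
"""Toy model of the stack around CALL printf for the cdecl vs stdcall conventions.
Constructed example: addresses below are placeholders, not values from the book."""

class Stack:
    def __init__(self, esp=0x0018FF8C):       # constructed initial ESP
        self.esp = esp
        self.mem = {}                         # address -> 32-bit value

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value

    def slots(self, count):
        """Values at [ESP], [ESP+4], ... (top of stack first)."""
        return [self.mem[self.esp + 4 * i] for i in range(count)]

FMT_ADDR = 0x00402100   # constructed address of the "a=%d; b=%d; c=%d" string
RET_ADDR = 0x00401023   # constructed address of the instruction after CALL printf

def call_printf(stack, convention):
    """Emulate PUSH 3 / PUSH 2 / PUSH 1 / PUSH fmt / CALL printf and the callee's RET.
    'cdecl': plain RET, the caller must later do ADD ESP, 0x10.
    'stdcall': RET 0x10, the callee pops its four arguments itself."""
    for arg in (3, 2, 1, FMT_ADDR):           # arguments are pushed right to left
        stack.push(arg)
    esp_before_call = stack.esp
    stack.push(RET_ADDR)                      # CALL pushes the return address
    eax = len("a=1; b=2; c=3")                # printf() returns the character count: 13
    eip = stack.pop()                         # RET pops the return address into EIP
    if convention == 'stdcall':
        stack.esp += 0x10                     # the "0x10" operand of RET 0x10
    return {'eax': eax, 'eip': eip, 'esp': stack.esp, 'esp_before_call': esp_before_call}

def cdecl_sequence():
    """Returns the state right after RET, the leftover arguments, and whether
    the caller's ADD ESP, 0x10 brings ESP back to its starting value."""
    s = Stack()
    esp_start = s.esp
    state = call_printf(s, 'cdecl')
    leftovers = s.slots(4)                    # fmt, 1, 2, 3 are still on the stack
    s.esp += 0x10                             # caller's ADD ESP, 0x10
    return state, leftovers, esp_start == s.esp

def stdcall_sequence():
    s = Stack()
    esp_start = s.esp
    call_printf(s, 'stdcall')
    return esp_start == s.esp                 # already restored by RET 0x10
```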