Reverse Engineering for Beginners


CHAPTER 8. ACCESSING PASSED ARGUMENTS


call _printf
add esp, 8 ; cdecl: the caller removes the two arguments it pushed for printf()
; return 0
xor eax, eax ; EAX = 0 is main()'s return value
pop ebp ; restore the caller's frame pointer
ret 0
_main ENDP


What we see is that the main() function pushes 3 numbers onto the stack and calls f(int,int,int). Argument access
inside f() is organized with the help of macros like _a$ = 8, in the same way as local variables, but with positive offsets
(addressed with plus). So, we are addressing the outer side of the stack frame by adding the _a$ macro to the value in the
EBP register.


Then the value of a is stored into EAX. After the IMUL instruction executes, the value in EAX is the product of the value in EAX
and the content of _b. After that, ADD adds the value in _c to EAX. The value in EAX does not need to be moved: it is
already where it must be. On returning to the caller, the caller takes the EAX value and uses it as an argument to printf().


8.1.2 MSVC + OllyDbg


Let’s illustrate this in OllyDbg. When we trace to the first instruction in f() that uses one of the arguments (the first one), we
see that EBP is pointing to the stack frame, which is marked with a red rectangle. The first element of the stack frame is
the saved value of EBP, the second one is RA, the third is the first function argument, then the second and third ones. To
access the first function argument, one needs to add exactly 8 (2 32-bit words) to EBP.


OllyDbg is aware of this, so it has added comments to the stack elements like “RETURN from” and “Arg1 = ...”, etc.


N.B.: Function arguments are not members of the function’s stack frame; they are rather members of the stack frame of the
caller function. Hence, OllyDbg marked the “Arg” elements as members of another stack frame.


Figure 8.1: OllyDbg: inside of f() function
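To make the frame layout from the two passages above concrete (saved EBP at [ebp], RA at [ebp+4], arguments at [ebp+8], [ebp+12], [ebp+16], all living in the caller's frame), here is an added C model of the 32-bit cdecl stack around a call to f(). It is not code from the book; the argument values 1, 2, 3 and the return address 0x00401000 are constructed, and the stack is an array of dwords indexed by ESP/EBP, so "+4 bytes" is "+1 dword".

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stack model: higher addresses are at the end of the array. */
#define STACK_DWORDS 64
static uint32_t stack[STACK_DWORDS];
static uint32_t esp = STACK_DWORDS;   /* empty stack: ESP points just past the top */

static void push(uint32_t v) { stack[--esp] = v; }
static uint32_t pop(void) { return stack[esp++]; }

/* [ebp + byte_off]: what IDA's "arg_0 = dword ptr 8" style macros expand to. */
static uint32_t load_ebp(uint32_t ebp, int byte_off) { return stack[ebp + byte_off / 4]; }

/* Body of f with the same frame arithmetic as the MSVC/GCC output:
 * [ebp] = saved EBP, [ebp+4] = return address, [ebp+8..] = the arguments. */
static uint32_t f_body(uint32_t ebp) {
    uint32_t eax = load_ebp(ebp, 8);      /* mov eax, [ebp+8]   ; a   */
    eax *= load_ebp(ebp, 12);             /* imul eax, [ebp+12] ; a*b */
    eax += load_ebp(ebp, 16);             /* add eax, [ebp+16]  ; +c  */
    return eax;
}

/* Caller side: push args right-to-left, "call" (push RA), callee prologue,
 * body, epilogue, "ret", then the cdecl cleanup of 3 dwords (add esp, 12). */
uint32_t call_f(uint32_t a, uint32_t b, uint32_t c) {
    uint32_t fake_ra = 0x00401000u;   /* constructed return address */
    uint32_t ebp_caller = esp;        /* whatever EBP the caller had */
    uint32_t esp_before = esp;
    push(c); push(b); push(a);        /* cdecl: last argument is pushed first */
    push(fake_ra);                    /* call f */
    push(ebp_caller);                 /* push ebp */
    uint32_t ebp = esp;               /* mov ebp, esp */
    uint32_t eax = f_body(ebp);
    esp = ebp; ebp = pop();           /* mov esp, ebp / pop ebp */
    uint32_t ra = pop();              /* ret: the RA sits right below the args */
    esp += 3;                         /* add esp, 12: caller removes its 3 args */
    if (ra != fake_ra || esp != esp_before) return 0xFFFFFFFFu; /* sanity check */
    return eax;
}

int main(void) {
    printf("f(1, 2, 3) = %u\n", call_f(1, 2, 3)); /* prints 5 */
    return 0;
}
```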

8.1.3 GCC


Let’s compile the same in GCC 4.4.1 and see the results in IDA:


Listing 8.3: GCC 4.4.1
public f
f proc near


arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h


push ebp
mov ebp, esp
mov eax, [ebp+arg_0] ; 1st argument