1.10. ACCESSING PASSED ARGUMENTS
After that, ADD adds the value in _c to EAX.
The value in EAX does not need to be moved: it is already where it must be. On returning to caller, it takes
the EAX value and uses it as an argument to printf().
MSVC + OllyDbg
Let’s illustrate this in OllyDbg. When we trace to the first instruction in f() that uses one of the arguments
(the first one), we see that EBP is pointing to the stack frame, which is marked with a red rectangle.
The first element of the stack frame is the saved value of EBP, the second one is RA, the third is the first
function argument, then the second and third ones.
To access the first function argument, one needs to add exactly 8 (2 32-bit words) to EBP.
OllyDbg is aware of this, so it has added comments to the stack elements like
“RETURN from” and “Arg1 = ...”, etc.
N.B.: Function arguments are not members of the function’s stack frame, they are rather members of the
stack frame of the caller function.
Hence, OllyDbg marked “Arg” elements as members of another stack frame.
Figure 1.23: OllyDbg: inside of f() function
GCC
Let’s compile the same in GCC 4.4.1 and see the results in IDA:
Listing 1.88: GCC 4.4.1
public f
f proc near
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0] ; 1st argument
imul eax, [ebp+arg_4] ; 2nd argument
add eax, [ebp+arg_8] ; 3rd argument
pop ebp
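To make the frame layout above concrete, here is an added helper (not code from the book): it reads IDA-style `name = dword ptr N` definitions and resolves every `[ebp+...]` operand to the saved EBP, the return address, or the n-th argument pushed by the caller, assuming the 32-bit cdecl frame shown in the listing (saved EBP at offset 0, RA at 4, arguments from 8). The sample listing embedded in it is constructed from the GCC output above.

```python
import re

WORD = 4  # 32-bit x86 frame: [ebp+0] saved EBP, [ebp+4] return address, args from [ebp+8]

# Constructed sample modelled on the GCC 4.4.1 listing above (IDA syntax).
SAMPLE_LISTING = """\
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
mov eax, [ebp+arg_0]
imul eax, [ebp+arg_4]
add eax, [ebp+arg_8]
"""

def parse_ida_int(text):
    """IDA writes hex with a trailing 'h' (0Ch, 10h); plain digits are decimal."""
    text = text.strip()
    return int(text[:-1], 16) if text.lower().endswith("h") else int(text)

def frame_slots(listing):
    """Collect 'name = dword ptr N' definitions into {name: offset-from-EBP}."""
    slots = {}
    for m in re.finditer(r"^\s*(\w+)\s*=\s*dword ptr\s*(-?[0-9A-Fa-f]+h?)", listing, re.M):
        slots[m.group(1)] = parse_ida_int(m.group(2))
    return slots

def describe_offset(offset):
    """Map an EBP-relative offset to what lives there in a standard cdecl frame."""
    if offset < 0:
        return "local variable (this function's frame)"
    if offset == 0:
        return "saved EBP"
    if offset == WORD:
        return "return address"
    if offset % WORD == 0:
        return f"argument {(offset - 2 * WORD) // WORD + 1} (caller's frame)"
    return "unaligned slot"

def annotate(listing):
    """Return (instruction, note) for every [ebp+...] memory operand in the listing."""
    slots = frame_slots(listing)
    out = []
    for line in listing.splitlines():
        m = re.search(r"\[ebp\+(\w+)\]", line)
        if m:
            ref = m.group(1)  # either a named slot (arg_4) or a raw number (0Ch)
            offset = slots[ref] if ref in slots else parse_ida_int(ref)
            out.append((line.strip(), describe_offset(offset)))
    return out
```

Running `annotate(SAMPLE_LISTING)` labels the three memory operands as arguments 1, 2 and 3 of the caller's frame, matching the comments in the listing.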