1.9. SCANF()
Here is a typical stack frame layout in a 32-bit environment:

    ...        ...
    EBP-8      local variable #2, marked in IDA as var_8
    EBP-4      local variable #1, marked in IDA as var_4
    EBP        saved value of EBP
    EBP+4      return address
    EBP+8      argument #1, marked in IDA as arg_0
    EBP+0xC    argument #2, marked in IDA as arg_4
    EBP+0x10   argument #3, marked in IDA as arg_8
    ...        ...
The scanf() function in our example has two arguments.
The first one is a pointer to the string containing %d and the second is the address of the x variable.
First, the x variable's address is loaded into the EAX register by the lea eax, DWORD PTR _x$[ebp] instruction.
LEA stands for load effective address, and is often used for forming an address (.1.6 on page 1028).
We could say that in this case LEA simply stores the sum of the EBP register value and the _x$ macro in the EAX register.
This is the same as lea eax, [ebp-4].
So, 4 is subtracted from the EBP register value and the result is loaded into the EAX register; no memory is read. Next, the EAX register value is pushed onto the stack and scanf() is called.
printf() is called after that with its first argument—a pointer to the string: You entered %d...\n.
The second argument is prepared with: mov ecx, [ebp-4]. This instruction stores the x variable's value, and not its address, in the ECX register, because the square brackets in a MOV mean a memory read.
Next, the value in ECX is pushed onto the stack and the last printf() is called.
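As an added illustration (not code from the book), the following C program simulates the frame described above: a byte array stands in for the stack, a variable named ebp holds an index into it, lea_ebp() mimics LEA (address arithmetic only), mov_from_ebp() mimics a MOV from [ebp+disp] (a memory read), and ida_disp() converts the var_N/arg_N names from the table into EBP displacements. The scanf() call is replaced by fake_scanf_d(), which writes through the address it is given, exactly as the real function does.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 32-bit "stack": 64 bytes, EBP sits in the middle so that
   both negative (locals) and positive (args) displacements are valid. */
#define STACK_SIZE 64
static uint8_t stack_mem[STACK_SIZE];
static uint32_t ebp = 32;               /* simulated EBP register (index into stack_mem) */

/* lea eax, [ebp+disp]: only computes the address, touches no memory. */
uint32_t lea_ebp(int32_t disp) {
    return ebp + (uint32_t)disp;        /* wraps correctly for negative disp */
}

/* mov ecx, [ebp+disp]: dereferences the effective address (little-endian dword). */
uint32_t mov_from_ebp(int32_t disp) {
    uint32_t v;
    memcpy(&v, &stack_mem[lea_ebp(disp)], 4);
    return v;
}

/* IDA naming from the table: var_N is EBP-N, arg_N is EBP+8+N (N is hex).
   Returns 0 for a name that matches neither pattern. */
int32_t ida_disp(const char *name) {
    if (strncmp(name, "var_", 4) == 0)
        return -(int32_t)strtol(name + 4, NULL, 16);
    if (strncmp(name, "arg_", 4) == 0)
        return 8 + (int32_t)strtol(name + 4, NULL, 16);
    return 0;
}

/* Stand-in for scanf("%d", &x): parses the text and stores the result
   through the pointer (address) it received, not into a copy. */
void fake_scanf_d(uint32_t addr, const char *input) {
    uint32_t v = (uint32_t)strtol(input, NULL, 10);
    memcpy(&stack_mem[addr], &v, 4);
}

int main(void) {
    int32_t x_disp = ida_disp("var_4");      /* _x$ == -4 */
    uint32_t eax = lea_ebp(x_disp);          /* lea eax, [ebp-4]: address of x */
    fake_scanf_d(eax, "1234");               /* scanf() writes into *eax */
    uint32_t ecx = mov_from_ebp(-4);         /* mov ecx, [ebp-4]: value of x */
    printf("You entered %u...\n", ecx);      /* prints 1234 */
    return 0;
}
```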