CHAPTER 6. PRINTF() WITH SEVERAL ARGUMENTS
Press F8 (step over).
We see the following output in the console:
Figure 6.4: printf() function executed
Let’s see how the registers and stack state have changed:
Figure 6.5: OllyDbg after printf() execution
Register EAX now contains 0xD (13). That is correct, since printf() returns the number of characters printed. The value
of EIP has changed: indeed, it now contains the address of the instruction following CALL printf. The ECX and EDX
values have changed as well. Apparently, the printf() function's hidden machinery used them for its own needs.
A very important fact is that neither the ESP value nor the stack state has changed! We clearly see that the format
string and the corresponding 3 values are still there. This is indeed the cdecl calling convention behaviour: the callee does not
restore ESP to its previous value. The caller is responsible for doing so.
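The two facts observed in the debugger, that EAX holds the number of characters printed and that the caller, not printf(), is responsible for the three pushed values, can be checked from C without a debugger. The following is an added example written for this edition, not code from the book: it assumes a format string with three integer conversions and no trailing newline (the page does not show it), so that the printed text is exactly 13 characters, matching the 0xD seen in EAX.

```c
#include <stdio.h>

/* Assumed format string (not shown on this page): three %d conversions and
   no trailing newline, so "a=1; b=2; c=3" is 13 characters long. */
#define FMT "a=%d; b=%d; c=%d"

/* Calls printf() with the format string and three values, exactly as the
   disassembled program does, and hands back printf()'s return value, which
   is what ends up in EAX after the CALL. */
int call_printf_three(int a, int b, int c)
{
    int n = printf(FMT, a, b, c);
    return n;
}

/* Computes independently how many characters printf() must report, so the
   value in EAX can be verified rather than trusted. snprintf() with a NULL
   buffer and size 0 returns the length the output would have had. */
int expected_length(int a, int b, int c)
{
    return snprintf(NULL, 0, FMT, a, b, c);
}

/* The caller's side of cdecl: the arguments a, b, c it pushed are still its
   own after the call returns, untouched by printf(), and the caller keeps
   using them. Returns 1 when the values survived the call unchanged. */
int caller_still_owns_arguments(void)
{
    int a = 1, b = 2, c = 3;
    (void)call_printf_three(a, b, c);
    return a == 1 && b == 2 && c == 3;
}

int main(void)
{
    int n = call_printf_three(1, 2, 3);
    printf("\nprintf() returned %d (0x%X), expected %d\n",
           n, n, expected_length(1, 2, 3));
    return (n == expected_length(1, 2, 3)) ? 0 : 1;
}
```

Comparing call_printf_three() against expected_length() is the habit worth keeping: a printf-family return value is a count, and when the count disagrees with what the format string should have produced, output was truncated or the call failed.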