Reversing: The Hacker's Guide to Reverse Engineering

Figure C.1 Layout of the stack and of a stack frame.

ENTER is a highly complex instruction that performs the work of quite a few
instructions. Internally, it is implemented using a fairly lengthy piece of
microcode, which creates some performance problems. For this reason most
compilers seem to avoid using ENTER, even if they support nested code blocks

[Figure C.1, "Stack Layout" panel: addresses run from the lowest memory address at the top to the highest at the bottom. From low to high: unused space below the current value of ESP; the currently running function's stack frame, whose base is the current value of EBP; the stack frames of the previous function (the caller) and of earlier callers; the beginning of the stack at the highest address.]

[Figure C.1, "Stack Frame Layout" panel, from highest to lowest address: Parameter 3, Parameter 2, Parameter 1 (pushed by caller, popped by the RET instruction in stdcall functions or by the caller in cdecl functions); Return Address (pushed by the CALL instruction, popped by the RET instruction); Old EBP (pushed by the function prologue, popped by the function epilogue); Local Variable 1, Local Variable 2, Local Variable 3.]
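The frame described above, replayed in a small added model that is not the book's code: it emulates a 32-bit stack, builds a frame either with ENTER (implemented as Intel documents it, including the nested-procedure display copy that makes it heavy) or with the push ebp / mov ebp,esp / sub esp sequence compilers prefer, reports each item's EBP-relative offset, and contrasts stdcall and cdecl cleanup at RET. Start ESP/EBP and the return address are constructed values; locals are ordered as in Figure C.1.

```python
WORD = 4                                  # 32-bit stack slots
class Stack:
    def __init__(self, esp=0x0012FF80, ebp=0x0012FFC0):   # constructed values
        self.mem, self.esp, self.ebp = {}, esp, ebp
    def push(self, v):
        self.esp -= WORD
        self.mem[self.esp] = v & 0xFFFFFFFF
    def pop(self):
        v, self.esp = self.mem[self.esp], self.esp + WORD
        return v
    def enter(self, size, level):
        # ENTER per Intel: push ebp / mov ebp,esp / sub esp,size, plus copying
        # 'level' saved frame pointers for nested procedures (the extra work).
        self.push(self.ebp)
        frame = self.esp
        if level > 0:
            for _ in range(level - 1):
                self.ebp -= WORD
                self.push(self.mem.get(self.ebp, 0))
            self.push(frame)
        self.ebp = frame
        self.esp -= size
    def leave(self):                      # LEAVE: mov esp,ebp / pop ebp
        self.esp = self.ebp
        self.ebp = self.pop()

def build_frame(stack, params, local_bytes, use_enter, ret_addr=0x00401234):
    # Caller pushes params right to left, CALL pushes the return address, the
    # prologue saves EBP and reserves locals. Returns EBP offsets per Figure C.1.
    for p in reversed(params):
        stack.push(p)
    stack.push(ret_addr)                  # done by the CALL instruction
    if use_enter:
        stack.enter(local_bytes, 0)       # ENTER local_bytes, 0
    else:                                 # push ebp / mov ebp,esp / sub esp,N
        stack.push(stack.ebp); stack.ebp = stack.esp; stack.esp -= local_bytes
    layout = {"old_ebp": 0, "return_address": WORD}
    for i in range(len(params)):
        layout[f"param{i + 1}"] = (i + 2) * WORD
    for i in range(local_bytes // WORD):
        layout[f"local{i + 1}"] = -(i + 1) * WORD
    return layout

def return_to_caller(stack, convention, n_params):
    # LEAVE + RET; stdcall's RET n pops the parameters, cdecl leaves them for
    # the caller's ADD ESP. Returns (return address, ESP right after RET).
    stack.leave()
    ret_addr = stack.pop()                # RET pops the return address
    if convention == "stdcall":
        stack.esp += n_params * WORD      # the 'n' in RET n
    return ret_addr, stack.esp
```

Calling `build_frame(Stack(), [1, 2, 3], 12, use_enter=False)` gives param1 at [ebp+8], the return address at [ebp+4], old EBP at [ebp] and local1 at [ebp-4], and `return_to_caller` shows ESP back at its pre-call value after a stdcall RET 12 but 12 bytes lower after a cdecl RET.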

Deciphering Program Data 539

