Function Call with register EBP and ESP in x86
本文主要介绍stack中的EBP、ESP寄存器以及enter
、leave
、call
、和ret
这四个指令。
本文多数内容转载自:对寄存器ESP和EBP的一些理解。
1. 基本概念
1.1 structure
push
时,地址减小;pop
时,地址增大。
1.2 Stack-Frame
The stack is typically divided into frames. Each stack frame can then contain local variables, parameters to be passed to another procedure, and procedure linking information.
1.3 EBP and ESP
In x86 architecure, register EBP means base pointer which always pointing to the base address of a stack frame. And register ESP means stack pointer which always pointing to the top of the stack frame. EIP as a program counter, storing the address of next instruction should be executed.
ESP has a special function, which is to act as the stack pointer, and it gets implicitly modified by certain instructions (e.g. push
, pop
, call
).
2. example
下面是caller调用函数test(int p1,int p2)
的汇编代码
假设caller前堆栈指针ESP为0xAAAAAAA ;EBP为0xAAAAAB0.1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16push p2 ;参数2入栈,ESP-=4h,ESP=0xAAAAAA6
push p1 ;参数1入栈,ESP-=4h,ESP=0xAAAAAA2
call test ;压入caller的EIP,ESP-=4h,ESP=0xAAAAA9E
;//进入函数内
{
push ebp ;保存caller的EBP指针,EBP入栈(即0xAAAAAB0入栈),ESP-=4h,ESP=0xAAAAA9A
mov ebp, esp ;设置EBP指针指向栈顶,EBP=0xAAAAA9A
mov eax, dword ptr [ebp+0ch] ;ebp+0ch为0xAAAAAA6即参数2的位置
mov ebx, dword ptr [ebp+08h] ;ebp+08h为0xAAAAAA2,即参数1的位置
sub esp, 8 ;局部变量所占空间ESP-=8h,ESP=0xAAAAA92
...
add esp, 8 ;释放局部变量,ESP+=8h,ESP=0xAAAAA9A
pop ebp ;出栈,恢复EBP,ESP+=4h,ESP=0xAAAAA9E,EBP=0xAAAAAB0
ret 8 ;ret返回,弹出EIP,ESP+=4h,ESP=0xAAAAAA2
add esp, 8 ;ESP+=8h,ESP=0xAAAAAAA,恢复caller进入test函数前的堆栈.
}
3. enter
、leave
、call
、和ret
In AT&T x86 assembly, there’re four instructions: call
, ret
, enter
and leave
participated in function call.
call
and ret
equal to the following logics respectively:1
2
3
4
5
6CALL: push %eip #store the return address on stack frame
mov f, %eip #reset the value of EIP for safety
jmp LABEL #jump to subroutine
RET: pop %eip #restore the return address to EIP
jmp %eip #jump back to where the subroutine call ends
enter
and leave
equal to the following instructions respectively:1
2
3
4
5ENTER: push %ebp #store the old EBP
mov %esp, %ebp #set new EBP pointing to current ESP
LEAVE: mov %ebp, %esp #set ESP pointing to current EBP (return to the point before function call happened)
pop %ebp #restore the old EBP
参考资料:
- sdm vol1 Chapter6
- 对寄存器ESP和EBP的一些理解
- Function Call with register EBP and ESP in x86