当前位置:网站首页>[C language] twenty two steps to understand the function stack frame (pressing the stack, passing parameters, returning, bouncing the stack)
[C language] twenty two steps to understand the function stack frame (pressing the stack, passing parameters, returning, bouncing the stack)
2022-07-06 15:16:00 【iluo12】
What you need to master to read this article
Skillfully use ——c Language functions
Get to the point
First of all, why should we learn the stack frame of functions ?
The simple answer is : Increase internal skill
Learn the underlying code of function calls , Understand how functions pass parameters 、 How to return
This is very helpful for the use of functions You will know something about the problems that will arise in the futureColumns such as :
When a function passes parameters , Variables will be created inside the function a,
And thenaThe address of was sent back ,
Function astestCall complete Will be destroyed
It was sent back at this timeaThe address of ispReceiving will cause wild pointer , Using wild pointers will cause illegal access and other problems
If you don't know the function stack frame , There may be some trouble in understanding The display code is as followsint* test() { int a = 10; int *pa = &a; return pa; } int main() { int* p = test();// here p Points to a nonexistent Or the address that does not belong to the current function }Used at this time
pThe pointer does some other operations , There will be problems , So it is important to understand the function stack frame
Preparation :
The function stack frame is roughly divided into the following steps : A simple understanding will not persuade you to retreat .
1.main Function creates in the stack area , And pass it on
2. The called function is created in the stack , Calculated value , And bring back the return value
3. All the above operations are in The stack area Finish in , So there is pressure stack 、 Bomb stack
We will explain the function stack frame around the following code
This code passes Add Function implementation a+b Bring the return value to c The process of
#include <stdio.h>
int Add(int x, int y)
{
int z = 0;
z = x + y;
return z;
}
int main()
{
int a = 10;
int b = 20;
int c = 0;
c = Add(a, b);
printf("%d\n", c);
return 0;
}
Problems solved by the creation and destruction of function stack frames
Finally, I will answer these questions , It's okay not to remember
How local variables are created ?
Why is the value of a local variable a random value ?
How functions pass parameters ?
What is the order of passing parameters ?
What is the relationship between formal parameters and arguments ?
How do function calls do ?
How to return after the function call is completed ?
Software required for this process
The software I use is Visual Studio 2019
Use VS2013 It's fine too , There may be a slight difference
Software preparation
Write the code in VS2019 in , Press F10 Start debugging
And click disassembly
perhaps F10 after , Right click in the blank and turn to disassembly
Open memory And monitoring
Arrange like this for observation
also
Memory monitoring Column to 4Because the code we wrote was int type int yes 4 byte
Ready to finish , Interpreting disassembly code , You need to know this !
In disassembly , You see the following code
It's a long time however Don't be afraid
Just take a look at the following code for the time being , It doesn't matter if you don't understand , Next I'll say one sentence explain You will soon understand
int main()
{
002918B0 push ebp
002918B1 mov ebp,esp
002918B3 sub esp,0E4h
002918B9 push ebx
002918BA push esi
002918BB push edi
002918BC lea edi,[ebp-24h]
002918BF mov ecx,9
002918C4 mov eax,0CCCCCCCCh
002918C9 rep stos dword ptr es:[edi]
002918CB mov ecx,29C003h
002918D0 call 0029131B
int a = 10;
002918D5 mov dword ptr [ebp-8],0Ah
int b = 20;
002918DC mov dword ptr [ebp-14h],14h
int c = 0;
002918E3 mov dword ptr [ebp-20h],0
c = Add(a, b);
002918EA mov eax,dword ptr [ebp-14h]
002918ED push eax
002918EE mov ecx,dword ptr [ebp-8]
002918F1 push ecx
002918F2 call 002910B4
002918F7 add esp,8
002918FA mov dword ptr [ebp-20h],eax
printf("%d\n", c);
002918FD mov eax,dword ptr [ebp-20h]
00291900 push eax
00291901 push 297B30h
00291906 call 002910D2
0029190B add esp,8
return 0;
0029190E xor eax,eax
}
00291910 pop edi
00291911 pop esi
00291912 pop ebx
00291913 add esp,0E4h
00291919 cmp ebp,esp
0029191B call 00291244
00291920 mov esp,ebp
00291922 pop ebp
00291923 ret
After reading the code above , If you haven't been dissuaded , Then keep looking down with me !
Let me introduce you Some English registers of the above code are temporarily
It's okay not to remember, I will explain it when I use it
eax - register Will not be destroyed Integrated into the cpu Upper
ebx
ecx
edxesp - Top pointer of stack
remember
ebp - Pointer at the bottom of the stackremember
These two registers contain addresses
These two addresses are used to maintain the function stack frame
Here you can learn about it eaxespebp That's all right. It doesn't matter if you can't remember , It will be explained later
First of all, understand main() When the function is executed, it is also called __tmainCRTStartup Function called
So first give __tmainCRTStartup Open up space in the stack area
This is the bottom call of the compilerNo discussion for the time being Just know
See below Add esp、ebp Check the address
esp、ebp Are two pointers that maintain function space
For the above Low address , The following is High address
Top pointer of stack esp 0x008ff99c
Pointer at the bottom of the stack ebp 0x008ff9b8
First allocate a space to __tmainCRTStartup
The stack area :
| | Low address
| |
| |
| |
| |\ esp 0x008ff99c To the top of the stack
| | \
| | __tmainCRTStartup
| | /
| |/ ebp 0x008ff9b8 At the bottom of the stack
| | High address
As can be seen from the above code
The stack areaUse the high address first , Then use low address
Top pointer of stack esp 0x008ff99c( Hexadecimal ) —— 9,435,548 ( Decimal system )
Pointer at the bottom of the stack ebp 0x008ff9b8( Hexadecimal ) —— 9,435,576 ( Decimal system )
8ff99c - 8ff9b8 calculated Stack area is __tmainCRTStartup Opens the 28 Byte space
Reading Disassembly Statements begin
One 、 by main Function opens up space
1.002918B0 push ebp
Press down F11 Perform statement by statement operation , All the following operations are F11 complete
pushIt means pressing stack This line of code means take ebpPressing stack
The yellow arrow points to the second statement It indicates that the first statement has been executed
At this timeespebpIt's maintenance__tmainCRTStartupFunctional
Code display
Illustration shows
push Pressing stack ebp
hold ebp Press the address of to the top of the stack esp Automatically point to the top address
And because the stack uses the high address first After using the low address
therefore esp The address of decreases 4 esp = 0x008ff998
| | Low address
| |
| |
| ebp | esp 0x008ff998
| |\ ↑↑↑ Move up 4 byte ~~0x008ff99c~~
| | \
| | __tmainCRTStartup
| | /
| |/ ebp 0x008ff9b8
| | High address
2. 002918B1 mov ebp,esp
movIt can be understood as assignment , This code means :ebp = esp
Now it'sespebpThe process of moving up To maintainmainfunction
hold esp The value is assigned to ebp
here ebp Point to esp Point to
ebp = 0x008ff998
| |
| |
| |
| |
| | Low address
| |
| |
| ebp | ebp 0x008ff998 esp 0x008ff998
| |\
| | \
| | __tmainCRTStartup
| | /
| |/
| | High address
3. 002918B3 sub esp,0E4h
subIt means subtractespreduce0E4h,esp The pointer points to the low address
This operation willesp( Top pointer of stack ) Move up , by main Functions open up space and maintain
002918B3 sub esp,0E4h
esp subtract 0E4h 0E4h == 228
esp = 0x008ff8b4
Low address
| |\ esp 0x008ff8b4
| | \
| | \
| | main
| | /
| | /
| |/
| ebp | ebp 0x008ff998
| |\
| | \
| | __tmainCRTStartup
| | /
| |/
| | High address
main Function space
Two 、 Pressing stack
002918B9 push ebx
002918BA push esi
002918BB push edi
espEach time after pressing the stack, it will automatically point to the lowest addressEBXyes " Base address "(base) register , Store base address in memory addressing .ESI/EDInamed " Source / Target index register "It doesn't matter if I don't understand for the moment , Look directly at three
Low address
| edi | esp 0x008ff8a8
| esi | ↑ 0x008ff8ac
| ebx | ↑ 0x008ff8b0
| |\ ↑ 0x008ff8b4
| | \
| | \
| | main
| | /
| | /
| | /
| | /
| |/
| ebp | ebp 0x008ff998
| |\
| | \
| | __tmainCRTStartup
| | /
| |/
| | High address
3、 ... and 、 initialization main function
002918BC lea edi,[ebp-24h]
002918BF mov ecx,9
002918C4 mov eax,0CCCCCCCCh
002918C9 rep stos dword ptr es:[edi]
ediStorageebp reduce 24hThe location of ,24hyesmainSize of function spaceecxStorage9eaxStorage0CCCCCCCCh
takeebpToediStorage locationecx(9) All positions Initialize toeax(0CCCCCCCCh)
Talking about people is : takemainThe contents of the space are initialized tocc cc cc cc
Low address
| edi | esp 0x008ff8a8
| esi | ↑ 0x008ff8ac
| ebx | ↑ 0x008ff8b0
|cc cc cc cc|\ ↑ 0x008ff8b4
|cc cc cc cc| \
|cc cc cc cc| \
|cc cc cc cc| main
|cc cc cc cc| /
|cc cc cc cc| /
|cc cc cc cc| /
|cc cc cc cc| /
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | \
| | __tmainCRTStartup
| | /
| |/
| | High address
002918BC lea edi,[ebp-24h]
[ebp-24h] Load into edi
002918BF mov ecx,9
hold 9 Put it in ecx in
002918C4 mov eax,0CCCCCCCCh
eax The assignment is 0CCCCCCCCh
002918C9 rep stos dword ptr es:[edi]
from edi The position of starts downward eax So many dword(4byte) All changed eax Value
Four 、 stay main Create variables in a And store
int a = 10;
002918D5 mov dword ptr [ebp-8],0Ah
take
aThe value of the variable is stored inmainIn the open space , Location is ([ebp-8]) The location of
In memory|0a 00 00 00|MediumaHexadecimal stands for10yes a The value of , It's not a variable a
Low address
| edi | esp 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|cc cc cc cc| \
|cc cc cc cc| \
|cc cc cc cc| main
|cc cc cc cc| /
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | \
| | __tmainCRTStartup
| | /
| |/
| | High address
int a = 10;
002918D5 mov dword ptr [ebp-8],0Ah
ebp - 8 Position of One 10 go in 0Ah == 10
5、 ... and 、 stay main Create variables in b And store
int b = 20;
002918DC mov dword ptr [ebp-14h],14h
take
bThe value of the variable is stored inmainIn the open space , Location is ([ebp-14h]) The location of
In memory|14 00 00 00|Medium14Hexadecimal stands for20
Low address
| edi | esp 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|cc cc cc cc| \
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| b / ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | \
| | __tmainCRTStartup
| | /
| |/
| | High address
int b = 20;
002918DC mov dword ptr [ebp-14h],14h
hold b Put it in ebp-20 The location of 14h == 20
6、 ... and 、 stay main Create variables in c And store
int c = 0;
002918E3 mov dword ptr [ebp-20h],0
take
cThe value of the variable is stored inmainIn the open space , Location is ([ebp-20h]) The location of
Low address
| edi | esp 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | \
| | __tmainCRTStartup
| | /
| |/
| | High address
int c = 0;
002918E3 mov dword ptr [ebp-20h],0
take ebp-20h To store in c
here : It's done main function The opening up of , int a = 10;int b = 20;int c = 0; The creation of .
Next : Yes, it will a and b Make a temporary copy of the value of , by Add function Open up space .
7、 ... and 、 Function arguments : take b Pressing stack
c = Add(a, b);
002918EA mov eax,dword ptr [ebp-14h]
002918ED push eax
take
[ebp-14h]The value of the position (b) Store ineaxin
takeeaxStack
.
Call for Add Function to prepare Because the transmission parameter isabSo willabPress the stack to the stack area first In order to callEAXRegisters are also called accumulatorspushStack pressing operation
Low address
| |
|14 00 00 00| b esp 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
c = Add(a, b);
002918EA mov eax,dword ptr [ebp-14h]
002918ED push eax
take [ebp-14h] The value is placed in eax Register then eax Pressing stack
8、 ... and 、 Function arguments : take a Pressing stack
002918EE mov ecx,dword ptr [ebp-8]
002918F1 push ecx
take
[ebp-8](a) Value of existsecxin
takeecxStackECXIs the counter (counter), It's repetition (REP) Prefix instruction and LOOP The internal counter of the instruction .
Low address
|0a 00 00 00| ecx(a) esp 0x008ff8a0
|14 00 00 00| eax(b) 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
002918EE mov ecx,dword ptr [ebp-8]
002918F1 push ecx
take ebp-8(a) The value of is stored in ecx take ecx Pressing stack
Nine 、 Pressing stack call The address of the next instruction
002918F2 call 002910B4
002918F7 add esp,8
Pressing stack
callInstructions The address of the next instruction To continue executing code on return
Because this statement is finished Will enterAddfunction
First of all, remember youcallThe address of the next instruction
here
002918F7For a while , It will be stored in the position pointed by the arrow on the way
At this time, the stack pressing is successful Jump into the function You can see002918F7Stored in memory in the form of small endSmall end storage: Store the low order bytes at the low address
002918F2 call 002910B4
002918F7 add esp,8
call After execution The address of the next instruction will be pressed on the stack
Low address
|f7 18 29 00| call Next instruction for esp 0x008FF89C
|0a 00 00 00| ecx(a) 0x008ff8a0
|14 00 00 00| eax(b) 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
Disassembly code at this time : yes VS2019 The meaning of the bottom logic jump Jump to address 00291770 The location of
Continue to press F11 Will jump to the following interface
( Borrow it , Figure of the following statement , Now you see
Add function, You can read onDisassemblyInstructions )
Ten 、 Inside the function
At this time, you see a lot of Disassembly code
good heavens Did you almost persuade me to quit
So far we have done45%
The following codeIt is good to look at , Don't understandIt's also very simple. Watch it with meヾ(◍°∇°◍)ノ゙
int Add(int x, int y)
{
00291770 push ebp
00291771 mov ebp,esp
00291773 sub esp,0CCh
00291779 push ebx
0029177A push esi
0029177B push edi
0029177C lea edi,[ebp-0Ch]
0029177F mov ecx,3
00291784 mov eax,0CCCCCCCCh
00291789 rep stos dword ptr es:[edi]
0029178B mov ecx,29C003h
00291790 call 0029131B
int z = 0;
00291795 mov dword ptr [ebp-8],0
z = x + y;
0029179C mov eax,dword ptr [ebp+8]
0029179F add eax,dword ptr [ebp+0Ch]
002917A2 mov dword ptr [ebp-8],eax
return z;
002917A5 mov eax,dword ptr [ebp-8]
}
002917A8 pop edi
002917A9 pop esi
002917AA pop ebx
002917AB add esp,0CCh
002917B1 cmp ebp,esp
002917B3 call 00291244
002917B8 mov esp,ebp
002917BA pop ebp
002917BB ret
11、 ... and 、 Pressing stack ebp The address of
00291770 push ebp
ebpIt's the bottom of the stack pointer maintain main function Now to maintain Add function So move up
This code means : take ebp Stack the address of
You can see in memory|98 f9 8f 00|NamelyebpThe address of
Low address
|98 f9 8f 00| ebp(main) esp 0x008ff898
|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a) 0x008ff8a0
|14 00 00 00| eax(b) 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
Twelve 、 Give Way ebp( Pointer at the bottom of the stack ) Point to esp( Top pointer of stack ) The location of
00291771 mov ebp,esp
This statement means :
ebp = espmov( Assembly instruction )Put a byte 、 Word or doubleword operands are transferred from the source location to the destination location , The contents of the source operand remain unchanged .
00291771 mov ebp,esp
hold esp The value is assigned to ebp
Give Way ebp Point to the present esp
Low address
|98 f9 8f 00| main-ebp ebp esp 0x008ff898
|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a) 0x008ff8a0
|14 00 00 00| eax(b) 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | *ebp* 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
13、 ... and 、 by Add Function opens up space
00291773 sub esp,0CCh
espsubtract0cchA numerical This operation will esp Up ( Low address ) Move , And open up Maintenance space
00291773 sub esp,0CCh
take esp - 0CCH
esp Move to low address by Add Function opens up space
Low address
| |
| |
| |
| |\ esp 0x008ff7cc
| | \
| | \
| | \
| | \
| | \
| | Add
| | /
| | /
| | /
| | /
| | /
| |/
|98 f9 8f 00| main-ebp ebp 0x008ff898
|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a) 0x008ff8a0
|14 00 00 00| eax(b) 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | *ebp* 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
Forget the screenshot Follow up
mainThe function opens up space is the same
fourteen 、 Pressing stack
00291779 push ebx
0029177A push esi
0029177B push edi
Remember seeing these registers above So the operation is the same
Don't understand these registers for the time beingespAutomatically point to the lowest address ( To the top of the stack )
Low address
|98 f9 8f 00| edi esp 0x008ff7c0
|23 10 29 00| esi
|00 70 75 00| ebx
| |\ 0x008ff7cc
| | \
| | \
| | \
| | \
| | \
| | Add
| | /
| | /
| | /
| | /
| | /
| |/
|98 f9 8f 00| main-ebp ebp 0x008ff898
|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a) 0x008ff8a0
|14 00 00 00| eax(b) 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | *ebp* 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
00291779 push ebx
0029177A push esi
0029177B push edi
Pressing stack ebx esi edi
15、 ... and 、 initialization Add function
0029177C lea edi,[ebp-0Ch]
0029177F mov ecx,3
00291784 mov eax,0CCCCCCCCh
00291789 rep stos dword ptr es:[edi]
Are you familiar withIf you don't remember It doesn't matter. Let's talk about it again
.
take[ebp-0Ch]Such space is placed inediin
take3Store inecxin
take0CCCCCCCChStore ineaxin
takeebp( Pointer at the bottom of the stack ) Downecx(3) Positions are initialized toeax(cc cc cc cc) Value
.
Talk is talk take Add function 3 Spaces are initialized to cc cc cc cc
The first three sentences are storage , The last round is executed
Low address
|98 f9 8f 00| edi esp 0x008ff7c0
|23 10 29 00| esi
|00 70 75 00| ebx
| |\ 0x008ff7cc
| | \
| | \
| | \
| | \
| | \
| | Add
| | /
| | /
| | /
|cc cc cc cc| /
|cc cc cc cc| /
|cc cc cc cc|/
|98 f9 8f 00| main-ebp ebp 0x008ff898
|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a) 0x008ff8a0
|14 00 00 00| eax(b) 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | *ebp* 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
Take a look back. Add The code inside the function
int Add(int x, int y)
{
int z = 0;
z = x + y;
return z;
}
sixteen 、 Create... In function z And the assignment 0
int z = 0;
00291795 mov dword ptr [ebp-8],0
take
0Put it in[ebp-8]Locationhere vs2019 It may jump Don't worry about it for the time being continue F11 Jump back
Low address
|98 f9 8f 00| edi esp 0x008ff7c0
|23 10 29 00| esi
|00 70 75 00| ebx
| |\ 0x008ff7cc
| | \
| | \
| | \
| | \
| | \
| | Add
| | /
| | /
| | /
|cc cc cc cc| /
|00 00 00 00| / z (ebp-8) 0x008FF890
|cc cc cc cc|/
|98 f9 8f 00| main-ebp ebp 0x008ff898
|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a`) ebp+8 0x008ff8a0
|14 00 00 00| eax(b`) ebp+c 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | *ebp* 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
int z = 0;
00291795 mov dword ptr [ebp-8],0
establish z The variable is assigned to 0
here vs2019 It may jump Don't worry about it for the time being continue F11 Jump back
seventeen 、 Calculate in function z = a+b
z = x + y;
0029179C mov eax,dword ptr [ebp+8]
0029179F add eax,dword ptr [ebp+0Ch]
002917A2 mov dword ptr [ebp-8],eax
Read
ebp+8The value is assigned toeaxeax = 10
takeebp+0chThe value of is added toeaxeax = 10+20
takeeaxValue Assign a value toebp-8The location of z = 30
.1eHexadecimal to decimal equals30
Low address
|98 f9 8f 00| edi esp 0x008ff7c0
|23 10 29 00| esi
|00 70 75 00| ebx
| |\ 0x008ff7cc
| | \
| | \
| | \
| | \
| | \
| | Add
| | /
| | /
| | /
|cc cc cc cc| /
|1e 00 00 00| / z (ebp-8) 0x008FF890
|cc cc cc cc|/
|98 f9 8f 00| main-ebp ebp 0x008ff898
|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a`) ebp+8 0x008ff8a0
|14 00 00 00| eax(b`) ebp+c 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | *ebp* 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
eighteen 、 Will return z The value of is stored in the register 、 Then play the stack
return z;
002917A5 mov eax,dword ptr [ebp-8]
take
[ebp-8]The value of the position Store ineaxineaxIt's a register , The register is not on the stack , So it won't be destroyed when playing the stack Can bring the value back smoothly
.
Here we will run the stack togetherespAutomatically move to high address
The popular science
Stack area usage , First
Pressing stack, When used up, it willBomb stack,
The position that pops up after bouncing the stack will not belong to the current program
But the value is reserved , In principle, you can't visit
When this space is not used again
But you can also access the value here when you cross the boundary
That reminds meData recoverytechnology
return z;
002917A5 mov eax,dword ptr [ebp-8]
Function is about to return The destruction To preserve z
take z Value Save to register eax in
002917A8 pop edi
002917A9 pop esi
002917AA pop ebx
eject esi esi ebx
--|98 f9 8f 00| edi 0x008ff7c0
--|23 10 29 00| esi
--|00 70 75 00| ebx
| |\ esp 0x008ff7cc
| | \
| | \
| | \
| | \
| | \
| | Add
| | /
| | /
| | /
|cc cc cc cc| /
|1e 00 00 00| / z (ebp-8) 0x008FF890
|cc cc cc cc|/
|98 f9 8f 00| main-ebp ebp 0x008ff898
|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a`) ebp+8 0x008ff8a0
|14 00 00 00| eax(b`) ebp+c 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | *ebp* 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
1
2
It's almost finished ! hold one's own O(∩_∩)O ha-ha ~( Completed 86%)
nineteen 、 Bomb stack 、 The destruction Add function
002917AB add esp,0CCh
002917B1 cmp ebp,esp
002917B3 call 00291244
take
espadd0cchhereespPoint to the bottom of the stack (ebp) The location of
takeespThe value in the position pointed to Assign a value toebpYou can see|98 f9 8f 00|It's maintenancemainThe position at the bottom of the function stack , Now do you understand why you want to store this location
Don't read the third sentence for the time being
002917B8 mov esp,ebp
take
ebpAssign a value toespAlso is to letespmaintainebpThe location of ,ebpIt has pointed tomainFunction space stack bottom
002917AB add esp,0CCh
002917B1 cmp ebp,esp
002917B3 call 00291244
002917B8 mov esp,ebp
take ebp Assign a value to esp
| |\ 0x008ff7cc
| | \
| | \
| | \
| | \
| | \
| | Add
| | /
| | /
| | /
|cc cc cc cc| /
|1e 00 00 00| / z (ebp-8) 0x008FF890
|cc cc cc cc|/
|98 f9 8f 00| main-ebp esp ebp 0x008ff898
|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a`) ebp+8 0x008ff8a0
|14 00 00 00| eax(b`) ebp+c 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | *ebp* 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
002917BA pop ebp
take
ebpPlay stack on the position , And jump toebpGo to the address stored in (main Function stack bottom )
002917BA pop ebp
take ebp eject take ebp Function pointed to main-ebp Assign a value to ebp
--|98 f9 8f 00| main-ebp 0x008ff898
|f7 18 29 00| call Next instruction for esp 0x008FF89C
|0a 00 00 00| ecx(a`) ebp+8 0x008ff8a0
|14 00 00 00| eax(b`) ebp+c 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
twenty 、ret return
002917BB ret
Jump back To call Next instruction for
Remember what was stored before call Your next order , At this point, the bomb stack will be found call Next instruction for
002917BB ret
Jump back To call Next instruction for
--|f7 18 29 00| call Next instruction for 0x008FF89C
|0a 00 00 00| ecx(a`) ebp+8 esp 0x008ff8a0
|14 00 00 00| eax(b`) ebp+c 0x008ff8a4
| edi | 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
The 21st 、 Bomb stack a、b Temporary copy of variables
002918F7 add esp,8
This means :
esp+8esp Go to the high address
That is thea、bAnd the operating system , No more maintenance
002918F7 add esp,8
esp + 8 That is the a` b` And the operating system
--|0a 00 00 00| ecx(a`) ebp+8 0x008ff8a0
--|14 00 00 00| eax(b`) ebp+c 0x008ff8a4
| edi | esp 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|00 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
Twenty-two 、 Bring back the return value of the function
002918FA mov dword ptr [ebp-20h],eax
take
eaxThe value of is assigned to[ebp-20h]( c ) ineaxIs when the function returnszStored in30
002918FA mov dword ptr [ebp-20h],eax
take eax The value of is assigned to [ebp-20h](c) in
eax Is when the function returns z Stored in 30
| edi | esp 0x008ff8a8
| esi |
| ebx |
|cc cc cc cc|\
|1e 00 00 00| \ c ebp-20h 0x008FF978
|cc cc cc cc| \
|cc cc cc cc| main
|14 00 00 00| /b ebp-14h 0x008FF984
|cc cc cc cc| /
|cc cc cc cc| /
|0a 00 00 00| / a ebp-8 0x008FF990
|cc cc cc cc|/
| ebp | ebp 0x008ff998
| |\
| | __tmainCRTStartup
| |/
| | High address
The stack frame of this function is finished , Sort out !
1.esp、ebp maintain __tmainCRTStartup()
2. Stack area is main Function opens up space , And initialization 、 establish a、b
3. Copy a、b Stack ( That is, pass reference —— Value passed )
4.Add Function opens up space in the stack area , And calculate z The value is stored in the register eax in
5. Because registers will not be destroyed , After playing the stack eax Assign a value to c, This brings back the return value of the function
Here we are The following code and Add The return process is the same, so don't explain too much !
How local variables are created ?
answer : In the stack main Function space creation . Why is the value of a local variable a random value ?
answer : Because it is initialized as cc cc cc cc It's a random value . How functions pass parameters ?
answer : Value transfer call —— Is to temporarily copy a parameter in the stack , So changing the formal parameter will not affect the argument . What is the order of passing parameters ?
answer :Add(a,b); First press the parameters on the right side of the stack b. What is the relationship between formal parameters and arguments ?
answer : A formal parameter is a temporary copy of an argument . How do function calls do ?
answer : Press the stack when calling , Destroy the bomb stack when returning . How to return after the function call is completed ?
answer : End of function call , The return value exists eax In the register , Then play the stack , use eax Take the value back .
At this point, the function is created 、 The ginseng 、 return It's all done The stack frame of the function is completed main Return of a function and Add equal Let's try it by ourselves !
If you read it carefully What don't you understand Sure Comment on 、 Direct messages or Add penguins
边栏推荐
- 150 common interview questions for software testing in large factories. Serious thinking is very valuable for your interview
- Global and Chinese market of RF shielding room 2022-2028: Research Report on technology, participants, trends, market size and share
- MySQL数据库(一)
- 自动化测试中敏捷测试怎么做?
- ucore lab5用户进程管理 实验报告
- ucore lab2 物理内存管理 实验报告
- 遇到程序员不修改bug时怎么办?我教你
- Cadence physical library lef file syntax learning [continuous update]
- With 27K successful entry ByteDance, this "software testing interview notes" has benefited me for life
- ArrayList集合
猜你喜欢
Build your own application based on Google's open source tensorflow object detection API video object recognition system (I)
線程及線程池
Rearrange spaces between words in leetcode simple questions
CSAPP家庭作業答案7 8 9章
Pedestrian re identification (Reid) - Overview
软件测试面试要问的性能测试术语你知道吗?
MySQL数据库(四)事务和函数
Sleep quality today 81 points
Servlet
UCORE lab2 physical memory management experiment report
随机推荐
软件测试需求分析之什么是“试纸测试”
想跳槽?面试软件测试需要掌握的7个技能你知道吗
Heap, stack, queue
全网最详细的postman接口测试教程,一篇文章满足你
How to solve the poor sound quality of Vos?
Description of Vos storage space, bandwidth occupation and PPS requirements
[pytorch] simple use of interpolate
With 27K successful entry ByteDance, this "software testing interview notes" has benefited me for life
Automated testing problems you must understand, boutique summary
Pedestrian re identification (Reid) - Overview
Practical cases, hand-in-hand teaching you to build e-commerce user portraits | with code
What to do when programmers don't modify bugs? I teach you
C language do while loop classic Level 2 questions
Global and Chinese markets of MPV ACC ECU 2022-2028: Research Report on technology, participants, trends, market size and share
The latest query tracks the express logistics and analyzes the method of delivery timeliness
How to do agile testing in automated testing?
线程及线程池
What are the commonly used SQL statements in software testing?
Global and Chinese market for antiviral coatings 2022-2028: Research Report on technology, participants, trends, market size and share
ucore lab8 文件系统 实验报告