I have a C program which passes the following arguments to an external x86 function:
extern "C" int fun(unsigned char *par1, unsigned char *par2, unsigned int par3);
The length of par1 is defined.
How do I determine the addresses at which the arguments start?
I know that par1 starts at [ebp+8] and e.g. par2 starts at [ebp+16]
I don't know how to determine where par3 starts.
The caller pushes the arguments in reverse order, according to the x86 ABI, then calls fun. The call instruction pushes eip onto the stack before jumping to fun. Then, you set up your stack frame, making ebp the top of the stack, so arg1 must be 8 bytes up from the stack frame:
higher mem
+----------+---------+
|  arg 3   | 4 bytes |  push arg 3
+----------+---------+  (ebp + 16)
|  arg 2   | 4 bytes |  push arg 2
+----------+---------+  (ebp + 12)
|  arg 1   | 4 bytes |  push arg 1
+----------+---------+  (ebp + 8)
| ret addr | 4 bytes |  call fun
+----------+---------+  (ebp + 4)
| old ebp  | 4 bytes |  push ebp; mov ebp, esp
+----------+---------+  <-------- (ebp + 0) STACK FRAME START
lower mem
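As an added example (not from the question or the answer above), here is a NASM implementation of fun for 32-bit Linux that reads all three arguments from the ebp offsets in the diagram; the body (XOR par3 bytes of par2 into par1 and return the byte count) is a hypothetical stand-in for whatever fun really does, and it assumes par3 never exceeds the defined length of par1.

```nasm
; fun(unsigned char *par1, unsigned char *par2, unsigned int par3)
; cdecl, 32-bit Linux ELF. Build and link with a C caller:
;   nasm -f elf32 fun.asm -o fun.o
;   gcc -m32 main.c fun.o -o main
; (On Windows or macOS the symbol would be _fun instead of fun.)
global fun
section .text
fun:
    push ebp
    mov  ebp, esp           ; ebp+4 = return address, ebp+8 = first argument
    push esi                ; callee-saved registers we are about to use;
    push edi                ; pushing them does not move the [ebp+N] offsets
    mov  edi, [ebp+8]       ; par1 (pointer)
    mov  esi, [ebp+12]      ; par2 (pointer)
    mov  ecx, [ebp+16]      ; par3 (unsigned int)
    xor  eax, eax           ; eax = bytes processed, also the return value
    jecxz .done             ; par3 == 0: nothing to do
.loop:
    mov  dl, [esi+eax]      ; par2[i]
    xor  [edi+eax], dl      ; par1[i] ^= par2[i]   (assumes i < length of par1)
    inc  eax
    cmp  eax, ecx
    jb   .loop
.done:
    pop  edi
    pop  esi
    pop  ebp
    ret                     ; cdecl: the caller removes the 12 bytes of arguments
```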