
I am learning x86 through the book Practical Malware Analysis, and I often see things like:

lea   edx, [esp+24Ch+name]
push  edx
push  ...
call ds:bind

I understand how LEA works, and that this is basically storing the value of esp+24C+name in edx, which is probably a pointer to the front of a string.

What I don't understand is how the compiler came up with this. Where is this storage? Is this somewhere in the stack? If not, why is esp being used?

I think the programmer in me is having a difficult time with what feels like "magic numbers" from the compiler.

Jordan Hanna
  • Am I the only one that thinks this x86-lea tag that was created is a total waste and that the x86 tag captures it already? – Michael Petch Apr 16 '18 at 03:35

1 Answer

The compiler doesn't have to use ebp as a base register. It can decide to calculate the stack individually, and then use the stack pointer directly. In GCC you can use -fomit-frame-pointer to achieve this optimization. The compiler can then generate code that either keeps a fixed-size stack, or keeps count of it. It depends on the function.

Devolus
  • Why so far down the stack, 24C just seems so random to me. Does this mean this value was pushed onto the stack at some point ago, and the compiler just hard-coded that it is 24C offset? Thank you. – Jordan Hanna Mar 18 '14 at 19:27
  • The instruction looks like a structure access, so it could be that the structure is so big that the offset of the member is at this position. – Devolus Mar 18 '14 at 21:25
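As an added illustration of the answer's point (example code, not from the question or the answer), this Python walks a constructed IDA-style listing modelled on the snippet in the question, keeps the running esp delta that a frame-pointer-less function relies on, and shows that 24Ch is that delta at the lea while `name` is a fixed negative frame slot; the -0x238 slot for `name`, the prologue pushes and the bind arguments are assumptions.

```python
import re

# Constructed listing modelled on the question's snippet (not from the page). IDA-style
# output writes an esp-based local as [esp+<sp_delta>h+<var>]: <sp_delta> is how far esp
# sits below the frame base here, <var> a fixed, negative frame slot. Values are assumed.
FRAME_VARS = {"name": -0x238}
LISTING = """sub     esp, 240h
push    ebx
push    esi
push    edi
lea     edx, [esp+24Ch+name]
push    edx
push    10h
push    esi
call    ds:bind""".splitlines()
STACK_VAR_RE = re.compile(r"\[esp\+([0-9A-Fa-f]+)h\+(\w+)\]")

def hexval(tok):  # IDA immediates: '240h' is hex, a bare number is decimal
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok)

def track_sp_delta(lines):
    """Yield (sp_delta_before, line): the running distance of esp below the
    frame base, the count a frame-pointer-less function keeps instead of ebp."""
    delta = 0
    for line in lines:
        yield delta, line
        mnem, _, ops = line.strip().partition(" ")
        if mnem in ("sub", "add") and ops.strip().startswith("esp,"):
            amount = hexval(ops.split(",")[1].strip())
            delta += amount if mnem == "sub" else -amount
        elif mnem in ("push", "pop"):
            delta += 4 if mnem == "push" else -4

def resolve(line, sp_delta, frame_vars=FRAME_VARS):
    """Displacement the CPU encodes for [esp+24Ch+name]; checks the shown delta."""
    m = STACK_VAR_RE.search(line)
    if not m:
        raise ValueError(f"no stack-variable operand in {line!r}")
    shown, var = int(m.group(1), 16), m.group(2)
    if shown != sp_delta:
        raise ValueError(f"listing shows {shown:#x}, tracking gives {sp_delta:#x}")
    raw = shown + frame_vars[var]
    if not 0 <= raw < shown:
        raise ValueError("local must lie between esp and the frame base")
    return raw  # 0x24C + (-0x238) = 0x14, i.e. the CPU sees lea edx, [esp+14h]

def resolve_listing(lines=LISTING):
    """Raw esp displacement of every stack-variable operand, in listing order."""
    return [resolve(line, d) for d, line in track_sp_delta(lines)
            if STACK_VAR_RE.search(line)]
```

The 24Ch in the listing is therefore not a magic number but the sum of the 240h the prologue subtracted and the three 4-byte pushes that followed it; after `push edx` the same local would be written as [esp+250h+name].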