
I encountered the following assembly version of a C code (Practical Malware Analysis by Michael Sikorski, Chapter 5). I simply do not understand how it accesses the command line parameters.

cmp [ebp+argc], 3
...
mov eax, [ebp+argv]

I understand what this code does:

mov ecx, [esp+4] ; argc
mov edx, [esp+8] ; argv

Function arguments are put on the top of the stack, and they are accessed by their address relative to the top of the stack. But what do ebp+argc and ebp+argv mean?

  • They would have to be defined for that assembler as `4, 8` or `8, 16` (x86_64). Are there any include files used? Which assembler? – David C. Rankin Nov 23 '15 at 08:46
  • @DavidC.Rankin, the book only says that is a C code in compiled form. – robert Nov 23 '15 at 12:34
  • You need to read the section in the book before it about call functions and the stack layout (including what EBP is for). There is a diagram with how the stack frame is laid out. You'll notice in the diagram that the first argument passed is at EBP+8 and second parameter is EBP+12. Although the book doesn't explicitly say it, `argc` = 8 and `argv` = 12. They are just constants for the purpose of making the disassembly more readable. – Michael Petch Nov 23 '15 at 15:41
  • In a 32-bit environment, if you are curious what is at EBP+0, it is the previous value of EBP that was pushed on the stack. EBP+4 is the return address that was put on the stack (will be popped off when we do a `ret`). EBP+8 and above are the arguments that were passed to our function. – Michael Petch Nov 23 '15 at 16:28
