2


I am trying to call a Windows function inside my custom assembly function.
The pseudocode would be something like:

    MYFUNC:
        PUSH EBP                        ; save the caller's EBP
        PUSH WINDOWSFUNCTIONPARAMETER   ; one 4-byte argument
        CALL [IMPORTEDWINDOWSFUNCTION]  ; call through the import
        POP EBP                         ; restore the saved EBP
        RET

So I know it's safe to leave this like this if I call only one function inside,
because the stack will be restored anyway.
The problem is: why can't I add esp, 0x04 after this? The app crashes.
I'm not sure if I even need to do this, but imo it's safer to do it after function
calls, and somehow I can't get this working inside a function.
I'm grateful for any help :)

Pavulonix
  • 21
  • 2

1 Answer

0

I am not sure what you mean by "after this". Basically:

  • On an x86 architecture, the stack grows downwards.
  • Depending on your calling convention, either the caller or the callee cleans up the stack.

You are calling a Windows function, therefore I assume the called function cleans up the stack parameters. This leads me to the following conclusion:

If you execute "add esp, 0x04" after your API call, "pop ebp" will receive the return address instead of the previously saved ebp register. Therefore, the final "ret" will fail and not return to the caller of MYFUNC.

If you want to perform "add esp, 0x04" to remove the function parameter: that's not necessary because the Windows API has removed it already.

EDIT:

If you have a simple example like the one above, I recommend using a debugger like OllyDbg, x64dbg, etc. They are free and show you the registers, stack, etc. while your app is running.

Christian Ammann
  • 888
  • 8
  • 19
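
The stack arithmetic described in the answer above, as an added example that is not part of the original question or answer: a small C model of a downward-growing stack that runs the MYFUNC sequence and reports what `POP EBP` and the final `RET` fetch. All addresses and values are constructed, and the model also covers the caller-cleans case the answer mentions only in general.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample values (assumptions, not from the post). */
#define RET_TO_CALLER 0x00401000u /* where MYFUNC should return to */
#define SAVED_EBP     0x0012FF80u /* caller's EBP on entry to MYFUNC */
#define PARAM         0x000000AAu /* the one 4-byte argument */
#define CALLER_WORD   0x11111111u /* unrelated data on the caller's stack */

typedef struct { uint32_t mem[16]; int sp; } Stack; /* sp is a slot index */
typedef struct { uint32_t ebp, ret_target; } Result;

/* x86 stack grows downwards: PUSH decrements ESP, POP increments it. */
static void push(Stack *s, uint32_t v) { s->mem[--s->sp] = v; }
static uint32_t pop(Stack *s) { return s->mem[s->sp++]; }

/* CALL to a one-argument function, followed by its return. */
static void call_api(Stack *s, int callee_cleans) {
    push(s, 0x00402000u);          /* CALL pushes the return address */
    (void)pop(s);                  /* callee's RET pops it again */
    if (callee_cleans) s->sp += 1; /* stdcall: RET 4 also drops the arg */
}

/* Runs MYFUNC; reports what POP EBP and the final RET actually fetch. */
Result run_myfunc(int callee_cleans, int add_esp_4) {
    Stack s = { {0}, 12 };
    Result r;
    s.mem[12] = CALLER_WORD;
    push(&s, RET_TO_CALLER);       /* pushed by the CALL into MYFUNC */
    push(&s, SAVED_EBP);           /* PUSH EBP */
    push(&s, PARAM);               /* PUSH WINDOWSFUNCTIONPARAMETER */
    call_api(&s, callee_cleans);   /* CALL [IMPORTEDWINDOWSFUNCTION] */
    if (add_esp_4) s.sp += 1;      /* ADD ESP, 0x04 */
    r.ebp = pop(&s);               /* POP EBP */
    r.ret_target = pop(&s);        /* RET */
    return r;
}

int main(void) {
    for (int cc = 1; cc >= 0; cc--)
        for (int add = 0; add <= 1; add++) {
            Result r = run_myfunc(cc, add);
            printf("%s, add esp,4=%d: ebp=%08X ret=%08X %s\n",
                   cc ? "callee cleans" : "caller cleans", add,
                   (unsigned)r.ebp, (unsigned)r.ret_target,
                   r.ret_target == RET_TO_CALLER ? "ok" : "BAD RETURN");
        }
    return 0;
}
```

Only the two balanced combinations return to the caller: callee cleanup without the extra `add esp, 0x04`, or caller cleanup with it.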