
There is this mov instruction:

        0040064e 89 7d dc        MOV        dword ptr [RBP + local_2c],EDI

EDI stores argc from the main function. I wanted to check its value by looking at rbp - 0x2c:

(gdb) x/x $rbp-0x2C
0x7ffffffee1c4: 0x00000000

As you can see, there is nothing there. The thing is - the argc value is 8 bytes farther:

(gdb) x/x $rbp-0x2C+0x8
0x7ffffffee1cc: 0x00000002

My question is - why does that happen?

Peter Cordes
erzis
    Well, the machine code you've posted doesn't correspond to `MOV dword ptr [RBP - 0x2c],EDI`. It corresponds to `MOV dword ptr [RBP - 0x24],EDI`. You can see this by looking at the `disp8` byte, which has the value `0xDC`, which is -0x24. – Michael Apr 06 '20 at 17:14
  • read https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention?view=vs-2019 – Szabolcs Dombi Apr 06 '20 at 17:36
  • I think it's 0x2c below the top of the stack frame (the return address), which is at RBP+8. – Peter Cordes Apr 06 '20 at 17:36
  • @SzabolcsDombi: the calling convention docs don't say anything about where a function should spill its register args inside its own stack frame. And that's not even the right calling convention: with the first arg in EDI this is the x86-64 System V calling convention, used on everything *other than* Windows. Anyway, the question is the naming scheme used by the OP's disassembler, not the calling convention. – Peter Cordes Apr 06 '20 at 17:38
    You're asking why the disassembler prints `+ local_2c`, when the offset it uses in the instruction is `- 0x24`? – Erik Eidt Apr 06 '20 at 17:52

0 Answers
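The comments above make two points: the disp8 byte `DC` in `89 7d dc` encodes -0x24, not -0x2c, and Ghidra's `local_2c` counts down from the top of the frame (the return address at RBP+8) rather than from RBP itself. The following is an added worked example, not code from the question, the commenters, or Ghidra; it hand-decodes the ModR/M and displacement of the `89 /r` (MOV r/m32, r32) encoding and converts between the real RBP displacement and the `local_XX` name. It assumes the standard `push rbp; mov rbp, rsp` frame, so the return address sits at [RBP+8]; the RBP value used at the bottom is constructed so that the addresses line up with the gdb session in the question. Function and class names are my own.

```python
# Added worked example (not part of the original question or comments).
# Decodes the `89 /r disp8` / `89 /r disp32` forms of MOV r/m32, r32 by hand
# and shows how Ghidra's `local_XX` name relates to the displacement that is
# actually encoded in the instruction.
# ASSUMPTION: the function uses the usual `push rbp; mov rbp, rsp` frame, so
# the saved return address lives at [RBP + 8]; Ghidra's local_XX is the
# distance of the slot below that return address.

from dataclasses import dataclass

# Register names indexed by the 3-bit reg / rm field (no REX prefix handled).
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
REG64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]

# Distance from RBP up to the saved return address in a standard frame (assumed).
RETURN_ADDR_OFFSET = 8


@dataclass(frozen=True)
class MovStore:
    base: str   # 64-bit base register used for the address, e.g. "RBP"
    disp: int   # signed displacement actually encoded in the instruction
    src: str    # 32-bit source register, e.g. "EDI"

    def intel(self) -> str:
        """Render the instruction with the displacement really encoded."""
        sign = "-" if self.disp < 0 else "+"
        return f"MOV dword ptr [{self.base} {sign} {abs(self.disp):#x}],{self.src}"

    def ghidra_local_name(self) -> str:
        """Ghidra names a stack slot by its distance below the return address,
        so local_XX lives at [RBP + 8 - 0xXX], not at [RBP - 0xXX]."""
        if self.base != "RBP":
            raise ValueError("naming relative to the return address needs an RBP frame")
        return f"local_{RETURN_ADDR_OFFSET - self.disp:x}"


def decode_mov_store(code: bytes) -> MovStore:
    """Decode `89 /r` with mod=01 (disp8) or mod=10 (disp32) and no SIB byte."""
    if not code or code[0] != 0x89:
        raise ValueError("expected opcode 0x89 (MOV r/m32, r32)")
    if len(code) < 2:
        raise ValueError("missing ModR/M byte")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if rm == 0b100:
        raise ValueError("rm=100 needs a SIB byte, not handled here")
    if mod == 0b01:
        width = 1          # one signed byte of displacement follows
    elif mod == 0b10:
        width = 4          # four signed bytes of displacement follow
    else:
        raise ValueError("only the disp8/disp32 forms are handled")
    if len(code) != 2 + width:
        raise ValueError(f"expected {2 + width} bytes, got {len(code)}")
    disp = int.from_bytes(code[2:2 + width], "little", signed=True)
    return MovStore(base=REG64[rm], disp=disp, src=REG32[reg])


def encode_mov_store(base: str, disp: int, src: str) -> bytes:
    """Inverse of decode_mov_store: use disp8 when it fits, else disp32."""
    rm, reg = REG64.index(base), REG32.index(src)
    if rm == 0b100:
        raise ValueError("RSP-based addressing needs a SIB byte, not handled here")
    if -128 <= disp <= 127:
        mod, width = 0b01, 1
    else:
        mod, width = 0b10, 4
    modrm = (mod << 6) | (reg << 3) | rm
    return bytes([0x89, modrm]) + disp.to_bytes(width, "little", signed=True)


def slot_address(rbp: int, store: MovStore) -> int:
    """Address the store actually writes to, given RBP for the current frame."""
    return rbp + store.disp


if __name__ == "__main__":
    ins = decode_mov_store(bytes.fromhex("897ddc"))  # the bytes from the question
    print(ins.intel())                               # MOV dword ptr [RBP - 0x24],EDI
    print(ins.ghidra_local_name())                   # local_2c
    # Constructed RBP value, chosen so the addresses match the gdb session above.
    rbp = 0x7ffffffee1f0
    print(hex(slot_address(rbp, ins)))               # 0x7ffffffee1cc
    print(hex(rbp - 0x2c))                           # 0x7ffffffee1c4 (what `$rbp-0x2C` shows)
```

The ModR/M byte `7d` splits into mod=01, reg=111 (EDI) and rm=101 (RBP), so a single signed displacement byte follows; `DC` is -0x24, which is why `x/x $rbp-0x2C` lands 8 bytes below the slot and `x/x $rbp-0x2C+0x8` hits it. When checking a Ghidra stack variable in gdb, convert with `[RBP + 8 - 0xXX]` or, more simply, read the displacement off the raw bytes.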