x86-32 and x86-64 Assembly (Part 2) (I know Kung-Fu !) Emmanuel - - PowerPoint PPT Presentation

x86 32 and x86 64 assembly part 2
SMART_READER_LITE
LIVE PREVIEW

x86-32 and x86-64 Assembly (Part 2) (I know Kung-Fu !) Emmanuel - - PowerPoint PPT Presentation

Aug 03, 2023 183 likes •1.14k views

x86-32 and x86-64 Assembly (Part 2) (I know Kung-Fu !) Emmanuel Fleury <emmanuel.fleury@u-bordeaux.fr> LaBRI, Universit de Bordeaux, France October 8, 2019 Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October

slide-1
SLIDE 1

x86-32 and x86-64 Assembly (Part 2)

(I know Kung-Fu !) Emmanuel Fleury

<emmanuel.fleury@u-bordeaux.fr> LaBRI, Université de Bordeaux, France

October 8, 2019

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 1 / 32

slide-2
SLIDE 2

Overview

1

Stack Management

2

Application Binary Interfaces

3

References

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 2 / 32

slide-3
SLIDE 3

Overview

1

Stack Management

2

Application Binary Interfaces

3

References

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 3 / 32

slide-4
SLIDE 4

Program Overview

argument2 argument1 –––––––––––- var1 var2 var3 var4 var5 var6 var7 var8 main() instr1 instr2 foo() ... SP PC GPR0 GPR1 GPR2

Registers Address-space

Highest Address Lowest Address Stack Heap Data Code

Registers

SP (Stack Pointer); PC (Program Counter); GPR (General Purpose Register).

Address-space

Stack Heap Data Code

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 4 / 32

slide-5
SLIDE 5

Program Overview

argument2 argument1 –––––––––––- var1 var2 var3 var4 var5 var6 var7 var8 main() instr1 instr2 foo() ... SP PC GPR0 GPR1 GPR2

Registers Address-space

Highest Address Lowest Address Stack Heap Data Code

Registers

SP (Stack Pointer); PC (Program Counter); GPR (General Purpose Register).

Address-space

Stack Heap Data Code

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 4 / 32

slide-6
SLIDE 6

Stack Instructions Managing Stack Data

Mnemonic Operand Operation push src Push the content of ’src’ on the stack pop dst Pop the content from the stack to ’dst’

Managing Stack Frames

Mnemonic Operation enter Create a new stack-frame leave Restore the previous stack-frame

Managing Call Stack

Mnemonic Operand Operation call addr Save eip and jump to a function at ’addr’ ret – Restore saved eip and return from a function

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 5 / 32

slide-7
SLIDE 7

Stack (Basic Principle) 17 6 11 21

Last In First Out (LIFO)

Only two operations:

push

Push an item on the stack.

pop

Pop an item from the stack.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 6 / 32

slide-8
SLIDE 8

Stack (Basic Principle) 34 17 6 11 21

Last In First Out (LIFO)

Only two operations:

push

Push an item on the stack.

pop

Pop an item from the stack.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 6 / 32

slide-9
SLIDE 9

Stack (Basic Principle) 34 34 17 6 11 21 push

Last In First Out (LIFO)

Only two operations:

push

Push an item on the stack.

pop

Pop an item from the stack.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 6 / 32

slide-10
SLIDE 10

Stack (Basic Principle) 34 17 6 11 21

Last In First Out (LIFO)

Only two operations:

push

Push an item on the stack.

pop

Pop an item from the stack.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 6 / 32

slide-11
SLIDE 11

Stack (Basic Principle) 34 34 17 6 11 21 pop

Last In First Out (LIFO)

Only two operations:

push

Push an item on the stack.

pop

Pop an item from the stack.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 6 / 32

slide-12
SLIDE 12

Stack (Basic Principle) 34 17 6 11 21

Last In First Out (LIFO)

Only two operations:

push

Push an item on the stack.

pop

Pop an item from the stack.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 6 / 32

slide-13
SLIDE 13

Stack (In Memory)

esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

Memory area is managed as a stack. It grows toward lower addresses. Register esp (stack-pointer) contains:

Address of the stack’s top element. Lowest address of the memory area.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 7 / 32

slide-14
SLIDE 14

push

0x804842 src esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

push <src> Actions performed:

1 Fetch operand from src; 2 esp = esp-4 (32 bits)

esp = esp-8 (64 bits);

3 Write operand to (esp). Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 8 / 32

slide-15
SLIDE 15

push

0x804842 src esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

push push <src> Actions performed:

1 Fetch operand from src; 2 esp = esp-4 (32 bits)

esp = esp-8 (64 bits);

3 Write operand to (esp). Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 8 / 32

slide-16
SLIDE 16

push

0x804842 src esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

push

−4

push <src> Actions performed:

1 Fetch operand from src; 2 esp = esp-4 (32 bits)

esp = esp-8 (64 bits);

3 Write operand to (esp). Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 8 / 32

slide-17
SLIDE 17

push

0x804842 src esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

push

−4

push <src> Actions performed:

1 Fetch operand from src; 2 esp = esp-4 (32 bits)

esp = esp-8 (64 bits);

3 Write operand to (esp). Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 8 / 32

slide-18
SLIDE 18

push

0x804842 src esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8 0x804842

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

push push <src> Actions performed:

1 Fetch operand from src; 2 esp = esp-4 (32 bits)

esp = esp-8 (64 bits);

3 Write operand to (esp). Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 8 / 32

slide-19
SLIDE 19

push

esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8 0x804842

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

push <src> Actions performed:

1 Fetch operand from src; 2 esp = esp-4 (32 bits)

esp = esp-8 (64 bits);

3 Write operand to (esp). Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 8 / 32

slide-20
SLIDE 20

pop

esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8 0x804842

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

pop <dst> Actions performed:

1 Fetch operand from esp; 2 Write operand to dst. 3 esp = esp+4 (32 bits)

esp = esp+8 (64 bits);

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 9 / 32

slide-21
SLIDE 21

pop

esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8 0x804842

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

pop pop <dst> Actions performed:

1 Fetch operand from esp; 2 Write operand to dst. 3 esp = esp+4 (32 bits)

esp = esp+8 (64 bits);

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 9 / 32

slide-22
SLIDE 22

pop

0x804842 dst esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8 0x804842

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

pop pop <dst> Actions performed:

1 Fetch operand from esp; 2 Write operand to dst. 3 esp = esp+4 (32 bits)

esp = esp+8 (64 bits);

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 9 / 32

slide-23
SLIDE 23

pop

0x804842 dst esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8 0x804842

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

pop

+4

pop <dst> Actions performed:

1 Fetch operand from esp; 2 Write operand to dst. 3 esp = esp+4 (32 bits)

esp = esp+8 (64 bits);

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 9 / 32

slide-24
SLIDE 24

pop

0x804842 dst esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8 0x804842

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

pop

+4

pop <dst> Actions performed:

1 Fetch operand from esp; 2 Write operand to dst. 3 esp = esp+4 (32 bits)

esp = esp+8 (64 bits);

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 9 / 32

slide-25
SLIDE 25

pop

0x804842 dst esp

Bottom of the Stack

0x145fea 0x6970db 0xffd474 0xffd3c8 0x804842

Top of the Stack

Higher Memory Addresses 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Lower Memory Addresses

pop <dst> Actions performed:

1 Fetch operand from esp; 2 Write operand to dst. 3 esp = esp+4 (32 bits)

esp = esp+8 (64 bits);

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 9 / 32

slide-26
SLIDE 26

Stack Frame

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Previous Stack-frame Current Stack-frame

A stack-frame is represented by the couple: (esp, ebp) Register esp (stack-pointer) contains:

Address of the stack’s top element. Lowest address of the stack-frame.

Register ebp (base-pointer) contains:

Address of the stack’s bottom element. Highest address of the stack-frame.

Stack’s bottom element is always the saved ebp from the previous stack-frame. Created on ‘enter’ and discarded on ‘leave’.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 10 / 32

slide-27
SLIDE 27

Stack Frame

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

saved ebp 0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Previous Stack-frame Current Stack-frame

A stack-frame is represented by the couple: (esp, ebp) Register esp (stack-pointer) contains:

Address of the stack’s top element. Lowest address of the stack-frame.

Register ebp (base-pointer) contains:

Address of the stack’s bottom element. Highest address of the stack-frame.

Stack’s bottom element is always the saved ebp from the previous stack-frame. Created on ‘enter’ and discarded on ‘leave’.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 10 / 32

slide-28
SLIDE 28

enter

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

enter

(save previous stack-frame and create a fresh one)

Actions performed:

1 push %ebp 2 mov %esp, %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 11 / 32

slide-29
SLIDE 29

enter

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving ebp.

enter

(save previous stack-frame and create a fresh one)

Actions performed:

1 push %ebp 2 mov %esp, %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 11 / 32

slide-30
SLIDE 30

enter

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving ebp.

enter

(save previous stack-frame and create a fresh one)

Actions performed:

1 push %ebp 2 mov %esp, %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 11 / 32

slide-31
SLIDE 31

enter

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

saved ebp 0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving ebp.

enter

(save previous stack-frame and create a fresh one)

Actions performed:

1 push %ebp 2 mov %esp, %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 11 / 32

slide-32
SLIDE 32

enter

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Starting a new stack-frame.

enter

(save previous stack-frame and create a fresh one)

Actions performed:

1 push %ebp 2 mov %esp, %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 11 / 32

slide-33
SLIDE 33

enter

ebp=esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Starting a new stack-frame.

enter

(save previous stack-frame and create a fresh one)

Actions performed:

1 push %ebp 2 mov %esp, %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 11 / 32

slide-34
SLIDE 34

enter

ebp=esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

enter

(save previous stack-frame and create a fresh one)

Actions performed:

1 push %ebp 2 mov %esp, %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 11 / 32

slide-35
SLIDE 35

leave

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

leave

(exit current stack-frame and restore previous one)

Actions performed:

1 mov %ebp, %esp 2 pop %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 12 / 32

slide-36
SLIDE 36

leave

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Cleaning the stack-frame

leave

(exit current stack-frame and restore previous one)

Actions performed:

1 mov %ebp, %esp 2 pop %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 12 / 32

slide-37
SLIDE 37

leave

ebp=esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Cleaning the stack-frame

leave

(exit current stack-frame and restore previous one)

Actions performed:

1 mov %ebp, %esp 2 pop %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 12 / 32

slide-38
SLIDE 38

leave

ebp=esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Restoring ebp register

leave

(exit current stack-frame and restore previous one)

Actions performed:

1 mov %ebp, %esp 2 pop %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 12 / 32

slide-39
SLIDE 39

leave

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Restoring ebp register

leave

(exit current stack-frame and restore previous one)

Actions performed:

1 mov %ebp, %esp 2 pop %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 12 / 32

slide-40
SLIDE 40

leave

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

leave

(exit current stack-frame and restore previous one)

Actions performed:

1 mov %ebp, %esp 2 pop %ebp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 12 / 32

slide-41
SLIDE 41

Call Stack

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Previous Function Current Function

When calling a function, one need to save the context of the current function (next instruction to execute). The register eip (instruction-pointer) of the current function is pushed on the stack before leaving to the next function. Stack-frame top element is always the saved eip before leaving to another function. eip is saved on ‘call’ and restored on ‘ret’.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 13 / 32

slide-42
SLIDE 42

Call Stack

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

saved ebp saved eip 0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Previous Function Current Function

When calling a function, one need to save the context of the current function (next instruction to execute). The register eip (instruction-pointer) of the current function is pushed on the stack before leaving to the next function. Stack-frame top element is always the saved eip before leaving to another function. eip is saved on ‘call’ and restored on ‘ret’.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 13 / 32

slide-43
SLIDE 43

call

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x4456ea 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

call <addr>

(save current eip and continue execution at addr)

Actions performed:

1 push %eip 2 mov addr, %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 14 / 32

slide-44
SLIDE 44

call

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x4456ea 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving eip.

call <addr>

(save current eip and continue execution at addr)

Actions performed:

1 push %eip 2 mov addr, %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 14 / 32

slide-45
SLIDE 45

call

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving eip.

call <addr>

(save current eip and continue execution at addr)

Actions performed:

1 push %eip 2 mov addr, %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 14 / 32

slide-46
SLIDE 46

call

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

saved eip 0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving eip.

call <addr>

(save current eip and continue execution at addr)

Actions performed:

1 push %eip 2 mov addr, %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 14 / 32

slide-47
SLIDE 47

call

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving eip.

call <addr>

(save current eip and continue execution at addr)

Actions performed:

1 push %eip 2 mov addr, %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 14 / 32

slide-48
SLIDE 48

call

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Setting eip to new address.

call <addr>

(save current eip and continue execution at addr)

Actions performed:

1 push %eip 2 mov addr, %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 14 / 32

slide-49
SLIDE 49

call

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

call <addr>

(save current eip and continue execution at addr)

Actions performed:

1 push %eip 2 mov addr, %eip

Warning

In x86-32 eip cannot be addressed as an operand. So, these actions cannot really be executed. Note that this is not anymore the case in x86-64.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 14 / 32

slide-50
SLIDE 50

ret

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

ret (restore previous execution) Actions performed:

1 pop %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 15 / 32

slide-51
SLIDE 51

ret

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Restoring eip register

ret (restore previous execution) Actions performed:

1 pop %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 15 / 32

slide-52
SLIDE 52

ret

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Restoring eip register

ret (restore previous execution) Actions performed:

1 pop %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 15 / 32

slide-53
SLIDE 53

ret

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

ret (restore previous execution) Actions performed:

1 pop %eip Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 15 / 32

slide-54
SLIDE 54

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x4456ea 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-55
SLIDE 55

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x4456ea 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving eip and setting it.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-56
SLIDE 56

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving eip and setting it.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-57
SLIDE 57

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

saved eip 0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving eip and setting it.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-58
SLIDE 58

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving eip and setting it.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-59
SLIDE 59

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0x80f9af 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving ebp.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-60
SLIDE 60

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving ebp.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-61
SLIDE 61

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

saved ebp 0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving ebp.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-62
SLIDE 62

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Saving ebp.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-63
SLIDE 63

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Starting a new stack-frame.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-64
SLIDE 64

A Full Example (Entering a function)

ebp=esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Starting a new stack-frame.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-65
SLIDE 65

A Full Example (Entering a function)

ebp=esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Aligning data for efficiency.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-66
SLIDE 66

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Aligning data for efficiency.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-67
SLIDE 67

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Memory allocation for local variables.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-68
SLIDE 68

A Full Example (Entering a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Memory allocation for local variables.

Actions performed:

1 call addr 2 push %ebp 3 mov %esp, %ebp 4 and $0xfffff0, %esp 5 sub $0x8, %esp Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 16 / 32

slide-69
SLIDE 69

A Full Example (Exiting a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Actions performed:

1 mov %ebp, %esp 2 pop %ebp 3 ret Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 17 / 32

slide-70
SLIDE 70

A Full Example (Exiting a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Cleaning the stack-frame

Actions performed:

1 mov %ebp, %esp 2 pop %ebp 3 ret Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 17 / 32

slide-71
SLIDE 71

A Full Example (Exiting a function)

ebp=esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Cleaning the stack-frame

Actions performed:

1 mov %ebp, %esp 2 pop %ebp 3 ret Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 17 / 32

slide-72
SLIDE 72

A Full Example (Exiting a function)

ebp=esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Restoring ebp register

Actions performed:

1 mov %ebp, %esp 2 pop %ebp 3 ret Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 17 / 32

slide-73
SLIDE 73

A Full Example (Exiting a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Restoring ebp register

Actions performed:

1 mov %ebp, %esp 2 pop %ebp 3 ret Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 17 / 32

slide-74
SLIDE 74

A Full Example (Exiting a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Restoring eip register

Actions performed:

1 mov %ebp, %esp 2 pop %ebp 3 ret Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 17 / 32

slide-75
SLIDE 75

A Full Example (Exiting a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Restoring eip register

Actions performed:

1 mov %ebp, %esp 2 pop %ebp 3 ret Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 17 / 32

slide-76
SLIDE 76

A Full Example (Exiting a function)

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8

Actions performed:

1 mov %ebp, %esp 2 pop %ebp 3 ret Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 17 / 32

slide-77
SLIDE 77

Code Examples (1/2)

.glob main main: movl $20, %eax pushl %eax # Push in the stack popl %ebx # Pop from the stack movl $15, -4(%ebp) # Push in the stack movl 4(%ebp), %ebx # Pop from the stack ret

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 18 / 32

slide-78
SLIDE 78

Code Examples (2/2)

.glob main main: # Prelude pushl %ebp # Save base pointer movl %esp, %ebp # Set stack pointer at base pointer subl $8, %esp # Allocate memory space for two words # Data manipulations pushl $10 # Push 10 in the stack pushl $15 # Push 15 in the stack popl %eax # Pop 15 from the stack popl %ebx # Pop 10 from the stack # Epilog movl %ebp, %esp # Restore previous stack-pointer popl %ebp # Restore the old base pointer ret # Restore previous execution flow

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 19 / 32

slide-79
SLIDE 79

Overview

1

Stack Management

2

Application Binary Interfaces

3

References

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 20 / 32

slide-80
SLIDE 80

Application Binary Interface

An ABI defines a system interface for compiled application programs. It is composed of two parts:

A generic high-level description of the system at an application level; A processor-specific low-level description for each processor family.

The ABI provides the conventions to implement various features for each specific processor:

Functions calling conventions (how to implement function calls); Return value (how to pass the return value to the caller); Stack-frame (how to manage properly the stack); Exceptions (how to implement exceptions).

Unix systems (Linux, BSD, MacOS) usually follow the System V ABI with two x86 processor-specific supplements:

SystemV i386 ABI supplement SystemV amd64 ABI supplement

Microsoft Windows systems follow the Microsoft ABI with two x86 processor-specific specifications:

Microsoft x32 ABI specification Microsoft x64 ABI specification

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 21 / 32

slide-81
SLIDE 81

Register Usages

Volatile/Non-volatile Registers

A register is said volatile if it can be overwritten by the callee with no harm for the caller. On the contrary, a register is said non-volatile if the content of the register may be used by the caller. They must be saved before use and restored before leaving the callee.

Specific usage of pointers

eax: Contains the integer return code if any; st(0): Contains the floating-point return code if any; esi, edi: Non-volatile registers (callee must preserve these registers). ecx, edx: Volatile registers (callee can use freely these registers). ebx: Global offset table base register for position-independent code. For absolute code, it serves as a local register and has no specified role in the function calling

  • sequence. Non-volatile registers (callee must preserve these registers).

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 22 / 32

slide-82
SLIDE 82

Function Calls (A Few Vocabulary)

Function call: foo() is a function calling the function bar():

foo() is the caller function; bar() is the callee function.

Local variable: A variable whose scope is not getting outside of the function (also called automatic variable). Parameters: Data set by the caller function for the callee before start (also called arguments). Return code: Data set by the callee for the caller at the end of execution of the callee. Call stack: The chain of functions that have been currently called (e.g. main() → foo() → bar()).

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 23 / 32

slide-83
SLIDE 83

Function Calling Conventions

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 Function Arguments Current Function

There are several possible calling conventions for SystemV i386 ABI: cdecl, stdcall, fastcall, . . . cdecl is mostly used and, anyway, all arguments go through the stack. Argument words are pushed onto the stack in reverse order; Arguments are referred through:

8(%ebp) (first), 12(%ebp) (second), . . . , 4n+8(%ebp) (n-th).

Argument’s size can be more than a

  • word. To make it a multiple of a word,

tail padding is used. In fact, the ‘saved ebp’ from the previous stack-frame is optional

(‘–fomit-frame-pointer’ gcc option).

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 24 / 32

slide-84
SLIDE 84

Function Calling Conventions

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 saved ebp

(optional)

saved eip Function Arguments Current Function

There are several possible calling conventions for SystemV i386 ABI: cdecl, stdcall, fastcall, . . . cdecl is mostly used and, anyway, all arguments go through the stack. Argument words are pushed onto the stack in reverse order; Arguments are referred through:

8(%ebp) (first), 12(%ebp) (second), . . . , 4n+8(%ebp) (n-th).

Argument’s size can be more than a

  • word. To make it a multiple of a word,

tail padding is used. In fact, the ‘saved ebp’ from the previous stack-frame is optional

(‘–fomit-frame-pointer’ gcc option).

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 24 / 32

slide-85
SLIDE 85

Function Calling Conventions

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 saved ebp

(optional)

saved eip First Argument Function Arguments Current Function

There are several possible calling conventions for SystemV i386 ABI: cdecl, stdcall, fastcall, . . . cdecl is mostly used and, anyway, all arguments go through the stack. Argument words are pushed onto the stack in reverse order; Arguments are referred through:

8(%ebp) (first), 12(%ebp) (second), . . . , 4n+8(%ebp) (n-th).

Argument’s size can be more than a

  • word. To make it a multiple of a word,

tail padding is used. In fact, the ‘saved ebp’ from the previous stack-frame is optional

(‘–fomit-frame-pointer’ gcc option).

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 24 / 32

slide-86
SLIDE 86

Function Calling Conventions

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 saved ebp

(optional)

saved eip First Argument Second Argument Function Arguments Current Function

There are several possible calling conventions for SystemV i386 ABI: cdecl, stdcall, fastcall, . . . cdecl is mostly used and, anyway, all arguments go through the stack. Argument words are pushed onto the stack in reverse order; Arguments are referred through:

8(%ebp) (first), 12(%ebp) (second), . . . , 4n+8(%ebp) (n-th).

Argument’s size can be more than a

  • word. To make it a multiple of a word,

tail padding is used. In fact, the ‘saved ebp’ from the previous stack-frame is optional

(‘–fomit-frame-pointer’ gcc option).

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 24 / 32

slide-87
SLIDE 87

Function Calling Conventions

ebp esp

0xffd4c0 0xf7fb6f 0xfbeaf5 0x11823f 0x145fea 0x6970db 0xffd4cc 0xffd474 0xffd3c8 0x804842

0xffd4cc 0xffd4c8 0xffd4c4 0xffd4c0 0xffd4bc 0xffd4b8 0xffd4b4 0xffd4b0 0xffd4ac 0xffd4a8 saved ebp

(optional)

saved eip First Argument Second Argument Third Argument Function Arguments Current Function

There are several possible calling conventions for SystemV i386 ABI: cdecl, stdcall, fastcall, . . . cdecl is mostly used and, anyway, all arguments go through the stack. Argument words are pushed onto the stack in reverse order; Arguments are referred through:

8(%ebp) (first), 12(%ebp) (second), . . . , 4n+8(%ebp) (n-th).

Argument’s size can be more than a

  • word. To make it a multiple of a word,

tail padding is used. In fact, the ‘saved ebp’ from the previous stack-frame is optional

(‘–fomit-frame-pointer’ gcc option).

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 24 / 32

slide-88
SLIDE 88

Function Calling Conventions (Examples)

Integral and Pointer Arguments int foo(int a, int b, int* c, int &d) %eax foo(8(%ebp), 12(%ebp), 16(%ebp), 20(%ebp)) Floating-point Arguments float bar(float a, int b, float c) %st(0) bar(8(%ebp), 16(%ebp), 20(%ebp)) Struct Arguments int fuz(int a, struct b, struct c) %eax fuz(8(%ebp), 12(%ebp), 20(%ebp))

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 25 / 32

slide-89
SLIDE 89

Struct/Object Arguments

struct mystruct foo(int a, float b) When a function return a structure, the caller is in charge to provide the memory space of the struct. First argument of such function is always the memory location of the struct memory space. The callee sets %eax to the value of the original address of the caller’s area before it returns. The callee must remove this address from the stack before returning.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 26 / 32

slide-90
SLIDE 90

Function Calling Conventions & Registers

Two calling conventions for x86-64 (both inspired by fastcall):

Microsoft x64 calling convention (Windows); SystemV AMD64 calling convention (Linux, BSD, MacOS).

Calling convention through registers

6 registers for integer arguments: rdi, rsi, rdx, rcx, r8, r9; 8 registers for float/double arguments: xmm0–xmm7; First available register for the parameter type is used; No overlap, so you could have 14 parameters stored in registers; struct parameters are splitted between registers; Everything else goes on the stack; rax holds number of vector registers (xmmX).

(Non)-Volatile Registers

Volatile registers: rax, rcx, rdx, rsi, rdi, r8–r11, xmm0–xmm15, st0–st7; Non-volatile registers: rbx, rbp, rsp, r12–r15.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 27 / 32

slide-91
SLIDE 91

Function Calling Conventions (Examples)

Integral and Pointer Arguments int func1(int a, float b, int c) rax func1(rdi, xmm0, rsi) Floating-point Arguments (1) float func2(float a, int b, float c) xmm0 func2(xmm0, rdi, xmm1) Floating-point Arguments (2) float func3(float a, int b, int c) xmm0 func3(xmm0, rdi, rsi)

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 28 / 32

slide-92
SLIDE 92

Function Calling Conventions

typedef struct { int a, b; double d; } structparm; structparm s; int e,f,g,h,i,j,k; long double ld; double m, n; __m256 y; extern void func (int e, int f, structparm s, int g, int h, long double ld, double m, __m256 y, double n, int i, int j, int k); func (e, f, s, g, h, ld, m, y, n, i, j, k);

%rdi:e %xmm0:s.d (%rbp):ld %rsi:f %xmm1:m 16(%rbp):j %rdx:s.a,s.b %ymm2:y 24(%rbp):k %rcx:g %xmm3:n %r8:h %r9:i

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 29 / 32

slide-93
SLIDE 93

Overview

1

Stack Management

2

Application Binary Interfaces

3

References

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 30 / 32

slide-94
SLIDE 94

References I

Michael Matz, Jan Hubicka, Andreas Jaeger, and Mark Mitchell. System V Application Binary Interface: AMD64 Architecture Processor Supplement, September 2010. Version 0.99.5. Santa Cruz Operation, Inc. System V Application Binary Interface: i386 Architecture Processor Supplement, fourth edition, March 1997.

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 31 / 32

slide-95
SLIDE 95

Next Time. . .

Executable Files

Emmanuel Fleury (LaBRI, France) x86-32 and x86-64 Assembly (Part 2) October 8, 2019 32 / 32