x86 Args and local vars
Cheatsheet - x86 Args and local vars
Source code
/* Callee for the args/locals demo.  All five parameters are `char`, but the
 * caller pushes each one as a full 4-byte dword (push 0x5 .. push 0x1), so the
 * disassembly reads them as DWORD PTR [ebp+0x8] .. [ebp+0x18], keeps only the
 * low byte in the frame (mov BYTE PTR [ebp-0x2c],dl), then sign-extends each
 * byte with movsx to the int that printf's "%d" expects (default argument
 * promotion).  The upper three bytes of every argument slot are simply ignored. */
int func(char a, char b, char c, char d, char e){
/* Unused locals: they exist only so the frame shows local-variable slots
 * (ebp-0x19, ebp-0x1a, ebp-0x1b in the gdb view). */
char f = 6, g = 7, h =8 ;
printf("%d %d %d %d %d\n", a,b,c,d,e);
/* Distinctive return value, easy to spot in eax (mov eax,0xc0fee) and in
 * main's printf output (790510 in decimal). */
return 0xC0FEE ;
}
/* Entry point: calls func with five constants pushed right-to-left
 * (push 0x5 first, push 0x1 last - see `disass main`) and prints the
 * returned 0xC0FEE in decimal (790510), without a trailing newline. */
int main(void){
printf("%d",func(1,2,3,4,5));
return 0;
}
Gdb view
(gdb) disass main
...
0x00001238 <+29>: push 0x5
0x0000123a <+31>: push 0x4
0x0000123c <+33>: push 0x3
0x0000123e <+35>: push 0x2
0x00001240 <+37>: push 0x1
0x00001242 <+39>: call 0x1199 <func>
...
(gdb) disass func
0x56199 <+0>: push ebp
0x5619a <+1>: mov ebp,esp
0x5619c <+3>: push edi
0x5619d <+4>: push esi
0x5619e <+5>: push ebx
0x5619f <+6>: sub esp,0x3c
0x561a2 <+9>: call 0x5655626c <__x86.get_pc_thunk.ax>
0x561a7 <+14>: add eax,0x2e59
<-- Breakpoint -->
0x561ac <+19>: mov edi,DWORD PTR [ebp+0x8] ;fetch arg1
0x561af <+22>: mov esi,DWORD PTR [ebp+0xc] ;fetch arg2
0x561b2 <+25>: mov ebx,DWORD PTR [ebp+0x10] ;fetch arg3
0x561b5 <+28>: mov ecx,DWORD PTR [ebp+0x14] ;fetch arg4
0x561b8 <+31>: mov edx,DWORD PTR [ebp+0x18] ;fetch arg5
0x561bb <+34>: mov DWORD PTR [ebp-0x40],edx
0x561be <+37>: mov edx,edi
0x561c0 <+39>: mov BYTE PTR [ebp-0x2c],dl
0x561c3 <+42>: mov edx,esi
0x561c5 <+44>: mov BYTE PTR [ebp-0x30],dl
0x561c8 <+47>: mov BYTE PTR [ebp-0x34],bl
0x561cb <+50>: mov BYTE PTR [ebp-0x38],cl
0x561ce <+53>: movzx edx,BYTE PTR [ebp-0x40]
0x561d2 <+57>: mov BYTE PTR [ebp-0x3c],dl
0x561d5 <+60>: mov BYTE PTR [ebp-0x19],0x6 ; loc_var1
0x561d9 <+64>: mov BYTE PTR [ebp-0x1a],0x7 ; loc_var2
0x561dd <+68>: mov BYTE PTR [ebp-0x1b],0x8 ; loc_var3
0x561e1 <+72>: movsx edi,BYTE PTR [ebp-0x3c]
0x561e5 <+76>: movsx esi,BYTE PTR [ebp-0x38]
0x561e9 <+80>: movsx ebx,BYTE PTR [ebp-0x34]
0x561ed <+84>: movsx ecx,BYTE PTR [ebp-0x30]
0x561f1 <+88>: movsx edx,BYTE PTR [ebp-0x2c]
0x561f5 <+92>: sub esp,0x8
0x561f8 <+95>: push edi
0x561f9 <+96>: push esi
0x561fa <+97>: push ebx
0x561fb <+98>: push ecx
0x561fc <+99>: push edx
0x561fd <+100>: lea edx,[eax-0x1ff8]
0x56203 <+106>: push edx
0x56204 <+107>: mov ebx,eax
0x56206 <+109>: call 0x56556030 <printf@plt>
0x5620b <+114>: add esp,0x20
0x5620e <+117>: mov eax,0xc0fee
0x56213 <+122>: lea esp,[ebp-0xc]
0x56216 <+125>: pop ebx
0x56217 <+126>: pop esi
0x56218 <+127>: pop edi
0x56219 <+128>: pop ebp
Args order
Parameters are pushed right-to-left (32-bit cdecl), so the first argument ends up closest to the return address:
push c
push b
push a
access (after `push ebp` / `mov ebp,esp`):
ebp+4h  = return address
ebp+8h  = a
ebp+ch  = b
ebp+10h = c
Each slot is 4 bytes even for a `char` argument (main does `push 0x1` .. `push 0x5`). The callee reads the whole dword (`mov edi,DWORD PTR [ebp+0x8]`) and keeps only the low byte (`mov BYTE PTR [ebp-0x2c],dl`), so the upper three bytes of a slot are ignored, not checked.
– Run until breakpoint –
Stack view
Print 8 words (4 bytes each) starting at ebp :
(gdb) x/8x $ebp
0xffffd4a8: 0xffffd4d8 0x56556247 0x00000001 0x00000002
ebp ebp+4 ebp+8 ebp+0xc
ebp saved eip 1st arg 2nd arg
0xffffd4b8: 0x00000003 0x00000004 0x00000005 0xffffd584
ebp+0x10 ebp+0x14 ebp+0x18 ebp+0x1c
3rd arg 4th arg 5th arg (past the args: caller's frame)
Dump the stack starting at esp (80 words) :
(gdb) x/80x $esp
0xffffd460: 0x00000000 0x00c30000 0x00000005 0xf7ffc805
0xffffd470: 0xffffd404 0x00000003 0xf7ffd002 0x00000001
0xffffd480: *:0x00000000 *:0xffffd584 *:0xf7fa4000 *:0x00000000
0xffffd490: *:0x00000000 *:0xf7fa4000 *:0xf7dfbcb9 sebx:0x56559000
0xffffd4a0: sesi:0xf7fa4000 sedi:0xf7fa4000 ebp:0xffffd4d8 eip:0x56556247
0xffffd4b0: arg:0x00000001 arg:0x00000002 arg:0x00000003 arg:0x00000004
0xffffd4c0: arg:0x00000005 0xffffd584 0xffffd58c 0x5655622f
0xffffd4d0: 0xffffd4f0 0x00000000 0x00000000 0xf7de4b41
...
* = 0x5655619f <+6>: sub esp,0x3c reserves 0x3c = 60 bytes = 15 four-byte slots (on 32-bit x86 a stack word is 4 bytes, not 8): the region runs from esp (0xffffd460) up to the saved ebx at ebp-0xc (0xffffd49c). Only 7 of those 15 cells are starred above. Note that `sub esp` does not clear the area: the non-zero values already sitting there (0x00c30000, 0xf7ffc805, 0xffffd404, ...) are presumably left over from earlier calls, which is why an uninitialised local in this frame would read stale data rather than zero.