x86 Args and local vars

Cheatsheet - x86 Args and local vars

Source code

/*
 * Demo callee: receives five char arguments, declares three char locals
 * that are never read (their stores still show up in the unoptimised
 * disassembly of func, which is the point of the demo), prints the
 * arguments and returns the constant 0xC0FEE.
 *
 * Returns: always 0xC0FEE.
 */
int func(char a, char b, char c, char d, char e){
    /* Unused locals, present only so the compiler lays out stack slots for them. */
    char f = 6;
    char g = 7;
    char h = 8;

    /* Default argument promotion widens each char to int, so %d matches. */
    printf("%d %d %d %d %d\n", a, b, c, d, e);

    return 0xC0FEE;
}

/* Entry point: calls func with the arguments 1..5 and prints func's return value. */
int main(void){
    int result = func(1, 2, 3, 4, 5);
    printf("%d", result);
    return 0;
}

Gdb view


(gdb) disass main
   ...
   0x00001238 <+29>:  push   0x5
   0x0000123a <+31>:  push   0x4
   0x0000123c <+33>:  push   0x3
   0x0000123e <+35>:  push   0x2
   0x00001240 <+37>:  push   0x1
   0x00001242 <+39>:  call   0x1199 <func>
   ...

(gdb) disass func
   0x56199 <+0>:      push   ebp
   0x5619a <+1>:      mov    ebp,esp
   0x5619c <+3>:      push   edi
   0x5619d <+4>:      push   esi
   0x5619e <+5>:      push   ebx
   0x5619f <+6>:      sub    esp,0x3c
   0x561a2 <+9>:      call   0x5655626c <__x86.get_pc_thunk.ax>
   0x561a7 <+14>:     add    eax,0x2e59
   <-- Breakpoint -->
   0x561ac <+19>:     mov    edi,DWORD PTR [ebp+0x8]  ;fetch arg1
   0x561af <+22>:     mov    esi,DWORD PTR [ebp+0xc]  ;fetch arg2
   0x561b2 <+25>:     mov    ebx,DWORD PTR [ebp+0x10] ;fetch arg3
   0x561b5 <+28>:     mov    ecx,DWORD PTR [ebp+0x14] ;fetch arg4
   0x561b8 <+31>:     mov    edx,DWORD PTR [ebp+0x18] ;fetch arg5
   0x561bb <+34>:     mov    DWORD PTR [ebp-0x40],edx
   0x561be <+37>:     mov    edx,edi
   0x561c0 <+39>:     mov    BYTE PTR [ebp-0x2c],dl
   0x561c3 <+42>:     mov    edx,esi
   0x561c5 <+44>:     mov    BYTE PTR [ebp-0x30],dl
   0x561c8 <+47>:     mov    BYTE PTR [ebp-0x34],bl
   0x561cb <+50>:     mov    BYTE PTR [ebp-0x38],cl
   0x561ce <+53>:     movzx  edx,BYTE PTR [ebp-0x40]
   0x561d2 <+57>:     mov    BYTE PTR [ebp-0x3c],dl
   0x561d5 <+60>:     mov    BYTE PTR [ebp-0x19],0x6 ; loc_var1
   0x561d9 <+64>:     mov    BYTE PTR [ebp-0x1a],0x7 ; loc_var2
   0x561dd <+68>:     mov    BYTE PTR [ebp-0x1b],0x8 ; loc_var3
   0x561e1 <+72>:     movsx  edi,BYTE PTR [ebp-0x3c]
   0x561e5 <+76>:     movsx  esi,BYTE PTR [ebp-0x38]
   0x561e9 <+80>:     movsx  ebx,BYTE PTR [ebp-0x34]
   0x561ed <+84>:     movsx  ecx,BYTE PTR [ebp-0x30]
   0x561f1 <+88>:     movsx  edx,BYTE PTR [ebp-0x2c]
   0x561f5 <+92>:     sub    esp,0x8
   0x561f8 <+95>:     push   edi
   0x561f9 <+96>:     push   esi
   0x561fa <+97>:     push   ebx
   0x561fb <+98>:     push   ecx
   0x561fc <+99>:     push   edx
   0x561fd <+100>:    lea    edx,[eax-0x1ff8]
   0x56203 <+106>:    push   edx
   0x56204 <+107>:    mov    ebx,eax
   0x56206 <+109>:    call   0x56556030 <printf@plt>
   0x5620b <+114>:    add    esp,0x20
   0x5620e <+117>:    mov    eax,0xc0fee
   0x56213 <+122>:    lea    esp,[ebp-0xc]
   0x56216 <+125>:    pop    ebx
   0x56217 <+126>:    pop    esi
   0x56218 <+127>:    pop    edi
   0x56219 <+128>:    pop    ebp

Args order

Parameters are pushed in reverse order (last argument first) :

push c
push b
push a

Access from the callee, after `push ebp` / `mov ebp,esp` (ebp+4 holds the return address) :

ebp+8h  = a
ebp+0Ch = b
ebp+10h = c

– Run until breakpoint –

Stack view

Print 8 words (dwords) starting at ebp :

(gdb) x/8x $ebp
0xffffd4a8:   0xffffd4d8   0x56556247   0x00000001   0x00000002
              ebp          ebp+4        ebp+8        ebp+0xc
              saved ebp    saved eip    1st arg      2nd arg

0xffffd4b8:   0x00000003   0x00000004   0x00000005   0xffffd584
              ebp+0x10     ebp+0x14     ebp+0x18
              3rd arg      4th arg      5th arg

Dump 80 words of the stack starting at esp :

(gdb) x/80x $esp
0xffffd460:      0x00000000      0x00c30000     0x00000005      0xf7ffc805
0xffffd470:      0xffffd404      0x00000003     0xf7ffd002      0x00000001
0xffffd480:    *:0x00000000    *:0xffffd584   *:0xf7fa4000    *:0x00000000
0xffffd490:    *:0x00000000    *:0xf7fa4000   *:0xf7dfbcb9 sebx:0x56559000
0xffffd4a0: sesi:0xf7fa4000 sedi:0xf7fa4000 ebp:0xffffd4d8  eip:0x56556247
0xffffd4b0:  arg:0x00000001  arg:0x00000002 arg:0x00000003  arg:0x00000004
0xffffd4c0:  arg:0x00000005      0xffffd584     0xffffd58c      0x5655622f
0xffffd4d0:     0xffffd4f0       0x00000000     0x00000000      0xf7de4b41
...

* = 0x5655619f <+6>: sub esp,0x3c reserves 0x3c = 60 bytes for locals and argument spills, i.e. 15 dword slots (60/4 = 15) from esp (0xffffd460) up to the saved ebx at 0xffffd49c; only the 7 highest of those slots are starred above.