Member Avatar for eniwe

When a CALL instruction is executed, the address of the current instruction is pushed into the stack. Then, the execution makes an unconditional JMP to the address specified as the parameter of the call instruction.

.code
Test:
     call delta
delta:
     pop  ebp
     sub  ebp,offset delta
     mov  esi,[esp]
     and  esi,0ffff0000h
     push 0
     call ExitProcess

Screen shot (unable to paste here from the word file hence attaching it) of debugger after the call instruction is executed is as below:

00401000   call    test. 00401005
00401005   pop     ebp
                                                           esp  0012FFC0
                                                           eip   00401005

The current code address is: 00401005. (True. EIP confirms this fact).
This address is supposed to have been pushed to stack.
This address is on the top of the stack. (True. EBP shows it after the POP).
And below is the sketch of my partially faulty assumption and understanding.
That, ESP points to the top of the stack.
But, ESP Does not shows 4001005, but another value 0012FFC0.

Request help... a little illumination on this situation.
Thank you.

test.JPG 67.79 KB
  • 2 Contributors
  • 5 Replies
  • 104 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by eniwe
Member Avatar for Salem

You haven't actually executed the pop ebp yet, so of course it has the old value.

Member Avatar for eniwe

thank you...
iam afraid that i was not able to put across clearly the issue due to my lack of understanding of the area.
i can see that the address 00401005h is on top of the stack, because that value is pop-ed to EBP register later on. this fact, iam able to recognize and i had mentioned it in my last post.

This address is on the top of the stack. (true. EBP shows it after the pop).

So, EBP is in clear.
My problem is with ESP.
what is the value 0012FFC4 pointed to by ESP stands for?

if 0012FFC4 is an address in memory, it may not belong to this current process’s address space because the image base of the current process by default is 00400000h. if it is not an address, what does it refer to ?

hope you would bear with this ignorant assembly admirer.
regards...

note: the screen shot after the pop execution is attached.

test1.JPG 59.65 KB
Member Avatar for eniwe

multiple entry

Edited by eniwe because: n/a
Member Avatar for Salem

> what is the value 0012FFC4 pointed to by ESP stands for?
0012FFC4 is a memory address - ESP (SP being Stack Pointer)
[ESP] is the contents of that address.

In C terms, it's
int *esp;

esp is a pointer to some memory
*esp is the contents of that memory location

push is *(--esp) = value;
pop is *esp++

Member Avatar for eniwe

Registers: (A) After loading. (B) After the CALL (C) After the MOV.
A . After loading

:00401000►   call   AS.00401005    eax 00000000 
:00401005    pop    ebp            ebx 7FFDD000 
:00401006    sub    ebp,00401005   ecx 0012FFB0 
:0040100C    mov    esi,[esp]      edx 7C90E514 
:0040100F    and    esi,FFFF0000   esi 7C918F21 
:00401015    push   00000000       edi 7C80F291 
:00401017    call   KERNEL32.ExitP ebp 0012FFF0 
:0040101C    jmp    [00403030]     esp 0012FFC4

B. After the CALL

:00401000    [B]CALL[/B]   AS.00401005    eax 00000000
:00401005►   pop    ebp            ebx 7FFDD000
:00401006    sub    ebp,00401005   ecx 0012FFB0
:0040100C    mov    esi,[esp]      edx 7C90E514
:0040100F    and    esi,FFFF0000   esi 7C918F21
:00401015    push   00000000       edi 7C80F291
:00401017    call   KERNEL32.ExitP ebp 0012FFF0
:0040101C    jmp    [00403030]     [B]ESP 0012FFC0[/B]

C. After the MOV

:00401000    call   AS.00401005    eax 00000000
:00401005    pop    ebp            ebx 7FFDE000
:00401006    sub    ebp,00401005   ecx 0012FFB0
:0040100C    [B]MOV[/B]    ESI,[ESP]      edx 7C90E514
:0040100F►   and    esi,FFFF0000   [B]ESI 7C817077[/B]
:00401015    push   00000000       edi 7C80F291
:00401017    call   KERNEL32.ExitP ebp 00000000
:0040101C    jmp    [00403030]     esp 0012FFC4

ESP showed 0012FFC4 in the beginning, and when the dword 00401005 occupied 4 bytes of space in the stack, ESP reflected that fact by showing 0012FFC0. (FFC4-4=FFC0)That settles it ; the meaning of the value pointed to by ESP.
So, the initial part of my Faulty observation is resolved. But, the later part remains. it is about ESP.

when CALL instruction is executed, the return address is pushed to the stack. that value (for example, 00401005h) can be pop-ed to a register. similarly, at load, ESP indicates that there is a value present in the stack. POP-ing it to EBX, i find that value is 7C817077.
.code
test:
pop ebp ; ebp = a return address?
call delta
delta:
pop ebp

is it a return address?
Suppose, our program (as.exe), is in fact call-ed from an address within kernel32.dll and what we have seen is the return address to that location. if true, can’t we find the base address of kernel32.dll from here?
what purpose it serves...i am not sure, may be 'am just inquisitive.
i may be forgiven, if this query is excessively far off the mark for reason.
Thank you.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.