Re: Stack Exploit



Frank Kotler wrote:

> 08048390 <printMessage>:
> 8048390: 55 push %ebp
> 8048391: 89 e5 mov %esp,%ebp
> 8048393: 57 push %edi
> 8048394: 56 push %esi
> 8048395: 83 ec 1c sub $0x1c,%esp
>
> 80483bc: 8d 65 f8 lea 0xfffffff8(%ebp),%esp
> 80483bf: 5e pop %esi
> 80483c0: 5f pop %edi
> 80483c1: 5d pop %ebp
> 80483c2: c3 ret
>
> What's with the "lea 0xfffffff8(%ebp),%esp" after the "call"? Not the

It restores the stack to the value where %esi was saved.

+4(%ebp) -> return address
(%ebp) -> saved %ebp
-4(%ebp) -> saved %edi
-8(%ebp) -> saved %esi

> way I would have expected to clean up stack... Mysterious are the ways
> of gcc!

But if you compile it with -O2, you will get much better code.
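To show why that epilogue works without knowing how much the body allocated, here is an added simulation (not code from the thread) of the printMessage prologue and epilogue on a tiny 32-bit stack model. The names cpu_t, run_printMessage and epilogue_restores_frame, the 0x080484f2 return address and the extra in-body pushes are all constructed for this example.

```c
#include <stdint.h>

/* Constructed 32-bit machine model: a small word-addressed stack plus the
 * registers that the printMessage prologue/epilogue touches. */
#define STACK_WORDS 64
typedef struct {
    uint32_t mem[STACK_WORDS];
    uint32_t esp, ebp, esi, edi, eip;
} cpu_t;

static void push(cpu_t *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t pop(cpu_t *c) { uint32_t v = c->mem[c->esp / 4]; c->esp += 4; return v; }

/* Run the gcc-generated frame setup and teardown from the disassembly.
 * body_pushes models pushes made inside the body (e.g. outgoing call
 * arguments) that leave %esp below the sub $0x1c point; the epilogue never
 * has to account for them because it recomputes %esp from %ebp. */
static void run_printMessage(cpu_t *c, uint32_t return_addr, int body_pushes)
{
    push(c, return_addr);          /* call printMessage: +4(%ebp) -> return address */
    push(c, c->ebp);               /* 8048390: push %ebp     (%ebp) -> saved %ebp   */
    c->ebp = c->esp;               /* 8048391: mov %esp,%ebp                        */
    push(c, c->edi);               /* 8048393: push %edi    -4(%ebp) -> saved %edi  */
    push(c, c->esi);               /* 8048394: push %esi    -8(%ebp) -> saved %esi  */
    c->esp -= 0x1c;                /* 8048395: sub $0x1c,%esp  (locals)             */
    c->esi = 0x11111111;           /* body clobbers the callee-saved registers...   */
    c->edi = 0x22222222;
    for (int i = 0; i < body_pushes; i++)
        push(c, 0x12345678);       /* ...and moves %esp further (dummy arguments)   */
    c->esp = c->ebp - 8;           /* 80483bc: lea -8(%ebp),%esp -> at saved %esi   */
    c->esi = pop(c);               /* 80483bf: pop %esi */
    c->edi = pop(c);               /* 80483c0: pop %edi */
    c->ebp = pop(c);               /* 80483c1: pop %ebp */
    c->eip = pop(c);               /* 80483c2: ret      */
}

/* Returns 1 if the caller's registers and %esp are intact after the call. */
int epilogue_restores_frame(int body_pushes)
{
    cpu_t c = {0};
    c.esp = STACK_WORDS * 4;       /* empty stack: top of the modelled memory */
    c.ebp = 0xAAAAAAAA; c.esi = 0xBBBBBBBB; c.edi = 0xCCCCCCCC;
    cpu_t before = c;
    run_printMessage(&c, 0x080484f2, body_pushes);
    return c.esp == before.esp && c.ebp == before.ebp &&
           c.esi == before.esi && c.edi == before.edi && c.eip == 0x080484f2;
}
```

With or without extra pushes in the body, the lea lands %esp exactly on the saved %esi slot, so the three pops and the ret see the frame the prologue built.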


