Why [ebp - 8] ?
I don't understand this. I was fiddling with accessing local variables without using their "names", purely in the interests of education. I got this far:
I made it naked so the output assembly code is a little more legible (to me at least). Anyways, in the MSDN docs, it says that "The locals area begins at ebp-2. To access local variables, calculate an offset from ebp by subtracting the appropriate value from ebp."
__declspec(naked) long aFunc() {
    __asm {
        push ebp                    ; save the caller's ebp; it now sits at [ebp]
        mov ebp, esp                ; [ebp+4] = return address pushed by call
        sub esp, 4                  ; reserve 4 bytes of locals: [ebp-4] .. [ebp-1]
        mov dword ptr [ebp - 2], 1  ; as posted: a dword at ebp-2 straddles the local and the saved ebp
        mov eax, [ebp - 2]
        mov esp, ebp
        pop ebp
        ret
    }
}
So here's me subtracting 2 from ebp, to no avail.
"Ok" I thought. A long is 4 bytes, right? So I try to subtract 4, also with no desired results.
So I give up, replace it with 'var' and view the compiler's assembly output with the symbol names switched off.
8 is the number I'm looking for and I can't figure out why. :(
Why 8? What else is on the stack? The return address is out of the way right? I thought that's why it starts at ebp-2?
return address (for ret, it's not out of the way unless MSVC is crazy)
ebp (that was pushed upon entrance)
Both topmost values are dwords.
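Valis's reply, worked through as an added example (my code, not anything posted in the thread): a byte-level model of the frame that push ebp / mov ebp, esp / sub esp, N leaves behind, using constructed addresses. It shows why a dword store at [ebp-2] can never be a clean local: two of its four bytes land in the saved-ebp slot, and it also labels where the return address and arguments sit.

```python
import struct

DWORD = 4
# Constructed sample values (not real addresses): where the frame lands and what the caller pushed.
STACK_TOP, RETURN_ADDRESS, CALLER_EBP = 0x0012FF80, 0x00401000, 0x0012FFA0

class Frame32:
    """Little-endian byte memory plus esp/ebp, built the way the x86 prolog builds a frame."""
    def __init__(self, n_locals=4):
        self.mem = {}
        self.esp = STACK_TOP
        self._push(RETURN_ADDRESS)   # the 'call' that entered the function pushed this
        self._push(CALLER_EBP)       # push ebp
        self.ebp = self.esp          # mov ebp, esp
        self.esp -= n_locals         # sub esp, n_locals
        self.n_locals = n_locals

    def _push(self, value):
        self.esp -= DWORD
        self.store_dword(self.esp, value)

    def store_dword(self, addr, value):
        for i, b in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
            self.mem[addr + i] = b

    def load_dword(self, addr):
        return struct.unpack("<I", bytes(self.mem.get(addr + i, 0) for i in range(DWORD)))[0]

    def region(self, addr):
        """Name the frame slot one byte belongs to, judged by its offset from ebp."""
        off = addr - self.ebp
        if 0 <= off < DWORD:
            return "saved ebp"
        if DWORD <= off < 2 * DWORD:
            return "return address"
        if off >= 2 * DWORD:
            return "arguments"
        if -self.n_locals <= off < 0:
            return "locals"
        return "below esp (unreserved)"

    def dword_regions(self, ebp_offset):
        """Every slot a 4-byte access at [ebp + ebp_offset] touches."""
        return sorted({self.region(self.ebp + ebp_offset + i) for i in range(DWORD)})

def poster_store(ebp_offset, n_locals=4):
    """Replay 'mov dword ptr [ebp + off], 1'; return the slots hit and whether saved ebp survived."""
    f = Frame32(n_locals=n_locals)
    f.store_dword(f.ebp + ebp_offset, 1)
    return f.dword_regions(ebp_offset), f.load_dword(f.ebp) == CALLER_EBP
```

With only 4 bytes reserved, [ebp-8] lies below esp entirely, so the "8" the compiler used simply means it reserved a larger locals area than the hand-written sub esp, 4.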
I think I understand. Maybe.
EBP-8 is where the first parameter being passed to the function is at. This is due to what valis posted.
I've been researching similar ideas. And I'm having trouble understanding a lot of the assembly code. I've been using gdb to disassemble a couple of little programs, but I never know exactly what I'm looking at.
Is there a good resource for this?
Maybe start with http://www.acm.uiuc.edu/sigmil/RevEng/ch06.html
And then move on to http://www.osdata.com/topic/language/asm/asmintro.htm
Pay attention to the book recommendations. You will need one or two of those.
Yeah, I wouldn't start out reverse engineering, because there are very large amounts of weird tricks that are commonly performed that obfuscate the code (but are there to increase performance).
The Art of Assembly Language is good.
Assembly Language for Intel-Based Computers is also (provides less info than The Art).
After you get the basics down I would recommend getting Intel's system manuals and info on extensions like MMX, SSE, and the CPUID instruction.