Why [ebp - 8] ?

**cboard_member** · 07-13-2006

I don't understand this. I was fiddling with accessing local variables without using their "names", purely in the interests of education. I got this far:

Code:

__declspec(naked) long aFunc()
{
    long var;

    __asm
    {
        push ebp
        mov ebp, esp
        sub esp, 4

        mov [ebp - 2], 1
        mov eax, [ebp - 2]

        mov esp, ebp
        pop ebp
        ret
    }
}

I made it naked so the output assembly code is a little more legible (to me at least). Anyways, in the MSDN docs, it says that "The locals area begins at ebp-2. To access local variables, calculate an offset from ebp by subtracting the appropriate value from ebp."

So here's me subtracting 2 from ebp with no avail.
"Ok" I thought. A long is 4 bytes, right? So I try to subtract 4, also with no desired results.

So I give up, replace it with 'var' and view the compiler's assembly output with the symbol names switched off.

8 is the number I'm looking for and I can't figure out why.

Why 8? What else is on the stack? The return address is out of the way right? I thought that's why it starts at ebp-2?

**valis** · 07-13-2006

stack:
stuff
params
return address (for ret, it's not out of the way unless msvc is crazy)
ebp (that was pushed upon entrance)

Both topmost values are dwords.

**cboard_member** · 07-14-2006

I think I understand. Maybe.

**VirtualAce** · 07-14-2006

EBP-8 is where the first parameter being passed to the function is at. This is due to what valis posted.

**m.mixon** · 07-19-2006

I've been researching similiar ideas. And I'm having trouble understanding alot of the assembly code. I've been using gdb to disassemble a couple of little programs, but I never know exactly what I'm looking at.

Is there a good resource for this?

Thanks,
Michael

**Mario F.** · 07-19-2006

Maybe start with http://www.acm.uiuc.edu/sigmil/RevEng/ch06.html

And then move on to http://www.osdata.com/topic/language/asm/asmintro.htm

Pay attention to the book recommendations. You will need one or two of those

**valis** · 07-19-2006

yeah, I wouldn't start out reverse engineering because there are very large amounts of wierd tricks that are commonly performed that obfuscate the code (but are there to increase performance).
The art of assembly language is good
Assembly language for intel based computers is also (provides less info than the art)

After you get the basics down I would recommend getting intel's system manuals and info on extensions like mmx, sse, and the cpuid instruction.

Thread: Why [ebp - 8] ?

Thread Tools

Search Thread

Display

Why [ebp - 8] ?

Similar Threads

Something I'd like to share with all of you: simple frustum culling