Talk:Reverse Engineering Mentoring Lesson 004

Original program:

int f1(int a1) { return a1 + 1; }

int main(int argc, char **argv) { f1(1); }

This is how the disassembled code looks in IDA Pro:

.text:00401150
.text:00401150 arg_0          = dword ptr  8
.text:00401150
.text:00401150                push    ebp
.text:00401151                mov     ebp, esp
.text:00401153                mov     eax, [ebp+arg_0]
.text:00401156                inc     eax
.text:00401157                pop     ebp
.text:00401158                retn
.text:00401158 sub_401150     endp
.text:00401158
.text:00401159
.text:00401159 ; =============== S U B R O U T I N E =======================================
.text:00401159
.text:00401159 ; Attributes: bp-based frame
.text:00401159
.text:00401159 ; int __cdecl main(int argc,const char **argv,const char *envp)
.text:00401159 _main          proc near               ; DATA XREF: .data:004090D0↓o
.text:00401159
.text:00401159 argc           = dword ptr  8
.text:00401159 argv           = dword ptr  0Ch
.text:00401159 envp           = dword ptr  10h
.text:00401159
.text:00401159                push    ebp
.text:0040115A                mov     ebp, esp
.text:0040115C                push    1
.text:0040115E                call    sub_401150
.text:00401163                pop     ecx
.text:00401164                pop     ebp
.text:00401165                retn

As explained in previous tutorials, argc, argv, and envp are the arguments passed to the main function. They are pushed onto the stack before main is called, and they are accessed relative to the extended base pointer register (EBP), which the prologue sets to the current top of the stack, so that [EBP + 8] (labelled argc by IDA) is the first argument.

Let's go back to the original program: as we can see, f1(1) is called inside the main function with the integer argument value 1.

The PUSH instruction at address .text:0040115C saves the integer 1, the argument to f1, onto the stack so that the function can access it later.

The next instruction is a call to the function defined at address .text:00401150. Before control is transferred, the CALL saves the current value of EIP, which is the address of the instruction following the call (.text:00401163), onto the stack; EIP is then set to 00401150. Inside the callee, that saved return address sits at a positive offset from EBP ([EBP + 4]).

At address .text:00401150 we can see the stack frame being created (prologue code: push ebp; mov ebp, esp).

Just after this, the function argument ([EBP + arg_0], i.e. [EBP + 8]), the integer 1, is copied into the accumulator register (EAX).

.text:00401156                inc     eax

The value of a1 is incremented by 1, leaving the return value in EAX.

Then the normal epilogue code follows (pop ebp; retn). Back in main, the pop ecx at .text:00401163 removes the pushed argument from the stack, since in the cdecl convention it is the caller that cleans up its arguments.
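The frame layout the lesson walks through (argument at [EBP + 8], return address at [EBP + 4], caller cleanup with pop ecx), as an added C model that is not part of the original lesson: the instruction addresses come from the listing above, while STACK_BASE, STACK_TOP and the 0xDEADBEEF stand-in for main's saved EBP are assumed values.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 32-bit stack around the call to sub_401150. Instruction
   addresses come from the listing; the stack addresses are assumed constants. */
#define STACK_WORDS 16
#define STACK_BASE  0x0012FF00u                     /* lowest modelled dword (assumed) */
#define STACK_TOP   (STACK_BASE + 4 * STACK_WORDS)  /* initial ESP (assumed) */
typedef struct {
    uint32_t mem[STACK_WORDS];                      /* mem[i] is the dword at STACK_BASE + 4*i */
    uint32_t esp, ebp, eax, ecx, eip;
} cpu_t;

static uint32_t *slot(cpu_t *c, uint32_t addr) {    /* bounds-checked dword access */
    assert(addr >= STACK_BASE && addr < STACK_TOP && (addr & 3) == 0);
    return &c->mem[(addr - STACK_BASE) / 4];
}
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; *slot(c, c->esp) = v; }
static uint32_t pop (cpu_t *c)             { uint32_t v = *slot(c, c->esp); c->esp += 4; return v; }
/* State just before .text:0040115C; 0xDEADBEEF stands in for main's saved EBP (assumed). */
static cpu_t cpu_init(void) { cpu_t c = {{0}, STACK_TOP, 0xDEADBEEF, 0, 0, 0x0040115C}; return c; }

/* Caller: .text:0040115C push 1 / .text:0040115E call sub_401150 */
static void caller_call_f1(cpu_t *c) {
    push(c, 1);                 /* push 1 : argument a1 goes on the stack */
    push(c, 0x00401163);        /* call   : saves the address of the next instruction ... */
    c->eip = 0x00401150;        /*        : ... then transfers control to sub_401150 */
}
/* Callee. After the prologue EBP is the frame base: [ebp+4] = return address, [ebp+8] = arg_0. */
static void f1_prologue(cpu_t *c) { push(c, c->ebp); c->ebp = c->esp; }            /* push ebp; mov ebp, esp */
static void f1_body(cpu_t *c)     { c->eax = *slot(c, c->ebp + 8); c->eax += 1; }  /* mov eax, [ebp+arg_0]; inc eax */
static void f1_epilogue(cpu_t *c) { c->ebp = pop(c); c->eip = pop(c); }            /* pop ebp; retn */
/* Whole sequence, including the cdecl caller cleanup (pop ecx); returns EAX, f1's result. */
static uint32_t run_f1_call(cpu_t *c) {
    uint32_t esp_before = c->esp;
    caller_call_f1(c);
    f1_prologue(c); f1_body(c); f1_epilogue(c);
    c->ecx = pop(c);                                        /* .text:00401163 pop ecx */
    assert(c->esp == esp_before && c->eip == 0x00401163);   /* stack balanced, back in main */
    return c->eax;
}

int main(void) {
    cpu_t c = cpu_init();
    caller_call_f1(&c); f1_prologue(&c);
    printf("[ebp+4]=%08X [ebp+8]=%u\n", (unsigned)*slot(&c, c.ebp + 4), (unsigned)*slot(&c, c.ebp + 8));
    f1_body(&c); f1_epilogue(&c); c.ecx = pop(&c); printf("eax=%u\n", (unsigned)c.eax);
    return 0;
}
```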