call return exploration
Calling functions by Pushing and Jumping
callReturnExploration.s
LC0: .ascii "%d\n\0"
.text
.globl _function
_function:
    movl $99, %eax
    # ret
    popl %ecx
    jmp *%ecx
.globl _main
_main:
    pushl %ebp
Program starts here
LC0: .ascii "%d\n\0"
.text
.globl _function
_function:
    movl $99, %eax
    # ret
    popl %ecx
    jmp *%ecx
.globl _main
_main:
    pushl %ebp
8(%esp) argv
4(%esp) argc
(%esp) return addr
%esp 28ff2c %ebp old %ebp %eax $0
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
8(%esp) argv
4(%esp) argc
(%esp) return addr
%esp 28ff2c %ebp old %ebp %eax $0
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
%esp 28ff28 %ebp old %ebp %eax $0
12(%esp) argv
8(%esp) argc
4(%esp) return addr
(%esp) old %ebp
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
%esp 28ff28 %ebp old %ebp %eax $0
12(%esp) argv
8(%esp) argc
4(%esp) return addr
(%esp) old %ebp
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
%esp 28ff28 %ebp 28ff28 %eax $0
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
%esp 28ff28 %ebp 28ff28 %eax $0
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
%esp 28ff20 %ebp 28ff28 %eax $0
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp)
(%esp)
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
%esp 28ff20 %ebp 28ff28 %eax $0
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp)
(%esp)
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
%esp 28ff1c %ebp 28ff28 %eax $0
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp)
4(%esp)
(%esp) $retAddr
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
%esp 28ff1c %ebp 28ff28 %eax $0
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp)
4(%esp)
(%esp) $retAddr
_function:
    ...
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
%esp 28ff1c %ebp 28ff28 %eax $0
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp)
4(%esp)
(%esp) $retAddr
_function:
    movl $99, %eax
    # ret
    popl %ecx
    jmp *%ecx
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
%esp 28ff1c %ebp 28ff28 %eax $0
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp)
4(%esp)
(%esp) $retAddr
_function:
    movl $99, %eax
    # ret
    popl %ecx
    jmp *%ecx
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
%esp 28ff1c %ebp 28ff28 %eax $0
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp)
4(%esp)
(%esp) $retAddr
_function:
    movl $99, %eax
    # ret
    popl %ecx
    jmp *%ecx
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp)
4(%esp)
(%esp) $retAddr
%esp 28ff1c %ebp 28ff28 %eax $99
_function:
    movl $99, %eax
    # ret
    popl %ecx
    jmp *%ecx
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp)
4(%esp)
(%esp) $retAddr
%esp 28ff1c %ebp 28ff28 %eax $99
_function:
    movl $99, %eax
    # ret
    popl %ecx
    jmp *%ecx
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp)
(%esp)
%esp 28ff20 %ebp 28ff28 %eax $99 %ecx $retAddr
_function:
    movl $99, %eax
    # ret
    popl %ecx
    jmp *%ecx
.globl _main
_main:
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp)
(%esp)
%esp 28ff20 %ebp 28ff28 %eax $99 %ecx $retAddr
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp)
(%esp)
%esp 28ff20 %ebp 28ff28 %eax $99 %ecx $retAddr
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp)
(%esp)
%esp 28ff20 %ebp 28ff28 %eax $99
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp)
(%esp)
%esp 28ff20 %ebp 28ff28 %eax $99
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp) $99
(%esp)
%esp 28ff20 %ebp 28ff28 %eax $99
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp) $99
(%esp)
%esp 28ff20 %ebp 28ff28 %eax $99
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp) $99
(%esp) $LC0
%esp 28ff20 %ebp 28ff28 %eax $99
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp) $99
(%esp) $LC0
%esp 28ff20 %ebp 28ff28 %eax $99
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
%esp 28ff1c %ebp 28ff28 %eax $99
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp) $99
4(%esp) $LC0
(%esp) address of next instruction
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
%esp 28ff1c %ebp 28ff28 %eax $99
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp) $99
4(%esp) $LC0
(%esp) address of next instruction
We push the address of the next instruction to the stack.
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
%esp 28ff1c %ebp 28ff28 %eax $99
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp) $99
4(%esp) $LC0
(%esp) address of next instruction
We push the address of the next instruction to the stack.
We jump to _printf and do our business
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
%esp 28ff1c %ebp 28ff28 %eax $99
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
8(%esp) $99
4(%esp) $LC0
(%esp) address of next instruction
We push the address of the next instruction to the stack.
We jump to _printf and do our business
When finished, _printf's ret pops that saved address off the stack and jumps to it, which lands on our next instruction — exactly the popl/jmp pair _function used. Control comes back here only because that stack slot still holds the address we pushed; ret trusts whatever value is there.
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp) $99
(%esp) $LC0
%esp 28ff20 %ebp 28ff28 %eax $99
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp) $99
(%esp) $LC0
%esp 28ff20 %ebp 28ff28 %eax $99
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp) $99
(%esp) $LC0
%esp 28ff20 %ebp 28ff28 %eax $0
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
12(%ebp) argv
8(%ebp) argc
4(%ebp) return addr
(%ebp) old %ebp
4(%esp) $99
(%esp) $LC0
%esp 28ff20 %ebp 28ff28 %eax $0
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
8(%esp) argv
4(%esp) argc
(%esp) return addr
%esp 28ff2c %ebp old %ebp %eax $0
    pushl %ebp
    movl %esp, %ebp
    subl $8, %esp
    # call _function
    pushl $retAddr
    jmp _function
retAddr:
    movl %eax, 4(%esp)
    movl $LC0, (%esp)
    call _printf
    movl $0, %eax
    leave
    ret
8(%esp) argv
4(%esp) argc
(%esp) return addr
%esp 28ff2c %ebp old %ebp %eax $0
Calling functions by Pushing and Jumping
This presentation by Pat Hawks is licensed under a Creative Commons Attribution 4.0 International License
callReturnExploration.s