7.1 Local State

Basic Assembly
Local state
Assembly language programming

By xorpd xorpd.net
Objectives
• We will study the EBP register, and its use as the stack base
pointer.
• We will learn about function’s local variables, and where to

store them.
• We will understand the general structure of the stack during

the invocation of functions in our program.
EBP
• EBP – Extended base pointer.
• A register of size 32 bits.
ebp
bp
• Historically, ESP could not be used to access memory directly.

• “dword [esp + 4]” was not possible.
• The EBP register was used instead.
• These days ESP can access memory directly.

• EBP is usually used to “hold” the stack frame.
Example
• Extracting the arguments from the stack:
sum_nums:
mov esi,dword [esp + 4]

mov ecx,dword [esp + 8]
xor edx,edx
jecxz .no_nums
.next_dw:
lodsd
add edx,eax
loop .next_dw
.no_nums:
mov eax,edx
ret
Example
sum_nums: sum_nums:
push ecx
mov esi,dword [esp + 4] mov esi,dword [esp + 8]
mov ecx,dword [esp + 8] mov ecx,dword [esp + 0ch]
xor edx,edx xor edx,edx
jecxz .no_nums jecxz .no_nums
.next_dw: .next_dw:
lodsd lodsd
add edx,eax add edx,eax
loop .next_dw loop .next_dw
.no_nums: .no_nums:
mov eax,edx mov eax,edx
pop ecx
ret ret
Example
sum_nums: sum_nums:
push ecx
mov esi,dword [esp + 4] mov esi,dword [esp + 8]
mov ecx,dword [esp + 8] mov ecx,dword [esp + 0ch]
xor edx,edx xor edx,edx
jecxz .no_nums jecxz .no_nums
.next_dw: .next_dw:
lodsd lodsd
add edx,eax add edx,eax
loop .next_dw loop .next_dw
.no_nums: .no_nums:
mov eax,edx mov eax,edx
pop ecx
ret ret
• ESP might change many times during the function.

• We have to follow the current offset of ESP to be able to access
arguments.
• Not fun :(
Holding the stack frame
• We could use EBP to remember what ESP was initially.
• Then we don’t care about changes to esp.
sum_nums:
mov ebp,esp
push ecx
mov esi,dword [ebp + 4]
mov ecx,dword [ebp + 8]
xor edx,edx
jecxz .no_nums
.next_dw:
lodsd
add edx,eax
loop .next_dw
.no_nums:
mov eax,edx
pop ecx
ret
sum_nums:
push ebp ; Keep ebp
mov ebp,esp
push ecx
mov esi,dword [ebp + 4]
mov ecx,dword [ebp + 8]
xor edx,edx
jecxz .no_nums
.next_dw:
lodsd
add edx,eax
loop .next_dw
.no_nums:
mov eax,edx
pop ecx
pop ebp ; Restore ebp
ret
func:
push ebp ; Keep ebp
mov ebp,esp
...

ret
func: ...
push ebp ; Keep ebp
mov ebp,esp ????????
... ????????
Address
pop ebp ; Restore ebp ???????? growth
ret
????????
????????
????????
...
func: ...
push ebp ; Keep ebp
... ????????
pop ebp ; Restore ebp esp ret_addr

ret
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
... esp old_ebp
pop ebp ; Restore ebp ret_addr

ret
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
... esp old_ebp ebp

pop ebp ; Restore ebp ret_addr
ret
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
... old_ebp ebp

pop ebp ; Restore ebp ret_addr ebp + 4
ret
arg1 ebp + 8
arg2 ebp + 0xC
Inside the function:
arg3 ebp + 0x10
• old_ebp: 𝑒𝑏𝑝
• ret_addr: 𝑒𝑏𝑝 + 4 ...
• arg 1: 𝑒𝑏𝑝 + 8
• arg k: [𝑒𝑏𝑝 + 4 + 4 ⋅ 𝑘]
Local Variables
• We might need some memory during function execution.
• Using the global memory is usually not a good option.

• Not very modular. (We want the function to be self contained).
• Other cons. (Not reentrant)
• We could use the stack!

Local Variables (Cont.)
• Decrease esp to allocate space on stack:
func:
push ebp ; Keep ebp
mov ebp,esp
; ‘Allocate’ 3 dwords on stack:
sub esp,4*3
...
; ‘Free’ the 3 allocated dwords:
add esp,4*3
ret
func: ...
push ebp ; Keep ebp
sub esp,4*3 ????????
...
; ‘Free’ the 3 allocated dwords: ????????
add esp,4*3 Address
pop ebp ; Restore ebp ????????
growth
ret
????????
????????
????????
????????
????????
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 ????????
...
add esp,4*3
ret
????????
????????
????????
????????
????????
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 ????????
...
add esp,4*3
ret
????????
esp ret_addr
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 ????????
...
add esp,4*3
ret
esp old_ebp
ret_addr
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 ????????
...
add esp,4*3
ret
esp old_ebp ebp
ret_addr
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 esp ????????
...
add esp,4*3
ret
old_ebp ebp
ret_addr
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 esp ????????
... Local
vars
add esp,4*3
ret
old_ebp ebp
ret_addr
arg1
arguments arg2
arg3
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 esp ???????? ebp - 0xC
...
; ‘Free’ the 3 allocated dwords: ???????? ebp - 8
add esp,4*3
pop ebp ; Restore ebp ???????? ebp - 4
ret
old_ebp ebp
ret_addr
arg1 ebp + 8
arg2 ebp + 0xC
arg3 ebp + 0x10
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 esp ???????? ebp - 0xC
...
; ‘Free’ the 3 allocated dwords: ???????? ebp - 8
add esp,4*3
pop ebp ; Restore ebp ???????? ebp - 4
ret
old_ebp ebp
ret_addr
• Variables: [𝑒𝑏𝑝 – 4 ⋅ 𝑘]
arg1 ebp + 8
• Arguments: [𝑒𝑏𝑝 + 4 + 4 ⋅ 𝑟]
arg2 ebp + 0xC
arg3 ebp + 0x10
...
• Increase esp to free the allocated stack space:
func: ...
push ebp ; Keep ebp
sub esp,4*3 esp ????????
...
add esp,4*3
ret
old_ebp ebp
ret_addr
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 esp ????????
...
add esp,4*3
ret
old_ebp ebp
ret_addr
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 ????????
...
add esp,4*3
ret
esp old_ebp ebp
ret_addr
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 ????????
...
add esp,4*3
ret
old_ebp
esp ret_addr
arg1
arg2
arg3
...
func: ...
push ebp ; Keep ebp
sub esp,4*3 ????????
...
add esp,4*3
ret
old_ebp
esp ret_addr
• The local state is freed when the
function returns. arg1
• Local data lives a short life. arg2
arg3
...
The call stack
• Every function being called has a “frame” inside the stack.
• Arguments
• Return address
• Old EBP (Previous frame)
• Local variables
• The stack tells the story of all functions currently “open”, all
the way to the current function.
The call stack (Cont.)
...
start
esp ...
...
start
func_a
esp
Locals
old_ebp ebp
ret_addr
Arguments
...
...
esp
start Locals
old_ebp ebp
func_a ret_addr
Arguments
func_b
Locals
old_ebp
ret_addr
Arguments
...
...
start Locals
old_ebp
func_b’s frame
func_a ret_addr
Arguments
func_b
Locals
old_ebp
func_a’s frame
ret_addr
Arguments
...
...
esp
start Locals
old_ebp ebp
func_a ret_addr
Arguments
dword [ebp]
func_b
Locals
old_ebp
ret_addr
Arguments
...
• Traversing the call stack:
• EBP entries form a “linked list”!
...
• Traversing the call stack: old_ebp ebp
ret_addr
start ...
old_ebp
ret_addr
func_a
...
old_ebp
func_b ret_addr
...
old_ebp
func_c ret_addr
...
func_d
...
ret_addr
start ...
old_ebp
ret_addr
func_a
...
old_ebp
func_b ret_addr
...
old_ebp
func_c ret_addr
...
func_d
...
ret_addr
mov ebp,dword [ebp]
start ...
old_ebp
ret_addr
func_a mov ebp,dword [ebp]
...
old_ebp
func_b mov ebp,dword [ebp]

ret_addr
...
old_ebp
func_c ret_addr
...
func_d
ENTER and LEAVE
• Almost all functions begin and end in the same standard way.
• Those standard beginning and ending are also called Prologue
and Epilogue.
func:
push ebp
Prologue mov ebp,esp
sub esp,N
... Function’s body

add esp,N
Epilogue pop ebp
ret
• This construct is so common, that new instructions were

introduced to do this job.
ENTER and LEAVE (Cont.)
• Building a stack frame using ENTER and LEAVE:
func:
push ebp
mov ebp,esp
sub esp,N
...
add esp,N
pop ebp
ret
func: func:
push ebp enter N,0
mov ebp,esp
sub esp,N
... ...
add esp,N add esp,N

pop ebp pop ebp
ret ret
func: func:
push ebp enter N,0
mov ebp,esp
sub esp,N
... ...
mov esp,ebp mov esp,ebp

pop ebp pop ebp
ret ret
func: func:
push ebp enter N,0
mov ebp,esp
sub esp,N
... ...
mov esp,ebp
pop ebp leave
ret ret
func: func:
push ebp enter N,0
mov ebp,esp
sub esp,N
... ...
mov esp,ebp
pop ebp leave
ret ret
• Much cleaner :)
• ENTER Size,NestingLevel
• Make stack frame for procedure parameters.
• Operation (For NestingLevel = 0):
• push ebp
mov ebp,esp ENTER N,0
sub esp,N
• LEAVE
• High level procedure exit.
• Operation:
• mov esp,ebp
pop ebp LEAVE
FAQ
• Do I have to use EBP for stack based argument passing?
• Answer: No, but it is a good practice to do so.
• Which way should I choose to write my function prologue and

epilogue – ENTER and LEAVE or push ebp … ?
• Answer: It’s your code, you decide.

• ENTER is shorter. Some say it is slower though.
Summary
• We use EBP to “hold” the stack frame.
• EBP has the initial value of ESP.
• We make space for local variables on the stack by decreasing

ESP.
• We free that space by increasing ESP.
• The stack is divided into frames of different functions.
• EBPs on the stack form a linked list that can be traversed.
• The ENTER and LEAVE instruction build and destroy the stack
frame.
Exercises
• Read code.
• Write code.
• Enjoy :)

7.1 Local State

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

7.1 Local State

Uploaded by

Copyright:

Available Formats

Basic Assembly

Assembly language programming

• We will learn about function’s local variables, and where to

• We will understand the general structure of the stack during

• Historically, ESP could not be used to access memory directly.

• These days ESP can access memory directly.

mov esi,dword [esp + 4]

• ESP might change many times during the function.

pop ebp ; Restore ebp

pop ebp ; Restore ebp esp ret_addr

... esp old_ebp

pop ebp ; Restore ebp ret_addr

... esp old_ebp ebp

... old_ebp ebp

• Using the global memory is usually not a good option.

• We could use the stack!

func_b mov ebp,dword [ebp]

... Function’s body

• This construct is so common, that new instructions were

add esp,N add esp,N

mov esp,ebp mov esp,ebp

• Answer: No, but it is a good practice to do so.

• Which way should I choose to write my function prologue and

• Answer: It’s your code, you decide.

• We make space for local variables on the stack by decreasing

• The stack is divided into frames of different functions.

• EBPs on the stack form a linked list that can be traversed.

You might also like