Download to read offline
Call Return Exploration
- 1. Calling functions byPushing and Jumping callReturnExploration.s
- 2. LC0: .ascii "%dn0" .text .globl _function _function:: movl$99, %eax # ret popl %ecx jmp *%ecx .globl _main _main:: pushl %ebpProgram starts here
- 3. LC0: .ascii "%dn0" .text .globl _function _function:: movl$99, %eax # ret popl %ecx jmp *%ecx .globl _main _main:: pushl %ebp 8(%esp) argv 4(%esp) argc (%esp) return addr %esp 28ff2c %ebp old %ebp %eax $0
- 4. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) 8(%esp) argv 4(%esp) argc (%esp) return addr %esp 28ff2c %ebp old %ebp %eax $0
- 5. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) %esp 28ff28 %ebp old %ebp %eax $0 12(%esp) argv 8(%esp) argc 4(%esp) return addr (%esp) old %ebp
- 6. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) %esp 28ff28 %ebp old %ebp %eax $0 12(%esp) argv 8(%esp) argc 4(%esp) return addr (%esp) old %ebp
- 7. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) %esp 28ff28 %ebp 28ff28 %eax $0 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp
- 8. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) %esp 28ff28 %ebp 28ff28 %eax $0 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp
- 9. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) %esp 28ff20 %ebp 28ff28 %eax $0 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) (%esp)
- 10. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) %esp 28ff20 %ebp 28ff28 %eax $0 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) (%esp)
- 11. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) %esp 28ff1c %ebp 28ff28 %eax $0 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) 4(%esp) (%esp) $retAddr
- 12. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) %esp 28ff1c %ebp 28ff28 %eax $0 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) 4(%esp) (%esp) $retAddr
- 13. _function:: ... .globl _main _main:: pushl %ebp movl%esp, %ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) %esp 28ff1c %ebp 28ff28 %eax $0 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) 4(%esp) (%esp) $retAddr
- 14. _function:: movl $99, %eax #ret popl %ecx jmp *%ecx .globl _main _main:: pushl %ebp movl %esp, %ebp subl $8, %esp # call _function pushl $retAddr %esp 28ff1c %ebp 28ff28 %eax $0 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) 4(%esp) (%esp) $retAddr
- 15. _function:: movl $99, %eax #ret popl %ecx jmp *%ecx .globl _main _main:: pushl %ebp movl %esp, %ebp subl $8, %esp # call _function pushl $retAddr %esp 28ff1c %ebp 28ff28 %eax $0 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) 4(%esp) (%esp) $retAddr
- 16. _function:: movl $99, %eax #ret popl %ecx jmp *%ecx .globl _main _main:: pushl %ebp movl %esp, %ebp subl $8, %esp # call _function pushl $retAddr 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) 4(%esp) (%esp) $retAddr %esp 28ff1c %ebp 28ff28 %eax $99
- 17. _function:: movl $99, %eax #ret popl %ecx jmp *%ecx .globl _main _main:: pushl %ebp movl %esp, %ebp subl $8, %esp # call _function pushl $retAddr 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) 4(%esp) (%esp) $retAddr %esp 28ff1c %ebp 28ff28 %eax $99
- 18. _function:: movl $99, %eax #ret popl %ecx jmp *%ecx .globl _main _main:: pushl %ebp movl %esp, %ebp subl $8, %esp # call _function pushl $retAddr 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) (%esp) %esp 28ff20 %ebp 28ff28 %eax $99%ecx $retAddr
- 19. _function:: movl $99, %eax #ret popl %ecx jmp *%ecx .globl _main _main:: pushl %ebp movl %esp, %ebp subl $8, %esp # call _function pushl $retAddr 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) (%esp) %esp 28ff20 %ebp 28ff28 %eax $99%ecx $retAddr
- 20. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) (%esp) %esp 28ff20 %ebp 28ff28 %eax $99%ecx $retAddr
- 21. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) (%esp) %esp 28ff20 %ebp 28ff28 %eax $99
- 22. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) (%esp) %esp 28ff20 %ebp 28ff28 %eax $99
- 23. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) $99 (%esp) %esp 28ff20 %ebp 28ff28 %eax $99
- 24. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) $99 (%esp) %esp 28ff20 %ebp 28ff28 %eax $99
- 25. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) $99 (%esp) $LC0 %esp 28ff20 %ebp 28ff28 %eax $99
- 26. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) $99 (%esp) $LC0 %esp 28ff20 %ebp 28ff28 %eax $99
- 27. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret %esp 28ff1c %ebp 28ff28 %eax $99 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) $99 4(%esp) $LC0 (%esp) address of next instruction
- 28. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret %esp 28ff1c %ebp 28ff28 %eax $99 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) $99 4(%esp) $LC0 (%esp) address of next instruction We push the address of the next instruction to the stack.
- 29. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret %esp 28ff1c %ebp 28ff28 %eax $99 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) $99 4(%esp) $LC0 (%esp) address of next instruction We push the address of the next instruction to the stack. We jump to _printf and do our business
- 30. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret %esp 28ff1c %ebp 28ff28 %eax $99 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 8(%esp) $99 4(%esp) $LC0 (%esp) address of next instruction We push the address of the next instruction to the stack. We jump to _printf and do our business When finished, _printf jumps to our next instruction
- 31. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) $99 (%esp) $LC0 %esp 28ff20 %ebp 28ff28 %eax $99
- 32. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) $99 (%esp) $LC0 %esp 28ff20 %ebp 28ff28 %eax $99
- 33. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) $99 (%esp) $LC0 %esp 28ff20 %ebp 28ff28 %eax $0
- 34. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 12(%ebp) argv 8(%ebp) argc 4(%ebp) return addr (%ebp) old %ebp 4(%esp) $99 (%esp) $LC0 %esp 28ff20 %ebp 28ff28 %eax $0
- 35. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 8(%esp) argv 4(%esp) argc (%esp) return addr %esp 28ff2c %ebp old %ebp %eax $0
- 36. pushl %ebp movl %esp,%ebp subl $8, %esp # call _function pushl $retAddr jmp _function retAddr: movl %eax, 4(%esp) movl $LC0, (%esp) call _printf movl $0, %eax leave ret 8(%esp) argv 4(%esp) argc (%esp) return addr %esp 28ff2c %ebp old %ebp %eax $0
- 37. Calling functions byPushing and Jumping This presentation by Pat Hawks is licensed under a Creative Commons Attribution 4.0 International License callReturnExploration.s