tags:

views:

144

answers:

2
+1  Q: 

Will arguments to a function be passed on the stack or in a register?

I'm currently analyzing a program I wrote in assembly and was thinking about moving some code around in the assembly. I have a procedure which takes one argument, but I'm not sure if it is passed on the stack or a register.

When I open my program in IDA Pro, the first line in the procedure is:

ThreadID= dword ptr -4

If I hover my cursor over the declaration, the following also appears: 

ThreadID dd ?
 r db 4 dup(?)

which I would assume would point to a stack variable?

When I open the same program in OllyDbg however, at this spot on the stack there is a large value, which would be inconsistent with any parameter that could have been passed, leading me to believe that it is passed in a register.

Can anyone point me in the right direction?

A: 

The way arguments are passed to a function depends on the function's calling convention. The default calling convention depends on the language, compiler and architecture.

I can't say anything for sure with the information you provided, however you shouldn't forget that assembly-level debuggers like OllyDbg and disassemblers like IDA often use heuristics to reverse-engineer the program. The best way to study the code generated by the compiler is to instruct it to write assembly listings. Most compilers have an option to do this.

CyberShadow  2009-06-10 16:21:00
The calling convention is __fastcall
samoz  2009-06-10 16:22:44
"Typically fastcall calling conventions pass one or more arguments in registers which reduces the number of memory accesses required for the call."-- http://en.wikipedia.org/wiki/X86_calling_conventions#fastcall
CyberShadow  2009-06-10 16:25:37
One more thing I didn't notice. Positive offsets in the stack (relative to the base pointer) are local variables, so ThreadID is most likely a local variable.
CyberShadow  2009-06-10 16:27:20
A: 

It is a local variable for sure. To check out arguments look for [esp+XXX] values. IDA names those [esp+arg_XXX] automatically. 

.text:0100346A sub_100346A     proc near               ; CODE XREF: sub_100347C+44p
.text:0100346A                                         ; sub_100367A+C6p ...
.text:0100346A
.text:0100346A arg_0           = dword ptr  4
.text:0100346A
.text:0100346A                 mov     eax, [esp+arg_0]
.text:0100346E                 add     dword_1005194, eax
.text:01003474                 call    sub_1002801
.text:01003474
.text:01003479                 retn    4
.text:01003479
.text:01003479 sub_100346A     endp

And fastcall convention as was outlined in comment above uses registers to pass arguments. I'd bet on Microsoft or GCC compiler as they are more widely used. So check out ECX and EDX registers first.

Microsoft or GCC [2] __fastcall[3] convention (aka __msfastcall) passes the first two arguments (evaluated left to right) that fit into ECX and EDX. Remaining arguments are pushed onto the stack from right to left. http://en.wikipedia.org/wiki/X86_calling_conventions#fastcall

Stanislav  2009-07-30 12:48:33

related questions

Wrapping Visual C++ in C#
Open source ER diagramming tool for mysql
What are the best ways to understand an unfamiliar database?
Is reverse engineering evil?
Best way to inject functionality into a binary...
Good techniques for understanding someone else's code
How is the photoshop cutout filter implemented?
Best way to reverse-engineer a web service interface from a WSDL file?
How to reverse engineer undocumented legacy application?
Is there a C++ decompiler?
What's a good C decompiler?
Reverse engineering war stories
How do I decompile a .NET EXE into readable C# source code?
Creating a new rrd database based on an existing one
how are serial generators / cracks developed?
Is it legal to reverse engineer binary file formats
How would you go about reverse engineering a set of binary data pulled from a device?
Reverse Engineering C# code using StarUML
What are the best tools for reverse engineering z80 machine code?
Sequence Diagram Reverse Engineering
Stored procedures reverse engineering
How do I disassemble a VC++ application?
best tool to reverse-engineer a WinXP PS/2 touchpad driver?
Reverse engineer (oracle) schema to ERD
Annotating YouTube videos programatically