What does EBP + 8 mean in this case in OllyDbg and Assembler?

I am just learning assembly and debugging skills in OllyDbg to learn how to use undocumented functions. Now I have the following problem:

I have the following piece of code (from OllyDbg):

MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
MOV EAX, DWORD PTR SS:[EBP+8]
XOR EDX,EDX
LEA ECX, DWORD PTR DS:[EAX+4]
MOV DWORD PTR DS:[EAX], EDX
MOV DWORD PTR DS:[ECX+4],ECX
MOV DWORD PTR DS:[ECX],ECX
MOV DWORD PTR DS:[EAX+C],ECX
MOV ECX, DWORD PTR SS:[EBP+C]

This is the beginning of the function, and the goal is to find the data structure. So I realized that it first pushes the EBP onto the stack, and then moves the ESP (current stack pointer) into EBP, where I think it now defines the stack frame for this function. Now the textbook says that in the popular layout, the first argument is placed in [EBP + 8], and the second in [EBP + C].

This is what I do not understand. How to find out that the first parameter is placed in EBP + 8?

Hope someone can help me! Thanks!



EBP , C- ( cdecl). (, ), EBP . , , , . :

MOV EAX, DWORD PTR SS:[EBP+8]
LEA ECX, DWORD PTR DS:[EAX+4]
MOV DWORD PTR DS:[EAX], EDX
MOV DWORD PTR DS:[ECX+4],ECX
MOV DWORD PTR DS:[ECX],ECX
MOV DWORD PTR DS:[EAX+C],ECX
MOV ECX, DWORD PTR SS:[EBP+C]

EAX. 4 ECX. , LEA, "Load Effective Address". , - , , , , , . , . MOV , ECX . , , C:

struct a { /* pointed to by EAX / [EBP+8] */
    int memb1; /* MOV DWORD PTR DS:[EAX], EDX */
    struct b* memb2; /* LEA ECX, DWORD PTR DS:[EAX+4] */
    int memb3; /* MOV DWORD PTR DS:[ECX+4],ECX -- ECX is EAX+4, so this writes [EAX+8] */
    int memb4; /* MOV DWORD PTR DS:[EAX+C],ECX */
};

struct b {
    int memb1; /* MOV DWORD PTR DS:[ECX],ECX */
    int memb2; /* MOV DWORD PTR DS:[ECX+4],ECX */
};

, - . - , - API, , .
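To make both points concrete (why the first argument sits at [EBP+8] after the prologue, and what the store sequence leaves behind in the structure), here is a small emulation written for this page; it is not code from the question, the answer, or any Windows component. It models a flat 32-bit memory as a byte array, has the caller push two constructed arguments and a constructed return address (the caller's side of the listing is not shown in the question, so this follows the cdecl/stdcall convention the answer mentions), then runs the prologue and the seven instructions exactly as listed. The addresses 0x100, 0x2222 and 0x401000 are made-up values chosen so the offsets are easy to read.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Flat 32-bit memory model: one byte array holds both the "stack" (top of
   the array, growing downward) and the data region where the object lives. */
#define MEM_SIZE    0x1000
#define STACK_TOP   0x1000    /* initial ESP (constructed) */
#define STRUCT_ADDR 0x100     /* constructed address passed as argument 1 */
#define ARG2_VALUE  0x2222    /* constructed second argument */
#define RET_ADDR    0x401000  /* constructed return address that CALL pushes */
#define OLD_EBP     0xDEADBEEF /* constructed caller frame pointer */

static uint8_t mem[MEM_SIZE];

static void store32(uint32_t addr, uint32_t v) { memcpy(&mem[addr], &v, 4); }
static uint32_t load32(uint32_t addr) { uint32_t v; memcpy(&v, &mem[addr], 4); return v; }

struct regs { uint32_t esp, ebp, eax, ecx, edx; };
static struct regs R;

/* PUSH: decrement ESP by 4, then write the value at the new ESP. */
static void push(uint32_t v) { R.esp -= 4; store32(R.esp, v); }

/* Caller side: arguments are pushed right to left, then CALL pushes the
   return address. Nothing in the callee has run yet at this point. */
static void caller(void) {
    push(ARG2_VALUE);   /* second argument */
    push(STRUCT_ADDR);  /* first argument: pointer to the object */
    push(RET_ADDR);     /* done implicitly by CALL */
}

/* Callee: the prologue and body exactly as in the OllyDbg listing. */
static void callee(void) {
    /* MOV EDI,EDI is a two-byte hot-patch slot; nothing to emulate. */
    push(R.ebp);                     /* PUSH EBP            -> [EBP+0] once EBP is set */
    R.ebp = R.esp;                   /* MOV EBP,ESP         -> frame established */
    R.eax = load32(R.ebp + 8);       /* MOV EAX,[EBP+8]     -> first argument */
    R.edx = 0;                       /* XOR EDX,EDX */
    R.ecx = R.eax + 4;               /* LEA ECX,[EAX+4]     -> address only, no load */
    store32(R.eax, R.edx);           /* MOV [EAX],EDX       -> field at +0 = 0 */
    store32(R.ecx + 4, R.ecx);       /* MOV [ECX+4],ECX     -> field at +8 = EAX+4 */
    store32(R.ecx, R.ecx);           /* MOV [ECX],ECX       -> field at +4 = EAX+4 */
    store32(R.eax + 0xC, R.ecx);     /* MOV [EAX+C],ECX     -> field at +C = EAX+4 */
    R.ecx = load32(R.ebp + 0xC);     /* MOV ECX,[EBP+C]     -> second argument */
}

/* Run the whole scenario from a clean memory image. */
void run(void) {
    memset(mem, 0, sizeof mem);
    R.esp = STACK_TOP; R.ebp = OLD_EBP; R.eax = R.ecx = R.edx = 0;
    caller();
    callee();
}

/* What the callee sees at [EBP+off] after the prologue. */
uint32_t frame_slot(uint32_t off) { return load32(R.ebp + off); }

/* What the object at [EBP+8] contains at offset off after the body ran. */
uint32_t struct_field(uint32_t off) { return load32(STRUCT_ADDR + off); }

uint32_t final_ecx(void) { return R.ecx; }

int main(void) {
    run();
    printf("frame: [EBP+0]=%08X (saved EBP) [EBP+4]=%08X (return) "
           "[EBP+8]=%08X (arg1) [EBP+C]=%08X (arg2)\n",
           frame_slot(0), frame_slot(4), frame_slot(8), frame_slot(0xC));
    for (uint32_t off = 0; off <= 0xC; off += 4)
        printf("object +%X = %08X\n", off, struct_field(off));
    return 0;
}
```

The frame dump answers the question directly: after PUSH EBP and MOV EBP,ESP, EBP points at the saved frame pointer, the return address that CALL pushed is 4 bytes above it, and the first thing the caller pushed before the CALL (the first argument) is therefore 8 bytes above EBP, the second 12 bytes (0xC) above. The object dump shows what the stores actually do: the dword at +0 is zeroed, and the dwords at +4, +8 and +C all receive the address of the field at +4. Two adjacent pointer-sized fields that both point at their own start is the shape of an empty doubly-linked list head, which is worth keeping in mind when naming the members of the recovered structure.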

