8

I disassembled an .exe file and got this as its first line.

push ebp
  • What does it mean?
  • Why ebp?
  • Does it have anything to do with the pop command, even though I don't see it in the disassembly?
Ciro Santilli OurBigBook.com
David Weng
  • You don't see the corresponding `pop` command in the disassembly, because the [`LEAVE`](https://c9x.me/x86/html/file_module_x86_id_154.html) instruction is used instead. – Ruslan Jun 29 '18 at 09:50

3 Answers

13

push ebp just means pushing whatever is in register ebp onto the stack. ebp stores the stack pointer by convention.

This is generally used to establish a stack frame, followed by

mov     ebp, esp
NullUserException
  • You may also see the instruction LEAVE at the end of the function, which is equivalent to MOV ESP,EBP followed by POP EBP. That's why you may not see an explicit pop. – indiv Jul 31 '10 at 14:47
  • So, does this mean that all applications start with `push ebp` followed by `mov ebp, esp`? – David Weng Jul 31 '10 at 15:05
  • Most. All apps that use the ebp register for variable addressing or whatever must restore the calling program's stack frame. – Jens Björnhager Jul 31 '10 at 15:20
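
Added example (not part of the original answers or comments): a small Python model of a 32-bit stack that steps through the `push ebp` / `mov ebp, esp` prologue and the `LEAVE` epilogue described above, and shows what sits at `[ebp]`, `[ebp+4]` and `[ebp+8]`. The cdecl-style call, the `sub esp, N` reservation for locals, the starting register values and the return address are assumptions chosen for illustration.

```python
# Added illustration: a toy model of the x86 stack, not a real emulator.
class Cpu:
    def __init__(self, esp=0x1000, ebp=0x2000):   # constructed start values
        self.esp, self.ebp = esp, ebp
        self.mem = {}                              # address -> 32-bit value

    def push(self, value):
        self.esp -= 4                              # stack grows downward
        self.mem[self.esp] = value

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value

    def prologue(self, locals_size):
        self.push(self.ebp)                        # push ebp     (save caller's frame)
        self.ebp = self.esp                        # mov ebp, esp (start a new frame)
        self.esp -= locals_size                    # sub esp, N   (assumed: room for locals)

    def leave(self):
        self.esp = self.ebp                        # mov esp, ebp (discard locals)
        self.ebp = self.pop()                      # pop ebp      (restore caller's frame)


def call(cpu, locals_size=8, arg=0x2A, ret_addr=0x401005):
    """Simulate one call with a single stack argument; return what the callee sees."""
    cpu.push(arg)                                  # caller pushes the argument
    cpu.push(ret_addr)                             # CALL pushes the return address
    cpu.prologue(locals_size)
    seen = {
        "saved_ebp": cpu.mem[cpu.ebp],             # [ebp]   caller's ebp
        "ret_addr": cpu.mem[cpu.ebp + 4],          # [ebp+4] return address
        "arg": cpu.mem[cpu.ebp + 8],               # [ebp+8] first argument
        "locals_at": cpu.ebp - locals_size,        # locals live below ebp
    }
    cpu.leave()                                    # epilogue without an explicit pop
    seen["ret_to"] = cpu.pop()                     # RET pops the return address
    cpu.esp += 4                                   # caller removes the argument (cdecl)
    return seen


if __name__ == "__main__":
    cpu = Cpu()
    for name, value in call(cpu).items():
        print(f"{name:10s} = {value:#x}")
    print(f"after return: esp={cpu.esp:#x} ebp={cpu.ebp:#x}")
```

The saved `ebp` sits directly below the return address, which is why the pair `push ebp` / `LEAVE` leaves the caller's `esp` and `ebp` exactly as they were before the call.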
2

It pushes the value of the EBP register on the stack, and is most commonly used to set up a stack frame. Pop retrieves a value from the stack.

Willem van Rumpt
2

The push instruction saves the value of a register onto the stack. The value can later be retrieved using a pop instruction.

Wikipedia Stack (data structure): http://en.wikipedia.org/wiki/Stack_%28data_structure%29

Ville Krumlinde