I am learning RE via a book.

It says that when a callee function gets control, it does 3 things:

  1. Set up function stack frame
  2. Allocate space for local variables
  3. If required, preserve EBX,ESI,EDI

Why is step 3 needed? What is their purpose before the preservation? According to the book, EBX is used as a pointer to data, ESI is used as a pointer to the source in string operations and EDI is used as a pointer to the destination in string operations.

Why isn't step 3 carried out right before the callee function is called, i.e. when the EAX, ECX and EDX registers are pushed onto the stack?

piwave2716
    The Windows and SystemV calling convention for x86-32 requires functions to preserve the `ebx`, `esi`, `edi`, and `ebp` registers. But these are just conventions. – Raymond Chen Dec 09 '21 at 02:54
  • Why would the caller push EAX, ECX, and EDX at all? Unless it happened to be using them to pass args. Are you [getting mixed up by the stupid terminology like "caller saved"](https://stackoverflow.com/questions/9268586/what-are-callee-and-caller-saved-registers/56178078#56178078) into thinking that callers actually *do* save those registers around every call site? A quick look at compiler output will show that's not the case. Call clobbered vs. call preserved are far clearer and more descriptive of reality. – Peter Cordes Dec 09 '21 at 07:20
  • See also [Why should certain registers be saved? What could go wrong if not?](https://stackoverflow.com/q/69419435), oh, and [Why no full context save on subroutine call?](https://stackoverflow.com/q/33930622) is a more exact duplicate, asking why we don't save all the registers ahead of a function call. – Peter Cordes Dec 09 '21 at 07:27

1 Answer

There are a lot of calling conventions. Agner Fog has a document on some of them.

Callee-save registers are registers that you have to save before using them and restore after using them.

Suppose a function is small and does not use/modify these registers. Then it doesn't have to save and restore them. It can even call other functions which may save/modify/restore these registers. But it itself doesn't have to save/restore them.

But if it does use/modify them then it has to save them before modification and restore them before return to the caller.

Olsonist
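As an added illustration (not part of the question or of the answer above), here is a constructed x86-32 cdecl function in GNU assembler (AT&T) syntax that performs the three steps from the question, next to a leaf function that needs none of them, and a caller that keeps a pointer in ESI across the call. The names `sum_ints`, `scale2`, `caller`, the labels and the `nums` array are assumptions made for this example. Note that because the frame (step 1) is set up before any registers are pushed (step 3), the argument offsets `8(%ebp)` and `12(%ebp)` stay valid no matter how many registers the function decides to save.

```asm
# Constructed example, x86-32, GAS AT&T syntax, cdecl convention:
#   args on the stack (right to left), return value in EAX,
#   EAX/ECX/EDX call-clobbered, EBX/ESI/EDI/EBP call-preserved.

        .data
nums:   .long   1, 2, 3, 4          # constructed sample input (4 ints)

        .text

# int sum_ints(const int *p, int n)
# Uses ESI as the source pointer and EBX as the accumulator, so both
# must be saved on entry and restored before returning.
        .globl  sum_ints
sum_ints:
        pushl   %ebp                # step 1: set up the stack frame
        movl    %esp, %ebp
        # step 2: this function has no locals; a `subl $N, %esp` would go here
        pushl   %ebx                # step 3: preserve the call-preserved
        pushl   %esi                #         registers this function clobbers
        movl    8(%ebp), %esi       # p   (above the saved EBP and return address)
        movl    12(%ebp), %ecx      # n   (ECX is call-clobbered: no save needed)
        xorl    %ebx, %ebx          # acc = 0
        testl   %ecx, %ecx
        jz      .Ldone
.Lloop:
        addl    (%esi), %ebx        # acc += *p
        addl    $4, %esi            # p++
        decl    %ecx
        jnz     .Lloop
.Ldone:
        movl    %ebx, %eax          # return value goes in EAX
        popl    %esi                # restore in reverse order of the pushes
        popl    %ebx
        popl    %ebp                # tear down the frame
        ret

# int scale2(int x)
# Small leaf function: it only touches EAX, so it saves nothing and
# does not even need a frame. This is the case the answer describes.
        .globl  scale2
scale2:
        movl    4(%esp), %eax       # x (right above the return address)
        addl    %eax, %eax
        ret

# Caller: keeps a pointer in ESI across the call and relies on it
# surviving. Because ESI is call-preserved, no reload is needed, but
# the caller must in turn preserve ESI for *its* caller.
        .globl  caller
caller:
        pushl   %ebp
        movl    %esp, %ebp
        pushl   %esi
        movl    $nums, %esi         # pointer kept in a call-preserved register
        pushl   $4                  # n   (cdecl: arguments pushed right to left)
        pushl   %esi                # p
        call    sum_ints
        addl    $8, %esp            # cdecl: the caller removes the arguments
        # EAX now holds the sum. ESI is still $nums: the callee was obliged to
        # restore it. ECX and EDX must be treated as destroyed at this point.
        movl    (%esi), %edx        # safe without reloading ESI
        popl    %esi
        popl    %ebp
        ret
```

If `sum_ints` had skipped the `pushl %esi` / `popl %esi` pair, `caller` would read from whatever address the loop left in ESI, which is exactly the bug the convention exists to prevent. Saving these registers in the caller instead (the alternative raised in the question) would force every call site to spill all four registers whether or not the callee touches them; letting the callee save only what it actually uses keeps small leaf functions like `scale2` free of any save/restore work.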