1

I try to understand things about stackpointer, basepointer .. how does it work .. and because most of the teaching material are not combined with a practical examples, I try to reproduce that: https://en.wikibooks.org/wiki/X86_Disassembly/Functions_and_Stack_Frames

Following very simple code by me:

#include <stdio.h>

int main()
{
    function1(1, 2);
}

int function1(int a, int b)
{
    int c = a + b; 
    return c; 
}

I use WinDbg to execute the programm and set the breakpoint bm CallStackPractice!function1 and type g to hit the breakpoint and p to step into the function.

With ebp+8 we should get the first parameter. I did that in WinDbg:

0:000> ? poi(ebp+8)
Evaluate expression: 1 = 00000001

good. No we want our second parameter that should be ebp+12.

0:000> ? poi(ebp+12)
Evaluate expression: 270729434 = 102300da

We don't get 2 = 00000002. I opened the memory window in WinDbg and it shows me the correct value but why does my command not work?

Thank you!

UPDATE: For better understanding the screenshot: windbg screenshot

Enki
  • 77
  • 7
  • You are probably seeing the arguments of `main` (ie. `argc` and `argv`). When you break at `function1` you break at the first instruction. The very first instructions of a function are the prolog (if any) and it is in the prolog that `ebp` is set (the stack frame is set). `esp+4` and `esp+8` should contains the args at the start of a function. – Margaret Bloom Sep 02 '22 at 09:18
  • The stack frame is set and what I don't understand is, I see the value `2` in the memory window of WinDbg. And when I manully count, `ebp+12` is right, but the evaluation seems wrong? – Enki Sep 02 '22 at 09:35
  • IIRC, function arguments are passed right-to-left, so `esp+4` should be `2` and `esp+8` should be `1`. – lodo Sep 02 '22 at 12:02
  • 1
    @lodo The C calling convention for 32-bit programs passes the args in reverse order, yes. But that means `[esp+4]` is 1 and `[esp+8]` is 2. – Margaret Bloom Sep 02 '22 at 13:02
  • @Enki, I don't know WinDBG that well. I still believe you are breaking too early. To be sure, please post what you are **exactly** doing. – Margaret Bloom Sep 02 '22 at 13:06
  • @MargaretBloom I added a screenshot in the original post. you can see everything I typed (beginning with `g`). I think you can also see why I have a comprehension problem, because from counting `ebp+12` should actually give 2. But WinDbg returns a different value. – Enki Sep 03 '22 at 09:58
  • 1
    @Enki Thanks. It appears WinDBG is interpreting `12` as a hex number (see: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/masm-numbers-and-operators) try using `esp+0xc` or `esp+0n12` (or just `esp+c` if I understood the doc correctly). – Margaret Bloom Sep 03 '22 at 14:24
  • you haven't declared `function1` before calling it – phuclv Sep 03 '22 at 14:45
  • thank you @MargaretBloom you're right. Something very obvious but I did not think of it, thank you! – Enki Sep 03 '22 at 15:13

1 Answers1

1

That's a common mistake. 12 means 0x12 by default.

If you want a decimal number 12, use 0n12 or 0xC or change the default number format using n 10 (I don't know anyone who does that, actually).

0:000> ? 12
Evaluate expression: 18 = 00000000`00000012
0:000> n 10
base is 10
0:000> ? 12
Evaluate expression: 12 = 00000000`0000000c

Back at base 16:

1:005:x86> n 16
base is 16
1:005:x86> ? poi(ebp+8)
Evaluate expression: 1 = 00000001
1:005:x86> ? poi(ebp+c)
Evaluate expression: 2 = 00000002

If you get weird errors like

1:005:x86> ?poi(ebp +c)
Memory access error at ')'

that's because you're still at base 10.

You might also want to take a look at the stack with dps like so:

1:005:x86> dps ebp-c L7
008ff60c  cccccccc       <-- magic number (4x INT 3 breakpoint)
008ff610  00000003        
008ff614  cccccccc
008ff618  008ff6f4
008ff61c  00fb189a DebugESPEBP!main+0x2a [C:\...\DebugESPEBP.cpp @ 13]
008ff620  00000001        <-- a
008ff624  00000002        <-- b

As you see, dps will give you the return address as a symbol with line number. And you'll see that the memory layout in debug mode contains magic numbers helpful for debugging

Thomas Weller
  • 55,411
  • 20
  • 125
  • 222
  • thank you! I think it's a very common beginer mistake. If you aware of that, it's easy but otherwise it doesn't make sense at all :-) Thank you for the hint with dps, seems pretty nice to get the memory address and the content in a structured way. – Enki Sep 04 '22 at 15:36