I would like to continue on how to get return result from a function call by using reference variable pass. We can pass variable to the function that accept the memory pointer of a variable that will look like void function (int * pVariable) in this case function will receive passing variable of pointer to int variable.
Let see the C code below, We are passing 2 integers and 1 pointer to integer. we will return the value of a + b in variable c
Here is the assembly code, We can see that passing variable using reference is translated to the assembly code where passing the memory address of the varible using lea (load effective address)
we can see that varible passed to the _calculate function for c variable that it will execute lea eax, [esp+28] where it loads the passedResult variable memory address.
We can see the in the above variable, Variable C is actually pointing to the address of passedResult 0x60FEFC. We can see in the below image after the it executes the highlighted codes then the result in edx is passed to the address that C hold –> mov [eax], edx. You ca see varible in the Locals windows that is now C variable has value 5
So we can differentiate passing reference and passing object to a function where passing reference will use lea to load the effective address and passing object will just use move statement as normal assignment.
Today I am going to continue writing about assembly related to function return. So basically whenever you call a function and you can expect return value which maybe returning a value from function internal process.
A function by its nature can only return one variable but if you require to return more than one variable then you should pass reference variable that link to the variable in the function caller
Lets do check return value using 1 variable. the C code will be like below
Let check the assembly code below
Following the standard convention that every return variable will be stored in EAX so that we can see that in the calclate function there is statement add eax, edx which as you know that the result of that statement will be store in the left variable where it is EAX.
We also check after the function call the next operation is to assign return value to the new varibale in main function that directly use EAX where the complete statement is mov [esp+1Ch], eax.
Lets prove it with debuger. We can see the value of EAX is now 5 where it is from 2+3. this is EAX value in calculate function
Lets check the EAX value after it return to the main function. Yes we can see EAX has values 5.
So that is it. By the standard of assembly language the return variable for function will be assigned to EAX.
I will explain the return using passing variable with reference
Another important things to understand related to function call is how the variable is passed to the function. Lets see the code below
in the code above I am going to pass 3 variable int var1, int var2 and int var3 to pass a function
we can now check the assembly in IDA as follow
As normal, all the variable shall be initilized in the main function stack frame but we can see that in the main function all the variable is accessed using ESP where the variables be access using positive because of the sub esp, 20h, it make esp pointing to lower memory address. where if EBP as the reference then it will using minus number.
Let jump to the passing variable. We can see that all the 3 varible is move backward toward the function signature void pass(int var1, int var2, int var3) where var3 is processed for the first time and var2 and the last is var1. it is the convetion of passing the variable will be read from the right to the left.
Hahah .. I am now posting the basic for the function local variable in assembly. Local varible is a variable where only be used just within the function and its operation. Lets see an example C code below
Then we can load the exe to IDA. We can jump straight to the check function that as follow
We can see the above picture. After the function prologue there is additional assembly code that is sub esp, 10h this code actually creating the stack space as much as 16 bytes or 10h to contain all the variables int = 4 bytes, sinve we have 2 local variable then we need at least 2 x 4 bytes = 8. But since we compile it in debug mode then compiler spare some space to it
We can see from the above ilustration EBP is the reference point for accessing the variable in the stack.
The convension is for local variable must be assigned to lower memory address or from the picture above is local variable is at the top of EBP where to access it will be EBP-XX where XX is the number of bytes required.
So for example we want to access height variable then we need to do EBP+(-8) or accessing width using EBP+(-4)
but usually if you load to IDA then it will help creating like macro to change the instructio more readble
so to access the variable EBP will be added by the macro then it will use EBP+width or EBP+height
we can see on the above assembly code that the we are assigning value to heigh and width using below code
I will post the explanation for variable that is passed to the function in the next post
Today I am going to explain about function call in assembly. We should understand it because function call is part of the essential things to understand because it has alot of next sub material such as memory stack, return value and also the application flow.
To make it easier, let start our assembly tutorial by coding an application in C as follow
in the above code that the application will call a function called check where the function does nothing but return 5 to the main function. Let see how it is in the assembly after it is compiled into binary
we can see that in the above picture that the main fucntion will call _check. A function will always be initilized by at least 2 instructions
the above 2 instructions are called function prologue where it will save the value of old ebp from the previous frameand following instruction is to make the ebp to become equal to esp. why this operation is crucial because ebp will become the base pointer for the stack and as the reference to access local variable and passed variable where esp will always change because it will mark as the top of stack
the first push ebp is intended to save the main function ebp pointer or caller ebp address.
the second instruction is mov ebp, esp means it is to initiate the stack frame base address where ebp usually never change after it is initiated and esp will wander as the compiler want it to go
So the next is when the function finish its execution, the function shall return to the caller. it is called as function epilog
.text:00401358 pop ebp .text:00401359 retn
functon epilog is the sequence to return to the previous execution in the caller function that stored in retn. the sequece is pop ebp and next to return to address in retn
we will later talk about the stack in detail in the next post because it is very interesting and crucial to undertand it correctly
This blog is part of my reverse engineering topic where understanding assembly language is mandatory because this is where the art of reverse come from.
I learn reverse engineering for about 10 years now. As a C/C++ software developer, I found difficulties understanding assembly language on that time because these two languages behave differently so that without a proper example then hard to understand it well.
I learn assembly from many sources but I found that there is not so many articles or books that enable me to realy map my experience in C to Assembly untill I found a book called Reverse Engineering for Beginners
This book explain really well of mapping between C language with the assembly language code so that it makes me easier to understand it.
To start learning assembly, you can follow my approach that i will code application in C and try to analyze it in assembly so that you could understand the assembly code very well because you can imagine what does actually happen and what the code in C looks like. After you can understand it then you can start to find some more interesting things such as bug, weaknesses and etc.
I am finally back to this blog, Now I am going to write about one of favourite subject that is reverse engineering.
Actually, I want to write this for long time since a long time ago but I just do not know where to start it because this topic is a bit hard to understand.
My target viewer for this topic is a person who is going to start to learn reverse engineering. But you have to know at least C programming because I am going to deliver alot of comparation C and Assembly in order to make it easier to understand
My approach for delivering this content is to allow you to understand assembly language as the product of compiled code of C languange. I will start from the very basic
The environment that I going to use is C languange which compiled with GCC with debuging symbol enabled and for x86 Assembly. The tools that I am going to use is Codeblock to develop the C code and IDA as the tool to view assembly code