I would like to continue on how to get return result from a function call by using reference variable pass. We can pass variable to the function that accept the memory pointer of a variable that will look like void function (int * pVariable) in this case function will receive passing variable of pointer to int variable.

Let see the C code below, We are passing 2 integers and 1 pointer to integer. we will return the value of a + b in variable c

Here is the assembly code, We can see that passing variable using reference is translated to the assembly code where passing the memory address of the varible using lea (load effective address)

we can see that varible passed to the _calculate function for c variable that it will execute lea eax, [esp+28] where it loads the passedResult variable memory address.

We can see the in the above variable, Variable C is actually pointing to the address of passedResult 0x60FEFC. We can see in the below image after the it executes the highlighted codes then the result in edx is passed to the address that C hold –> mov [eax], edx. You ca see varible in the Locals windows that is now C variable has value 5

So we can differentiate passing reference and passing object to a function where passing reference will use lea to load the effective address and passing object will just use move statement as normal assignment.

Dear Friends,

Today I am going to continue writing about assembly related to function return. So basically whenever you call a function and you can expect return value which maybe returning a value from function internal process.

A function by its nature can only return one variable but if you require to return more than one variable then you should pass reference variable that link to the variable in the function caller

Lets do check return value using 1 variable. the C code will be like below

Let check the assembly code below

Following the standard convention that every return variable will be stored in EAX so that we can see that in the calclate function there is statement add eax, edx which as you know that the result of that statement will be store in the left variable where it is EAX.

We also check after the function call the next operation is to assign return value to the new varibale in main function that directly use EAX where the complete statement is mov [esp+1Ch], eax.

Lets prove it with debuger. We can see the value of EAX is now 5 where it is from 2+3. this is EAX value in calculate function

Lets check the EAX value after it return to the main function. Yes we can see EAX has values 5.

So that is it. By the standard of assembly language the return variable for function will be assigned to EAX.

I will explain the return using passing variable with reference

Hi Engineers,

Another important things to understand related to function call is how the variable is passed to the function. Lets see the code below

in the code above I am going to pass 3 variable int var1, int var2 and int var3 to pass a function

we can now check the assembly in IDA as follow

As normal, all the variable shall be initilized in the main function stack frame but we can see that in the main function all the variable is accessed using ESP where the variables be access using positive because of the sub esp, 20h, it make esp pointing to lower memory address. where if EBP as the reference then it will using minus number.

Let jump to the passing variable. We can see that all the 3 varible is move backward toward the function signature void pass(int var1, int var2, int var3) where var3 is processed for the first time and var2 and the last is var1. it is the convetion of passing the variable will be read from the right to the left.

Hi Dear,

Hahah .. I am now posting the basic for the function local variable in assembly. Local varible is a variable where only be used just within the function and its operation. Lets see an example C code below

Then we can load the exe to IDA. We can jump straight to the check function that as follow

We can see the above picture. After the function prologue there is additional assembly code that is sub esp, 10h this code actually creating the stack space as much as 16 bytes or 10h to contain all the variables int = 4 bytes, sinve we have 2 local variable then we need at least 2 x 4 bytes = 8. But since we compile it in debug mode then compiler spare some space to it

We can see from the above ilustration EBP is the reference point for accessing the variable in the stack.

The convension is for local variable must be assigned to lower memory address or from the picture above is local variable is at the top of EBP where to access it will be EBP-XX where XX is the number of bytes required.

So for example we want to access height variable then we need to do EBP+(-8) or accessing width using EBP+(-4)

but usually if you load to IDA then it will help creating like macro to change the instructio more readble

so to access the variable EBP will be added by the macro then it will use EBP+width or EBP+height

we can see on the above assembly code that the we are assigning value to heigh and width using below code

I will post the explanation for variable that is passed to the function in the next post

Hi Everyone,

Today I am going to explain about function call in assembly. We should understand it because function call is part of the essential things to understand because it has alot of next sub material such as memory stack, return value and also the application flow.

To make it easier, let start our assembly tutorial by coding an application in C as follow

in the above code that the application will call a function called check where the function does nothing but return 5 to the main function. Let see how it is in the assembly after it is compiled into binary

we can see that in the above picture that the main fucntion will call _check. A function will always be initilized by at least 2 instructions

.text:00401350 push ebp
.text:00401351 mov ebp, esp

the above 2 instructions are called function prologue where it will save the value of old ebp from the previous frame and following instruction is to make the ebp to become equal to esp. why this operation is crucial because ebp will become the base pointer for the stack and as the reference to access local variable and passed variable where esp will always change because it will mark as the top of stack

the first push ebp is intended to save the main function ebp pointer or caller ebp address.

the second instruction is mov ebp, esp means it is to initiate the stack frame base address where ebp usually never change after it is initiated and esp will wander as the compiler want it to go

So the next is when the function finish its execution, the function shall return to the caller. it is called as function epilog

.text:00401358 pop ebp
.text:00401359 retn

functon epilog is the sequence to return to the previous execution in the caller function that stored in retn. the sequece is pop ebp and next to return to address in retn

we will later talk about the stack in detail in the next post because it is very interesting and crucial to undertand it correctly