Skip to content

Advanced static analysis

When a function is called, a new stack frame is created.

A stack frame consists of the ESP and the EBP:

ESP

Stack pointer

EBP

Base pointer

How many items are pushed to the stack?

Count pushes before the function call.

This is also the number of arguments passed to the function

Recognizing main method

Main method is the entry point of a program.

int main(int argc /* (1)! */, char *argv[] /* (2)! */) {
    return 0;
}
  1. Number of arguments passed to the program.
  2. Array of arguments passed to the program.

Example

int add(int a, int b) {
    return a + b;
}

int sub(int a, int b) {
    return a - b;
}

int main(int argc, char *argv[]) {
    int x = add(5, 4);
    int y = sub(10, 5);
    return 0;
}

Function prologue and epilogue

Prologue is the code that is executed before the function is called.

ESP and EBP have the same address.

push  ebp # (1)!
mov   ebp, esp # (2)!
  1. Push EBP to the stack. Save old EBP to the stack.
  2. Replace EBP with ESP

Epilogue is the code that is executed after the function is called.

pop ebp # (1)!
retn # (2)!
  1. Move top of stack to EBP
  2. Return to main function
Last update: June 11, 2023
Created: June 11, 2023