Search code examples
assemblyx86mov

What is the purpose of this mov before call in x86 asm?

I'm just learning ASM/x86, so please bear with me.

Question

I noticed the following in the program I'm inspecting, and I'm thinking that it is passing a parameter to the function that gets called:

mov   [ebp-04],00000005
call  <some function call here>

As far as I can tell, this seems to be setting the second byte from the top of the stack to the value 5.

Is this effectively passing a parameter of 5 to the function?

Would it resemble the following in C:

void someFunction(int num); //function declaration

someFunction(5); //In some context

If it is passing a single parameter of 5 to the function, why is it set as the second byte (-04), and not the top of the stack? What is at the top of the stack? Am I interpreting this all wrong?

EDIT The top of the function is where ebp gets set:

push  ebp
mov   ebp,esp
push  -01
push  184
mov   eax,fs:[00000000]
...   //bunch more pushes and movs with eax and ecx into [ebp-offset]
...   //a couple of jump if equals
...   //some more push and movs
lea   ecx,[ebp-1C]
mov   [ebp-04],00000005
call  <some function>

Here is the called function:

 mov   edx,[ecx]
 mov   eax,[ecx+08]
 sub   eax,edx
 test  edx,edx
 je    <label1>
 cmp   eax,00000080
 jna   <label2>
 push  edx
 call  <another function>
 add   esp,04
 ret
label2:
 push  eax
 push  edx
 call  <yet another function>
 add   esp,08
label1:
 ret
Solution

  • ebp is not the stack pointer, that's esp. ebp is customarily used as frame pointer, so depending on how it was set up it may indeed be passing that 5 as argument. Or it may just be storing it in a local variable.

    Also, it might not be possible to tell whether it's a local or a function argument without knowing the function itself:

    int x = 5;
foo();

    may generate the same code as foo(5);

    The frame pointer is used to point at the beginning of the stack area for the current function and has to be set up by the function itself in the prologue. Arguments are above it (positive offsets) locals are below it (negative offsets). Note that in 32 and 64 bit mode (on x86) you don't really need it because you can address relative to the stack pointer esp directly. Still, under some circumstances it may be useful, such as for debugging purposes.