Thanks for the lesson. Whenever you need to overwrite a register but you also need this erased value, just write it on the stack. We push EIP because we need to go the actual body of the Foo function before doing the add. At 13:00 "return addy" means the "old value" of EIP
Nice and clear introduction! Just one thing starting around 6:55, you mentioned [ebp+4] as a way to reference a variable on the stack, and then draw it below ebp. But as the stack grows downward, I would assume [esp+4] to be in the stack. I believe [ebp+4] would be in the red zone (above the current stack frame).
Hi! It's quite possible that I misspoke in the moment - you are correct, local variables are going to typically be at a negative offset from EBP while arguments will be at a positive offset! Thanks for catching that.
Thank you fir the amazing tutorial. Sorry if this is a stupid question but I would like to know how these registers would work in a real life program if we would want to disassemble and crack it.
The registers and memory would be used by the CPU during execution - so disassembling gives us the instructions that will be executed. Memory will change, which often leads us to debug a program while reversing. It's a bit of a long answer, I'd suggest trying this playlist out to help get a more practical viewpoint: th-cam.com/play/PLHJns8WZXCdu6kPwPpBhA0mfdB4ZuWy6M.html.
I understand almost everything but I am still unable to know how the old value of SBP will be restored to its previous value before the function call ( Is it like the SBP contains its own stack data structure so that every time a function is called the old value of the SBP will be pushed onto the SBP stack data structure). And also, the return address will be the part of the calling function stack frame or called function stack frame and the pushed old SBP value as well?
Thank you for a great video! Would you mind to explain how stack would look like when multiple parameters are passed when procedure/ function is called?
It will depend on the architecture (32 or 64 bit) and the calling convention. This video should help explain the primary conventions used in 32-bit programs: Understanding Calling Conventions - Ghidra Reversing Tutorials th-cam.com/video/FPIr4fGI8lw/w-d-xo.html. I use Ghidra, but the analysis of the code would be the same as if you were looking at it in IDA Pro. If someone is using assembly, they can essentially craft their own calling convention - in which case they could use any combination of registers/stack. If the stack is being used for multiple parameters/arguments, then you’ll see additional PUSHes (or possibly MOVs into stack space) before the function call. Inside the function, it is common to use EBP to setup a stack frame, or base reference to reference arguments and locals. Inside the function then you’ll see relative positive offsets from EBP, such as EBP+8. The stack grows from higher to lower addresses, so inside a function positive offsets are needed to reference “lower” regions of the stack and thus the arguments. The stack will remain 4 byte aligned, even with values less than 4 bytes - so all of the offsets will be in multiple of 4s - i.e. +8, +Ch, +10h, etc. Let me know if this helps!
If at the end we increment ESP and it goes over the stored eax in the stack, what happens to eax as eax is no longer in the frame between the base of the stack and the top of the stack? Aren't we losing this data this way?
I don't recall exactly what I covered in the video - data left on the stack after a function unwinds/returns is lost, in a way. For example, if stack space is used to store data (i.e. as locals) during function execution, then a function reaches the epilogue to begin to return that data simply stays on the stack. It is no longer referenced and will be overwritten at some point from another function during it's stack usage. Depending on the sensitivity of the data, it may be worth while to zero out the local variables before moving on. If the data is needed, it needs to be stored or returned for the rest of the program to use. Does this help answer your question?
Wow. I am at a lost for words. This is hands down the BEST video on assembly I have seen. THANK YOU!
Wow, thanks! I appreciate the feedback.
Thanks for the lesson. Whenever you need to overwrite a register but you also need this erased value, just write it on the stack. We push EIP because we need to go the actual body of the Foo function before doing the add. At 13:00 "return addy" means the "old value" of EIP
"if this is to confusion..." Your tutorial was excelent!!!
Thank you! 🙏
Nice and clear introduction! Just one thing starting around 6:55, you mentioned [ebp+4] as a way to reference a variable on the stack, and then draw it below ebp. But as the stack grows downward, I would assume [esp+4] to be in the stack. I believe [ebp+4] would be in the red zone (above the current stack frame).
Hi! It's quite possible that I misspoke in the moment - you are correct, local variables are going to typically be at a negative offset from EBP while arguments will be at a positive offset! Thanks for catching that.
Great video and sooo helpful for my upcoming exam in malware analysis. Thx for taking your time to make this video. Saved me a headache
Glad it helped!
Thank you fir the amazing tutorial. Sorry if this is a stupid question but I would like to know how these registers would work in a real life program if we would want to disassemble and crack it.
The registers and memory would be used by the CPU during execution - so disassembling gives us the instructions that will be executed. Memory will change, which often leads us to debug a program while reversing. It's a bit of a long answer, I'd suggest trying this playlist out to help get a more practical viewpoint: th-cam.com/play/PLHJns8WZXCdu6kPwPpBhA0mfdB4ZuWy6M.html.
@@jstrosch thank you a lot for the answer and the link ❤️
I understand almost everything but I am still unable to know how the old value of SBP will be restored to its previous value before the function call ( Is it like the SBP contains its own stack data structure so that every time a function is called the old value of the SBP will be pushed onto the SBP stack data structure). And also, the return address will be the part of the calling function stack frame or called function stack frame and the pushed old SBP value as well?
Thank you for a great video!
Would you mind to explain how stack would look like when multiple parameters are passed when procedure/ function is called?
It will depend on the architecture (32 or 64 bit) and the calling convention. This video should help explain the primary conventions used in 32-bit programs: Understanding Calling Conventions - Ghidra Reversing Tutorials
th-cam.com/video/FPIr4fGI8lw/w-d-xo.html. I use Ghidra, but the analysis of the code would be the same as if you were looking at it in IDA Pro. If someone is using assembly, they can essentially craft their own calling convention - in which case they could use any combination of registers/stack. If the stack is being used for multiple parameters/arguments, then you’ll see additional PUSHes (or possibly MOVs into stack space) before the function call. Inside the function, it is common to use EBP to setup a stack frame, or base reference to reference arguments and locals. Inside the function then you’ll see relative positive offsets from EBP, such as EBP+8. The stack grows from higher to lower addresses, so inside a function positive offsets are needed to reference “lower” regions of the stack and thus the arguments. The stack will remain 4 byte aligned, even with values less than 4 bytes - so all of the offsets will be in multiple of 4s - i.e. +8, +Ch, +10h, etc. Let me know if this helps!
for the epilogue, shouldnt the stack pointer mov to the base pointer instead? so it would be mov esp, ebp
Yes, that is typically the command used to move ESP back to the base, then POP and RET. Did I say that wrong in the video? Thanks for catching if so!
If at the end we increment ESP and it goes over the stored eax in the stack, what happens to eax as eax is no longer in the frame between the base of the stack and the top of the stack? Aren't we losing this data this way?
I don't recall exactly what I covered in the video - data left on the stack after a function unwinds/returns is lost, in a way. For example, if stack space is used to store data (i.e. as locals) during function execution, then a function reaches the epilogue to begin to return that data simply stays on the stack. It is no longer referenced and will be overwritten at some point from another function during it's stack usage. Depending on the sensitivity of the data, it may be worth while to zero out the local variables before moving on. If the data is needed, it needs to be stored or returned for the rest of the program to use. Does this help answer your question?
Thank you very much
You are welcome
best explanation yet
Glad you think so!
finally a good explanation. thank you
Thank you :)
really good video thanks🎉
Thanks - really glad to hear these "old" videos are still getting some use!
i cant believe i finally understood stack
Hey - that's great to hear!
Thank you!
You're welcome!
Thanks very much!
You're welcome!
nice explaination
Thanks and welcome 🙏
thanks a lot
You are most welcome
Thanks Sir it was really helpful
Glad to hear that