What you need to know:
- EIP is a register that indicates the execution of the following command.
When the function is called, the arguments and then EIP (the so-called function knows where to return) are stored on the stack.
When the compiler was told (explicitly or implicitly) to use frame pointers, it then stores the frame pointer (in the EBP register) on the stack (so that it can later restore the frame pointer to the value that it is on the calling function), and then sets the frame pointer pointing to the current top of the stack. This makes it easy to access arguments and local variables from a known reference point (frame pointer) and greatly simplifies debugging.
- Then the space is reserved for local variables, and the function is executed.
- When returning from a function, the previous pointer and frame pointer are restored.
The function call on x86 looks something like this:
... int main() add $-0x8,%esp ; alignment { push $0x2 ; arg 2 ... push $0x1 ; arg 1 func(1, 2); call func ; function call ... add $0x10,%esp ; pop args from stack } ...
And the function being called looks something like this:
void func(int arg1, int arg2) push %ebp ;\ { mov %esp,%ebp ;/ create stack frame int local1; sub $0x18,%esp ; reserves space ... ... } mov %ebp,%esp ;\ pop %ebp ;/ destroys frame ret ; returns
So, the stack will look like this:
: : +-----------+ : alignment : +-----------+ 12(%ebp) | arg2 | +-----------+ 8(%ebp) | arg1 | +-----------+ 4(%ebp) | ret | -----> return address +-----------+ (%ebp) | ebp | -----> previous ebp +-----------+ -4(%ebp) | local1 | -----> local vars +-----------+ : alignment : +-----------+ : :
(Lower addresses below at ASCII level)