A very positive offset relative to EBP
Question
I have an i386 binary and don't have an opportunity to execute it. The otool -tv output says:
some function or method:
0001a1e0 pushl %ebp ; just prolog
0001a1e1 movl %esp,%ebp ; save old ESP
0001a1e3 pushl %edi ; save EDI, ESI, EBX
0001a1e4 pushl %esi ;
0001a1e5 pushl %ebx ;
0001a1e6 subl $0x4c,%esp ; allocate 0x4c bytes for local purposes
... ; etc
The instruction somewhere below
0001a20e leal 0xe0(%ebp),%eax ; load an address into EAX
disappoints me! Where does 0xe0(%ebp) point to? I think this is not a local variable because of the positive offset. I can see such accesses throughout all the otool output. How do I interpret it?
Solution
This is a reference to a stack address, but your asm is misleading (this is why I don't like AT&T syntax). If you convert leal 0xe0(%ebp),%eax to a byte sequence, you'll get 8D45 E0, which is the same as LEA EAX,DWORD PTR SS:[EBP-20].
It's either creating a pointer to a local stack buffer (created by the SUB ESP), or creating a pointer to the 7th function param, but without seeing the full code, my bets are on the former.
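The sign-extension point in the answer, worked through as an added example (this code is not part of the question or the answer). It encodes and decodes the three-byte `lea eax,[ebp+disp8]` form to show that the displayed 0xe0 is the byte -0x20, and then classifies an EBP-relative offset against the frame layout implied by the prolog in the question (pushed EBP, three callee-saved registers, `sub esp, 0x4c`); the cdecl argument positions and the helper names are assumptions made for the example.

```python
def sign_extend8(byte: int) -> int:
    """Interpret one byte as a signed 8-bit displacement (disp8)."""
    return byte - 0x100 if byte & 0x80 else byte


def encode_lea_eax_ebp_disp8(disp: int) -> bytes:
    """Encode `lea eax, [ebp+disp8]` for -128 <= disp <= 127.

    Opcode 0x8D; ModRM 0x45 = mod 01 (disp8 follows), reg 000 (EAX), rm 101 (EBP).
    """
    if not -128 <= disp <= 127:
        raise ValueError("displacement does not fit in disp8")
    return bytes([0x8D, 0x45, disp & 0xFF])


def decode_lea_eax_ebp_disp8(code: bytes) -> int:
    """Decode the same form back into a signed displacement."""
    if len(code) != 3 or code[0] != 0x8D or code[1] != 0x45:
        raise ValueError("not a lea eax,[ebp+disp8] encoding")
    return sign_extend8(code[2])


def classify_ebp_offset(disp: int, callee_saved: int = 3, frame_size: int = 0x4C) -> str:
    """Classify an EBP-relative offset for a cdecl frame like the one in the question.

    Assumed layout (grows down):
      [ebp+8+4n]  n-th argument (n from 0)
      [ebp+4]     return address
      [ebp+0]     saved EBP
      [ebp-4 ..]  pushed callee-saved registers (EDI, ESI, EBX)
      below that  the `sub esp, frame_size` local area
    """
    saved_regs_bottom = -4 * callee_saved
    locals_bottom = saved_regs_bottom - frame_size
    if disp >= 8 and (disp - 8) % 4 == 0:
        return f"function argument {(disp - 8) // 4 + 1}"
    if disp == 4:
        return "return address"
    if disp == 0:
        return "saved EBP"
    if saved_regs_bottom <= disp < 0:
        return "pushed callee-saved register slot"
    if locals_bottom <= disp < saved_regs_bottom:
        return "local stack buffer (below the pushed callee-saved registers)"
    return "outside this frame"


if __name__ == "__main__":
    # The instruction from the question, as shown by otool: leal 0xe0(%ebp),%eax
    shown = 0xE0
    disp = sign_extend8(shown)
    print(f"0x{shown:02x} as disp8 = {disp} (0x{-disp:x} below EBP)")
    print("bytes:", encode_lea_eax_ebp_disp8(disp).hex())
    print("meaning:", classify_ebp_offset(disp))
```

Run it stand-alone and it reports that 0xe0 is -32, that the encoding is 8d45e0, and that EBP-0x20 lands inside the 0x4c-byte local area rather than among the arguments; a positive offset that is a real argument reference would show up as 8 or more, and a disp8 can never reach an argument beyond the first 30.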