Question

I have this disassembled function:

PUSH    EBP
MOV     EBP, ESP
SUB     ESP, C
PUSH    408506
MOV     EAX, DWORD PTR FS:[0]
PUSH    EAX
MOV     DWORD PTR FS:[0], ESP
SUB     ESP, 14
PUSH    EBX
PUSH    ESI
PUSH    EDI
MOV     DWORD PTR [EBP-C], ESP
MOV     DWORD PTR [EBP-8], 4077D8
XOR     EBX, EBX
MOV     DWORD PTR [EBP-4], EBX
MOV     EDI, DWORD PTR [EBP+8]
PUSH    EDI
MOV     EAX, DWORD PTR [EDI]
CALL    NEAR DWORD PTR [EAX+4]
MOV     ESI, DWORD PTR [EBP+C]
MOV     ECX, DWORD PTR [EDI]
LEA     EDX, DWORD PTR [EBP-1C]
MOV     DWORD PTR [EBP-18], EBX
PUSH    EDX
PUSH    ESI
PUSH    EDI
MOV     DWORD PTR [EBP-1C], EBX
CALL    NEAR DWORD PTR [ECX+37C]
CMP     WORD PTR [EBP-1C], BX
JE      00558206
MOV     EAX, DWORD PTR [EDI+D8]
CMP     EAX, EBX
JE      0055819A
CMP     WORD PTR [EAX], 1
JNZ     0055819A
MOV     EDX, DWORD PTR [EAX+14]
MOV     ECX, DWORD PTR [EAX+10]
MOV     EBX, DWORD PTR [401190]
MOVSX   ESI, SI
SUB     ESI, EDX
CMP     ESI, ECX
JB      0055818F
CALL    NEAR EBX
LEA     EAX, DWORD PTR [ESI+ESI*4]
LEA     EAX, DWORD PTR [EAX+EAX*4]
SHL     EAX, 5
JMP     005581A2
MOV     EBX, DWORD PTR [401190]
CALL    NEAR EBX
MOV     ECX, DWORD PTR [EDI+D8]
MOV     EDX, DWORD PTR [ECX+C]
MOV     ECX, DWORD PTR [EBP+10]
MOV     AX, WORD PTR [EDX+EAX+2C8]
MOV     WORD PTR [ECX], AX
MOV     EAX, DWORD PTR [EDI+D8]
TEST    EAX, EAX
JE      005581E6
CMP     WORD PTR [EAX], 1
JNZ     005581E6
MOVSX   ESI, WORD PTR [EBP+C]
MOV     EDX, DWORD PTR [EAX+14]
MOV     ECX, DWORD PTR [EAX+10]
SUB     ESI, EDX
CMP     ESI, ECX
JB      005581DB
CALL    NEAR EBX
LEA     EAX, DWORD PTR [ESI+ESI*4]
LEA     EAX, DWORD PTR [EAX+EAX*4]
SHL     EAX, 5
JMP     005581E8
CALL    NEAR EBX
MOV     EDX, DWORD PTR [EDI+D8]
MOV     DWORD PTR [EBP-18], -1
MOV     ECX, DWORD PTR [EDX+C]
MOV     DX, WORD PTR [ECX+EAX+2CA]
MOV     EAX, DWORD PTR [EBP+14]
MOV     WORD PTR [EAX], DX
MOV     EAX, DWORD PTR [EBP+8]
PUSH    EAX
MOV     ECX, DWORD PTR [EAX]
CALL    NEAR DWORD PTR [ECX+8]
MOV     EDX, DWORD PTR [EBP+18]
MOV     AX, WORD PTR [EBP-18]
MOV     WORD PTR [EDX], AX
MOV     EAX, DWORD PTR [EBP-4]
MOV     ECX, DWORD PTR [EBP-14]
POP     EDI
POP     ESI
MOV     DWORD PTR FS:[0], ECX
POP     EBX
MOV     ESP, EBP
POP     EBP
RETN    14

I can guess that the function takes maybe 5 arguments of 4 bytes each, because of the RETN 14 (0x14 = 20, right?). Then I can also see in that disassembled code things like EBP+8 and EBP+C, so I think "Oh, those are the first and second arguments". Well, right, those are the first and second arguments of the function. But I can't guess where the other ones are. I tried EBP+16, EBP+20 and EBP+24, but the values that they give me don't sound like the arguments.

How can I interpret this disassembled code?

Thanks in advance.


Solution

Your assumption is right; scanning through the disassembly, I found five parameters being referenced, all DWORD so 4 bytes each:

DWORD PTR [EBP+8]     ; first parameter (the first 8 bytes are reserved for return address and original EBP)
DWORD PTR [EBP+C]     ; hexadecimal C = decimal 12
DWORD PTR [EBP+10]    ; hexadecimal 10 = decimal 16
DWORD PTR [EBP+14]    ; hexadecimal 14 = decimal 20
DWORD PTR [EBP+18]    ; hexadecimal 18 = decimal 24

Considering the numbers you proposed for parameters 3/4/5, I suppose you just got confused when converting between decimal and hexadecimal; you should keep a table of numbers by your side until this has become second nature to you.

EDIT: about calling convention...

The disassembly appears to be a function with stdcall calling convention. To call the function, you first have to push each double-word parameter value on the stack, from right to left (i.e. the first parameter is the last one to push). The function cleans up the stack, so you don't have to pop anything afterwards. You can find source samples here:
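The offset table and the stdcall note above can be checked mechanically. The script below is an added example, not code from the question or the answer: it scans a constructed excerpt of the posted listing for positive EBP displacements (parameters; negative ones are locals), converts each hex displacement to decimal and to a 1-based parameter number using the rule that [EBP+0] is the saved EBP and [EBP+4] the return address, derives the parameter count from the RETN immediate, and models the stack a stdcall callee sees at entry after right-to-left pushes. The listing excerpt, the sample argument values and the return address are constructed for the demonstration.

```python
import re

# Constructed excerpt of the listing posted in the question: only the lines
# that touch EBP-relative slots, plus the RETN. Displacements are hex with
# no 0x prefix, which is the source of the decimal/hex mix-up.
LISTING = """\
PUSH    EBP
MOV     EBP, ESP
SUB     ESP, C
MOV     DWORD PTR [EBP-C], ESP
MOV     DWORD PTR [EBP-4], EBX
MOV     EDI, DWORD PTR [EBP+8]
MOV     ESI, DWORD PTR [EBP+C]
MOV     ECX, DWORD PTR [EBP+10]
MOVSX   ESI, WORD PTR [EBP+C]
MOV     EAX, DWORD PTR [EBP+14]
MOV     EDX, DWORD PTR [EBP+18]
RETN    14
"""

# [EBP+disp] with a positive displacement is a parameter slot; [EBP-disp]
# is a local and is deliberately not matched.
EBP_PARAM_REF = re.compile(r"\[EBP\+([0-9A-Fa-f]+)\]")
# RETN imm16: the callee pops imm16 bytes of arguments (stdcall).
RETN_IMM = re.compile(r"^\s*RETN\s+([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def parameter_offsets(listing):
    """Distinct positive EBP displacements in the listing, parsed as hex,
    returned as sorted decimal ints."""
    return sorted({int(h, 16) for h in EBP_PARAM_REF.findall(listing)})


def offset_to_param_index(offset):
    """1-based parameter number for a DWORD at [EBP+offset], or None.
    [EBP+0] holds the saved EBP and [EBP+4] the return address, so the
    first DWORD parameter lives at [EBP+8], the second at [EBP+12], ..."""
    if offset < 8 or offset % 4 != 0:
        return None
    return (offset - 8) // 4 + 1


def param_count_from_retn(listing):
    """Number of DWORD parameters implied by RETN imm16 (imm16 / 4)."""
    m = RETN_IMM.search(listing)
    if not m:
        return None
    return int(m.group(1), 16) // 4


def stdcall_frame_at_entry(args, return_address, saved_ebp):
    """Model the stack right after PUSH EBP / MOV EBP,ESP in a stdcall callee.
    Arguments are pushed right to left, so args[0] ends up just above the
    return address at [EBP+8]. Returns {ebp_offset: value}."""
    frame = {0: saved_ebp, 4: return_address}
    for i, value in enumerate(args):
        frame[8 + 4 * i] = value
    return frame


def analyse(listing):
    """Cross-check the referenced parameter slots against the RETN count."""
    offsets = parameter_offsets(listing)
    indices = [offset_to_param_index(o) for o in offsets]
    from_retn = param_count_from_retn(listing)
    return {
        "offsets_dec": offsets,
        "offsets_hex": [f"{o:X}" for o in offsets],
        "param_indices": indices,
        "count_from_retn": from_retn,
        "consistent": from_retn is not None
        and indices == list(range(1, from_retn + 1)),
    }


if __name__ == "__main__":
    report = analyse(LISTING)
    for hex_off, dec_off, idx in zip(report["offsets_hex"],
                                     report["offsets_dec"],
                                     report["param_indices"]):
        print(f"[EBP+{hex_off:>2}]  = decimal {dec_off:>2}  -> parameter {idx}")
    print("RETN implies", report["count_from_retn"], "parameters;",
          "consistent" if report["consistent"] else "MISMATCH")
    # Constructed argument values and return address, to show the layout.
    frame = stdcall_frame_at_entry([0x11, 0x22, 0x33, 0x44, 0x55],
                                   return_address=0x408506, saved_ebp=0xDEAD)
    for off in sorted(frame):
        print(f"[EBP+{off:X}] = {frame[off]:#x}")
```

Running it on the excerpt prints the five slots 8, C, 10, 14, 18 as parameters 1 to 5 and reports that RETN 14 (decimal 20, five DWORDs) agrees. The decimal offsets the questioner tried, 16, 20 and 24, are exactly parameters 3, 4 and 5 once written in hex as 10, 14 and 18.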

Licensed under: CC-BY-SA with attribution