Question

I have an i386 binary and no opportunity to execute it. The otool -tv output says:

some function or method:

0001a1e0    pushl   %ebp            ; just prolog
0001a1e1    movl    %esp,%ebp       ; save old ESP
0001a1e3    pushl   %edi            ; save EDI, ESI, EBX
0001a1e4    pushl   %esi            ;
0001a1e5    pushl   %ebx            ;
0001a1e6    subl    $0x4c,%esp      ; allocate 0x4c bytes for local purposes
...                                 ; etc

The instruction somewhere below

0001a20e    leal    0xe0(%ebp),%eax ; load an address into EAX

disappoints me! Where does 0xe0(%ebp) point to? I think this is not a local variable because of the positive offset. I can see such accesses throughout the otool output. How do I interpret it?


Solution

This is a reference to a stack address, but your asm is misleading (this is why I don't like AT&T syntax): if you convert leal 0xe0(%ebp),%eax to a byte sequence, you'll get 8D 45 E0, which is the same as LEA EAX,DWORD PTR SS:[EBP-20].

It's either creating a pointer to a local stack buffer (created by the SUB ESP), or creating a pointer to the 7th function param, but without seeing the full code, my bets are on the former.
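As an added illustration (not part of the answer above, and not tool output from the page): decoding the ModRM byte and the displacement of the bytes 8D 45 E0 shows why the AT&T `0xe0` is really a signed `-0x20`, and how an EBP-relative offset maps onto the frame that the prolog in the question builds. The saved-register order (EDI, ESI, EBX) and the 0x4c local size come from the question's listing; the frame-layout classifier is a conventional cdecl interpretation and a hypothetical helper, not something the answer states.

```python
import struct

# Constructed sample: the encoding of `leal 0xe0(%ebp),%eax` (AT&T syntax),
# i.e. `lea eax, [ebp-0x20]` in Intel syntax: opcode 8D, ModRM 45, disp8 E0.
SAMPLE_LEA = bytes.fromhex("8d45e0")

# Register numbering used by the ModRM reg field for 32-bit operands.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_lea_ebp_disp8(code: bytes):
    """Decode a 3-byte `lea r32, [ebp+disp8]` and return (dest_reg, signed_disp).

    ModRM layout is mod(2) | reg(3) | rm(3). mod == 01 means "[base + disp8]"
    and rm == 101 selects EBP as the base register. The disp8 byte is
    sign-extended by the CPU, which is what otool's "0xe0" hides.
    """
    if len(code) != 3 or code[0] != 0x8D:
        raise ValueError("not a 3-byte LEA with an 8-bit displacement")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm != 5:
        raise ValueError("not [ebp+disp8] addressing")
    disp = struct.unpack("<b", code[2:3])[0]  # '<b' = signed 8-bit
    return REGS[reg], disp


def naive_unsigned_disp(code: bytes) -> int:
    """What a reader gets by taking otool's 0xe0 at face value (wrong)."""
    return code[2]


def classify_frame_offset(disp: int, saved_regs=(), local_bytes=0):
    """Interpret an EBP-relative offset for a standard cdecl frame.

    Assumed (hypothetical) layout, matching the prolog in the question:
        push ebp; mov ebp, esp        -> [ebp+0] saved EBP, [ebp+4] return addr
        push edi; push esi; push ebx  -> [ebp-4], [ebp-8], [ebp-0xc]
        sub esp, local_bytes          -> locals below the saved registers
    Arguments start at [ebp+8] and are assumed to be 4 bytes each.
    """
    if disp >= 8:
        return ("argument", (disp - 8) // 4 + 1)
    if disp == 4:
        return ("return address", None)
    if disp == 0:
        return ("saved ebp", None)
    below = -disp
    if below <= 4 * len(saved_regs):
        return ("saved register", saved_regs[below // 4 - 1])
    if below <= 4 * len(saved_regs) + local_bytes:
        return ("local", disp)
    return ("below frame", disp)


if __name__ == "__main__":
    reg, disp = decode_lea_ebp_disp8(SAMPLE_LEA)
    print(f"lea {reg}, [ebp{disp:+#x}]   (otool shows the byte as {naive_unsigned_disp(SAMPLE_LEA):#x})")
    # Frame parameters taken from the question's prolog.
    kind, detail = classify_frame_offset(disp, ("edi", "esi", "ebx"), 0x4c)
    print(f"{disp:#x}(%ebp) is a {kind}: {detail}")
    # Misreading 0xe0 as unsigned would put the address far above the frame.
    print(classify_frame_offset(naive_unsigned_disp(SAMPLE_LEA)))
```

Running the block on the page's three bytes prints `lea eax, [ebp-0x20]` and classifies the offset as a local, 20 bytes into the 0x4c-byte area the `subl` reserved; the unsigned misreading (224) would instead look like the 55th argument, which is the tell that the displacement was sign-extended.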

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow