
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

This call causes a jump in the flow of the program. When a function is called in
assembly code, three things take place. By convention, the calling program sets up
the function call by first placing the function parameters on the stack in reverse
order. Next, the extended instruction pointer (eip) is saved on the stack so the
program can continue where it left off when the function returns. This saved value
is referred to as the return address. Finally, the call command is executed, and the
address of the function is placed in eip to execute.
In assembly code, the call looks like this:
0x8048393 : mov 0xc(%ebp),%eax
0x8048396 : add $0x8,%eax
0x8048399 : pushl (%eax)
0x804839b : mov 0xc(%ebp),%eax
0x804839e : add $0x4,%eax
0x80483a1 : pushl (%eax)
0x80483a3 : call 0x804835c
The called function's responsibilities are to first save the calling program's ebp on the
stack. Next it saves the current esp to ebp (setting the current stack frame). Then esp is
decremented to make room for the function's local variables. Finally, the function gets
an opportunity to execute its statements.

Gray Hat Hacking: The Ethical Hacker's Handbook
148

[Figure 7-1: The relationship of ebp and esp on a stack]
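The following is an added example, not code from the book: a small C model of a 32-bit x86 stack that replays the steps just described (arguments pushed in reverse order, the return address pushed by call, the callee saving ebp, pointing ebp at esp and subtracting for locals) and then shows where the arguments, return address and saved ebp sit relative to ebp. The starting esp (STACK_BASE), the two argument values and the 16-byte local area are constructed; the return address 0x80483a8 is the instruction after the 5-byte call at 0x80483a3 in the listing above. All function and type names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit x86 stack: 4-byte slots, growing toward lower
 * addresses. STACK_BASE is a hypothetical starting esp, not a value from the book. */
#define STACK_WORDS 64
#define STACK_BASE  0xbffff000u

typedef struct {
    uint32_t mem[STACK_WORDS];  /* slot for address a is mem[(STACK_BASE - a) / 4] */
    uint32_t esp;               /* stack pointer */
    uint32_t ebp;               /* frame (base) pointer */
    uint32_t eip;               /* instruction pointer */
} cpu_t;

static uint32_t *slot(cpu_t *c, uint32_t addr) { return &c->mem[(STACK_BASE - addr) / 4]; }
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; *slot(c, c->esp) = v; }
static uint32_t pop(cpu_t *c) { uint32_t v = *slot(c, c->esp); c->esp += 4; return v; }

void cpu_init(cpu_t *c, uint32_t start_eip) {
    memset(c, 0, sizeof *c);
    c->esp = STACK_BASE;
    c->ebp = STACK_BASE;
    c->eip = start_eip;
}

/* Caller, step 1: parameters are pushed in reverse order (last argument first). */
void push_args(cpu_t *c, const uint32_t *args, int n) {
    for (int i = n - 1; i >= 0; i--) push(c, args[i]);
}

/* Caller, steps 2 and 3: CALL pushes the return address (the instruction after
 * the call) and loads the callee's address into eip. */
void do_call(cpu_t *c, uint32_t target, uint32_t return_address) {
    push(c, return_address);
    c->eip = target;
}

/* Callee prologue: push %ebp; mov %esp,%ebp; sub $local_bytes,%esp */
void prologue(cpu_t *c, uint32_t local_bytes) {
    push(c, c->ebp);        /* save the caller's frame pointer */
    c->ebp = c->esp;        /* the new frame starts here */
    c->esp -= local_bytes;  /* reserve room for locals below ebp */
}

/* Inside the callee everything is addressed relative to ebp:
 *   ebp+8+4*i: argument i   ebp+4: return address   ebp: saved ebp   ebp-n: locals */
uint32_t read_arg(cpu_t *c, int i)     { return *slot(c, c->ebp + 8 + 4 * (uint32_t)i); }
uint32_t read_return_address(cpu_t *c) { return *slot(c, c->ebp + 4); }
uint32_t read_saved_ebp(cpu_t *c)      { return *slot(c, c->ebp); }
void write_local(cpu_t *c, uint32_t off, uint32_t v) { *slot(c, c->ebp - off) = v; }

/* Callee epilogue: leave (mov %ebp,%esp; pop %ebp) followed by ret (pop %eip). */
void epilogue_and_ret(cpu_t *c) {
    c->esp = c->ebp;   /* discard locals */
    c->ebp = pop(c);   /* restore the caller's frame pointer */
    c->eip = pop(c);   /* resume at the return address */
}

/* Caller cleanup (cdecl): add $4*n,%esp removes the pushed arguments. */
void caller_cleanup(cpu_t *c, int n) { c->esp += 4 * (uint32_t)n; }

/* Register and frame values observed while replaying the book's listing. */
typedef struct {
    uint32_t esp_after_args, eip_after_call, ebp_in_callee, esp_in_callee;
    uint32_t arg0, arg1, ret_addr, saved_ebp, eip_after_ret, esp_after_cleanup;
} trace_t;

/* Replay the listing: two pushl, call 0x804835c, a 16-byte frame, then return.
 * The argument values and the 16-byte frame are constructed; 0x80483a8 is the
 * instruction following the 5-byte call at 0x80483a3. */
trace_t run_listing(void) {
    trace_t t;
    cpu_t c;
    uint32_t args[2] = { 0x11111111u, 0x22222222u };  /* stand-ins for argv[1], argv[2] */
    cpu_init(&c, 0x8048393u);
    push_args(&c, args, 2);               t.esp_after_args = c.esp;
    do_call(&c, 0x804835cu, 0x80483a8u);  t.eip_after_call = c.eip;
    prologue(&c, 16);                     t.ebp_in_callee = c.ebp; t.esp_in_callee = c.esp;
    t.arg0 = read_arg(&c, 0);  t.arg1 = read_arg(&c, 1);
    t.ret_addr = read_return_address(&c);  t.saved_ebp = read_saved_ebp(&c);
    write_local(&c, 4, 0xdeadbeefu);      /* a local at ebp-4 stays below the frame data */
    epilogue_and_ret(&c);                 t.eip_after_ret = c.eip;
    caller_cleanup(&c, 2);                t.esp_after_cleanup = c.esp;
    return t;
}

int main(void) {
    trace_t t = run_listing();
    printf("in callee: ebp=%#x esp=%#x arg0=%#x arg1=%#x ret=%#x saved ebp=%#x\n",
           t.ebp_in_callee, t.esp_in_callee, t.arg0, t.arg1, t.ret_addr, t.saved_ebp);
    printf("after ret: eip=%#x esp=%#x\n", t.eip_after_ret, t.esp_after_cleanup);
    return 0;
}
```

Reading the trace against Figure 7-1: after the prologue, ebp points at the saved ebp, the return address sits 4 bytes above it and the first argument 8 bytes above, while esp is 16 bytes below ebp. A local variable written at ebp-4 stays below all of that, which is exactly why an over-long write into a local can walk upward through the saved ebp and return address.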

