KP003 - 函数压栈方式
0.程序段(交换2个变量的值)
1: #include <stdio.h>
2:
3: int swap(int * a,int * b)
4: {
//MSVC debug-build prologue, cdecl: frame pointer, 0x40-byte local area, callee-saved registers saved
0040EA30 push ebp //save the caller's ebp (0x0012FF80 in the author's run); restored by the pop ebp at exit
0040EA31 mov ebp,esp //ebp = frame base (esp was 0x0012ff18 here); arguments are reached as [ebp+8], [ebp+0Ch]
0040EA33 sub esp,40h //reserve 0x40 bytes of local area
0040EA36 push ebx //ebx, esi, edi are callee-saved in this ABI, so they are preserved across the call
0040EA37 push esi
0040EA38 push edi
0040EA39 lea edi,[ebp-40h] //fill the whole 0x40-byte local area: 10h dwords x 4 bytes = 0x40, matching the sub esp,40h above
0040EA3C mov ecx,10h
0040EA41 mov eax,0CCCCCCCCh //0xCC is the int 3 opcode: the debug-build fill pattern, so reading an uninitialized local shows up as 0xCCCCCCCC
0040EA46 rep stos dword ptr [edi]
5: *a = *a^*b;
0040EA48 mov eax,dword ptr [ebp+8] //[ebp+8] is the first argument a (pushed last by the caller, just above the return address and saved ebp)
0040EA4B mov ecx,dword ptr [ebp+0Ch] //[ebp+0Ch] is the second argument b
0040EA4E mov edx,dword ptr [eax] //edx = *a
0040EA50 xor edx,dword ptr [ecx] //edx = *a ^ *b
0040EA52 mov eax,dword ptr [ebp+8] //a is reloaded from the frame instead of being kept in eax (unoptimised debug code)
0040EA55 mov dword ptr [eax],edx //*a = *a ^ *b
6: *b = *a^*b;
7: *a = *b^*a;
//(the disassembly for source lines 6-7 is not reproduced here; the addresses jump from 0040EA55 to 0040EA75)
8:
9: return 0;
0040EA75 xor eax,eax //return value 0 in eax (xor is the usual zeroing idiom)
10: }
0040EA77 pop edi //restore the callee-saved registers in reverse push order
0040EA78 pop esi
0040EA79 pop ebx
0040EA7A mov esp,ebp //discard the local area: esp back to the frame base
0040EA7C pop ebp //restore the caller's ebp (0x0012FF80); esp = 0x0012ff18 + 4 = 0x0012ff1c
//[esp] now holds the return address 0x00401083, i.e. the add esp,8 that follows the call in main; the ret that pops it is not shown in this listing
12: int main(void)
13: {
//same debug-build prologue shape as swap: frame pointer, local area, callee-saved registers, 0xCC fill
00401080 push ebp //save the caller's ebp (0x0012ffc0 in the author's run)
00401081 mov ebp,esp //ebp = frame base (the annotation gives esp as 0012ff80 here)
00401083 sub esp,4Ch //reserve 0x4C bytes of local area
00401086 push ebx //ebx, esi, edi are callee-saved, so they are preserved
00401087 push esi
00401088 push edi
00401089 lea edi,[ebp-4Ch] //fill the whole 0x4C-byte local area: 13h dwords x 4 bytes = 0x4C, matching the sub esp,4Ch above
0040108C mov ecx,13h
00401091 mov eax,0CCCCCCCCh //0xCC = int 3 opcode, the debug-build uninitialised-memory pattern
00401096 rep stos dword ptr [edi]
//NOTE(review): the body addresses below (00401068..00401083) are lower than the prologue addresses above (00401080..), and 00401083 appears twice,
//so the body and the prologue look like they were captured from different builds; the relative layout is what matters for this explanation
14: int num1 = 1;
00401068 mov dword ptr [ebp-4],1 //num1 lives at [ebp-4] (the author's annotation says 0x0012ff78)
15: int num2 = 2;
0040106F mov dword ptr [ebp-8],2 //num2 lives at [ebp-8] (the author's annotation says 0x0012ff7c)
//NOTE(review): with ebp = 0x0012ff80 the two addresses above would be 0x0012ff7c and 0x0012ff78 respectively; the original annotation appears to have them swapped
16:
17: swap(&num1,&num2);
00401076 lea eax,[ebp-8] //eax = &num2
00401079 push eax //arguments are pushed right to left: &num2 first ...
0040107A lea ecx,[ebp-4] //ecx = &num1
0040107D push ecx //... then &num1, so &num1 is nearest the return address and becomes [ebp+8] inside swap
0040107E call @ILT+5(_swap) (0040100a) //pushes the return address 00401083 and enters swap through the @ILT (incremental-link) thunk at 0040100a
00401083 add esp,8 //cdecl: the caller pops the 8 bytes of arguments (2 x 4-byte pointers) after the call returns
18:
19: printf("%d,%d",num1,num2);
20:
21: return 0;
22: }
//(the disassembly for source lines 19-22 is not shown in this listing)
1.从右到左的顺序将参数压栈
2.调用函数
3.恢复堆栈
http://hi.baidu.com/xydjh/blog/item/f54f71e9dbb99d3cb90e2d78.html
http://www.xhit.cn/html/program/c/20070520/31125.html
http://hi.baidu.com/20794027/blog/item/8654ee33affdb6f31a4cff9e.html