-1

i've been learning x86 assembly for reverse engineering recently and in my tutorial there is sentence that says Ebp points to the old Ebp, however i don't understand this, its confusing.

I looked up on other posts about it but no one did answer my question.

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
fre
  • 11
  • 5
  • When frame pointers are used, a function has a prolog (unless it's naked) that goes like `push ebp / mov ebp, esp`. You can see that `ebp` is overwritten with the value of `esp` but before that it is pushed on the stack. So the old value of `ebp` is on the stack but since the stack pointer was copied in `ebp`, this new value of `ebp` points to the old one. Drawing this on paper once will greatly help. A frame pointer is useful because the arguments are on the stack (not all of them depending on the calling convention) and accessing an argument while pushing the arguments of a call ... – Margaret Bloom Apr 05 '23 at 17:29
  • ... will make working with `esp` tedious. Also, the arguments stay at a fixed offset no matter how much local variable space is allocated and how many registers are saved. – Margaret Bloom Apr 05 '23 at 17:35

1 Answers1

0

The point of one frame pointer referring to another is that this creates a linked list of stack frames, each stack frame can be used to identify the prior (invoking, calling) stack frame — this means that (A) a debugger can trace the call stack, (B) we can unwind the stack for exception handling (catch/throw).

(Note that some additional behaviors/information is required for completeness of these jobs, and, also that the frame pointer mechanism is only one of several ways to accomplish stack tracing.)

The current ebp refers to the location that the current frame has stored the prior ebp value.

This creates a classic singly linked list.  So, dereference current ebp and get the value of prior ebp, do so with prior and get the prior's prior ebp.

Because the prior ebp is pushed as the first push of the newly called function, which was called using some call instruction, we know that there is a return address on the stack immediately above each old ebp value.

Since the return address is always right next to the ebp and we can follow each ebp to its caller (the caller's frame), we can find the code that did the call — that requires using the return address and some checking of ranges to identify the calling function.  Thus, a key element of the linked list created by ebp values pointing to the prior frame is access to the return addresses in the stack frames that can be used to identify the function (and even which location in the function) that did the calling.

Erik Eidt
  • 23,049
  • 2
  • 29
  • 53
  • so i've been reading comments and answers and i understand it like Ebp points to Ebp from previous stack frame. Do i understand it correctly? – fre Apr 05 '23 at 20:19
  • 2
    Yes, a classic singly linked list. @fre `ebp` points to the location in the current frame that the previous `ebp` is stored, so dereference `ebp` and get the value of prior `ebp`, do so with prior and get the prior's prior `ebp`. Immediately above each stored/prior `ebp` is the return address pushed, so you can find the code that did the call — that usually requires some checking of ranges to identify the calling function. – Erik Eidt Apr 05 '23 at 20:21
  • i Don't know how i can accept the comment as your answer can you write it as answer and i will mark it? – fre Apr 05 '23 at 21:15
  • @fre, ok hope that edit helps. – Erik Eidt Apr 05 '23 at 21:45