08 - The Stack
Vložit
- čas přidán 22. 07. 2024
- Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
🎓 Courses on Pluralsight 👉🏻 www.pluralsight.com/authors/j...
🌶️ CZcams 👉🏻 Like, Comment & Subscribe!
🙏🏻 Support my work 👉🏻 / joshstroschein
🌎 Follow me 👉🏻 / jstrosch , / joshstroschein
⚙️ Tinker with me on Github 👉🏻 github.com/jstrosch - Věda a technologie
Wow. I am at a lost for words. This is hands down the BEST video on assembly I have seen. THANK YOU!
Wow, thanks! I appreciate the feedback.
Thanks for the lesson. Whenever you need to overwrite a register but you also need this erased value, just write it on the stack. We push EIP because we need to go the actual body of the Foo function before doing the add. At 13:00 "return addy" means the "old value" of EIP
finally a good explanation. thank you
Thank you :)
Great video and sooo helpful for my upcoming exam in malware analysis. Thx for taking your time to make this video. Saved me a headache
Glad it helped!
If at the end we increment ESP and it goes over the stored eax in the stack, what happens to eax as eax is no longer in the frame between the base of the stack and the top of the stack? Aren't we losing this data this way?
for the epilogue, shouldnt the stack pointer mov to the base pointer instead? so it would be mov esp, ebp
Nice and clear introduction! Just one thing starting around 6:55, you mentioned [ebp+4] as a way to reference a variable on the stack, and then draw it below ebp. But as the stack grows downward, I would assume [esp+4] to be in the stack. I believe [ebp+4] would be in the red zone (above the current stack frame).
Hi! It's quite possible that I misspoke in the moment - you are correct, local variables are going to typically be at a negative offset from EBP while arguments will be at a positive offset! Thanks for catching that.
I understand almost everything but I am still unable to know how the old value of SBP will be restored to its previous value before the function call ( Is it like the SBP contains its own stack data structure so that every time a function is called the old value of the SBP will be pushed onto the SBP stack data structure). And also, the return address will be the part of the calling function stack frame or called function stack frame and the pushed old SBP value as well?
Thank you very much
You are welcome
Thank you fir the amazing tutorial. Sorry if this is a stupid question but I would like to know how these registers would work in a real life program if we would want to disassemble and crack it.
The registers and memory would be used by the CPU during execution - so disassembling gives us the instructions that will be executed. Memory will change, which often leads us to debug a program while reversing. It's a bit of a long answer, I'd suggest trying this playlist out to help get a more practical viewpoint: czcams.com/play/PLHJns8WZXCdu6kPwPpBhA0mfdB4ZuWy6M.html.
@@jstrosch thank you a lot for the answer and the link ❤️
Thank you!
You're welcome!
Thank you for a great video!
Would you mind to explain how stack would look like when multiple parameters are passed when procedure/ function is called?
It will depend on the architecture (32 or 64 bit) and the calling convention. This video should help explain the primary conventions used in 32-bit programs: Understanding Calling Conventions - Ghidra Reversing Tutorials
czcams.com/video/FPIr4fGI8lw/video.html. I use Ghidra, but the analysis of the code would be the same as if you were looking at it in IDA Pro. If someone is using assembly, they can essentially craft their own calling convention - in which case they could use any combination of registers/stack. If the stack is being used for multiple parameters/arguments, then you’ll see additional PUSHes (or possibly MOVs into stack space) before the function call. Inside the function, it is common to use EBP to setup a stack frame, or base reference to reference arguments and locals. Inside the function then you’ll see relative positive offsets from EBP, such as EBP+8. The stack grows from higher to lower addresses, so inside a function positive offsets are needed to reference “lower” regions of the stack and thus the arguments. The stack will remain 4 byte aligned, even with values less than 4 bytes - so all of the offsets will be in multiple of 4s - i.e. +8, +Ch, +10h, etc. Let me know if this helps!
Thanks very much!
You're welcome!
best explanation yet
Glad you think so!
thanks a lot
You are most welcome
Thanks Sir it was really helpful
Glad to hear that
nice explaination
Thanks and welcome 🙏