flat assembler
Message board for the users of flat assembler.

Difference EBP and ESP

Hicel
Joined: 09 Sep 2004
Posts: 55
I am sorry if this is a stupid question, but what exactly is the difference between the ebp and esp registers? Don't they both point to the stack? Or does ebp point to the base of the PE file in memory, like 400000h?
Posted 20 Feb 2006, 10:12
shoorick
Joined: 25 Feb 2005
Posts: 1608
Location: Ukraine
esp is automatically increased/decreased by push/pop operations; ebp is just a pointer register with its default base on ss. btw, in 16-bit mode you cannot use sp as a pointer register, only bp. Thus esp is used as the stack pointer, and ebp is used to create stack frames for procedures (pointing to local vars on the stack and to procedure parameters on the stack).
Posted 20 Feb 2006, 12:43
Reverend
Joined: 24 Aug 2004
Posts: 408
Location: Poland
ESP always points to the stack. It changes on every call, push and pop.
When you call some proc it usually creates the stack frame. It means that some place on the stack is reserved for your variables, and so no pushes will change them. So it looks like this. Say you want to reserve 8 bytes on the stack.
Code:
-16
-12
-08  After initialization of the procedure, both ESP and EBP point here
-04
0    Original ESP pointed here
+04
+08
+12
+16
When you push data onto the stack, ESP always decreases, and so it will point to -12, -16, -20, ... You reserved 8 bytes, and so from -8 to 0 the memory is what you reserved. EBP points to the beginning of that block and remains unchanged. ESP changes, but it will never overwrite the memory that EBP points to (of course, if the code is well written). Hope you get the idea now.
Posted 20 Feb 2006, 12:52
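A worked version of the frame shoorick and Reverend describe, added here as an example (it is not code from the thread): a 32-bit fasm program with one stdcall procedure that uses the standard `push ebp / mov ebp,esp / sub esp,N` prologue, reads its parameters at positive EBP offsets, its locals at negative ones, and pushes inside the body without touching either. The procedure name `sum3`, its two locals and the file name are made up for the illustration; the program depends only on kernel32's ExitProcess and fasm's bundled win32a.inc, and hands the computed value back as the process exit code so the result can be checked without any output code.

```asm
; Added example (not from the thread): the classic EBP stack frame in 32-bit fasm.
; Build:  fasm frame.asm        Run it, then:  echo %errorlevel%   -> 6
format PE console 4.0
entry start
include 'win32a.inc'

section '.text' code readable executable

; sum3(a, b, c) -- stdcall, so the callee removes the 12 bytes of arguments.
;
;   [ebp+16]  c                          higher addresses
;   [ebp+12]  b
;   [ebp+8]   a
;   [ebp+4]   return address   (pushed by CALL)
;   [ebp+0]   caller's EBP     (pushed by the prologue)   <- EBP, fixed for the whole body
;   [ebp-4]   local1
;   [ebp-8]   local2                                      <- ESP right after SUB
;   ...       anything PUSHed in the body lands below this line
sum3:
        push    ebp                     ; save the caller's frame pointer
        mov     ebp,esp                 ; anchor this frame: offsets from EBP stay constant
        sub     esp,8                   ; reserve two dword locals (ESP moves, EBP does not)

        mov     eax,[ebp+8]             ; a
        add     eax,[ebp+12]            ; a+b
        mov     [ebp-4],eax             ; local1 = a+b

        push    ecx                     ; a push in the body writes to [ebp-12] ...
        push    edx                     ; ... and [ebp-16]: new slots below the locals
        mov     ecx,[ebp+16]            ; c
        mov     [ebp-8],ecx             ; local2 = c, still addressable after the pushes
        pop     edx                     ; pops must balance the pushes before the epilogue
        pop     ecx

        mov     eax,[ebp-4]
        add     eax,[ebp-8]             ; eax = a+b+c

        mov     esp,ebp                 ; drop the locals (and anything left on top of them)
        pop     ebp                     ; restore the caller's frame
        ret     12                      ; return and pop the three dword arguments

start:
        push    3                       ; c   (stdcall arguments go right to left)
        push    2                       ; b
        push    1                       ; a
        call    sum3                    ; eax = 6; ESP is back where it was before the pushes
        invoke  ExitProcess,eax         ; exit code 6

section '.idata' import data readable writeable
        library kernel32,'KERNEL32.DLL'
        import  kernel32, ExitProcess,'ExitProcess'
```

The layout comment above is also the reason this matters for security: the saved EBP and the return address sit at [ebp] and [ebp+4], directly above the locals. Pushes never reach them, as Reverend says, but a write that runs past the end of a local buffer climbs upward into exactly those two slots, and an unbalanced push/pop before `ret` makes the CPU return to whatever happens to be on top of the stack.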
Hicel
Joined: 09 Sep 2004
Posts: 55
Sorry for the late reply! Thanks to you both, now I get it more.
But what I don't get is: if ebp always points to the same place, isn't it possible
that you do pushes and come to the point where ebp is pointing
and then you overwrite the locals (when using ebp for them)?

like

Code:
mov dword [ebp+8],20    ; store a value via ebp
push 20                 ; each push moves esp down by 4
push 20
push 20
push 20
push 20
mov eax,[ebp+8]         ; is the stored value still intact here?
?
Posted 25 Feb 2006, 11:27
Madis731
Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
I think the best way to explain this to yourself is to put some C++ code in OllyDBG and find out how the EBPs are set and how ESP reacts. The rule of thumb is that when your pushes and pops are equal then nothing can go wrong when calling/returning, although the exception is when you modify either EBP or ESP yourself.
And as for your example code: push 20 ONLY modifies ESP; EBP still points to the same location, and push will hardly ever mess anything up because every push writes to a new memory location. POP, on the other hand, may delete something from your stack.
When you learn more about stacks you'll see that it's the opposite way, but I don't want to confuse you now, so think of it as I explained before.
Posted 25 Feb 2006, 13:09
vbVeryBeginner
Joined: 15 Aug 2004
Posts: 884
Location: \\world\asia\malaysia
Hi hicel, check some of the examples I made below:
Code:
include '%fasminc%\win32ax.inc'

.code

t1 db "text 1",0
t2 db "title",0

  start:
        push [MessageBox]       ; will be [ebp+12] once jhere sets ebp
        push t2                 ; will be [ebp+8]
        push t1                 ; will be [ebp+4]
        push @f                 ; will be [ebp]: where jhere continues afterwards
        jmp  jhere

        mov  eax,0              ; never executed, just filler before the @@ label
        mov  ebx,0
        @@:
        invoke  ExitProcess,0


jhere:
        mov  ebp,esp            ; ebp is now fixed; esp keeps moving with every push
        push MB_OK
        push dword [ebp+8]      ; t2 (title)
        push dword [ebp+4]      ; t1 (text)
        push NULL
        call dword [ebp+12]     ; MessageBox(NULL,t1,t2,MB_OK); stdcall pops its 16 bytes
        jmp  dword [ebp]        ; continue at @@

.end start


Code:
jhere:
        push MB_OK              ; esp-4: [esp]=MB_OK [esp+4]=@f [esp+8]=t1 [esp+12]=t2 [esp+16]=[MessageBox]
        push dword [esp+12]     ; esp-4: pushes t2; every push shifts all esp offsets by 4
        push dword [esp+12]     ; esp-4: pushes t1, which has just moved from +8 to +12
        push NULL               ; esp-4
        call dword [esp+28]     ; [MessageBox]; the stdcall callee pops the 16 bytes of arguments
        jmp  dword [esp]        ; @f is on top of the stack again


They are basically the same: one makes use of ebp, and the other one uses esp.

One way to learn about this is to try to code a function and pass your parameters using esp. You would see it is easier to use the stack with ebp than with esp.
Posted 25 Feb 2006, 15:31
RedGhost
Joined: 18 May 2005
Posts: 443
Location: BC, Canada
Code:
sub esp, 4                      ; make room first, so the slot already on top is not overwritten
mov dword[esp], 0               ; uType = MB_OK (stored first, so it is the last argument)
sub esp, 4
mov dword[esp], _title          ; lpCaption
sub esp, 4
mov dword[esp], _text           ; lpText
sub esp, 4
mov dword[esp], 0               ; hWnd = NULL
sub esp, 4
mov dword[esp], done_call       ; the "return address" MessageBoxA will use
sub esp, 4
mov eax, [MessageBoxA]
mov dword[esp], eax             ; ret pops this into eip ...
ret                             ; ... and MessageBoxA sees a normal stdcall frame
done_call:


A call to MessageBox without using push, and using 'ret' instead of call.

The stack is fun :p

_________________
redghost.ca
Posted 26 Feb 2006, 05:01
Madis731
Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
There's a fine line between ingenuity and insanity, said a wise person one day.

There are no lines AT ALL in assembly; add self-modifying code and there you have it: complete disaster.
Posted 26 Feb 2006, 17:52
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Instead of
Code:
mov eax, [MessageBoxA]
mov dword[esp], eax
ret

use
Code:
jmp [MessageBoxA]
Posted 26 Feb 2006, 20:28
RedGhost
Joined: 18 May 2005
Posts: 443
Location: BC, Canada
vid wrote:
Instead of
Code:
mov eax, [MessageBoxA]
mov dword[esp], eax
ret

use
Code:
jmp [MessageBoxA]


Yes, I know, but I was just showing that you can do silly things like call a function with ret.

_________________
redghost.ca
Posted 27 Feb 2006, 00:16
Copyright © 1999-2020, Tomasz Grysztar.