im writing a dll file, and i need 2 argument (reason of call).
so:


dont work, printf 1 and dont return. Return addr overwritten?


work, printfs 1 and 0


Could someone explain me why the 1st 1 dont work?

ret pop cs and eip from the stack
if you modify esp, then you will obtain an invalid return address, because esp is the stack pointer.

the best is to never touch the esp reg, let it for stack.

Not at all, ret is the short mnemonic for retn, so pops out EIP only.



But it needs to be touched, you need to do that to reserve space for local variables and to adjust the stack pointer after calling a cdecl function. It must be assured to keep all as expected before releasing control to the caller, but the callee can do anything that suits good for the task.

zxcv, as for why the second return is perhaps because you popped the return address on EBX and then pushed it on the stack again so the return address was at a suitable place for RET. After returning from printf you need to add to ESP (1+number_of_varargs)*4.

the stack is popularized by the enter and leave instructions, but i doubt it is the best way to pass parameters, even it's the more used by the billion programmer all over the world...this error is initiated by MS and intel. and everybody follows...

the stack is, for me, only for the registers push/pop and the call/ret/int/iret .

yes, sorry for the mistake, ret is effectivelly a near ret
retf is the version who use cs and eip

Yes, I doubt it too, since it is not a way to pass parameters at all. Enter, in the non-nested simpler form is just "push ebp/mov ebp, esp", so it serves to create the stack frame for the proc/func, from EBP+8+X you have the parameters and from ESP to EBP-4 the local variables (you have to do a "sub esp, something" to have space for local variables). You can forget enter instruction or the recommended equivalent instructions pair, and use an ESP-based frame instead of an EBP-based one, but the latter is easy to handle while in the ESP based one you need to keep track of the pushes and pops to properly access local variables and parameters while EBP is immune to those instructions. EBP-based frames also facilitates debugging in some cases but I'll not enter in anymore details now to not over complicate the thread.

ss is not a good segment register to acces data.

Stack frames are one of the most difficult things for beginners to understand. Especially when you want to write code for 16, 32,and 64 bit modes where the OS uses different standards. Just to confuse things more, some Intel documentation also gives sample code using ebx (instead of ebp) as the stack base.

The situation is worse in ARM code. Lack of resources and documentation being a major problem.

I think zxcv is confused because the printf function uses the c-call method, whereas the normal windows functions use the std-call method. If zxcv can tell us whether the code is part of a larger windows app or is used in a C app that would help to determine the proper stack frame to use.

Why not? When you use ebp or esp (this includes push and pop) without any explicit override then you are using ss. If you are writing windows apps then ss is the same as ds and es.

i don't write for windows...something like a boycott

the reason

does not work is that a push actually subtracts from esp, and a pop adds to esp, and a call also pushes to esp, so the called code has to first save the return address, which is automatically done by proc, and then you can get to the pushed values. By doing the add 8 to esp first it is the same as a double pop, which corrupts the stack because you are pointing to and overwriting valid info whenever pushes and calls are done along with whatever other data modifications done to this area.

The system saves a lot of info on the stack so be sure you don't mess with values you did not put there unless you really know what you are doing.

its a dll.
stack: return address, dll main 1 argument, 2, 3
i used add+8, to get access do 2 argument. then push f - overwrite 1 argument. and sub, to point esp into return address.

i guess system use stack below esp, so after calling printf return address was overwriten?


i know the diffrence between std/cdecl/fastcall

however, the call happens in the middle of the modified esp. By doing the call in the middle you are corrupting stack data because the call itself also causes a push, which will overwrite existing data. You have to have the esp at the original value at the time of call and the called procedure has to handle the stack data access point. I recommend you use Ollydbg and check this out as a regular program before making a dll out of it just so you can see the stack action.

the stack goes in reverse direction, so all higher addresses (from esp) are being used and lower addresses are available.

ahh, i forgot that printf uses same stack.
Im noob

Problem solved.