What is the purpose of this mov before call in x86 asm?

1
votes

I'm just learning ASM/x86, so please bear with me.

Question

I noticed the following in the program I'm inspecting, and I'm thinking that it is passing a parameter to the function that gets called:

mov   [ebp-04],00000005
call  <some function call here>

As far as I can tell, this seems to be setting the second byte from the top of the stack to the value 5.

Is this effectively passing a parameter of 5 to the function?

Would it resemble the following in C:

void someFunction(int num); //function declaration

someFunction(5); //In some context

If it is passing a single parameter of 5 to the function, why is it set as the second byte (-04), and not the top of the stack? What is at the top of the stack? Am I interpreting this all wrong?

EDIT The top of the function is where ebp gets set:

push  ebp
mov   ebp,esp
push  -01
push  184
mov   eax,fs:[00000000]
...   //bunch more pushes and movs with eax and ecx into [ebp-offset]
...   //a couple of jump if equals
...   //some more push and movs
lea   ecx,[ebp-1C]
mov   [ebp-04],00000005
call  <some function>

Here is the called function:

 mov   edx,[ecx]
 mov   eax,[ecx+08]
 sub   eax,edx
 test  edx,edx
 je    <label1>
 cmp   eax,00000080
 jna   <label2>
 push  edx
 call  <another function>
 add   esp,04
 ret
label2:
 push  eax
 push  edx
 call  <yet another function>
 add   esp,08
label1:
 ret
3
assemblyx86mov

3 Answers

2
votes

The example you show is not a passing a value to the function. At least it wouldn't be a typical call.

The use of the fs register typically is a try/catch setup.

If this is really the whole sequence of the functions (particularly the called function) then

... here it might just sets some local variable.

mov   [ebp-04],00000005

... here seems a parameterr to be passed in the ECX register

lea   ecx,[ebp-1C]

Most compiled programs use the ebp register as a basepointer to local variables on the stack. The individual variables are then addressed with [ebp-X] where X is the offset of each variable. If you have, for example, two local int variables, then you would see [ebp-4] and [ebp-8] when these two variables are addressed.

1
votes

ebp is not the stack pointer, that's esp. ebp is customarily used as frame pointer, so depending on how it was set up it may indeed be passing that 5 as argument. Or it may just be storing it in a local variable.

Also, it might not be possible to tell whether it's a local or a function argument without knowing the function itself:

int x = 5;
foo();

may generate the same code as foo(5);

The frame pointer is used to point at the beginning of the stack area for the current function and has to be set up by the function itself in the prologue. Arguments are above it (positive offsets) locals are below it (negative offsets). Note that in 32 and 64 bit mode (on x86) you don't really need it because you can address relative to the stack pointer esp directly. Still, under some circumstances it may be useful, such as for debugging purposes.

1
votes

Generally parameters are passed by putting them in registers, or pushing them onto the stack, and then calling the targeted subroutine.

EBP often contains a pointer to a stack frame, not the stack top. So your example seems odd at least it doesn't appear to be likely to be an argument passing operation. It may be some other action relevant to the function in which the call is being made.

Is it compiler generated code? If so, the compiler may know the relationship between ESP and EBP (often when entering function ESP is copied into ESP) and may be taking advantage of that knowledge. You need to figure out where the EBP value being used is set, earlier; it would be helpful to show that code.