This final chapter summarizes various patterns we have encountered while reading this book.

Function prolog:

    push ebp
    mov  ebp,esp

Function epilog:

    mov  esp,ebp
    pop  ebp
    ret  [number]

In some old legacy code this is equivalent to:

    leave
    ret  [number]
Knowing the prolog can help in identifying situations when symbol files or function start addresses are not correct. For example, suppose you have the following stack trace:

    func3+0x5F
    func2+0x8F
    func+0x20

If we disassemble the func2 function and see that it doesn't start with the prolog, we may assume that the stack trace needs more attention:

    0:000> u func2
    func2+0x8F
    add ecx, 10
    mov eax, [ebx+10]
    push ebp
    mov ebp, esp
    ...
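The check described above can be mechanized: parse a WinDbg-style `u` listing, test whether the first instruction pair is the standard `push ebp / mov ebp,esp` prolog, and report where prolog and epilog sequences actually occur so the real function start can be located. The following script is an added example, not code from the book or from WinDbg; the listing it parses is constructed for a hypothetical func2 whose prolog appears a few instructions after the symbol address, and the listing format (address, opcode bytes, mnemonic, operands) is an assumption about the debugger output.

```python
import re
from typing import Dict, List, Tuple

# Constructed WinDbg-style "u" output for a hypothetical func2 (not from the book).
# Each line: address, opcode bytes, mnemonic, operands.
SAMPLE_LISTING = """\
00401000 83c110      add     ecx,10h
00401003 8b4310      mov     eax,dword ptr [ebx+10h]
00401006 55          push    ebp
00401007 8bec        mov     ebp,esp
00401009 83ec08      sub     esp,8
0040100c 8be5        mov     esp,ebp
0040100e 5d          pop     ebp
0040100f c20800      ret     8
"""

# (address, mnemonic, normalized operands)
Instr = Tuple[int, str, str]

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]+)\s+([a-z]+)\s*(.*)$")


def parse_listing(text: str) -> List[Instr]:
    """Parse 'u' style lines; headers such as 'func2:' and blank lines are skipped."""
    instrs: List[Instr] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, _opcode_bytes, mnem, ops = m.groups()
        # Normalize operands so "ebp,esp" and "ebp, esp" compare equal.
        ops = ops.replace("dword ptr", "").replace(" ", "").lower()
        instrs.append((int(addr, 16), mnem.lower(), ops))
    return instrs


def is_prolog(instrs: List[Instr], i: int) -> bool:
    """True if instrs[i] starts the standard prolog: push ebp / mov ebp,esp."""
    if i + 1 >= len(instrs):
        return False
    first, second = instrs[i], instrs[i + 1]
    return first[1:] == ("push", "ebp") and second[1:] == ("mov", "ebp,esp")


def is_epilog(instrs: List[Instr], i: int) -> bool:
    """True if instrs[i] starts an epilog: mov esp,ebp / pop ebp / ret, or leave / ret."""
    rest = [x[1:] for x in instrs[i:i + 3]]
    if (len(rest) >= 3 and rest[0] == ("mov", "esp,ebp")
            and rest[1] == ("pop", "ebp") and rest[2][0] == "ret"):
        return True
    if len(rest) >= 2 and rest[0] == ("leave", "") and rest[1][0] == "ret":
        return True
    return False


def check_function(listing: str) -> Dict[str, object]:
    """Report whether the listing begins with a prolog and where prologs/epilogs sit."""
    instrs = parse_listing(listing)
    prologs = [addr for i, (addr, _, _) in enumerate(instrs) if is_prolog(instrs, i)]
    epilogs = [addr for i, (addr, _, _) in enumerate(instrs) if is_epilog(instrs, i)]
    return {
        "starts_with_prolog": bool(instrs) and is_prolog(instrs, 0),
        "prolog_at": prologs,
        "epilog_at": epilogs,
    }


if __name__ == "__main__":
    report = check_function(SAMPLE_LISTING)
    if not report["starts_with_prolog"]:
        print("symbol address does not start with a prolog; stack trace needs attention")
    for addr in report["prolog_at"]:
        print(f"candidate function start (prolog) at {addr:08x}")
    for addr in report["epilog_at"]:
        print(f"epilog at {addr:08x}")
```

For the constructed listing the report says the symbol address does not start with a prolog and that the first prolog is at 00401006, which is the address to compare against the symbol file. Treat the absence of a prolog as a hint rather than proof: code compiled with frame-pointer omission has no `push ebp / mov ebp,esp` pair at all, so a missing prolog there says nothing about symbol correctness.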
Local variable ...