Windows Debugging: Practical Foundations by Dmitry Vostokov

Chapter 14. Summary of Code Disassembly Patterns

This final chapter summarizes various patterns we have encountered during the reading of this book.

Function Prolog / Epilog

Function prolog

push    ebp
mov     ebp,esp

Function epilog

mov    esp,ebp
pop    ebp
ret    [number]

In some old legacy code this is equivalent to:

leave
ret      [number]

Knowing the prolog can help identify situations where symbol files or function start addresses are incorrect. For example, suppose you have the following stack trace:

func3+0x5F
func2+0x8F
func+0x20

If we disassemble the func2 function and see that it doesn't start with a prolog, we may assume that the stack trace needs more attention:

0:000> u func2 func2+0x8F
add  ecx, 10
mov  eax, [ebx+10]
push ebp
mov  ebp, esp
...
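As an added illustration (not code from the book), the following Python script parses WinDbg-style `u` listings and flags the stack-trace frames whose function does not begin with the standard `push ebp` / `mov ebp,esp` prolog; the function names, addresses and listings are constructed for the example.

```python
import re

# Constructed WinDbg "u" output for the three frames in the sample stack trace.
# Addresses and opcode bytes are made up; func2 deliberately lacks a prolog.
SAMPLE_DISASM = {
    "func3": """\
00401000 55              push    ebp
00401001 8bec            mov     ebp,esp
00401003 83ec10          sub     esp,10h
""",
    "func2": """\
00402000 83c110          add     ecx,10h
00402003 8b4310          mov     eax,dword ptr [ebx+10h]
00402006 55              push    ebp
00402007 8bec            mov     ebp,esp
""",
    "func": """\
00403000 55              push    ebp
00403001 8bec            mov     ebp,esp
00403003 56              push    esi
""",
}

# address  opcode-bytes  mnemonic  [operands]
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]+)\s+(\S+)(?:\s+(.*))?$")

def parse_u_output(text):
    """Return a list of (address, mnemonic, operands) from a WinDbg 'u' listing."""
    instrs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip the "module!symbol:" header or blank lines
        addr, _opcode, mnem, ops = m.groups()
        ops = re.sub(r"\s+", "", ops or "").lower()  # "ebp, esp" -> "ebp,esp"
        instrs.append((int(addr, 16), mnem.lower(), ops))
    return instrs

def has_standard_prolog(instrs):
    """True if the listing starts with 'push ebp' followed by 'mov ebp,esp'."""
    if len(instrs) < 2:
        return False
    (_, m1, o1), (_, m2, o2) = instrs[0], instrs[1]
    return (m1, o1) == ("push", "ebp") and (m2, o2) == ("mov", "ebp,esp")

def suspect_frames(frames, disasm_by_func):
    """Return the 'name+0xNN' frames whose function start shows no prolog.
    Such frames deserve a closer look: the symbol or start address may be wrong."""
    suspects = []
    for frame in frames:
        name = frame.partition("+")[0]
        if not has_standard_prolog(parse_u_output(disasm_by_func.get(name, ""))):
            suspects.append(frame)
    return suspects
```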

Passing Parameters

Local variable ...
