[PoP:Rev] Reverse Engineering x86 ELF: 0x1

New Concepts Covered


We will start off this series by looking at the simplest of cases – a program that does nothing apart from returning 0.

Source Code

int main()
{
	return 0;
}

Disassembly

0x080483db <+0>:	push   ebp
0x080483dc <+1>:	mov    ebp,esp
0x080483de <+3>:	mov    eax,0x0
0x080483e3 <+8>:	pop    ebp
0x080483e4 <+9>:	ret

Function Prologue

0x080483db <+0>:	push   ebp
0x080483dc <+1>:	mov    ebp,esp

This is what we call a function prologue. It prepares the stack and registers for use within the current function. In this scenario, the old frame pointer ebp is being saved by pushing it onto the stack. After which, ebp is set up for use as main’s frame pointer by copying the value of esp into it.

Return value

0x080483de <+3>:	mov    eax,0x0

This sets the value of eax to 0. By convention, eax is the register that stores the return value of a function. As such, this sets the return value of main to 0.

Function epilogue

0x080483e3 <+8>:	pop    ebp
0x080483e4 <+9>:	ret

Similar to how we set up the stack and registers in the function prologue at the start of main, we need to perform cleanup at the end. This is done in what is called a function epilogue. In this scenario, the value of ebp is restored, and we execute a ret instruction to return to the parent function of main.