Reputation: 263
Main
Main
    push    ebp                      ; save caller's frame pointer
    mov     ebp, esp                 ; set up Main's frame
    and     esp, 0FFFFFFF0h          ; align the stack to 16 bytes
    sub     esp, 30h                 ; reserve 48 bytes for locals and outgoing arguments
    mov     dword ptr [esp], 8       ; size (argument to malloc)
    call    _malloc
    mov     [esp+2Ch], eax           ; keep the returned pointer in a local
    mov     dword ptr [esp+4], 4     ; second outgoing argument: 4
    mov     eax, [esp+2Ch]
    mov     [esp], eax               ; first outgoing argument: the malloc pointer
    call    __start

__start
arg_0= dword ptr 8                   ; first argument, at [ebp+8]
arg_4= dword ptr 0Ch                 ; second argument, at [ebp+0Ch]
    push    ebp                      ; save Main's frame pointer
    mov     ebp, esp                 ; set up __start's frame
    mov     eax, [ebp+arg_4]
    mov     edx, eax
    sar     edx, 1Fh                 ; edx = 0 or -1 (sign of arg_4)
    shr     edx, 1Eh                 ; edx = 0 or 3
    add     eax, edx
    and     eax, 3
    sub     eax, edx                 ; signed remainder of arg_4 divided by 4
    mov     [ebp+arg_4], eax         ; write the result back over arg_4
    mov     eax, [ebp+arg_4]
    cmp     eax, 1
    jz      short loc_80489F0
The code above represents a portion of a project I am working on, where I need to reverse engineer this assembly into corresponding C-Code. I believe I have the placement of the main() down on the stack where [esp] contains the pointer to malloc, and [esp+4] contains the number 4.
I am having some difficulty figuring out what each arg contains; I am under the assumption that arg_0 contains 4, but arg_4 has me thrown off.
What do arg_0 and arg_4 refer to?
Thank you!
Upvotes: 0
Views: 1464
Reputation: 46960
Think of the definitions as #define arg_0 8 and #define arg_4 0xc in C. They are emitted by the compiler to connect the symbolic name of the argument to its offset on the stack in a readable way. In this case e.g. arg_4 is at positive 12 from the base pointer. In this calling convention (which looks like Microsoft), the base pointer ebp points to the previous base pointer, which is just under the return address. Arguments are at positive offsets with respect to ebp, and local (auto) variables are at the negative offsets.

The compiler has applied an optimization in Main to build the stack frame for both calls to malloc and _start with one setting of esp. To see what is happening, draw a picture of 48 bytes of the stack allocated by the sub esp, 30h instruction and trace each instruction from there carefully. The truth will out.
Upvotes: 2
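To make the answer's advice of tracing the instructions concrete, here is an added C replay of the listing in the question; it is not code from the question or the answer. The frame layout in the comment follows from the two stores at [esp] and [esp+4] plus the pushes done by call and push ebp. The function names replay_arg4, replay_matches_c_modulo, start_branch_taken and main_equivalent are my own, and the replay assumes that right-shifting a negative int32_t is an arithmetic shift (as gcc, clang and MSVC do on x86), which is what sar does; shr is reproduced with an unsigned cast. Since the page does not show the code at loc_80489F0, the reconstruction only reports whether the jz would be taken.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/*
 * Frame of __start right after "push ebp / mov ebp, esp":
 *
 *   [ebp+0Ch]  arg_4   second argument (4 in this call)
 *   [ebp+08h]  arg_0   first argument  (pointer returned by malloc)
 *   [ebp+04h]  return address pushed by "call __start"
 *   [ebp+00h]  saved ebp of Main
 *
 * Main stores the outgoing arguments at [esp] and [esp+4] before the call;
 * the call pushes the return address and the callee pushes ebp on top,
 * which is why the callee sees the arguments at +8 and +0Ch from its ebp.
 */

/* Replay of the seven instructions that rewrite arg_4 in __start.
 * eax and edx are modelled as int32_t. "sar" relies on the (assumed)
 * arithmetic right shift of a negative int32_t; "shr" uses an unsigned cast. */
int32_t replay_arg4(int32_t arg_4)
{
    int32_t eax = arg_4;                       /* mov eax, [ebp+arg_4]           */
    int32_t edx = eax;                         /* mov edx, eax                   */
    edx = edx >> 31;                           /* sar edx, 1Fh  -> 0 or -1       */
    edx = (int32_t)((uint32_t)edx >> 30);      /* shr edx, 1Eh  -> 0 or 3        */
    eax = eax + edx;                           /* add eax, edx  (bias negatives) */
    eax = eax & 3;                             /* and eax, 3    (low two bits)   */
    eax = eax - edx;                           /* sub eax, edx  (undo the bias)  */
    return eax;                                /* mov [ebp+arg_4], eax           */
}

/* Check that the instruction sequence equals C's signed "% 4" (remainder
 * keeps the sign of the dividend) for every value in [lo, hi].
 * Returns 1 when all values match, 0 otherwise. */
int replay_matches_c_modulo(int32_t lo, int32_t hi)
{
    for (int32_t x = lo; x <= hi; x++) {
        if (replay_arg4(x) != x % 4)
            return 0;
    }
    return 1;
}

/* C reading of the visible part of __start: arg_4 is reduced modulo 4 and
 * compared with 1. Returns 1 if "jz short loc_80489F0" would be taken. */
int start_branch_taken(void *arg_0, int32_t arg_4)
{
    (void)arg_0;                 /* arg_0 is not touched by the shown instructions */
    arg_4 = replay_arg4(arg_4);  /* the shift/add/and/sub sequence */
    return arg_4 == 1;           /* cmp eax, 1 / jz */
}

/* C reading of Main: malloc(8), then __start(pointer, 4).
 * Returns the branch outcome so the whole path can be checked. */
int main_equivalent(void)
{
    void *p = malloc(8);                    /* mov dword ptr [esp], 8 / call _malloc */
    int taken = start_branch_taken(p, 4);   /* [esp] = p, [esp+4] = 4 / call __start */
    free(p);
    return taken;
}

int main(void)
{
    printf("replay matches %% 4 over [-1000, 1000]: %d\n",
           replay_matches_c_modulo(-1000, 1000));
    printf("-5 -> %d, 7 -> %d, 4 -> %d\n",
           replay_arg4(-5), replay_arg4(7), replay_arg4(4));
    printf("jz taken for Main's call: %d\n", main_equivalent());
    return 0;
}
```

With the arguments Main actually passes (the malloc pointer in arg_0 and 4 in arg_4), the remainder is 0, so the comparison with 1 fails and the jump is not taken; the sign-fixing shifts only matter for negative values of arg_4.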