Reputation: 1249
I am trying to reverse engineer a disassembled binary. I don't understand what it is doing when it makes a call such as:
push $0x804a254
What makes it even more confusing is that that address is not an address of an instruction, nor is it in the symbol table. What is it doing?
Upvotes: 0
Views: 5919
Reputation: 26171
This is one of 3 cases: it's either a constant (be it a hash, number, bitflags or a typecasted address), the address of a variable or buffer (this includes string literals) that is statically allocated at any scope, or a misanalyzed operand (due to encryption/junking). Its true meaning is relative to its use (be it a call argument or an indirect method of setting a mem/reg).
Upvotes: 2
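One way to tell these cases apart is to look the immediate up in the ELF section table. The following is an added example, not code from any of the answers: the ELF32 image is constructed inline, and its section addresses and the string placed at 0x804a254 are assumptions for illustration, not the asker's binary.

```python
import struct

SHT_NOBITS = 8  # section occupies memory but no file bytes (.bss)

def sections(elf):
    """Yield (name, addr, file_offset, size, type) for a little-endian ELF32 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF32 image")
    (shoff,) = struct.unpack_from("<I", elf, 0x20)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x2E)
    hdrs = [struct.unpack_from("<10I", elf, shoff + i * shentsize) for i in range(shnum)]
    stroff = hdrs[shstrndx][4]  # file offset of the section-name string table
    for name, typ, _flags, addr, off, size, *_ in hdrs:
        end = elf.index(b"\0", stroff + name)
        yield elf[stroff + name:end].decode(), addr, off, size, typ

def resolve(elf, imm):
    """Map a pushed immediate to (section, offset, C string or None); None if unmapped."""
    for name, addr, off, size, typ in sections(elf):
        if not addr or not (addr <= imm < addr + size):
            continue
        if typ == SHT_NOBITS:  # zero-initialised data: nothing to read from the file
            return name, imm - addr, None
        pos = off + imm - addr
        end = elf.find(b"\0", pos, off + size)
        raw = elf[pos:end if end != -1 else off + size]
        text = raw.decode() if raw and all(32 <= b < 127 for b in raw) else None
        return name, imm - addr, text
    return None  # not inside any loaded section: treat it as a plain constant

def build_sample():
    """Constructed ELF32 image for the demo (not the asker's binary)."""
    ro = b"\x01\x00\x02\x00" + b"Enter password: \0"
    names = b"\0.rodata\0.bss\0.shstrtab\0"
    shoff = 52 + len(ro) + len(names)
    sh = [(0, 0, 0, 0, 0, 0),
          (1, 1, 2, 0x804A250, 52, len(ro)),            # .rodata, PROGBITS
          (9, SHT_NOBITS, 3, 0x804B000, shoff, 0x20),   # .bss
          (14, 3, 0, 0, 52 + len(ro), len(names))]      # .shstrtab
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 3, 1,
                       0, 0, shoff, 0, 52, 0, 0, 40, len(sh), 3)
    return ehdr + ro + names + b"".join(struct.pack("<10I", *s, 0, 0, 1, 0) for s in sh)

if __name__ == "__main__":
    for imm in (0x804A254, 0x804B010, 0xDEADBEEF):
        print(hex(imm), resolve(build_sample(), imm))
```

On a real binary, `readelf -S` prints the same section table that `sections()` parses here.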
Reputation: 1698
That instruction simply pushes a 32-bit constant (0x804a254) onto the stack.
That instruction alone is not enough for us to tell how it is later used. Could you provide more disassembly of the code? Especially I would like to see where this value is popped out, and how this value is later being used.
Before starting any reverse engineering I would recommend reading this book (Reverse Engineering secrets) and then the x86 instruction set manual (Intel or AMD). I am assuming that you are reverse engineering for an x86 CPU.
Upvotes: 1
Reputation:
The value you see there is not in any table nor an instruction because it is a local variable. (Local variables do not maintain any name associated with a symbol table since they are only "alive" while you are in a specific method.) The address is equivalent to something like:
void somefunc()
{
    int t; // t may have address 0x804a254 since this is a local variable.
}
In order to properly free memory, local variables are allocated on the system stack instead of somewhere else in memory. They are pushed when the function is created and popped off when the function returns; that's what you are seeing.
Upvotes: 1