Reputation: 876
x64 mov instead of push sequence
So after reversing an x64 binary I found this sequence at the beginning of a function:
mov [rsp+8], rbx
mov [rsp+0x10], rbp
mov [rsp+0x18], rsi
push rdi
Now I've never really quite done this in assembly (am only experienced in x86). For me that would just be a local variable initialization.
Any idea why one would have such a code as the function prologue?
Upvotes: 2
Views: 345
Answers (1)
Reputation: 365247
Seems reasonable to use the shadow space (32 bytes above the return address) for saving some of the call-preserved registers, instead of using more stack space to push them all. Without that, you'd just push any call-preserved registers you wanted to use (so you could restore them later). Here, I guess they're restored by reloading them with mov right before ret, instead of pop.
(In Windows x64, RDI and RSI are call-preserved registers, unlike x86-64 System V where they're call-clobbered arg-passing registers.)
Especially if it makes stack alignment work out nicely by allowing an odd number of total pushes, if there's no sub rsp, n to reserve more stack space. (That's presumably why it pushes RDI instead of saving it to [rsp + 0x20].)
Upvotes: 3
Related Questions
- Puzzled by x86 MOV instruction
- Assembly: REP MOVS mechanism
- Assembly instruction mov
- x86_64 - encoding a mov instruction
- How does this x86 mov work in reverse?
- Implement x86 to x64 assembly code switch
- assembly code with MOVS
- MOVZX x86 encoding
- Addressing issue with mov instruction in x86
- Assembly MOVS instruction