Hello,

suppose i have

push ecx
push eax
call 404444

then ecx and eax are parameters passed to this call right ?

in this example :

lea eax, [ebp-24h]
push eax
lea ecx, [ebp-0Ch]
lea edx, [ebp-6Dh]
lea eax, [ebp-14h]
call 404444

what are the params passed to the call ?

is there a way to easily recognize how many and which are the parameters passed to a call ?

Regards
The Keeper

I thought I'd just clarify this -
__cdecl : caller pushes args _and_ caller cleans up stack after call.

__stdcall : caller pushes args, but callee cleans up stack

its the way in which the stack is cleaned up that is the fundemental difference between the two.

-shadz

Hi there !

i´m not that much into pushing and popping.
Isnt it a good idea to have a look in the call itself to find out if it has been a fastcall (parameters moved to registers) or a standardcall (only eax has been pushed in his example).
Tell me if i´m totally wrong :]

CTRL-D

If u really want to know which are the args to the function, u could
check which regs get used whinin the call...

This would be a definitive way of telling which regs hold arguments and
which hold temp values not destined to be used by the caller.

-shadz

only the eax seems to be the param... it is being pushed on to stack before the call - that's a pointer to whatever's at ebp-24h... the others r just lea's into regs... unless the params r passed through registers... virtually unknown except old dos interrupts.
btw... the ebp-24 will be the address passed not ebp-14