I wish to analyze assembly code that calls functions, and for each 'call' find out how many arguments are passed to the function. I assume that the target functions are not accessible to me, but only the calling code. I limit myself to code that was compiled with GCC only, and to System V ABI calling convention. I tried scanning back from each 'call' instruction, but I failed to find a good enough convention (e.g., where to stop scanning? what happen on two subsequent calls with the same arguments?). Assistance is highly appreciated.
How many arguments are passed in a function call?
1.6k Views Asked by Jaaz At
1
There are 1 best solutions below
Related Questions in FUNCTION
- What is the code of the sorted function?
- I'm trying to make the "merge function" work by writing a Callback.
- Split a large query (2 days) into pieces to increase the speed in Postgres
- Recursive function in PHP function : how to prevent return value?
- Javascript function onclick
- Borland c++: Error while assigning OnChange to another function?
- Control BX Slider from outside of function
- Jquery Resize: how to check if a screen has been resized at any point
- OrientDB - SQL command to pass array value as parameter in OrientDB function
- Check if a private function exists inside an object in JavaScript
- Python - Cannot sort properly my list by alphabetical order
- refactor 'execute and log' pattern
- Javascript: Add multiple fields together and insert into Totals column on Form
- Is it possible in matlab to declare functions that will be accessible from other m files in a similar way as in c coding?
- Defining Callbacks for custom Javascript Functions
Related Questions in ASSEMBLY
- (x64 Nasm) Writeline function on Linux
- Is the compiler Xcode uses to produce Assembly code a bad compiler?
- Why do we need AX instead of MOV DS, data directly with a segment?
- Bootloader in Assembly with Linux kernel
- How should the byte sequence 0x40 0x55 be interpreted by an x86-64 emulator?
- C++ code into assembly
- Drawing circles of increasing radius
- Assembly print on screen using pop ecx
- Equivalent to asm volatile in Gfortran?
- Show 640x480 BMP image with inline ASM c++
- Keep track of numbers entered in by a user in assembly
- 8086 Assembly Arrays with I/O
- DB ASM variable in Inline ASM C++
- What does Jump to means in callgrind?
- How to convert binary into decimal in assembly x8086?
Related Questions in CALL
- Access Violation: 0xC0000005, why is this happening?
- How to handle empty parameters in a main method java call
- To call an asynchronous function synchronously in javascript
- How do you run/call a module in another module in VBA excel?
- How to call posts from PHP
- How to set javascript properties on a global listener, without duplicating code
- Fail on second call
- How to call a data.frame inside an R Function by name
- SIP protocol / call waiting
- How call a function objective c with args in swift
- How to block call in Android 4.2
- ACTION_CALL is not working in Samsung Galaxy S5(Lollipop 5.0) in Android
- Using call to pass context
- Django: accept AJAX call and render response?
- How do I allow the user to select from the list to make a call
Related Questions in REVERSE-ENGINEERING
- How to break code on a click event?
- How to increment versionCode using APKTool?
- Alloy traces and projection issues
- Understanding assembly of a simple C program
- Bomb lab phase 5
- I am not able to generate hibernate.reveng.xml
- Database reverse engineering tool with columnDefinition support
- Unable to see all the classes in an android application using AndBug tool
- Reverse engineer database in spring data rest
- Entity Framework 6.1 - debug t4 script execution with customized code first reverse engineering
- Differences between call, push+ret and push+jump in assembly
- Bomb lab assembly explanation
- Android bytecode: value of some variables not defined
- Reverse engineering proprietary magnetic card formats
- How many arguments are passed in a function call?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Reposting my comments as an answer.
You can't reliably tell in optimized code. And even doing a good job most of the time probably requires human-level AI. e.g. did a function leave a value in RSI because it's a second argument, or was it just using RSI as a scratch register while computing a value for RDI (the first argument)? As Ross says, gcc-generated code for stack-args calling-conventions have more obvious patterns, but still nothing easy to detect.
It's also potentially hard to tell the difference between stores that spill locals to the stack vs. stores that store args to the stack (since gcc can and does use
movstores for stack-args sometimes: see-maccumulate-outgoing-args). One way to tell the difference is that locals will be reloaded later, but args are always assumed to be clobbered.Compilers always re-write args before making another call, because they assume that functions clobber their args (even on the stack). The ABI says that functions "own" their args. Compilers do make code that does this (see comments), but compiler-generated code isn't always willing to re-purpose the stack memory holding its args for storing completely different args in order to enable tail-call optimization. :( This is hand-wavey because I don't remember exactly what I've seen as far as missed tail-call optimization opportunities.
Even that isn't reliable. The System V x86-64 ABI is not simple.
int foo(int, big_struct, int)would pass the two integer args in regs, but pass the big struct by value on the stack. FP args are also a major complication. You can't conclude that seeing stuff on the stack means that all 6 integer arg-passing slots are used.The Windows x64 ABI is significantly different: For example, if the 2nd arg (after adding a hidden return-value pointer if needed) is integer/pointer, it always goes in RDX, regardless of whether the first arg went in RCX, XMM0, or on the stack. It also requires the caller to leave "shadow space".
So you might be able to come up with some heuristics to will work ok for un-optimized code. Even that will be hard to get right.
For optimized code generated by different compilers, I think it would be more work to implement anything even close to useful than you'd ever save by having it.