
How are arguments loaded into $esp?

Let's say I have two arguments, arg1 and arg2, and a function that I wish to call. If I load arg1 into $esp + 4 and arg2 into $esp, which of the following will I be doing:

func(arg1, arg2)

or

func(arg2, arg1)

I am using IA32.


Oh man I get to answer in my favourite way!

It Depends!

It depends on the calling mechanism you're using. Take a look at x86 calling conventions and be amazed.

However, note that in the most common default, cdecl, function parameters are pushed on the stack in a right-to-left order. In fact, they are also pushed right-to-left in stdcall, which Windows uses.

Now to work out which way esp+x goes in the function ordering. The stack grows from the high end of the address space down, and right-to-left ordering implies the rightmost object goes onto the stack first, so rightmost arguments have higher memory addresses. Thus, as you add to esp, or whatever register tracks the lowest (in terms of memory address) argument in the stack, you are moving through the arguments right to left.

I want to add that ebp tends to be the base pointer and esp is moved to allow for local variable storage as per this description of the function prologue.


This is an extremely helpful article which explains the application stack very well.


f(arg2, arg1)

The stack grows down and the arguments are laid out somewhat like an array, and in particular such that the first argument (what your example calls arg2) is at the same place regardless of how many arguments are in the call.

Otherwise, it would be very difficult to make functions work when they take a variable number of parameters.

A platform could, in theory, do it differently, but that's not the case with any major instance.


This article is a must read for everyone interested in reverse engineering with no experience on the subject.
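Both answers above describe the same cdecl layout. The following i386 assembly (GAS, AT&T syntax) is an added example, not code from the original thread: the caller stores values exactly as the question describes (one at (%esp), one at 4(%esp)) and calls a hypothetical cdecl function `sub_args(a, b)` that returns `a - b`, so the parameter order is visible in the result.

```asm
# Added example (not from the original post). Build and run on 32-bit Linux
# or a 64-bit Linux with 32-bit support:
#   as --32 demo.s -o demo.o && ld -m elf_i386 demo.o -o demo && ./demo; echo $?
# sub_args is a hypothetical cdecl function: sub_args(a, b) returns a - b.

        .text
        .globl  _start
_start:
        # Caller, as in the question: the value meant as "arg2" (3) goes to
        # (%esp), the value meant as "arg1" (10) goes to 4(%esp).
        subl    $8, %esp            # reserve room for two 4-byte arguments
        movl    $3,  (%esp)         # lowest address = first (leftmost) parameter
        movl    $10, 4(%esp)        # next address   = second parameter
        call    sub_args            # pushes the return address below the args
        addl    $8, %esp            # cdecl: the caller removes the arguments

        # eax now holds 3 - 10 = -7, i.e. sub_args(3, 10) == func(arg2, arg1).
        # Exit with that value; the shell shows it truncated to 8 bits (249).
        movl    %eax, %ebx
        movl    $1, %eax            # Linux 32-bit sys_exit
        int     $0x80

# cdecl callee: on entry, (%esp) is the return address pushed by 'call',
# 4(%esp) is the first parameter a, 8(%esp) is the second parameter b.
sub_args:
        movl    4(%esp), %eax       # a  (what the caller stored at its (%esp))
        subl    8(%esp), %eax       # a - b  (b is what the caller stored at 4(%esp))
        ret
```

Swapping the two `movl` stores in the caller makes the result 7 instead of -7, which is the observable difference between func(arg1, arg2) and func(arg2, arg1).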
