I am new to reverse engineering. Whenever I disassemled a program, I always found that value of ebp register be multiple of 8.
Is value of
ebpregister always multiple of 8 or just my observation?
Asked
Active
Viewed 73 times
0
lzutao
- 409
- 5
- 13
-
for aligning the stack [Why does the compiler allocate more than needed in the stack?](http://stackoverflow.com/q/37770751/995714) – phuclv Dec 24 '16 at 17:12
-
As a side note, on Windows x86 EBP register is aligned on 4 but it's not always a multiple of 8. – Neitsa Jan 03 '17 at 10:49
1 Answers
3
For performance reasons, modern x64 calling conventions requires the stack to be aligned to 16 bytes. https://msdn.microsoft.com/en-us/library/ms235286.aspx https://en.wikipedia.org/wiki/X86_calling_conventions
This is also the case for GCCs x86 calling convention.
I can assume this is relevant for ebp, not only esp.
Mark Segal
- 5,427
- 4
- 31
- 69