How C Program Converts Into Assembly

In an earlier article, we have seen C runtime: before starting main & How C program stored in RAM memory. Here we will see "How C program converts into the assembly?" and different aspect of its working at the machine level.

/!\: Originally published @ www.vishalchovatiya.com.

A bit about function stack frames

• During function code execution, a new stack frame is created in stack memory to allow access to function parameters and local variables.
• The direction of stack frame growth totally depends on compiler ABI which is out of our scope for this article.
• The complete information on stack frame size, memory allocation, returning from stack frame is decided at compile time.
• Before diving into assembly code you should be aware of two things :

1. CPU registers of x86 machine.
2. x86 assembly instructions: As this is a very vast topic & updating quite frequently, we will only see the instructions needed for our examples.

x86 CPU Registers

General Purpose Registers

Pointer Register

Segment Register

Index Registers

Apart from all these, there are many other registers as well which even I don't know about. But above-mentioned registers are sufficient to understand the subsequent topics.

How C program converts into assembly?

We will consider the following example with its disassembly inlined to understand its different aspect of its working at machine level :

We will focus on a stack frame of the function

func()

Function calling

Function calling is done by call instruction(see Line 15) which is subroutine instruction equivalent to:

push rip + 1 ; return address is address of next instructions
jmp func

Here,

call

rip+1

func()

Function stack frame

A function stack frame is divided into three parts

• Prologue/Entry
• User code
• Epilogue/Exit

1. Prologue/Entry: As you can see instructions(line 2 to 4) generated against start bracket

{

func()

push 

sub esp, 4   ; decrements ESP by 4 which is kind of space allocation
mov [esp], X ; put new stack item value X in

Parameter passing

Argument of 

func()

edi 

call 

Line 4 in 

func()

rbp

arg 

int

mov 

edi

          ---|-------------------------|--- main()
             |                         |          
             |                         |          
             |                         |          
             |-------------------------|          
             |    main frame pointer   |          
rbp & rsp ---|-------------------------|--- func()
in func()    |           arg           |          
             |-------------------------|          
             |            a            |          
             |-------------------------|    stack 
             |            +            |      |   
             |            +            |      |   
             |            +            |      |   
          ---|-------------------------|---  \|/  
             |                         |          
             |                         |          
                                                   

Allocating space for local variables

2. User code: Line 5 is reserving space for a local variable 

a

mov

5

Accessing global & local static variables

• As you can see above, 

  g 

  is addressed directly with its absolute addressing because its address is fixed which lies in the data segment.
• This is not the case all the time. Here we have compiled our code for  x86 mode, that’s why it is accessing it with an absolute address.
• In the case of x64 mode, the address is resolved using 

  rip

   register which meant that the assembler and linker should cooperate to compute the offset of 

  g 

  from the ultimate location of the current instruction which is pointed by 

  rip

   register.
• The same statement stands true for the local static variables also.

3. Epilogue/Exit: After the user code execution, the previous frame pointer is retrieved from the stack by 

pop

pop 

mov X, [esp] ; put top stack item value into X 
add esp, 4   ; increments ESP by 4 which is kind of deallocation

Return from function

ret

func() 

call 

ret

pop rip ; 
jmp rip ;

If any return value specified then it will be stored in 

eax

So, this is it for “How C program converts into assembly?”. Although this kind of information is strictly coupled with compiler & ABI. But most of the compilers, ABI & instruction set architecture follows the same more or less. In case, you have not gone through my previous articles, here are simple FAQs helps you to understand better:

Intuitive FAQs 

Q. How do you determine the stack growth direction ?

A. Simple…! by comparing the address of two different function’s local variables.

int *main_ptr = NULL;
int *func_ptr = NULL;
void func() { int a; func_ptr = &a; }
int main()
{
    int a; main_ptr = &a;
    func();
    (main_ptr > func_ptr) ? printf("DOWN\n") : printf("UP\n");
    return 0;
}

Q. How do you corrupt stack deliberately ?

A. Corrupt the SFR values stored in the stack frame.

void func()
{
    int a;
    memset(&a, 0, 100); // Corrupt SFR values stored in stack frame
}
int main()
{
    func();
    return 0;
}

Q. How you can increase stack frame size ?

A. 

alloca()