As far as I know, in Win32, when a function is called the process memory layout looks like this:
High Memory Addresses
+------------------+ <- Higher addresses
| Arguments        | <- Arguments pushed by the caller
+------------------+
| Return Address   | <- Return address pushed by the CALL instruction
+------------------+
| Old EBP          | <- Saved EBP of the calling function
+------------------+ <- Current EBP points here
| Local Vars       | <- Local variables of the function
| and/or           |
| Temporaries      |
+------------------+ <- ESP points here
Low Memory Addresses
So ESP will point to the last block on the stack, as shown above.
I saw in many articles that they use esp + 0, esp + 4 and so on to reach the function arguments and the return address. How can this be done? I mean, in 32-bit Windows I know each block on the stack uses 4 bytes, so if the stack wants to use the function arguments it must use 4 bytes (ebp) + 4 bytes (return address), and only then can it reach the arguments.
So:
esp + 0 is not the return address
esp + 0 is ebp
esp + 4 is ret
I know I'm wrong, but can anyone correct me?
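The following is an added example, not code from the original post: a small C model of the 32-bit cdecl call sequence the question describes. It keeps a fake stack (an array of dwords at an arbitrary, made-up base address; the constants STACK_BASE, the argument values and the return address 0x00401234 are all constructed for illustration) and replays the caller's pushes, the CALL, and the callee's `push ebp / mov ebp, esp / sub esp, N` prologue, so you can see what ESP and EBP point at before and after the prologue. Only the offsets between the values matter; the addresses themselves are not real Win32 addresses.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Fake 32-bit stack: STACK_WORDS dwords starting at STACK_BASE.
 * Both constants are made up for this example; only offsets matter. */
#define STACK_WORDS 64u
#define STACK_BASE  0x0019F000u

typedef struct {
    uint32_t mem[STACK_WORDS];
    uint32_t esp;   /* always points at the most recently pushed dword */
    uint32_t ebp;
} cpu_t;

static void cpu_reset(cpu_t *c)
{
    for (unsigned i = 0; i < STACK_WORDS; i++) c->mem[i] = 0;
    c->esp = STACK_BASE + 4u * STACK_WORDS;  /* empty stack: one past the top */
    c->ebp = 0xDEADBEEFu;                    /* stands in for the caller's EBP */
}

/* Read the dword at a stack address, checking it lies inside the fake stack. */
static uint32_t rd(const cpu_t *c, uint32_t addr)
{
    assert(addr >= STACK_BASE && addr < STACK_BASE + 4u * STACK_WORDS);
    assert((addr & 3u) == 0);
    return c->mem[(addr - STACK_BASE) / 4u];
}

/* PUSH: the stack grows toward lower addresses, 4 bytes per dword. */
static void push(cpu_t *c, uint32_t v)
{
    c->esp -= 4u;
    assert(c->esp >= STACK_BASE);
    c->mem[(c->esp - STACK_BASE) / 4u] = v;
}

/* Caller side of a cdecl call f(arg1, arg2): arguments are pushed right to
 * left, then CALL pushes the return address. Returns ESP exactly as the
 * callee sees it on its first instruction, before any prologue has run. */
static uint32_t do_call(cpu_t *c, uint32_t arg1, uint32_t arg2, uint32_t ret_addr)
{
    push(c, arg2);
    push(c, arg1);
    push(c, ret_addr);   /* what CALL does after computing the target */
    return c->esp;
}

/* Standard prologue: push ebp / mov ebp, esp / sub esp, locals_bytes. */
static void do_prologue(cpu_t *c, uint32_t locals_bytes)
{
    push(c, c->ebp);
    c->ebp = c->esp;
    c->esp -= locals_bytes;
    assert(c->esp >= STACK_BASE);
}

int main(void)
{
    cpu_t c;
    cpu_reset(&c);

    /* Constructed argument and return-address values, chosen to be easy to spot. */
    uint32_t entry_esp = do_call(&c, 0x11111111u, 0x22222222u, 0x00401234u);
    printf("At callee entry (before push ebp):\n");
    printf("  [esp+0]  = %08x  (return address)\n", rd(&c, entry_esp + 0u));
    printf("  [esp+4]  = %08x  (arg1)\n",           rd(&c, entry_esp + 4u));
    printf("  [esp+8]  = %08x  (arg2)\n",           rd(&c, entry_esp + 8u));

    do_prologue(&c, 8u);
    printf("After push ebp / mov ebp,esp / sub esp,8:\n");
    printf("  [ebp+0]  = %08x  (saved EBP)\n",      rd(&c, c.ebp + 0u));
    printf("  [ebp+4]  = %08x  (return address)\n", rd(&c, c.ebp + 4u));
    printf("  [ebp+8]  = %08x  (arg1)\n",           rd(&c, c.ebp + 8u));
    printf("  [ebp+12] = %08x  (arg2)\n",           rd(&c, c.ebp + 12u));
    printf("  esp = ebp - %u  (locals)\n", (unsigned)(c.ebp - c.esp));
    return 0;
}
```

The model captures two snapshots. On the callee's first instruction, before `push ebp`, `[esp+0]` is the return address and `[esp+4]` is the first argument; that is the state the "esp + 0 / esp + 4" articles are describing. After the prologue, the saved EBP sits at `[ebp+0]`, the return address at `[ebp+4]` and the first argument at `[ebp+8]`, while ESP has moved down past the locals. Which register and offset reach the arguments therefore depends on where in the function you are looking, and on whether the function keeps a frame pointer at all.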