almost 6 years ago

"A calling convention is a set of rules dictating how function calls work at the machine level. It is defined by the Application Binary Interface (ABI) for a particular system. For example, should the parameters be passed through the stack, in registers, or both? Should the parameters be passed in from left-to-right or right-to-left? Should the return value be stored on the stack, in registers, or both?
There are many calling convetins, but the popular ones are CDECL, STDCALL, THISCALL, and FASTCALL. (The compiler can also generate its own custom calling convention [...])" - Practical Reverse Engineering: X86, X64, Arm, Windows Kernel, Reversing Tools, and Obfuscation

Calling Conventions

Parameters Pushed on the stack from right-to-left. Caller must clean up the stack after the call. Same as CDECL except that the callee must clean the stack. First two parameters are passed in ECX and EDX. The rest are on the stack.
Return value Stored in EAX. Stored in EAX. Stored in EAX.
Non-volatile registers EBP, ESP, EBX, ESI, EDI. EBP, ESP, EBX, ESI, EDI. EBP, ESP, EBX, ESI, EDI.

The most important thing that you have to know is that there are many ways to pass parameters (and acces them). Is not necessary to learn all calling conventions.

Author: @D00RT

Unpacking Revenge ransomware →