Let us step into this statement by pressing F11 again; something like the following will be displayed in the disassembly window. Note: it is very important that you press F11 and not F10, because the code path will NEVER return to the statement after the call statement:
Disassembly of THUNK at 0x0014A810 >
0x14A810: 52                    PUSH EDX
0x14A811: 68 F0 30 1B 79        PUSH 0x791B30F0
0x14A816: 55                    PUSH EBP
0x14A817: 53                    PUSH EBX
0x14A818: 56                    PUSH ESI
0x14A819: 57                    PUSH EDI
0x14A81A: 8D 74 24 10           LEA ESI,DWORD PTR [ESP+0x10]
0x14A81E: 51                    PUSH ECX
0x14A81F: 52                    PUSH EDX
0x14A820: 64 8B 1D 2C 0E 00 00  MOV EBX,FS:[0xE2C]
0x14A827: 8B 7B 08              MOV EDI,DWORD PTR [EBX+0x8]
0x14A82A: 89 7E 04              MOV DWORD PTR [ESI+0x4],EDI
0x14A82D: 89 73 08              MOV DWORD PTR [EBX+0x8],ESI
0x14A830: 56                    PUSH ESI
0x14A831: E8 14 C2 08 79        CALL 0x791D6A4A            ; (0x791D6A4A)
0x14A836: 89 7B 08              MOV DWORD PTR [EBX+0x8],EDI
0x14A839: 89 46 04              MOV DWORD PTR [ESI+0x4],EAX ;<==Note #2
0x14A83C: 5A                    POP EDX
0x14A83D: 59                    POP ECX
0x14A83E: 5F                    POP EDI
0x14A83F: 5E                    POP ESI
0x14A840: 5B                    POP EBX
0x14A841: 5D                    POP EBP
0x14A842: 83 C4 04              ADD ESP,0x4
0x14A845: 8F 04 24              POP DWORD PTR [ESP]        ;<==Note #3
0x14A848: C3                    RET
Now, single-step to the call statement (Note #2) and examine the contents of ESP by finding the Register Contents window and double-clicking on the ESP line:
ESP: 0x0012F2E4
+0x0012F2E4 0012F300 .... ESP
0x0012F2E8 00009731 ...1 -3C
+0x0012F2EC 04B71D10 .... -38
+0x0012F2F0 04B71D10 .... -34
0x0012F2F4 00009731 ...1 -30
+0x0012F2F8 0012F448 ...H -2C
+0x0012F2FC 0012F324 ...$ -28
+0x0012F300 791B30F0 y.0. -24 Ordinal79 + 0x30F0
+0x0012F304 0012F5B4 .... -20
+0x0012F308 06ED7B70 ..{p -1C
+0x0012F30C 071DF040 ...@ -18 Wilderland.WilderlandForm::Hobbiton_Button_Click (06000006) + 0x0028
+0x0012F310 04B72E74 ...t -14
+0x0012F314 04B72FA4 ../. -10
+0x0012F318 0012F368 ...h -0C
+0x0012F31C 04B72E74 ...t -08
+0x0012F320 06ED7B7B ..{{ -04
+0x0012F324 0012F368 ...h EBP
*** Frame for 0x0014A831***
+0x0012F328 071DD4A2 .... RET System.Windows.Forms.Control::OnClick (060005C4) + 0x0052
If you have paid attention to the execution of the disassembly, you will see that the contents of most of the registers have been pushed onto the stack, as well as the return address from the initial call statement, i.e., the entry labelled -18 (the offsets in the right-hand column of the dump are relative to EBP). We won't step into the call statement, even though this call actually invokes the JIT compiler, because exploring and explaining what happens there is beyond the scope of this article. It is worthwhile to point out that the address of the entry labelled -24 (0x0012F300) has been loaded into the ESI register and that this is the only parameter passed into the compiler. Finally, our local variable, TheOneRing, appears twice in the stack. Now, step over the call statement by pressing F10 and reexamine the contents of ESP:
ESP: 0x0012F2E8
0x0012F2E8 00009731 ...1 ESP
+0x0012F2EC 04B71D10 .... -38
+0x0012F2F0 04B71D10 .... -34
0x0012F2F4 00009731 ...1 -30
+0x0012F2F8 0012F448 ...H -2C
+0x0012F2FC 0012F324 ...$ -28
+0x0012F300 791B30F0 y.0. -24 Ordinal79 + 0x30F0
+0x0012F304 0012F5B4 .... -20
+0x0012F308 06ED7B70 ..{p -1C
+0x0012F30C 071DF040 ...@ -18 Wilderland.WilderlandForm::Hobbiton_Button_Click (06000006) + 0x0028
+0x0012F310 04B72E74 ...t -14
+0x0012F314 04B72FA4 ../. -10
+0x0012F318 0012F368 ...h -0C
+0x0012F31C 04B72E74 ...t -08
+0x0012F320 06ED7B7B ..{{ -04
+0x0012F324 0012F368 ...h EBP
*** Frame for 0x0014A836***
+0x0012F328 071DD4A2 .... RET System.Windows.Forms.Control::OnClick (060005C4) + 0x0052
If you carefully compare the before contents with the after contents, you will find no change in the stack values! What is going on here? In order to answer this question, we will continue single-stepping until we reach the statement POP DWORD PTR [ESP] (Note #3, which, by the way, removes the return address from the call statement at 0x6ED7B6B), and then examine what will be popped off the stack. The more astute of you may have seen that, while we were single-stepping, one of the DWORD values was altered from
+0x0012F304 0012F5B4 to 06ED7B6B
by the second move statement after the call. Single-stepping one more time will make this address the target of the return statement! Is this the end of our journey? No! Press F11 at the return statement and you will see something like the following:
Disassembly of THUNK at 0x06ED7B6B >
0x6ED7B6B: E8 28 A9 2C 00        CALL 0x71A2498
Furthermore, this address should be somewhat familiar since we saw it as the target of the call statement back in the disassembly for Wilderland.WilderlandForm::Hobbiton_Button_Click. The call statement has changed!
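To make the stack choreography above concrete, here is an added example (not code from the article) that emulates just the instructions of the thunk and reports where the final RET lands. Stack addresses and entry register values are reconstructed from the dumps on this page; the thread block behind FS:[0xE2C] and the FS base are constructed assumptions of the model.

```python
# Added example, not from the article: a minimal emulator for exactly the instructions in the
# thunk above, showing how the value the JIT hands back in EAX becomes the RET target.
# Stack addresses and register values are reconstructed from the dumps on this page;
# the thread block behind FS:[0xE2C] is a constructed model.
FS_BASE = 0x7FFDE000          # constructed base for FS:[...] accesses
PREV_FRAME = 0x0012F5B4       # frame-chain head (the value seen at 0x0012F304 before the call)
ENTRY_REGS = {'EAX': 0, 'ECX': 0x04B71D10, 'EDX': 0x00009731, 'EBX': 0x0012F448,
              'ESP': 0x0012F308, 'EBP': 0x0012F324, 'ESI': 0x00009731, 'EDI': 0x04B71D10}

def emulate_thunk(ret_addr=0x06ED7B70, jit_result=0x06ED7B6B, entry=ENTRY_REGS):
    """Run the thunk's stack choreography; report the RET target and key stack slots."""
    regs = dict(entry)
    thread = FS_BASE + 0x1000                                   # constructed: FS:[0xE2C] -> here
    mem = {regs['ESP']: ret_addr, FS_BASE + 0xE2C: thread, thread + 8: PREV_FRAME}
    def push(v):
        regs['ESP'] -= 4
        mem[regs['ESP']] = v & 0xFFFFFFFF
    def pop():
        v = mem[regs['ESP']]
        regs['ESP'] += 4
        return v
    push(regs['EDX']); push(0x791B30F0)                         # PUSH EDX; PUSH 0x791B30F0
    for r in ('EBP', 'EBX', 'ESI', 'EDI'): push(regs[r])
    regs['ESI'] = regs['ESP'] + 0x10                            # LEA ESI,[ESP+0x10] = entry ESP-8
    slot = regs['ESI'] + 4                                      # aliases the first PUSH EDX slot
    push(regs['ECX']); push(regs['EDX'])
    regs['EBX'] = mem[FS_BASE + 0xE2C]                          # MOV EBX,FS:[0xE2C]
    regs['EDI'] = mem[regs['EBX'] + 8]                          # MOV EDI,[EBX+8]
    mem[slot] = regs['EDI']                                     # MOV [ESI+4],EDI  (link frame)
    mem[regs['EBX'] + 8] = regs['ESI']                          # MOV [EBX+8],ESI
    push(regs['ESI'])                                           # PUSH ESI: the lone JIT argument
    esp_at_call, slot_before = regs['ESP'], mem[slot]
    pop()                                                       # CALL 0x791D6A4A: callee pops its arg
    regs['EAX'] = jit_result                                    # ... and returns the code address
    mem[regs['EBX'] + 8] = regs['EDI']                          # MOV [EBX+8],EDI  (unlink frame)
    mem[slot] = regs['EAX']                                     # MOV [ESI+4],EAX  <== Note #2
    for r in ('EDX', 'ECX', 'EDI', 'ESI', 'EBX', 'EBP'): regs[r] = pop()
    regs['ESP'] += 4                                            # ADD ESP,0x4: skip 0x791B30F0
    v = pop(); mem[regs['ESP']] = v                             # POP DWORD PTR [ESP] <== Note #3
    target = pop()                                              # RET
    restored = all(regs[r] == entry[r] for r in ('ECX', 'EDX', 'EBX', 'EBP', 'ESI', 'EDI'))
    return {'esp_at_call': esp_at_call, 'slot': slot, 'slot_before': slot_before,
            'slot_after': mem[slot], 'target': target, 'esp_after_ret': regs['ESP'],
            'regs_restored': restored, 'mem': mem}

if __name__ == '__main__':
    r = emulate_thunk()
    print(f"RET lands at 0x{r['target']:08X}; slot 0x{r['slot']:08X} went "
          f"0x{r['slot_before']:08X} -> 0x{r['slot_after']:08X}")
```

The emulator reproduces the first dump (ESP 0x0012F2E4 at the call, 0x791B30F0 at 0x0012F300, 0x0012F5B4 at 0x0012F304) and shows that the slot the JIT result is written to is the one POP DWORD PTR [ESP] copies over the original return address, so RET goes back to 0x06ED7B6B.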