I’m in the process of trying to decode some assembly code generated from a binary. There’s a call to the sscanf function in the code:
400f08: e8 13 fc ff ff callq 400b20 <sscanf@plt>
400f0d: 89 45 fc mov %eax,-0x4(%rbp)
Can you tell me how sscanf works in assembly? I’m pretty sure the number of arguments is stored in %eax….does it push the input into the stack in reverse order? So say my input is 0 1, after running sscanf, %eax=2 and the stack looks like:
1
0 <----%rsp (top of the stack)
Is this correct?
Thanks!
Follow the calling convention of the platform, as normal. 32-bit Linux uses cdecl by default, which has you push all the arguments onto the stack in reverse order. 64-bit Linux uses the System V AMD64 ABI convention, which uses
RDI,RSI,RDX,RCX,R8, andR9for integers and address and the XMM registers for floating point arguments (with surplus arguments going on the stack).The number of arguments isn’t pushed anywhere; AFAIK
sscanfdetermines this from the format string (though I’m happy to be corrected). The System V AMD64 ABI (64-bit) does specify thatALis used to store the number of XMM registers used (from 0 to 8), but that applies to floating-point arguments only (which should never be arguments tosscanf).