Subroutines

[SVG]

I am having some trouble understanding how PE Explorer come up with the disassembly of CALL SUB_LXYZ... If one jumps to where SUB_LXYZ.. is defined, there is no stack operation such as PUSH %EBP etc. Under what conditions does PE Explorer label the disassembly like this?

[TechMan]

It labels what it finds. A function doesn't have to always have a prolog and an epilog, or use the stack, etc. First, and most important, there's a function call somewhere. It's absolutely normal to have a function like this:

CODE

sub_xxxx:
 mov eax, 1
 ret

Here's a more complex example that doesn't allocate stack space, and yet it does a job. The element index is passed to the EAX register, the return value is placed into the EAX register:

CODE

TABLE:
   dd 0
   dd 1
   dd 2

sub_xxxx:
 cmp eax, COUNT
 ja  _above
 mov eax, dwod ptr [TABLE + eax*4]
 jmp _exit
_above:
 mov eax, -1
_exit:
 ret

The compiler may easily generate code that doesn't use the stack if the compiler decides so, it's called optimization. Due to the fact that optimization issues on modern CPUs are so complex, modern compilers often generate output code that has almost nothing to do with the original source code.