Reverse assembly and disassembly - function analysis

`add esp, 8` restores esp to the value it had before the call, discarding the 8 bytes of arguments that were pushed for it; this is what balances the stack.

The default is cdecl: the caller balances the stack (it removes the arguments after the call returns).

stdcall: the callee balances the stack (it removes the arguments before returning).

What is stack balancing?

》What does the stack look like before the call, and what does it look like after the call returns? If esp and ebp have the same values afterwards as before, the stack is balanced. All function calls in one thread share the same stack.

Why do we need to keep the stack balanced?

》Because Windows allocates 1M of stack space per thread by default. If the stack space each function allocates for its local variables were never reclaimed, it would be used up quickly. The stack must be balanced so that it can be reused.

Once a function call has completed, the local variables and other contents stored in that function's stack space become garbage data. Do not keep a pointer to a local variable of the callee after it returns: as soon as that memory is overwritten (for example by the next call), what you read through the pointer is junk.

A pointer must be set to NULL after use, and an object created with new must be deleted.
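The two points above (never return a pointer into a callee's dead frame; release heap objects and null the pointer) as an added C example, not code from the original post. The function names and the `ID-%04u` format are chosen for this illustration.

```c
/* Added example: returning a result without pointing into a dead stack frame. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* WRONG (kept as a comment, never compiled):
 *   static char *format_id_bad(unsigned id) {
 *       char buf[32];                       // lives only in this frame
 *       snprintf(buf, sizeof buf, "ID-%04u", id);
 *       return buf;                         // dangling after `ret`
 *   }
 * The next call reuses the same stack bytes, so the caller reads garbage. */

/* Fix 1: the caller owns the storage and passes it in.
 * Returns the number of bytes written, or -1 if the buffer is too small. */
int format_id(char *out, size_t out_len, unsigned id) {
    int n = snprintf(out, out_len, "ID-%04u", id);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                          /* would have been truncated */
    return n;
}

/* Fix 2: copy the result to the heap; its lifetime no longer depends on
 * any stack frame. Caller must release it with release_id(). */
char *format_id_dup(unsigned id) {
    char tmp[32];                           /* scratch, valid only here */
    if (format_id(tmp, sizeof tmp, id) < 0)
        return NULL;
    char *copy = malloc(strlen(tmp) + 1);
    if (copy)
        strcpy(copy, tmp);
    return copy;
}

/* Free the object and null the pointer, so a later accidental use fails
 * loudly instead of silently reading freed memory. */
void release_id(char **p) {
    free(*p);
    *p = NULL;
}

int main(void) {
    char buf[16];
    if (format_id(buf, sizeof buf, 42) >= 0)
        puts(buf);                          /* ID-0042 */
    char *heap = format_id_dup(7);
    if (heap) {
        puts(heap);                         /* ID-0007 */
        release_id(&heap);                  /* heap is now NULL */
    }
    return 0;
}
```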

Why is fastcall fast?

Because parameters are passed in registers:

Generally the first parameters are passed in registers; if there are many parameters, the first few go in registers and the rest are pushed on the stack.

In C++, calls to member functions of a class use thiscall.

The this pointer is passed in the ecx register.

Function calling conventions under Windows:

Their definitions are in the windef.h header file.

(Figure: the upper part shows the Mac definitions, the lower part the Windows ones.)

A variable number of parameters usually means cdecl, because only the caller knows how many arguments were passed in.

In a release build, relatively simple local variables may be optimized away entirely; you can use scanf (reading a value into the variable) to prevent this. So when working in IDA, pay attention mainly to the variable's name, such as arg1, rather than its offset: IDA names local variables var and parameters passed in from outside arg.

Origin blog.csdn.net/Tandy12356_/article/details/131130554