16

Let's take a look at how IDA displays the address of a local variable. For instance:

MOV EAX, [EBP + var_4]

As we all know, local variables are located at lower addresses than EBP.

[Image: Stack Frame]

Though I have been taking it for granted as inevitable, I am still very curious. Why does IDA display the local variable offset as [EBP + var], not [EBP - var]?

Thank you so much.

PSS
  • 3,088
  • 1
  • 21
  • 35

1 Answer

23

Have a look at the var_4 definition at the start of the function:

var_4 = dword ptr -4

So it's actually negative as expected.

For a more complete picture, use Ctrl+K or double-click/Enter on the stack var to see the stack frame layout:

-00000018 ; Two special fields " r" and " s" represent return address and saved registers.
-00000018 ; Frame size: 18; Saved regs: 4; Purge: 0
-00000018 ;
-00000018
-00000018 var_18          dd ?
-00000014 var_14          dd ?
-00000010 var_10          db 12 dup(?)
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)
+00000008 arg_0           dd ?
+0000000C
+0000000C ; end of stack variables
Igor Skochinsky
  • 36,553
  • 7
  • 65
  • 115
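To make the answer's point concrete (the operand reads `[EBP + var_4]` because `var_4` is a symbolic constant whose value is already negative), here is a small added example, not code from the answer or from IDA itself. It parses IDA-style stack variable definitions of the form shown in the answer (`var_4 = dword ptr -4`), then resolves an `[ebp+name]` operand to both its numeric form and an effective address. The definitions other than `var_4` are constructed from the frame listing in the answer and are assumptions about how IDA would print them.

```python
import re

# Constructed sample: variable definitions as IDA prints them at the top of a
# function. Only "var_4 = dword ptr -4" is quoted from the answer; the rest
# are assumed from the frame listing (offsets -18h, -14h, -10h, +8).
STACK_DEFS = """
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = byte ptr -10h
var_4  = dword ptr -4
arg_0  = dword ptr  8
"""

# name = <size> ptr <optional minus><digits><optional 'h' hex suffix>
DEF_RE = re.compile(r"^\s*(\w+)\s*=\s*(\w+)\s+ptr\s+(-?)([0-9A-Fa-f]+)(h?)\s*$")

# [base +/- term], e.g. "[ebp+var_4]", "[ebp-4]", "[ebp+arg_0]"
OPERAND_RE = re.compile(r"^\[\s*(\w+)\s*([+-])\s*(\w+)\s*\]$")


def parse_stack_defs(text):
    """Return {name: signed displacement from EBP} from IDA-style definitions.

    The sign is part of the constant, which is the whole point: var_4 is -4,
    so "ebp+var_4" is "ebp-4" after substitution.
    """
    table = {}
    for line in text.splitlines():
        m = DEF_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a definition
        name, _size_kw, sign, digits, hexsuf = m.groups()
        value = int(digits, 16 if hexsuf else 10)
        table[name] = -value if sign else value
    return table


def _parse_term(term, table):
    """Resolve a symbolic name or an immediate (decimal, 0x.., or IDA's 18h)."""
    if term in table:
        return table[term]
    if term.lower().endswith("h"):
        return int(term[:-1], 16)
    return int(term, 0)


def resolve_operand(operand, table, ebp):
    """Compute the effective address of an EBP-relative operand for a given EBP."""
    m = OPERAND_RE.match(operand.strip())
    if not m:
        raise ValueError(f"unsupported operand: {operand}")
    base, op, term = m.groups()
    if base.lower() != "ebp":
        raise ValueError("only EBP-relative operands are handled in this example")
    disp = _parse_term(term, table)
    return ebp + disp if op == "+" else ebp - disp


def describe(operand, table):
    """Rewrite '[ebp+var_4]' into the numeric form '[ebp-4]' (hex with 'h' above 9)."""
    m = OPERAND_RE.match(operand.strip())
    if not m:
        raise ValueError(f"unsupported operand: {operand}")
    base, op, term = m.groups()
    disp = _parse_term(term, table)
    if op == "-":
        disp = -disp
    sign = "-" if disp < 0 else "+"
    mag = abs(disp)
    return f"[{base}{sign}{mag:X}h]" if mag > 9 else f"[{base}{sign}{mag}]"


def frame_layout(table):
    """Names ordered from lowest to highest address, as in IDA's frame view."""
    return sorted(table, key=lambda n: table[n])


if __name__ == "__main__":
    defs = parse_stack_defs(STACK_DEFS)
    for name in frame_layout(defs):
        print(f"{defs[name]:+#06x}  {name}")
    for operand in ("[ebp+var_4]", "[ebp+var_18]", "[ebp+arg_0]"):
        ea = resolve_operand(operand, defs, ebp=0x1000)
        print(f"{operand:14} -> {describe(operand, defs):12} -> {ea:#x} with EBP=0x1000")
```

Running it lists the variables in the same order as the frame view in the answer (locals below EBP, the saved EBP and return address at +0 and +4, then `arg_0` at +8), and shows `[ebp+var_4]` collapsing to `[ebp-4]` once the constant is substituted.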