An Introductory Example of C Disassembly

Published: 2019-06-11


VS2013+WIN7+Debug

--- g:\coding\poet\test\ctest.cpp ----------------------------------------------
#include
using namespace std;
int main()
{
; push ebp: save the caller's ebp so its frame can be restored later
00D252A0  push        ebp
; copy esp into ebp: ebp now marks the base of this function's frame
00D252A1  mov         ebp,esp
; subtract 0C0h from esp to reserve stack space for local variables
; note: in assembly, a numeric constant that starts with a letter must be prefixed with 0
00D252A3  sub         esp,0C0h
; save the commonly used registers ebx, esi, edi (callee-saved) to preserve the caller's state
00D252A9  push        ebx
00D252AA  push        esi
00D252AB  push        edi
; load edi with ebp-0C0h (lea computes the effective address without reading memory)
00D252AC  lea         edi,[ebp-0C0h]
; put 30h (the size of the local area in 4-byte units) into ecx as the rep count
; note that 30h * 4 bytes = 0C0h
00D252B2  mov         ecx,30h
; 0CCCCCCCCh is the int 3 breakpoint opcode repeated; it is also the fill value for the local area
00D252B7  mov         eax,0CCCCCCCCh
; fill the local area with int 3 bytes, one dword per iteration
00D252BC  rep stos    dword ptr es:[edi]
    return 0;
; equivalent to mov eax,0, but xor is shorter and faster
00D252BE  xor         eax,eax
}
; restore ebx, esi, edi
00D252C0  pop         edi
00D252C1  pop         esi
00D252C2  pop         ebx
; restore the stack pointer esp to its value before the frame was set up
00D252C3  mov         esp,ebp
; restore the caller's ebp
00D252C5  pop         ebp
; return to the caller
00D252C6  ret

The stack space reserved for locals is filled in 4-byte units with 0CCCCCCCCh, which means every byte of the local-variable area is filled with 0xCC. (Why 0xCC? It is the machine code of int 3, the instruction used for breakpoints.)

An uninitialized variable therefore starts out holding 0xCC. That value lies outside the ASCII range 0-127, so such a "string" is interpreted as a wide-character string, with two bytes forming one character, and the wide character encoded by 0xCCCC is exactly the "烫" that appears in the garbage output.

#include <stdio.h>   /* printf */
#include <string.h>  /* memset */

int main()
{
    char s[100];
    /* emulate the Debug stack fill: every byte becomes 0xCC */
    memset(s, 0xcc, sizeof(s));
    /* s has no terminating zero, so printf keeps reading past the buffer
       until it meets a 0 byte; the bytes 0xCC 0xCC display as "烫" */
    printf("%s\n", s);
    return 0;
}

Dynamically allocated memory lives on the heap; the VC Debug runtime fills heap space with 0xCD, and two 0xCD bytes together display as "屯".
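The two fill values above (0xCC for stack locals, 0xCD for heap blocks) can be used to recognise memory that was never written after the prologue's rep stos or after allocation, which is a handy check when a Debug build misbehaves. The following is an added example, not code from the original post; the buffers are constructed with memset to emulate the Debug fill, and the hex dump avoids the unterminated-buffer read of the printf("%s") demo by using an explicit length.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* VC Debug fill values quoted on the page: 0xCC for fresh stack slots
   (also the int 3 opcode), 0xCD for freshly allocated heap memory. */
#define FILL_STACK 0xCC
#define FILL_HEAP  0xCD

enum fill_kind { FILL_NONE = 0, FILL_UNINIT_STACK, FILL_UNINIT_HEAP };

/* Return 1 if every byte of buf[0..n) equals pat, else 0. */
static int all_bytes_are(const unsigned char *buf, size_t n, unsigned char pat)
{
    size_t i;
    if (n == 0) return 0;
    for (i = 0; i < n; i++)
        if (buf[i] != pat) return 0;
    return 1;
}

/* Classify a buffer by the Debug-CRT fill pattern it still carries.
   Entirely 0xCC: a local never written after the prologue's rep stos.
   Entirely 0xCD: a heap block never written after allocation. */
enum fill_kind classify_fill(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    if (all_bytes_are(b, n, FILL_STACK)) return FILL_UNINIT_STACK;
    if (all_bytes_are(b, n, FILL_HEAP))  return FILL_UNINIT_HEAP;
    return FILL_NONE;
}

/* Hex-dump n bytes with an explicit length (no terminator needed).
   Returns the number of characters written, excluding the NUL. */
size_t hex_dump(const unsigned char *buf, size_t n, char *out, size_t outsz)
{
    size_t i, used = 0;
    if (outsz) out[0] = '\0';
    for (i = 0; i < n && used + 3 <= outsz; i++)
        used += (size_t)sprintf(out + used, "%02X", buf[i]);
    return used;
}

int main(void)
{
    unsigned char s[100];            /* constructed sample, not a real uninitialised local */
    char hex[16];
    memset(s, FILL_STACK, sizeof s); /* emulate the Debug stack fill */
    hex_dump(s, 2, hex, sizeof hex); /* "CCCC": the byte pair shown as 烫 */
    printf("%s -> kind %d\n", hex, classify_fill(s, sizeof s));
    return 0;
}
```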

; The ebp register is used to access local variables that are stored on the stack,
; this is known as a stack frame. Before we start doing anything, we need to save
; the stack frame of the calling function so it can be restored when we finish.
  push    ebp
; These two instructions create our stack frame, in this case, 192 bytes
; This space, although not used in this case, is useful for edit-and-continue. If you
; break the program and add code which requires a local variable, the space is
; available for it. This is much simpler than trying to relocate stack variables,
; especially if you have pointers to stack variables.
  mov     ebp,esp
d sub     esp,0C0h
; C/C++ functions shouldn't alter these three registers in this build configuration,
; so save them. These are stored below our stack frame (the stack moves down in memory)
r push    ebx
r push    esi
r push    edi
; This puts the address of the stack frame bottom (lowest address) into edi...
d lea     edi,[ebp-0C0h]
; ...and then fill the stack frame with the uninitialised data value (ecx = number of
; dwords, eax = value to store)
d mov     ecx,30h
d mov     eax,0CCCCCCCCh
d rep stos dword ptr es:[edi]
; Stack checking code: the stack pointer is stored in esi
r mov     esi,esp
; This is the first parameter to printf. Parameters are pushed onto the stack
; in reverse order (i.e. last parameter pushed first) before calling the function.
  push    offset SimpleDemo!`string'
; This is the call to printf. Note the call is indirect, the target address is
; specified in the memory address SimpleDemo!_imp__printf, which is filled in when
; the executable is loaded into RAM.
  call    dword ptr [SimpleDemo!_imp__printf]
; In C/C++, the caller is responsible for removing the parameters. This is because
; the caller is the only code that knows how many parameters were put on the stack
; (thanks to the '...' parameter type)
  add     esp,4
; More stack checking code - this sets the zero flag if the stack pointer is pointing
; where we expect it to be pointing.
r cmp     esi,esp
; ILT - Import Lookup Table? This is a statically linked function which throws an
; exception/error if the zero flag is cleared (i.e. the stack pointer is pointing
; somewhere unexpected)
r call    SimpleDemo!ILT+295(__RTC_CheckEsp)
; The return value is stored in eax by convention
  xor     eax,eax
; Restore the values we shouldn't have altered
r pop     edi
r pop     esi
r pop     ebx
; Destroy the stack frame
r add     esp,0C0h
; More stack checking code - this sets the zero flag if the stack pointer is pointing
; where we expect it to be pointing.
r cmp     ebp,esp
; see above
r call    SimpleDemo!ILT+295(__RTC_CheckEsp)
; This is the usual way to destroy the stack frame, but here it's not really necessary
; since ebp==esp
  mov     esp,ebp
; Restore the caller's stack frame
  pop     ebp
; And exit
  ret

; Debug only, no runtime checks
  push    ebp
  mov     ebp,esp
d sub     esp,0C0h
d lea     edi,[ebp-0C0h]
d mov     ecx,30h
d mov     eax,0CCCCCCCCh
d rep stos dword ptr es:[edi]
  push    offset SimpleDemo!`string'
  call    dword ptr [SimpleDemo!_imp__printf]
  add     esp,4
  xor     eax,eax
  mov     esp,ebp
  pop     ebp
  ret

; Release mode (I'm assuming the optimiser is clever enough to drop the stack frame when there's no local variables)
  push    offset SimpleDemo!`string'
  call    dword ptr [SimpleDemo!_imp__printf]
  add     esp,4
  xor     eax,eax
  ret
http://stackoverflow.com/questions/4024492/can-anyone-help-me-interpret-this-simple-disassembly-from-windbg

Reposted from: https://www.cnblogs.com/lgh1992314/p/5834672.html
