`stackcmp` does not handle `esp + [offset]` references correctly

[jonschz]

Stack variables can be addressed both from the base (ebp - [offset]) and the top (esp + offset) of the stack. Debug builds only ever use the former, while release builds use both. This causes two kinds of issues for stackcmp:

• The top of the stack changes during the execution of a function. This is not currently accounted for, leading to misdetections (both false positives and false negatives).
• The same variable can be referenced from both the top and the bottom of the stack. These different kinds of references are not matched at the moment.

[jonschz]

Solving this issue in general is pretty hard since one would need to know the calling conventions and usually also the signatures of the functions that are called from the current function. One partial remedy could be to

• parse explicit changes to esp
• Ignore pushes and call instructions
• Handle a few common cases (like ecx being pushed at the beginning)
• Warn whenever we encounter an operation beyond what we believe the stack to be, or when the stack isn't cleaned up

This would still have numerous pitfalls, but it would be a start.