x86 - Assembly - How does 0x80 with ecx=esp work?
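I have the following code:

    doit:
        mov eax, 4              ; write system call
        push dword 0x44434241   ; value to print, pushed onto the stack
        mov ebx, 1              ; file descriptor 1 (stdout)
        mov ecx, esp            ; buffer address = current top of stack
        mov edx, 4              ; number of bytes to write
        int 0x80
        add esp, 4              ; remove the pushed dword
        ret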
When I check, it prints "abcd". Why? As I understood it, the stack has the following picture:

    low --- 0x41 0x42 0x43 0x44
    <-- esp,

i.e. esp points to 0x44. When 0x80 is called, it should print "dcba". What have I missed?
Your stack picture is wrong. Because x86 is a little-endian architecture, esp is equal to the address of the least-significant byte in the pushed value, or 0x41.

From Intel's priceless architecture developer's manual:

    When an item is pushed onto the stack, the processor decrements the ESP register, then writes the item at the new top of stack.
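The push and the write call discussed above, modelled in C as an added example (not code from the question or the answer). The names stack_model, push_dword, write_bytes and emitted_byte are hypothetical, and array offsets stand in for real stack addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 64
/* Constructed model: mem[] stands in for stack memory, esp is an offset. */
struct stack_model {
    uint8_t  mem[STACK_SIZE];
    uint32_t esp;
};

static void stack_init(struct stack_model *s) {
    memset(s->mem, 0, sizeof s->mem);
    s->esp = STACK_SIZE;              /* empty: esp just past the top byte */
}

/* push dword: decrement esp, then store little-endian at the new esp,
   so the least-significant byte lands at the lowest address. */
static int push_dword(struct stack_model *s, uint32_t value) {
    if (s->esp < 4) return -1;        /* no room left in the model */
    s->esp -= 4;
    for (int i = 0; i < 4; i++)
        s->mem[s->esp + i] = (uint8_t)(value >> (8 * i));
    return 0;
}

/* Bytes that write(fd, ecx, edx) would emit: edx bytes read from ascending
   addresses starting at ecx. Returns the count, or -1 if out of range. */
static int write_bytes(const struct stack_model *s, uint32_t ecx,
                       uint32_t edx, uint8_t *out) {
    if (ecx > STACK_SIZE || edx > STACK_SIZE - ecx) return -1;
    memcpy(out, s->mem + ecx, edx);
    return (int)edx;
}

/* Push one dword on a fresh stack and return the i-th byte emitted
   when ecx = esp and edx = 4 (the call made in doit). */
int emitted_byte(uint32_t pushed, int i) {
    struct stack_model s;
    uint8_t out[4];
    stack_init(&s);
    if (i < 0 || i > 3 || push_dword(&s, pushed) != 0) return -1;
    if (write_bytes(&s, s.esp, 4, out) != 4) return -1;
    return out[i];
}

int main(void) {
    for (int i = 0; i < 4; i++)       /* value from the question */
        printf("esp+%d: 0x%02x\n", i, emitted_byte(0x44434241u, i));
}
```

The byte at esp is 0x41, so the write emits 0x41 0x42 0x43 0x44 in that order; pushing 0x41424344 instead would reverse the output.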