error in binary exploitation/buffer overflow

[B1LLP4RK]

EIP = 0x08048426 (ret)
ESP = 0xfffefffc
EBP = 0xffff002c

        0xffff0004: 0xffffa0a0              // say_hi argument 1
ESP ->  0xffff0000: 0x0804845a              // Return address for say_hi

if EBP is moved to ESP and the stack is popped as in the explanation, The value of ESP should be 0xffff0000, at least from my understanding.
Besides, the code itself is contradicting because the value of ESP at the top is not the same as where ESP is pointing in the stack at the bottom.