user994165

Reputation: 9502

Assembly Instruction interpretation

I see this instruction:

*0x804a1a0(,%eax,4)

I got the value at 0x804a1a0 and added the value of $eax*4, but that's not where the code jumped to. I did the same using the value 0x804a1a0 itself plus $eax*4 and it points elsewhere. How do I interpret the instruction above?

Upvotes: 2

Views: 219

Answers (1)

Daniel Hanrahan

Reputation: 4959

The short answer:

You say:

I got the value at 0x804a1a0 and added the value of $eax*4

This is wrong.

I did the same using the value 0x804a1a0 itself plus $eax*4

This is also wrong.

What you want is to compute 0x804a1a0 + eax*4 first, and then look at the value at that memory location.

The long answer:

The code you provided is not a full instruction, rather an operand to a move/jump/call instruction in AT&T syntax. More specifically, it's called an effective address. Basically this is a form of indirect addressing, which means the memory at the location given by the operand will be used.

The AT&T syntax of an effective address is:

DISP(BASE,INDEX,SCALE)

which should be interpreted as:

BASE + INDEX*SCALE + DISP

In your case,

0x804a1a0(,%eax,4)

is really:

%eax*4 + 0x804a1a0

Now for the *, according to http://wiki.osdev.org/Opcode_syntax:

Relative Addressing: Used by default in all jump and call instructions.

To use absolute addressing, the operand must be prefixed with an asterisk (*).

Also, from http://en.wikipedia.org/wiki/Addressing_mode:

The effective address for an absolute instruction address is the address parameter itself with no modifications.

So the final address is actually the location pointed to by eax*4 + 0x804a1a0.

If I had to guess, I'd say it's probably a jump/switch table at offset 0x804a1a0. In other words, the code does not execute at offset eax*4 + 0x804a1a0, rather it reads the address stored at that location, and jumps to that (hence it's an indirect jump).

Side rant: I really hate AT&T syntax. If you're new to assembly, you might prefer Intel syntax. I think it's far more readable. Your code in Intel syntax would probably be:

jmp dword ptr [0x804a1a0 + eax*4]

assuming the instruction is a jump.

Upvotes: 4
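The address arithmetic in the answer above, carried out in code. This is an added example and not part of the original post: it parses the general AT&T form DISP(BASE,INDEX,SCALE), computes BASE + INDEX*SCALE + DISP for given register values, and resolves a `*`-prefixed (indirect) jump by reading the 32-bit little-endian pointer stored at that address. The jump table contents at 0x804a1a0 and the four case-handler addresses are constructed sample data; nothing about the real binary in the question is known.

```python
import re
import struct

# Matches AT&T memory operands such as 0x804a1a0(,%eax,4), -0x10(%ebp,%ecx,2),
# (%ebx) or a bare displacement. Every component is optional except that at
# least a displacement or a parenthesised register group must be present.
EA_RE = re.compile(
    r"^(?P<disp>-?(?:0x[0-9a-fA-F]+|\d+))?"     # displacement (DISP)
    r"(?:\((?P<base>%\w+)?"                     # base register (BASE)
    r"(?:,(?P<index>%\w+)?"                     # index register (INDEX)
    r"(?:,(?P<scale>[1248]))?)?\))?$"           # scale factor (SCALE)
)

def parse_operand(operand):
    """Split an AT&T memory operand into (indirect, disp, base, index, scale).
    A leading '*' marks the operand as an indirect jump/call target."""
    indirect = operand.startswith("*")
    text = operand[1:] if indirect else operand
    m = EA_RE.match(text.strip())
    if not m or (m.group("disp") is None and m.group("base") is None
                 and m.group("index") is None):
        raise ValueError(f"unrecognised operand: {operand!r}")
    disp = int(m.group("disp"), 0) if m.group("disp") else 0
    scale = int(m.group("scale")) if m.group("scale") else 1
    return indirect, disp, m.group("base"), m.group("index"), scale

def effective_address(operand, regs):
    """BASE + INDEX*SCALE + DISP, truncated to 32 bits like the CPU does."""
    _, disp, base, index, scale = parse_operand(operand)
    addr = disp
    if base:
        addr += regs[base]
    if index:
        addr += regs[index] * scale
    return addr & 0xFFFFFFFF

def read_u32(memory, addr):
    """Read a little-endian 32-bit value from a (base_address, bytes) image."""
    base, blob = memory
    off = addr - base
    if off < 0 or off + 4 > len(blob):
        raise IndexError(f"address {addr:#x} is outside the modelled memory")
    return struct.unpack_from("<I", blob, off)[0]

def resolve_jump_target(operand, regs, memory):
    """Where `jmp *OPERAND` lands: the pointer stored AT the effective address,
    not the effective address itself. Only the indirect (*) form is modelled."""
    indirect, *_ = parse_operand(operand)
    if not indirect:
        raise ValueError("only '*'-prefixed indirect operands are modelled here")
    return read_u32(memory, effective_address(operand, regs))

# Constructed sample: a four-entry switch table at 0x804a1a0 whose slots hold
# the (made-up) addresses of four case handlers.
JUMP_TABLE_BASE = 0x804A1A0
CASE_HANDLERS = (0x8048500, 0x8048520, 0x8048540, 0x8048560)
MEMORY = (JUMP_TABLE_BASE, struct.pack("<4I", *CASE_HANDLERS))

if __name__ == "__main__":
    regs = {"%eax": 2}
    op = "*0x804a1a0(,%eax,4)"
    ea = effective_address(op, regs)
    target = resolve_jump_target(op, regs, MEMORY)
    print(f"effective address (slot)   : {ea:#x}")
    print(f"value stored at that slot  : {target:#x}  <- where the jmp goes")
    # The two readings from the question, for comparison:
    print(f"value at DISP, plus eax*4  : {read_u32(MEMORY, JUMP_TABLE_BASE) + 8:#x}  (wrong)")
    print(f"DISP plus eax*4 (the slot) : {ea:#x}  (address of the pointer, not the target)")
```

With eax = 2 the slot address is 0x804a1a8 and the jump lands on the third table entry; the two readings from the question yield 0x8048508 and 0x804a1a8 respectively, neither of which is a code address in this model.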
