Reputation: 385
So I'm practicing/slowly but surely learning and brushing up on my Assembly. Here's a random disassembled kernel function as an example:
81a1e85f 8b450c mov eax,dword ptr [ebp+0Ch] // Moving value stored at memory address contained in the ebp register+0Ch to the eax register.
81a1e862 8b4048 mov eax,dword ptr [eax+48h] // Moving value stored at memory address contained in the eax register+48h to the eax register.
81a1e865 8945f0 mov dword ptr [ebp-10h],eax // Moving value stored at memory address contained in the ebp-10h register to the eax register?
81a1e868 6a00 push 0 // ?
81a1e86a 8bc7 mov eax,edi // Move contents of the edi register into eax.
81a1e86c c745fc22010000 mov dword ptr [ebp-4],122h // ?
81a1e873 e8bf010000 call nt!PspGetPreviousProcessThread (81a1ea37) // Call the function named nt!PspGetPreviousProcessThread?
81a1e878 8b5d14 mov ebx,dword ptr [ebp+14h] // Moving value stored at memory address contained in the ebp register+14h to the ebx register.
I'm pretty new to most of it, so there's no doubt I'm either wrong on some of it, or wrong on all of it. Can anyone let me know what's going on, most of all where I commented '?', as I am unfamiliar with those.
Also, anything in brackets -- [ebp-4] for example, this is considered a dereferenced pointer, correct?
Upvotes: 1
Views: 828
Reputation: 5499
Also, anything in brackets -- [ebp-4] for example, this is considered a dereferenced pointer, correct?
While this is true in the examples you have provided, note that it is not true in all cases in the x86/x64 syntax. Specifically, the Load Effective Address (LEA) command uses square brackets but does not perform a pointer dereference. For example:
LEA EAX, [EBP+4]
Would add 4 to the value of EBP and store the result of the addition in EAX.
There's an excellent article by Matt Pietrek from 1998 (!) that covers a lot of these basics:
http://www.microsoft.com/msj/0298/hood0298.aspx
Upvotes: 5
Reputation: 28839
// Moving value stored at memory address contained in the ebp register+0Ch to the eax register.
// correct
mov eax,dword ptr [ebp+0Ch]
// Moving value stored at memory address contained in the eax register+48h to the eax register.
// correct
mov eax,dword ptr [eax+48h]
// Moving value stored at memory address contained in the ebp-10h register to the eax register?
// no, moving content of eax register (dword) to location [ebp-10h]
mov dword ptr [ebp-10h],eax
// ?
// pushes a 32-bit zero on the stack - probably an argument to the call below
push 0
// Move contents of the edi register into eax.
// correct
mov eax,edi
// ?
// store the 32-bit value 122h to location [ebp-4]
mov dword ptr [ebp-4],122h
// Call the function named nt!PspGetPreviousProcessThread?
// correct
call nt!PspGetPreviousProcessThread (81a1ea37)
// Moving value stored at memory address contained in the ebp register+14h to the ebx register
// correct
mov ebx,dword ptr [ebp+14h]
Upvotes: 6
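To make the two answers above concrete, here is an added example (not from the question, either answer, or any Windows source): a tiny interpreter for just the x86-32 instruction forms that appear in the listing (register, immediate and `[base+disp]` operands for `mov`, `push` and `lea`). It runs the question's instructions against a constructed stack frame and shows which operands are loads, which are stores, and that `lea` computes the address without touching memory. The frame pointer, the object address found at `[ebp+0Ch]`, the value at `+48h` and the contents of `edi` are all made-up sample data; the `call` is not modeled (the trace stops there, so the final `mov ebx,...` is never reached), and memory is modeled at dword granularity only.

```python
"""Added example: a minimal x86-32 subset interpreter used to trace the
instructions from the question.  All register and memory contents are a
constructed stack frame, not real kernel data."""
import re

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
MASK = 0xFFFFFFFF
# Matches "[base]", "[base+disp]", "[base-disp]", optionally prefixed "dword ptr".
MEM_RE = re.compile(r"^(?:dword ptr\s+)?\[(\w+)\s*([+-]\s*[0-9A-Fa-f]+h?)?\]$")


def imm(tok):
    """MASM-style number: trailing 'h' means hex (0Ch, 122h), otherwise decimal."""
    tok = tok.strip().lower()
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok, 10)


class Cpu:
    def __init__(self, regs, mem):
        self.regs = {r: 0 for r in REGS}
        self.regs.update(regs)
        self.mem = dict(mem)  # address -> dword; constructed, dword granularity only

    def ea(self, operand):
        """Effective address of a bracketed operand: base register plus displacement."""
        m = MEM_RE.match(operand.strip())
        if not m:
            raise ValueError("not a memory operand: %r" % operand)
        base, disp = m.group(1).lower(), m.group(2)
        addr = self.regs[base]
        if disp:
            sign, num = disp[0], disp[1:].strip()
            addr += imm(num) if sign == "+" else -imm(num)
        return addr & MASK

    def read(self, operand):
        """Source operand: a register, a dereferenced memory operand, or an immediate."""
        op = operand.strip()
        if op.lower() in self.regs:
            return self.regs[op.lower()]
        if MEM_RE.match(op):
            return self.mem.get(self.ea(op), 0)  # brackets as a source: load
        return imm(op) & MASK

    def write(self, operand, value):
        """Destination operand: a register, or a memory operand (brackets as a destination: store)."""
        op = operand.strip()
        if op.lower() in self.regs:
            self.regs[op.lower()] = value & MASK
        else:
            self.mem[self.ea(op)] = value & MASK

    def step(self, line):
        """Execute one instruction; returns False at a call, whose callee is not modeled."""
        text = line.split("//", 1)[0].strip()
        mnem, _, rest = text.partition(" ")
        mnem = mnem.lower()
        if mnem == "mov":
            dst, src = rest.split(",", 1)
            self.write(dst, self.read(src))
        elif mnem == "lea":
            dst, src = rest.split(",", 1)
            self.write(dst, self.ea(src))  # address only: the brackets are NOT dereferenced
        elif mnem == "push":
            self.regs["esp"] = (self.regs["esp"] - 4) & MASK
            self.mem[self.regs["esp"]] = self.read(rest)
        elif mnem == "call":
            return False
        else:
            raise ValueError("unsupported instruction: %r" % text)
        return True

    def run(self, listing):
        for line in listing:
            if not self.step(line):
                break
        return self


# The question's listing with addresses and opcode bytes stripped.
LISTING = [
    "mov eax,dword ptr [ebp+0Ch]",
    "mov eax,dword ptr [eax+48h]",
    "mov dword ptr [ebp-10h],eax",
    "push 0",
    "mov eax,edi",
    "mov dword ptr [ebp-4],122h",
    "call nt!PspGetPreviousProcessThread (81a1ea37)",
    "mov ebx,dword ptr [ebp+14h]",  # never reached: the trace stops at the call
]

EBP = 0x0012FF80   # constructed frame pointer
OBJ = 0x86001000   # constructed address of whatever [ebp+0Ch] points to


def trace_question_listing():
    """Run the listing on a constructed frame; returns the Cpu for inspection."""
    cpu = Cpu(
        regs={"ebp": EBP, "esp": EBP - 0x20, "edi": 0x8600A000},
        mem={EBP + 0x0C: OBJ, OBJ + 0x48: 0xCAFEBABE},
    )
    return cpu.run(LISTING)


def lea_vs_mov():
    """Same bracketed operand, two instructions: lea yields the address, mov the contents."""
    cpu = Cpu(regs={"ebp": EBP}, mem={EBP + 4: 0x41414141})
    cpu.step("lea eax,[ebp+4]")
    lea_result = cpu.regs["eax"]
    cpu.step("mov eax,dword ptr [ebp+4]")
    mov_result = cpu.regs["eax"]
    return lea_result, mov_result


if __name__ == "__main__":
    cpu = trace_question_listing()
    print("eax=%08x esp=%08x [ebp-10h]=%08x [ebp-4]=%08x [esp]=%08x" % (
        cpu.regs["eax"], cpu.regs["esp"], cpu.mem[EBP - 0x10], cpu.mem[EBP - 4], cpu.mem[cpu.regs["esp"]]))
    print("lea -> %08x, mov -> %08x" % lea_vs_mov())
```

After the trace, `[ebp-10h]` holds the dword that was read through the two-level pointer chase (`[ebp+0Ch]` then `+48h`), `esp` has dropped by 4 with a zero stored at the new top of stack, `[ebp-4]` holds 122h, and `eax` holds the old `edi`; `ebx` is untouched because the callee is not modeled. `lea_vs_mov` returns `ebp+4` itself for the `lea` and the dword stored there for the `mov`, which is the distinction the first answer makes.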