Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Easy newbie question about opcode

Posted on 2004-08-29
8
Medium Priority
?
427 Views
Last Modified: 2008-02-01
Hi

The following code:


jmp dword ptr [00402808]


in the debugger it's written this way:

jmp dword ptr ds:[<&user32.MessageBoxA>]


I want to know what they both mean, I only know jmp is an unconditional jump. Also I seek information on these registers that I can't seem to understand:

CS - code seg.
DS - data seg.
SS - ??

Please, detailed explanations/links. Thanks a lot gentlemen
0
Comment
Question by:BUCHAS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 

Expert Comment

by:__init__
ID: 11928806
> jmp dword ptr [00402808]

This is an indirect unconditional jump. Go to the address specified in the dword at address 00402808

> CS - code seg.
> DS - data seg.
SS - stack seg
ES,FS,GS - auxiliary segs

The most authoritative source is http://developer.intel.com/design/pentium/manuals/
0
 
LVL 7

Expert Comment

by:aib_42
ID: 11928826
"dword ptr" and the [braces] basically mean:
read (the braces) a DWORD (the ptr) from the given address and jump to it. The DWORD variable at location 00402808 through 0040280B contains the address of the code (which is MessageBox in this case) to jump to.
The "DS:" is implicit. Since you're reading the value of a variable and variables are in DS, you are actually reading DS:00402808; the debugger barely reminds you of this fact.

SS is short for "Stack Segment" and is the segment of the memory where the stack for the current task is located. The stack is a "push value in, pop value out when needed" kind of temporary storage for... well, anything temporary. Suppose you want to exchange the values of two registers without using the XCHG command or a third temporary register: What you do is, "push" the value of one onto the stack, give one register the value of the other, and "pop" back the value from the stack, i.e. temporary storage. Some instructions such as CALL and RET also use the stack (to save and restore the IP of the calling function, respectively). It is a different topic altogether, and I'm sure lots of experts (with better explaining capabilities than me :) would help you understand it if you asked.

Anyway, SS is used together with SP (Stack Pointer) to pin-point to the top of the stack. SS points to the big block of memory reserved for the stack and doesn't change very often, whereas SP points to the "top" of the stack within that big block of memory, and is changed with every stack operation (PUSH or POP).
0
 
LVL 2

Author Comment

by:BUCHAS
ID: 11935525
But what if I put the code simply this way:

> jmp [00402808]

Wouldn't it make the same effect as before? Also, what do the 3 letters "ptr" mean?
0
Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

 
LVL 7

Assisted Solution

by:aib_42
aib_42 earned 80 total points
ID: 11939313
That is the way you simply put the code, isn't it?

"ptr" means "pointer", and it again refers to the fact that "00402808" is merely a pointer, and you are reading something (in this case a DWORD) from the place it points.

The debugger is correct and so are you, think of this as you typing:

mov eax, 12345678

and the debugger showing it as:

mov eax, DWORD 12345678
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 11959340
You still might have a question about this:

    jmp dword ptr ds:[<&user32.MessageBoxA>]

Why jump to an address that is specified somewhere else?  Why not simply:

    jmp MessageBoxA

?  That is because MessageBoxA is a function in an external DLL.  The DLL gets loaded into memory at runtime.   When the compler compiles the code, it does not know the correct address.   So it allocates a fixed location in local memory for storage of the correct address.   Then when the system loads the program, the loader needs only to place the address in one place, rather than going through the entire program to update each opcode that jumps to that function.
0
 
LVL 9

Accepted Solution

by:
BeyondWu earned 320 total points
ID: 12328689
>>>But what if I put the code simply this way:
>>>> jmp [00402808]
>>>Wouldn't it make the same effect as before?

Well, you can't code "jmp [00402808]" directly in your code, in most case it will crash your program.
Because "jmp dword ptr [00402808]" has different effect with "jmp dword ptr ds:[<&user32.MessageBoxA>]"
What you are asking is about PE format, it has nothing to do with Asm language...

We call IAT(Import Address Table), when you are coding for a windows application, you may write:
MessageBox(blahblah....); in C++.
or maybe with ASM
PUSH blahblah...
CALL MessageBoxA
As you know, you haven't implement the function MessageBoxA, it has been implemented in a system DLL, user32.dll
And the compiler(whatever c or asm) actually don't know the acutal address of MessageBoxA function at that time,
because the DLL can be relocated at any address, and also different version windows platform have different version user32.dll and they may have different address of MessageBoxA function.

So the compiler or linker just leave it into a table which called IAT.
MessageBox(blahblah....); will be translated to something like "call xxx" and xxx point to a jump table, in your case the jump table contains "jmp dword ptr [00402808]", here 00402808 actually is a pointer to a IAT item, which contains the DLL name and funtion name, that's why your debugger knows "jmp dword ptr ds:[<&user32.MessageBoxA>]", actually at that time, the real address of MessageBoxA should be saved at [00402808], but to make the exe file more portable the linker hasn't filled in the real address of MessageBoxA at that time, at runtime, the loader(OS) will load User32.dll and it maybe relocated, the loader knows where it is, and the loader will fill all relevant addresses through the IAT table, and then pass the control to your program's entry point, at that time, every thing is OK...

OK, it's  really a looooong story, hope this can help you.
for more detailed information, please refer to http://personal5.iddeo.es/ret007ow/PE.TXT

Good Luck
0
 
LVL 2

Author Comment

by:BUCHAS
ID: 12538712
Thank you very much all who participated this topic. All your help is very appreciated. Whoever I "rewarded" the answers that more effectively pointed me to the solution.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question