Solved

Easy newbie question about opcode

Posted on 2004-08-29
8
420 Views
Last Modified: 2008-02-01
Hi

The following code:


jmp dword ptr [00402808]


in the debugger it's written this way:

jmp dword ptr ds:[<&user32.MessageBoxA>]


I want to know what they both mean, I only know jmp is an unconditional jump. Also I seek information on these registers that I can't seem to understand:

CS - code seg.
DS - data seg.
SS - ??

Please, detailed explanations/links. Thanks a lot gentlemen
0
Comment
Question by:BUCHAS
8 Comments
 

Expert Comment

by:__init__
ID: 11928806
> jmp dword ptr [00402808]

This is an indirect unconditional jump. Go to the address specified in the dword at address 00402808

> CS - code seg.
> DS - data seg.
SS - stack seg
ES,FS,GS - auxiliary segs

The most authoritative source is http://developer.intel.com/design/pentium/manuals/
0
 
LVL 7

Expert Comment

by:aib_42
ID: 11928826
"dword ptr" and the [braces] basically mean:
read (the braces) a DWORD (the ptr) from the given address and jump to it. The DWORD variable at location 00402808 through 0040280B contains the address of the code (which is MessageBox in this case) to jump to.
The "DS:" is implicit. Since you're reading the value of a variable and variables are in DS, you are actually reading DS:00402808; the debugger barely reminds you of this fact.

SS is short for "Stack Segment" and is the segment of the memory where the stack for the current task is located. The stack is a "push value in, pop value out when needed" kind of temporary storage for... well, anything temporary. Suppose you want to exchange the values of two registers without using the XCHG command or a third temporary register: What you do is, "push" the value of one onto the stack, give one register the value of the other, and "pop" back the value from the stack, i.e. temporary storage. Some instructions such as CALL and RET also use the stack (to save and restore the IP of the calling function, respectively). It is a different topic altogether, and I'm sure lots of experts (with better explaining capabilities than me :) would help you understand it if you asked.

Anyway, SS is used together with SP (Stack Pointer) to pin-point to the top of the stack. SS points to the big block of memory reserved for the stack and doesn't change very often, whereas SP points to the "top" of the stack within that big block of memory, and is changed with every stack operation (PUSH or POP).
0
 
LVL 2

Author Comment

by:BUCHAS
ID: 11935525
But what if I put the code simply this way:

> jmp [00402808]

Wouldn't it make the same effect as before? Also, what do the 3 letters "ptr" mean?
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 7

Assisted Solution

by:aib_42
aib_42 earned 20 total points
ID: 11939313
That is the way you simply put the code, isn't it?

"ptr" means "pointer", and it again refers to the fact that "00402808" is merely a pointer, and you are reading something (in this case a DWORD) from the place it points.

The debugger is correct and so are you, think of this as you typing:

mov eax, 12345678

and the debugger showing it as:

mov eax, DWORD 12345678
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 11959340
You still might have a question about this:

    jmp dword ptr ds:[<&user32.MessageBoxA>]

Why jump to an address that is specified somewhere else?  Why not simply:

    jmp MessageBoxA

?  That is because MessageBoxA is a function in an external DLL.  The DLL gets loaded into memory at runtime.   When the compler compiles the code, it does not know the correct address.   So it allocates a fixed location in local memory for storage of the correct address.   Then when the system loads the program, the loader needs only to place the address in one place, rather than going through the entire program to update each opcode that jumps to that function.
0
 
LVL 9

Accepted Solution

by:
BeyondWu earned 80 total points
ID: 12328689
>>>But what if I put the code simply this way:
>>>> jmp [00402808]
>>>Wouldn't it make the same effect as before?

Well, you can't code "jmp [00402808]" directly in your code, in most case it will crash your program.
Because "jmp dword ptr [00402808]" has different effect with "jmp dword ptr ds:[<&user32.MessageBoxA>]"
What you are asking is about PE format, it has nothing to do with Asm language...

We call IAT(Import Address Table), when you are coding for a windows application, you may write:
MessageBox(blahblah....); in C++.
or maybe with ASM
PUSH blahblah...
CALL MessageBoxA
As you know, you haven't implement the function MessageBoxA, it has been implemented in a system DLL, user32.dll
And the compiler(whatever c or asm) actually don't know the acutal address of MessageBoxA function at that time,
because the DLL can be relocated at any address, and also different version windows platform have different version user32.dll and they may have different address of MessageBoxA function.

So the compiler or linker just leave it into a table which called IAT.
MessageBox(blahblah....); will be translated to something like "call xxx" and xxx point to a jump table, in your case the jump table contains "jmp dword ptr [00402808]", here 00402808 actually is a pointer to a IAT item, which contains the DLL name and funtion name, that's why your debugger knows "jmp dword ptr ds:[<&user32.MessageBoxA>]", actually at that time, the real address of MessageBoxA should be saved at [00402808], but to make the exe file more portable the linker hasn't filled in the real address of MessageBoxA at that time, at runtime, the loader(OS) will load User32.dll and it maybe relocated, the loader knows where it is, and the loader will fill all relevant addresses through the IAT table, and then pass the control to your program's entry point, at that time, every thing is OK...

OK, it's  really a looooong story, hope this can help you.
for more detailed information, please refer to http://personal5.iddeo.es/ret007ow/PE.TXT

Good Luck
0
 
LVL 2

Author Comment

by:BUCHAS
ID: 12538712
Thank you very much all who participated this topic. All your help is very appreciated. Whoever I "rewarded" the answers that more effectively pointed me to the solution.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Binary bomb phase 3 10 2,063
debugging dll files in a .NET project 5 477
Buffer Bomb Level 3 (Dynamite) 5 7,651
new build power loop at boot no POST or beeps - new cpu, motherboard and PS 7 2,265
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
With User Account Control (UAC) enabled in Windows 7, one needs to open an elevated Command Prompt in order to run scripts under administrative privileges. Although the elevated Command Prompt accomplishes the task, the question How to run as script…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question