?
Solved

Easy newbie question about opcode

Posted on 2004-08-29
8
Medium Priority
?
425 Views
Last Modified: 2008-02-01
Hi

The following code:


jmp dword ptr [00402808]


in the debugger it's written this way:

jmp dword ptr ds:[<&user32.MessageBoxA>]


I want to know what they both mean, I only know jmp is an unconditional jump. Also I seek information on these registers that I can't seem to understand:

CS - code seg.
DS - data seg.
SS - ??

Please, detailed explanations/links. Thanks a lot gentlemen
0
Comment
Question by:BUCHAS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 

Expert Comment

by:__init__
ID: 11928806
> jmp dword ptr [00402808]

This is an indirect unconditional jump. Go to the address specified in the dword at address 00402808

> CS - code seg.
> DS - data seg.
SS - stack seg
ES,FS,GS - auxiliary segs

The most authoritative source is http://developer.intel.com/design/pentium/manuals/
0
 
LVL 7

Expert Comment

by:aib_42
ID: 11928826
"dword ptr" and the [braces] basically mean:
read (the braces) a DWORD (the ptr) from the given address and jump to it. The DWORD variable at location 00402808 through 0040280B contains the address of the code (which is MessageBox in this case) to jump to.
The "DS:" is implicit. Since you're reading the value of a variable and variables are in DS, you are actually reading DS:00402808; the debugger barely reminds you of this fact.

SS is short for "Stack Segment" and is the segment of the memory where the stack for the current task is located. The stack is a "push value in, pop value out when needed" kind of temporary storage for... well, anything temporary. Suppose you want to exchange the values of two registers without using the XCHG command or a third temporary register: What you do is, "push" the value of one onto the stack, give one register the value of the other, and "pop" back the value from the stack, i.e. temporary storage. Some instructions such as CALL and RET also use the stack (to save and restore the IP of the calling function, respectively). It is a different topic altogether, and I'm sure lots of experts (with better explaining capabilities than me :) would help you understand it if you asked.

Anyway, SS is used together with SP (Stack Pointer) to pin-point to the top of the stack. SS points to the big block of memory reserved for the stack and doesn't change very often, whereas SP points to the "top" of the stack within that big block of memory, and is changed with every stack operation (PUSH or POP).
0
 
LVL 2

Author Comment

by:BUCHAS
ID: 11935525
But what if I put the code simply this way:

> jmp [00402808]

Wouldn't it make the same effect as before? Also, what do the 3 letters "ptr" mean?
0
New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

 
LVL 7

Assisted Solution

by:aib_42
aib_42 earned 80 total points
ID: 11939313
That is the way you simply put the code, isn't it?

"ptr" means "pointer", and it again refers to the fact that "00402808" is merely a pointer, and you are reading something (in this case a DWORD) from the place it points.

The debugger is correct and so are you, think of this as you typing:

mov eax, 12345678

and the debugger showing it as:

mov eax, DWORD 12345678
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 11959340
You still might have a question about this:

    jmp dword ptr ds:[<&user32.MessageBoxA>]

Why jump to an address that is specified somewhere else?  Why not simply:

    jmp MessageBoxA

?  That is because MessageBoxA is a function in an external DLL.  The DLL gets loaded into memory at runtime.   When the compler compiles the code, it does not know the correct address.   So it allocates a fixed location in local memory for storage of the correct address.   Then when the system loads the program, the loader needs only to place the address in one place, rather than going through the entire program to update each opcode that jumps to that function.
0
 
LVL 9

Accepted Solution

by:
BeyondWu earned 320 total points
ID: 12328689
>>>But what if I put the code simply this way:
>>>> jmp [00402808]
>>>Wouldn't it make the same effect as before?

Well, you can't code "jmp [00402808]" directly in your code, in most case it will crash your program.
Because "jmp dword ptr [00402808]" has different effect with "jmp dword ptr ds:[<&user32.MessageBoxA>]"
What you are asking is about PE format, it has nothing to do with Asm language...

We call IAT(Import Address Table), when you are coding for a windows application, you may write:
MessageBox(blahblah....); in C++.
or maybe with ASM
PUSH blahblah...
CALL MessageBoxA
As you know, you haven't implement the function MessageBoxA, it has been implemented in a system DLL, user32.dll
And the compiler(whatever c or asm) actually don't know the acutal address of MessageBoxA function at that time,
because the DLL can be relocated at any address, and also different version windows platform have different version user32.dll and they may have different address of MessageBoxA function.

So the compiler or linker just leave it into a table which called IAT.
MessageBox(blahblah....); will be translated to something like "call xxx" and xxx point to a jump table, in your case the jump table contains "jmp dword ptr [00402808]", here 00402808 actually is a pointer to a IAT item, which contains the DLL name and funtion name, that's why your debugger knows "jmp dword ptr ds:[<&user32.MessageBoxA>]", actually at that time, the real address of MessageBoxA should be saved at [00402808], but to make the exe file more portable the linker hasn't filled in the real address of MessageBoxA at that time, at runtime, the loader(OS) will load User32.dll and it maybe relocated, the loader knows where it is, and the loader will fill all relevant addresses through the IAT table, and then pass the control to your program's entry point, at that time, every thing is OK...

OK, it's  really a looooong story, hope this can help you.
for more detailed information, please refer to http://personal5.iddeo.es/ret007ow/PE.TXT

Good Luck
0
 
LVL 2

Author Comment

by:BUCHAS
ID: 12538712
Thank you very much all who participated this topic. All your help is very appreciated. Whoever I "rewarded" the answers that more effectively pointed me to the solution.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question