Solved

Easy newbie question about opcode

Posted on 2004-08-29
8
419 Views
Last Modified: 2008-02-01
Hi

The following code:


jmp dword ptr [00402808]


in the debugger it's written this way:

jmp dword ptr ds:[<&user32.MessageBoxA>]


I want to know what they both mean, I only know jmp is an unconditional jump. Also I seek information on these registers that I can't seem to understand:

CS - code seg.
DS - data seg.
SS - ??

Please, detailed explanations/links. Thanks a lot gentlemen
0
Comment
Question by:BUCHAS
8 Comments
 

Expert Comment

by:__init__
ID: 11928806
> jmp dword ptr [00402808]

This is an indirect unconditional jump. Go to the address specified in the dword at address 00402808

> CS - code seg.
> DS - data seg.
SS - stack seg
ES,FS,GS - auxiliary segs

The most authoritative source is http://developer.intel.com/design/pentium/manuals/
0
 
LVL 7

Expert Comment

by:aib_42
ID: 11928826
"dword ptr" and the [braces] basically mean:
read (the braces) a DWORD (the ptr) from the given address and jump to it. The DWORD variable at location 00402808 through 0040280B contains the address of the code (which is MessageBox in this case) to jump to.
The "DS:" is implicit. Since you're reading the value of a variable and variables are in DS, you are actually reading DS:00402808; the debugger barely reminds you of this fact.

SS is short for "Stack Segment" and is the segment of the memory where the stack for the current task is located. The stack is a "push value in, pop value out when needed" kind of temporary storage for... well, anything temporary. Suppose you want to exchange the values of two registers without using the XCHG command or a third temporary register: What you do is, "push" the value of one onto the stack, give one register the value of the other, and "pop" back the value from the stack, i.e. temporary storage. Some instructions such as CALL and RET also use the stack (to save and restore the IP of the calling function, respectively). It is a different topic altogether, and I'm sure lots of experts (with better explaining capabilities than me :) would help you understand it if you asked.

Anyway, SS is used together with SP (Stack Pointer) to pin-point to the top of the stack. SS points to the big block of memory reserved for the stack and doesn't change very often, whereas SP points to the "top" of the stack within that big block of memory, and is changed with every stack operation (PUSH or POP).
0
 
LVL 2

Author Comment

by:BUCHAS
ID: 11935525
But what if I put the code simply this way:

> jmp [00402808]

Wouldn't it make the same effect as before? Also, what do the 3 letters "ptr" mean?
0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 
LVL 7

Assisted Solution

by:aib_42
aib_42 earned 20 total points
ID: 11939313
That is the way you simply put the code, isn't it?

"ptr" means "pointer", and it again refers to the fact that "00402808" is merely a pointer, and you are reading something (in this case a DWORD) from the place it points.

The debugger is correct and so are you, think of this as you typing:

mov eax, 12345678

and the debugger showing it as:

mov eax, DWORD 12345678
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 11959340
You still might have a question about this:

    jmp dword ptr ds:[<&user32.MessageBoxA>]

Why jump to an address that is specified somewhere else?  Why not simply:

    jmp MessageBoxA

?  That is because MessageBoxA is a function in an external DLL.  The DLL gets loaded into memory at runtime.   When the compler compiles the code, it does not know the correct address.   So it allocates a fixed location in local memory for storage of the correct address.   Then when the system loads the program, the loader needs only to place the address in one place, rather than going through the entire program to update each opcode that jumps to that function.
0
 
LVL 9

Accepted Solution

by:
BeyondWu earned 80 total points
ID: 12328689
>>>But what if I put the code simply this way:
>>>> jmp [00402808]
>>>Wouldn't it make the same effect as before?

Well, you can't code "jmp [00402808]" directly in your code, in most case it will crash your program.
Because "jmp dword ptr [00402808]" has different effect with "jmp dword ptr ds:[<&user32.MessageBoxA>]"
What you are asking is about PE format, it has nothing to do with Asm language...

We call IAT(Import Address Table), when you are coding for a windows application, you may write:
MessageBox(blahblah....); in C++.
or maybe with ASM
PUSH blahblah...
CALL MessageBoxA
As you know, you haven't implement the function MessageBoxA, it has been implemented in a system DLL, user32.dll
And the compiler(whatever c or asm) actually don't know the acutal address of MessageBoxA function at that time,
because the DLL can be relocated at any address, and also different version windows platform have different version user32.dll and they may have different address of MessageBoxA function.

So the compiler or linker just leave it into a table which called IAT.
MessageBox(blahblah....); will be translated to something like "call xxx" and xxx point to a jump table, in your case the jump table contains "jmp dword ptr [00402808]", here 00402808 actually is a pointer to a IAT item, which contains the DLL name and funtion name, that's why your debugger knows "jmp dword ptr ds:[<&user32.MessageBoxA>]", actually at that time, the real address of MessageBoxA should be saved at [00402808], but to make the exe file more portable the linker hasn't filled in the real address of MessageBoxA at that time, at runtime, the loader(OS) will load User32.dll and it maybe relocated, the loader knows where it is, and the loader will fill all relevant addresses through the IAT table, and then pass the control to your program's entry point, at that time, every thing is OK...

OK, it's  really a looooong story, hope this can help you.
for more detailed information, please refer to http://personal5.iddeo.es/ret007ow/PE.TXT

Good Luck
0
 
LVL 2

Author Comment

by:BUCHAS
ID: 12538712
Thank you very much all who participated this topic. All your help is very appreciated. Whoever I "rewarded" the answers that more effectively pointed me to the solution.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Convert from C to MIPS 14 1,378
Assembly Code 1 788
MIPS Assembly 8 528
Top cover replacement dell latitude d620 12 79
An article on effective troubleshooting
Knowing where your website is hosted is as important as the features you receive, the monthly fee, and the support you receive. Due diligence should be done when choosing your next hosting provider.
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question