Easy newbie question about opcode

Hi

The following code:


jmp dword ptr [00402808]


in the debugger it's written this way:

jmp dword ptr ds:[<&user32.MessageBoxA>]


I want to know what they both mean, I only know jmp is an unconditional jump. Also I seek information on these registers that I can't seem to understand:

CS - code seg.
DS - data seg.
SS - ??

Please, detailed explanations/links. Thanks a lot gentlemen
LVL 2
BUCHASAsked:
Who is Participating?
 
BeyondWuConnect With a Mentor Commented:
>>>But what if I put the code simply this way:
>>>> jmp [00402808]
>>>Wouldn't it make the same effect as before?

Well, you can't code "jmp [00402808]" directly in your code, in most case it will crash your program.
Because "jmp dword ptr [00402808]" has different effect with "jmp dword ptr ds:[<&user32.MessageBoxA>]"
What you are asking is about PE format, it has nothing to do with Asm language...

We call IAT(Import Address Table), when you are coding for a windows application, you may write:
MessageBox(blahblah....); in C++.
or maybe with ASM
PUSH blahblah...
CALL MessageBoxA
As you know, you haven't implement the function MessageBoxA, it has been implemented in a system DLL, user32.dll
And the compiler(whatever c or asm) actually don't know the acutal address of MessageBoxA function at that time,
because the DLL can be relocated at any address, and also different version windows platform have different version user32.dll and they may have different address of MessageBoxA function.

So the compiler or linker just leave it into a table which called IAT.
MessageBox(blahblah....); will be translated to something like "call xxx" and xxx point to a jump table, in your case the jump table contains "jmp dword ptr [00402808]", here 00402808 actually is a pointer to a IAT item, which contains the DLL name and funtion name, that's why your debugger knows "jmp dword ptr ds:[<&user32.MessageBoxA>]", actually at that time, the real address of MessageBoxA should be saved at [00402808], but to make the exe file more portable the linker hasn't filled in the real address of MessageBoxA at that time, at runtime, the loader(OS) will load User32.dll and it maybe relocated, the loader knows where it is, and the loader will fill all relevant addresses through the IAT table, and then pass the control to your program's entry point, at that time, every thing is OK...

OK, it's  really a looooong story, hope this can help you.
for more detailed information, please refer to http://personal5.iddeo.es/ret007ow/PE.TXT

Good Luck
0
 
__init__Commented:
> jmp dword ptr [00402808]

This is an indirect unconditional jump. Go to the address specified in the dword at address 00402808

> CS - code seg.
> DS - data seg.
SS - stack seg
ES,FS,GS - auxiliary segs

The most authoritative source is http://developer.intel.com/design/pentium/manuals/
0
 
aib_42Commented:
"dword ptr" and the [braces] basically mean:
read (the braces) a DWORD (the ptr) from the given address and jump to it. The DWORD variable at location 00402808 through 0040280B contains the address of the code (which is MessageBox in this case) to jump to.
The "DS:" is implicit. Since you're reading the value of a variable and variables are in DS, you are actually reading DS:00402808; the debugger barely reminds you of this fact.

SS is short for "Stack Segment" and is the segment of the memory where the stack for the current task is located. The stack is a "push value in, pop value out when needed" kind of temporary storage for... well, anything temporary. Suppose you want to exchange the values of two registers without using the XCHG command or a third temporary register: What you do is, "push" the value of one onto the stack, give one register the value of the other, and "pop" back the value from the stack, i.e. temporary storage. Some instructions such as CALL and RET also use the stack (to save and restore the IP of the calling function, respectively). It is a different topic altogether, and I'm sure lots of experts (with better explaining capabilities than me :) would help you understand it if you asked.

Anyway, SS is used together with SP (Stack Pointer) to pin-point to the top of the stack. SS points to the big block of memory reserved for the stack and doesn't change very often, whereas SP points to the "top" of the stack within that big block of memory, and is changed with every stack operation (PUSH or POP).
0
Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

 
BUCHASAuthor Commented:
But what if I put the code simply this way:

> jmp [00402808]

Wouldn't it make the same effect as before? Also, what do the 3 letters "ptr" mean?
0
 
aib_42Connect With a Mentor Commented:
That is the way you simply put the code, isn't it?

"ptr" means "pointer", and it again refers to the fact that "00402808" is merely a pointer, and you are reading something (in this case a DWORD) from the place it points.

The debugger is correct and so are you, think of this as you typing:

mov eax, 12345678

and the debugger showing it as:

mov eax, DWORD 12345678
0
 
DanRollinsCommented:
You still might have a question about this:

    jmp dword ptr ds:[<&user32.MessageBoxA>]

Why jump to an address that is specified somewhere else?  Why not simply:

    jmp MessageBoxA

?  That is because MessageBoxA is a function in an external DLL.  The DLL gets loaded into memory at runtime.   When the compler compiles the code, it does not know the correct address.   So it allocates a fixed location in local memory for storage of the correct address.   Then when the system loads the program, the loader needs only to place the address in one place, rather than going through the entire program to update each opcode that jumps to that function.
0
 
BUCHASAuthor Commented:
Thank you very much all who participated this topic. All your help is very appreciated. Whoever I "rewarded" the answers that more effectively pointed me to the solution.
0
All Courses

From novice to tech pro — start learning today.