Thread: ollydbg - explanation of short piece of assembly

  1. #1
    jamiemac2005
    Guest

    Question ollydbg - explanation of short piece of assembly

    okay, i'm getting started on ollydbg and i have a short piece of assembly i can't understand where it's referring to.. the assembly code is:

    MOV DWORD PTR SS:[ESP+14],ECX

    i know that it makes DWORD PTR SS:[ESP+14] equal to ECX but i don't know what DWORD PTR SS:[ESP+14] is referring to, i know DWORD is double word but i don't understand what PTR means
    nor SS:
    and i don't know what [ESP+14] refers to, i know that ESP is in the registers and before the code is executed ESP is 0012F054 and ECX is an ASCII string

    later on in the program there are another few instances of slightly varied versions of this code, the differences being that after ESP+ the hex changes to 24 then 1C

    can someone please explain to me where this is pointing?

    cheers much,
    Jamey
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    MOVe
    DWORD: A byte is 8 bits
    A word is 2 bytes, 16 bits
    A DWORD is 2 words, 4 bytes, 32 bits, the standard size of a 32 bit register such as ECX.

    PTR: Pointer, This prefix means that what comes afterwards in square brackets is an ADDRESS, where the value contained in ECX will be MOVed

    SS: Stack segment this is a selector that indicates that the pointed address you are MOVing to is located in the Stack.

    What is the stack? An area in memory where local variables are located. see this explanation
    http://www.woodmann.com/forum/showthread.php?t=5849&highlight=stack+dynamics

    ESP: Extended stack pointer: This is a 32 bit register that contains the address of the stack frame bottom. ESP+14 points to a memory address 0x14 bytes above the ESP.


    If you are really into understanding this business, I suggest you buy or download (From the ExeTools E-books list, link below) Hacker Disassembling Uncovered by Kris Kaspersky.

  3. #3
    Master Of Nebulah Frost Polaris's Avatar
    Join Date
    Jun 2002
    Location
    Invincible Cyclones Of FrostWinds
    Posts
    221
    Kris Kaspersky's book is available for free on Kris' ftp site:

    ftp://nezumi.org.ru/

    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  4. #4
    jamiemac2005
    Guest
    oh, i see now, thanks for the explanation, it helped a lot. yeah i've started downloading lots of ebooks etc on ollydbg but i don't have much free time at the moment (i'm taking my GCSE exams throughout this month) but after i'll get down to reading, cheers much

    Jamey =]

  5. #5
    Now that Naides has covered the semantics of what it is, I can cover what it does.

    More than likely, that's the code's way of setting a local variable to a value.

    (Local meaning it's only in scope for the current function/subroutine).

    (Sorry if you already knew this, but there is more to understanding assembly than just understanding what the mechanics are, you have to sometimes understand what the code is that generated it.)

    OK, I've stepped out this far, might as well finish it off.

    Code:
    void function(void)
    {
      long fred;   // 32 bit variable, local in scope
    
      fred = 0;   // Set it to a value
    }
    This code COULD produce something like this: (The pertinent bits at least).

    Code:
    XOR ECX, ECX ; Set ECX to 0
    MOV DWORD PTR SS:[ESP+14],ECX  ; Save it
    where ESP+14 would be "fred", and once the function returned, fred would be "out of scope" and destroyed on the stack.
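
As an added example (not code from any poster in this thread), the sketch below parses the operand text the way OllyDbg prints it, resolves the address it names, and models the 4-byte store. ESP is the value from the first post; the ECX value and all function names are assumptions made for the illustration, and a flat memory model is assumed, so the SS: override does not change the address.

```python
import re
import struct

# Operand sizes named by the keyword that precedes PTR.
SIZES = {"BYTE": 1, "WORD": 2, "DWORD": 4}

# OllyDbg-style memory operand: SIZE PTR SEG:[BASE+DISP]; the displacement is hex.
OPERAND = re.compile(
    r"^(BYTE|WORD|DWORD) PTR (?:([C-GS]S):)?\[(E[A-D]X|E[SD]I|E[SB]P)"
    r"(?:([+-])([0-9A-F]+))?\]$"
)

def parse_operand(text):
    """Split a memory operand into size, segment, base register and displacement."""
    m = OPERAND.match(text.strip().upper())
    if m is None:
        raise ValueError("unsupported operand: %r" % text)
    size, seg, base, sign, disp = m.groups()
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    return {"size": SIZES[size], "segment": seg, "base": base, "disp": offset}

def effective_address(op, regs):
    """Base register plus displacement, wrapped to 32 bits (flat model assumed)."""
    return (regs[op["base"]] + op["disp"]) & 0xFFFFFFFF

def store(memory, op, regs, value):
    """Model MOV <mem>,<reg>: write the value little-endian, one byte per address."""
    addr = effective_address(op, regs)
    fmt = {1: "<B", 2: "<H", 4: "<I"}[op["size"]]
    data = struct.pack(fmt, value & ((1 << (8 * op["size"])) - 1))
    for i, byte in enumerate(data):
        memory[(addr + i) & 0xFFFFFFFF] = byte
    return addr

# ESP is the value from the question; ECX is a constructed pointer value.
REGS = {"ESP": 0x0012F054, "ECX": 0x00403000}
MEMORY = {}

def demo():
    """Resolve the three operands from the question and perform each store."""
    ops = ("DWORD PTR SS:[ESP+14]", "DWORD PTR SS:[ESP+24]", "DWORD PTR SS:[ESP+1C]")
    return {t: store(MEMORY, parse_operand(t), REGS, REGS["ECX"]) for t in ops}

if __name__ == "__main__":
    for text, addr in demo().items():
        print("%s -> %08X" % (text, addr))
```

With ESP at 0012F054, the three operands resolve to three different 4-byte slots in the same stack frame, which is what separate local variables look like in the debugger.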

  6. #6
    Read the Intel reference manuals, always recommended.
