Thread: How does Ollydbg calculate 32bit values of segment

  1. #1
    1bitshort
    Guest

    In Ollydbg when you look at the segment registers you might see something like this:
    ES 0023 32bit 0(FFFFFFFF)
    CS 001B 32bit 0(FFFFFFFF)
    SS 0023 32bit 0(FFFFFFFF)
    DS 0023 32bit 0(FFFFFFFF)
    FS 003B 32bit 7FFDE000(FFF)

    Does anybody know how OllyDbg is able to calculate 7FFDE000 from 3B, and 0 from 23, 1B etc.? I see no correlation.

    Thanks for any help

  2. #2
    focht
    Guest

    Greetings,

    what you are looking at is 32 bit protected mode (and virtual 86 mode to some extent, DOS/BIOS legacy code emulation).

    Memory handling in protected mode is not easy to understand, partly because a number of similar items exist in both the segment mechanism and the paging mechanism, often with just enough difference that unless you work with it constantly, you usually need to look things up again to be sure of exactly how each part works.

    Win32 makes virtually no use of segmentation at all.
    The segments are always set up to allow addressing of the entire 4Gig address space.
    Within that address space, there will frequently be parts that 1) aren't present at all, and 2) are only accessible in specific ways.
    Certain parts will be executable only, others read only, others read/write, some generally won't be accessible at all unless you happen to have 4Gig of RAM installed.

    Now to the values themselves:

    0x23 consists of the selector 0x20 and the privilege level 3 (this is for user mode).
    The selector 0x20 is an index into a table called the global descriptor table (GDT) containing segment descriptions.
    The most common one is Base 0, Length 0xffffffff and some flags for rights management etc.

    Now armed with that knowledge we can decode the "rows":

    [segment reg] [selector value] [segment size bit = 16/32 bit] [segment base address] [sizeof segment]

    If you really want to know more: get some protected mode primers

    http://www.internals.com/articles/protmode/protmode.htm might be useful...

    More? -> google is your friend

    Regards,

    A. Focht
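
The row format described in the reply above, worked through as an added example (not part of the original thread and not OllyDbg's code): it splits a selector into its architectural x86 fields and decodes an 8-byte segment descriptor into base, limit and 16/32-bit size. The two raw descriptor values are constructed here so that they reproduce the DS and FS rows from the first post; a debugger reads the real ones from the descriptor table through the operating system.

```c
#include <stdint.h>
#include <stdio.h>

struct selector { unsigned index, ti, rpl; };        /* fields of a 16-bit selector */
struct segment  { uint32_t base, limit; int bits; }; /* what the debugger row shows */

static struct selector decode_selector(uint16_t sel)
{
    struct selector s;
    s.rpl   = sel & 3;         /* bits 0-1: requested privilege level */
    s.ti    = (sel >> 2) & 1;  /* bit 2: 0 = GDT, 1 = LDT */
    s.index = sel >> 3;        /* bits 3-15: index into that table */
    return s;
}

static struct segment decode_descriptor(uint64_t d)
{
    struct segment g;
    /* The 20-bit limit and 32-bit base are scattered across the descriptor. */
    uint32_t raw_limit = (uint32_t)(d & 0xFFFF) | ((uint32_t)((d >> 48) & 0xF) << 16);
    g.base = (uint32_t)((d >> 16) & 0xFFFFFF) | ((uint32_t)((d >> 56) & 0xFF) << 24);
    /* G bit (55): limit counts 4 KiB pages instead of bytes. */
    g.limit = ((d >> 55) & 1) ? (raw_limit << 12) | 0xFFF : raw_limit;
    /* D/B bit (54): default operand size, the "32bit" column. */
    g.bits = ((d >> 54) & 1) ? 32 : 16;
    return g;
}

static void print_row(const char *reg, uint16_t sel, uint64_t desc)
{
    struct selector s = decode_selector(sel);
    struct segment g = decode_descriptor(desc);
    printf("%s %04X %dbit %X(%X)   [%s index %u, RPL %u]\n", reg, (unsigned)sel,
           g.bits, (unsigned)g.base, (unsigned)g.limit,
           s.ti ? "LDT" : "GDT", s.index, s.rpl);
}

/* Constructed sample descriptors (assumptions, chosen to match the rows above). */
#define FLAT_DATA_DESC 0x00CFF3000000FFFFULL /* base 0, limit 0xFFFFF pages, G=1, D=1 */
#define FS_DESC        0x7F40F3FDE0000FFFULL /* base 7FFDE000, limit 0xFFF bytes, G=0 */

int main(void)
{
    print_row("DS", 0x0023, FLAT_DATA_DESC);
    print_row("FS", 0x003B, FS_DESC);
    return 0;
}
```

The base and limit come from the descriptor the selector points at, not from arithmetic on the selector value, which is why 3B and 7FFDE000 show no visible correlation.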