
ollydbg - explanation of short piece of assembly


jamiemac2005
June 3rd, 2007, 18:23
Okay, I'm getting started on ollydbg and I have a short piece of assembly I can't understand where it's referring to. The assembly code is:

MOV DWORD PTR SS:[ESP+14],ECX

I know that it makes DWORD PTR SS:[ESP+14] equal to ECX, but I don't know what DWORD PTR SS:[ESP+14] is referring to. I know DWORD is double word, but I don't understand what PTR means, nor SS:, and I don't know what [ESP+14] refers to. I know that ESP is in the registers, and before the code is executed ESP is 0012F054 and ECX is an ASCII string.

Later on in the program there are another few instances of slightly varied versions of this code, the differences being that after ESP+ the hex changes to 24, then 1C.

Can someone please explain to me where this is pointing?

Cheers much,
Jamey

naides
June 3rd, 2007, 19:12
MOV: MOVe
DWORD: A byte is 8 bits.
A word is 2 bytes, 16 bits.
A DWORD is 2 words, 4 bytes, 32 bits, the standard size of a 32-bit register such as ECX.

PTR: Pointer. This prefix means that what comes afterwards in square brackets is an ADDRESS, where the value contained in ECX will be MOVed.

SS: Stack segment. This is a selector that indicates that the pointed address you are MOVing to is located in the stack.

What is the stack? An area in memory where local variables are located. See this explanation:
http://www.woodmann.com/forum/showthread.php?t=5849&highlight=stack+dynamics

ESP: Extended stack pointer. This is a 32-bit register that contains the address of the stack frame bottom. ESP+14 points to a memory address 0x14 bytes above the ESP.


If you are really into understanding this business, I suggest you buy or download (From the ExeTools E-books list, link below) Hacker Disassembling Uncovered by Kris Kaspersky.

Polaris
June 4th, 2007, 00:35
Kris Kaspersky's book is available for free on Kris' ftp site:

ftp://nezumi.org.ru/


jamiemac2005
June 4th, 2007, 11:58
Oh, I see now, thanks for the explanation, it helped a lot. Yeah, I've started downloading lots of ebooks etc. on ollydbg but I don't have much free time at the moment (I'm taking my GCSE exams throughout this month), but after I'll get down to reading. Cheers much,

Jamey =]

FrankRizzo
June 4th, 2007, 17:59
Now that Naides has covered the semantics of what it is, I can cover what it does.

More than likely, that's the code's way of setting a local variable to a value.

(Local meaning it's only in scope for the current function/subroutine).

(Sorry if you already knew this, but there is more to understanding assembly than just understanding what the mechanics are, you have to sometimes understand what the code is that generated it.)

OK, I've stepped out this far, might as well finish it off.

Code:
void function(void)
{
    long fred; // 32 bit variable, local in scope

    fred = 0;  // Set it to a value
}


This code COULD produce something like this: (The pertinent bits at least).

Code:
XOR ECX, ECX ; Set ECX to 0
MOV DWORD PTR SS:[ESP+14],ECX ; Save it


where ESP+14 would be "fred", and once the function returned, fred would be "out of scope" and destroyed on the stack.
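As an added illustration of the semantics described in this thread (not code from any of the posters), here is a small C model of what MOV DWORD PTR SS:[ESP+disp],ECX does to stack memory: it computes the effective address ESP+disp and stores the 32-bit register there as four little-endian bytes, so the slots at +14, +1C and +24 are three separate 4-byte locals. The ESP value 0x0012F054 and those three displacements come from the thread; the base address and size of the modelled stack region and the sample register values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a slice of the stack segment (SS). ESP = 0x0012F054 and the
   displacements 0x14/0x1C/0x24 come from the thread; base address and size are assumed. */
#define STACK_BASE 0x0012F000u  /* address of stack_mem[0] (assumed) */
#define STACK_SIZE 0x100u
static uint8_t stack_mem[STACK_SIZE];  /* zero-filled at start */

/* Offset into stack_mem of a 4-byte access at ea, or -1 if the DWORD would
   not fit entirely inside the modelled region. */
static long slot_offset(uint32_t ea)
{
    if (ea < STACK_BASE || ea + 4 > STACK_BASE + STACK_SIZE) return -1;
    return (long)(ea - STACK_BASE);
}

/* "MOV DWORD PTR SS:[ESP+disp],reg": effective address = ESP + disp, then the
   32-bit register is stored as 4 little-endian bytes (low byte first).
   Returns the effective address, or 0 if the access is out of bounds. */
uint32_t mov_dword_to_stack(uint32_t esp, uint32_t disp, uint32_t reg)
{
    uint32_t ea = esp + disp;
    long off = slot_offset(ea);
    if (off < 0) return 0;
    for (int i = 0; i < 4; i++) stack_mem[off + i] = (uint8_t)(reg >> (8 * i));
    return ea;
}

/* The reverse "MOV reg,DWORD PTR SS:[ESP+disp]": reassemble the 4 bytes. */
uint32_t mov_dword_from_stack(uint32_t esp, uint32_t disp)
{
    long off = slot_offset(esp + disp);
    uint32_t reg = 0;
    if (off < 0) return 0;
    for (int i = 0; i < 4; i++) reg |= (uint32_t)stack_mem[off + i] << (8 * i);
    return reg;
}

int main(void)
{
    uint32_t esp = 0x0012F054u;
    /* XOR ECX,ECX / MOV DWORD PTR SS:[ESP+14],ECX : the post's "fred = 0" */
    uint32_t fred = mov_dword_to_stack(esp, 0x14, 0);
    uint32_t b = mov_dword_to_stack(esp, 0x1C, 0x11223344u);  /* constructed values */
    uint32_t c = mov_dword_to_stack(esp, 0x24, 0xDEADBEEFu);
    printf("[ESP+14]=%08X [ESP+1C]=%08X [ESP+24]=%08X, low byte at [ESP+1C]=%02X\n",
           fred, b, c, stack_mem[b - STACK_BASE]);
    return 0;
}
```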

LLXX
June 5th, 2007, 03:44
Read the Intel reference manuals, always recommended.