I have a line of ASM which I am trying to work out how it does what it does.

The line reads: MOV EAX, [EBX+000002FC] and every time I step over it, it changes EAX to a single number i.e 00000008, why ?

The EBX register is always at 00EF1E8C when this line is executed. I need to know how it works out the value to put in the EAX register.

Cheers.

EBX is being used as the base of a lookup table, and 000002FC is the positive displacement (it used to be called the Base Pointer in prehistoric times) What is being moved to EAX is at the memory address pointed by EBX + 000002FC, or EF2188, so look at that memory address, and you should find the 00000008 value.

Thanks for that, how do I "look" at the address of 00EF1E8C ? and how did you come to get that address from the info I gave you ?

You cant (directly) see the contents of EBX during
disassembly, but you may be able to deduce it by
looking at surrounding code.

eg:
----
table dd 100h
dd 200h
... etc

mov ebx, offset table ;; get table base
mov eax, [ebx+4] ;; get 2nd entry (200h)
----
Alternatively, if you are debugging this code, just look at
the contents of the EBX register before you execute the
line, then compute the full address and use the debugger
to display the contents of that memory.

-Shadz

Yeah, I am debugging this code using sice, but I'm still a little lost. What I need to know is how to find the bit of code that puts the numbers (8 in this case) in to EBX which is then put into EAX when MOV EAX, [EBX+000002FC] is executed.

the 8 is in no way contained in EBX, it is POINTED by EBX + 000002FC. That is what the brackets mean. EBX in this case is a pointer, a memory address of another value.

Hi naides:

I took the small liberty of highlighting your comments in the markh51 quotes so they would stand out more clearly. Hope that's ok and that I marked the correct comments.

Regards

naides:

OK, I seem to get what you saying... so are the numbers contained at memory address 00EF2188 ? If so, how can I find the part in the code where the numbers are written to the memory address ? I have tried using a BPM at this address, but it just seems to break at different parts of the code.

Different parts than what? Than the ones you want? Than the ones you guessed? Maybe it is modified from all these different parts of code?

It is also possible that the array is created dynamically, and then the base address may be different each time, and you will end up having put a breakpoint in the heap, where random memory allocation for any code inside the program might have claimed this memory address and used it for other purposes. In that case you need to backtrack the code to see where the buffer is created (follow the value of ebx backwards in the code) and create the data breakpoint first at this point.

Besides what Delta suggested, If you are interested in the piece of code that writes the 00000008 at that memory location, perhaps a conditional BPM?

BPMD 00EF2188 W IF ( @00EF2188 == 00000008)
I am not certain it would work because I don't know if the IF clause is evaluated before or after the write action takes place, but is worth a shot.

most likely after, as it is the usual behavior of a read/write hardware breakpoint (for obvious reasons bpm X is different). SoftICE's handler evaluates your expression once it has control. And it gets control after the write has taken place.

so it looks ok.
--
I'd also recomment a good asm tutorial to markh51.

Thanks guys for all your suggestions on this, I have now worked it out.

Thanks again