x86 assembly "push OFFSET ..." and mnemonics?

I'm trying to teach myself a bit of assembly by creating small C programs in Visual Studio 2012 Express, and then disassembling them in Immunity Debugger. But I've obviously run into something I do not understand:

012A13F0   68 58582A01      PUSH OFFSET Hello_Wo.??_C@_0M@KPLPPDAC@H>; ASCII "Hello World"
012A13F5   FF15 BC922A01    CALL DWORD PTR DS:[<&MSVCR110D.printf>]  ; MSVCR110.printf

I'm confused by both of these instructions. In fact, the opcodes make more sense to me than the actual instructions depicted by the debugger.

Obviously, the first instruction pushes an address onto the stack. When I follow the address in the dump, it shows me an area which contains some hexadecimals that comprise the string Hello World. I believe this is the .data segment. Am I correct?

And also: I guess Hello_Wo.??_C@_0M@... is just a visual aid provided to me by the debugger, so I could better understand that this is... something...

But what does the OFFSET mean in this push instruction? I haven't been able to find anything on Google on it.

I would also like to ask about the other instruction...

As far as I understand, it is trying to call a routine by using the 4-byte value located at the address DS:[102A92BC] (&MSVCR110D...), as the address of the call?

The debugger tells me that DS:[102A92BC] = 5C0A93A0. And that memory range is reserved for MSVCR110's .text segment.

I'm very sorry, but I had a hard time making this question, as I wasn't even really sure how I should ask it. I hope you understand. And thank you.

Off-topic: I have one last question that is a bit stupid, and off-topic, but I hope you don't mind: You aren't supposed to read data segments as disassembled code, ever, are you? The imports data segment made me confused in my search for 5C0A93A0.

Volatile asked Jul 13 '13 21:07


1 Answer

In the x86 architecture, every address has two parts: segment and offset. So, OFFSET means simply that the offset of the address of some variable "Hello_Wo.??_C@_0M@KPLPPDAC@H" is pushed onto the stack. This directive is from the MASM syntax, where "push variable" means push the value of the variable and "push offset variable" means push the offset of the variable.

The mentioned ".data" and ".text" are not segments, but sections. It's completely different. The section is just a part of the executable file that has separate memory protection. The C/C++ compilers usually use ".text" for the program code. Don't ask me why.

In modern protected mode OSes, a flat memory model is used. That means all code and data is placed in one big segment, so you never have to work with the DS, ES, etc. segment registers. Their values are managed by the OS.

P.S. Beginning to learn assembly language with reversing HLL programs is not the best strategy.

Better try to read and write some native assembly code. There are many places on the Internet where you can download such examples, very simple and very complex, depending on your progress. I would suggest using FASM. There is a message board with tons of useful information and people that can answer your questions.

johnfound answered Sep 28 '22 08:09
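To make the two disassembled instructions from the question and the answer's "push the offset, not the value" point concrete, here is an added C model that is not part of the original question, answer or any real runtime library. It assumes a hypothetical one-slot import address table (`iat_printf_slot`) and a stand-in routine (`fake_printf`) in place of the real MSVCR110D.printf; everything else is constructed for the example. `PUSH OFFSET string` corresponds to pushing the address of the literal, and `CALL DWORD PTR DS:[slot]` corresponds to reading a function pointer out of a data slot that the loader filled in, then calling it. The slot is data, which is why reading the imports area as code gives nonsense.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The string literal lives in a read-only data section of the image.
 * "PUSH OFFSET hello_world" pushes its address, never its bytes. */
static const char hello_world[] = "Hello World";

/* Stand-in for the imported routine the real program resolves from
 * MSVCR110D.dll (constructed for this example, not the real printf). */
static int fake_printf(const char *fmt) {
    return (int)strlen(fmt);   /* 11 for "Hello World" */
}

/* Hypothetical one-slot import address table (IAT). It is a data
 * location: the loader writes the resolved function address here. */
typedef int (*printf_fn)(const char *);
static printf_fn iat_printf_slot = NULL;

/* Simulates the loader filling the IAT slot before main() runs. */
void loader_resolve_imports(void) {
    iat_printf_slot = fake_printf;
}

/* Equivalent of the two instructions in the question:
 *   PUSH OFFSET hello_world             ; push the address of the string
 *   CALL DWORD PTR DS:[iat_printf_slot] ; read pointer from IAT, then call
 * The slot must already be resolved, otherwise this would jump to NULL. */
int call_through_iat(void) {
    const char *arg = hello_world;        /* the value that gets pushed */
    printf_fn target = iat_printf_slot;   /* memory read of the data slot */
    if (target == NULL) {
        return -1;                        /* unresolved import: refuse to call */
    }
    return target(arg);
}

/* Checks that what "PUSH OFFSET" pushes is an address: it points at the
 * first byte of the literal, and that byte is 'H', not a pointer value. */
int pushed_value_is_address(void) {
    const char *pushed = hello_world;
    return pushed == &hello_world[0] && pushed[0] == 'H';
}

/* Checks that the IAT slot, read as data, holds the callee's address. */
int iat_slot_holds_callee(void) {
    return iat_printf_slot == fake_printf;
}

int main(void) {
    printf("before loader: call_through_iat() = %d\n", call_through_iat());
    loader_resolve_imports();
    printf("after loader:  call_through_iat() = %d\n", call_through_iat());
    printf("pushed value is an address: %d\n", pushed_value_is_address());
    return 0;
}
```

The NULL check in `call_through_iat` is the part a real `CALL DWORD PTR [slot]` does not have: if the slot were never written, the CPU would simply jump to whatever bytes are there, which is why the loader must resolve every import before any code runs.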