Acquiring an operand from an instruction

Question

Given the following x86 assembly instructions:

mov     esi, offset off_A
cmp     esi, offset off_B

how would I get the offsets (the second operand) at runtime ? This is the scenario: A program (injected into the process at runtime) replaces the offsets with a few of its own, resulting in:

mov     esi, offset off_X
cmp     esi, offset off_Y

This program allows plugins to be written and loaded through it but doesn't expose the replacement addresses. So, given the addresses at which the above instructions exist, how do I find offsets X and Y ?

Answer 1

I'm not sure what you are asking. The offset is the address. So that first line of code is moving the address of off_9F6FBC to esi.

If you mean how to get the absolute address(in combination with PIC and such) then this can not be known at disassembly time. It is only known at runtime and can change every run

Answer 2

I don't quite understand what this is for, but...

mov esi, ... is encoded as BE followed by the dword operand. If you've got the address of the mov instruction you can simply skip one byte ahead and see the address operand, off_A

cmp esi, ... is encoded as 81 FE followed by a dword operand, so here you can skip two bytes to see the operand.

Answer 3

There are many ways to encode MOV esi, immediate. Depending about your assembler and compiler, any of them might be used.

If you do it without using assembler mnemonics, as in hex. You could pinpoint the offsets there:

db 0xBE; off_X: dd normal_offset