tags:

views:

38

answers:

1
Q: 

How to calculate DS:[0040207A] manually?

alt text

alt text

How to get the result 77D507EA manually from DS:[0040207A] according to register info above? UPDATE

memory map

+1  A: 

I see your using OllyDbg, so to make it a little relavent to your situation:

DS indicates that it(the address) is in the data segment, [0040207A] is the address in the data segment. if you goto (crtl + g in olly) address 0x40207A, you'll see some bytes, this is the pointer to MessageBoxA. just note that your missing the size of element pointed to by the address (in this case its DWORD PTR), the full instruction should be MOV EAX, DWORD PTR DS:[0040207A]

In the data dump(window in the bottom left), it should look something like: 0040207A EA 07 D5 77

In the CPU window, it might get properly analysed by olly(depends on the plugins and confings), in which case it'll look something like: 0040207A MessageBoxA EA 07 D5 77 User32.MessageBoxA

Also not, the address 0040207A might not be static, so going there will olly in a different session might not work, due to windows rebasing the virtualized binary

Update

It would appear that both your assembly knowledge and knowledge of x86 architecture is really poor, as such I would recommend that you read up on these subjects, wikipedia is a good start, else your not going to understand how addressing and pointers are handled on an assembly level

Necrolis  2010-09-30 09:03:01
`0040207A = base_of_DS + 0040207A`,but how can I see `base_of_DS` in the first place?
COMer  2010-10-08 07:25:12
@COMer: "base of DS" is defined in the PE of the image your examining, and it only applies to the image your exaiming. under olly you can use memory map(crtl-M iirc) to view the various memory mapped sections, `.data` is the Data Segment(just note though, thats not really true, 'DS:' can be used on anything, its just an accessing/addressing mode). you'll do well to give the art of assembly a read(its free these days)
Necrolis  2010-10-08 07:36:44
The base of DS should be `77D507EA-0040207A=7794E770`,but I've checked the memory map(see my updated post),there is no such address :(
COMer  2010-10-08 08:42:00
@COMer: no, `77D507EA` is a kernel function address, it has nothing to do with this, other than the fact its stored at `0040207A`. have a look at the segment registers section here: http://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture `DS:` indications that it'll be data(it a hint, it can be ignore, data can be read from a code segment too). in your image the data segement(as set by the linker) starts at `0402000`, so you really have: `0402000` + `7A` = `0040207A`.
Necrolis  2010-10-08 09:23:40

related questions

MIPS Assembly Pointer to a Pointer?
Grub and getting into Real Mode (low level assembler question)
What can cause MASM to display "junk"?
Pseudo random generator, Assembler
How can I multiply two 64bit numbers using x86 assembly language?
what interrupt would you hook from DOS to get the real-time clock
Is learning Assembly Language worth the effort?
Prefetch instructions on ARM
What was the name of the Mac (68000) assembler?
What is the fastest way to convert float to int on x86
Comprehensive List of x86_64 Assembly Instructions
Assembly CPU frequency measuring algorithm
Is there a way to insert assembly code into C?
JIT code generation techniques
What is the meaning of "non temporal" memory accesses in x86
How do I get the assembler output from a C file in VS2005
Is GCC broken when taking the address of an argument on ARM7TDMI?
8086 Assembler Tutorial
Is it worth it to learn a dialect of assembly?
Assembler IDE/Simulator for beginner
What is the best way to learn Assembly? Specifically, for someone who has experience in dynamic languages.
Incrementing from 0 to 100 in assembly language.
Mixing 32 bit and 16 bit code with nasm
x86 Assembly on a mac...
Good x86 assembly book