theguy

Joined: 22 Jan 2015
Posts: 10
theguy 08 Feb 2015, 19:12
Here's the code, and read the comment in the code because that's the question.

Code:
```
lea eax,[esp+4]  ; eax = 0006ff90 .....but mov eax,[esp+4] = 7ffd8000
```

I am using OllyDbg and I'm guessing LEA loads the address into eax and the MOV instruction, along with the brackets, loads what is contained at address 0006ff90. Is that what is happening?
redsock

Joined: 09 Oct 2009
Posts: 430
Location: Australia
redsock 08 Feb 2015, 19:16
Code:
```
lea eax, [esp+4]
```
is the same as
Code:
```
mov eax, esp
add eax, 4
```
versus
Code:
```
mov eax, [esp+4]
```
which loads the dword at the address referenced by esp+4 into eax, entirely different operations.
revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20248
Location: In your JS exploiting you and your system
revolution 09 Feb 2015, 01:10
theguy wrote:
... I'm guessing LEA loads the address into eax and the MOV instruction, along with the brackets, loads what is contained at address 0006ff90. Is that what is happening?
Yes. LEA is short for Load Effective Address.

And you can use the instruction to do arithmetic operations also:
Code:
```
lea ecx,[edx+eax*8+0x24]   ; ecx = eax * 8 + edx + 0x24
```
lucifer

Joined: 24 Nov 2014
Posts: 4
lucifer 09 Feb 2015, 20:32
It's best to think of the lea instruction as an arithmetic function. It's used a lot for performing calculations on addresses as well as doing a bunch of calculations on a number all in a single instruction.

For further information it might be useful to read the operation pseudocode in the Intel manuals. For the lea instruction, the brackets aren't really for dereferencing anything as the instruction only deals with the address values.
neville

Joined: 13 Jul 2008
Posts: 507
Location: New Zealand
neville 11 Feb 2015, 08:59
redsock wrote:
Code:
```
lea eax, [esp+4]
```
is the same as
Code:
```
mov eax, esp
add eax, 4
```
There is actually a subtle but significant difference: the LEA instruction does not alter any flags. So the 2nd code fragment should be preceded by a PUSHF and followed by a POPF.

I generally avoid using LEA, but being able to perform arithmetic without affecting the flags has sometimes been useful.

_________________
FAMOS - the first memory operating system
