flat assembler
Message board for the users of flat assembler.

Index > Windows > LEA Assembled

Author
Thread Post new topic Reply to topic
Hicel



Joined: 09 Sep 2004
Posts: 55
Hicel
Hey, this question may sound stupid but I assembled a LEA instruction and need to know what I've done. But I don't know the arguments anymore. I just got the HEX Values:
$8D; $85; $0; $0; $0; $0

8D is LEA and the $0's are the DWORD
I tried every combination like

value dd ?
LEA eax,[value+eax*4]

is $8D; $4; $85; $0; $0; $0; $0

But I don't get the rid of the $4..

Please help.. if you can get this you save my whole project Wink
Post 01 Sep 2005, 03:49
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17666
Location: In your JS exploiting you and your system
revolution
Code:
lea eax,[ss:ebp]    
But the funny part is you can't assemble that with FASM, because FASM will optimise it to 8dH,45H,0H.

However if you meant ANY dword constant when you put 4 0's then the instruction is:
Code:
lea eax,[ss:ebp+012345678h]    
Post 01 Sep 2005, 04:18
View user's profile Send private message Visit poster's website Reply with quote
Hicel



Joined: 09 Sep 2004
Posts: 55
Hicel
Thanks for your quick reply.. looks like I got the wrong hex values.. Wink I don't even understand what ss:ebp+2000 means. So it is impossible that I wrote it. But can you explain what lea eax,[ss:ebp+...] does? or any link which explains that instruction? i know ss is the stack segment but ebp+...???
Post 01 Sep 2005, 04:59
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17666
Location: In your JS exploiting you and your system
revolution
ebp is a general purpose register that can be used for addressing and arithmetic. I don't have any links but try searching for x86 assembly tutorials. Also you might want to search the Intel and AMD sites for the documentation that explains all the instructions in infinite detail.
Post 01 Sep 2005, 05:54
View user's profile Send private message Visit poster's website Reply with quote
shoorick



Joined: 25 Feb 2005
Posts: 1608
Location: Ukraine
shoorick
to understand this you should read about addressing in 386.
ss:ebp+2000 means offset in stack segment, calculated by adding ebp value and 2000. ss even can be omited since ebp uses with it by default.
mov eax,[ss:ebp+2000] will calculate offset and load value from it into eax
lea eax,[ss:ebp+2000] will calculate offset and load it into eax (eg. you got a pointer in eax) lea - load effective adress
Post 01 Sep 2005, 06:10
View user's profile Send private message Visit poster's website Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
Madis731
db 8Dh,85h, 0 , 0 , 0 , 0
is actually LEA EAX,[EBP+00000000h] because there is no way it can assemble to lea with one register and no immediate.
db 8Dh,45h, 0
defines LEA EAX,[EBP+00h] with one byte immediate
Post 01 Sep 2005, 09:14
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
MazeGen



Joined: 06 Oct 2003
Posts: 977
Location: Czechoslovakia
MazeGen
Not quite right, only [EBP] can't be assembled with no immediate:

Code:
8D03 lea eax,[ebx] ; no immediate    
Post 01 Sep 2005, 11:51
View user's profile Send private message Visit poster's website Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
Madis731
yes - only for EAX,ECX,EDX,EBX,ESI,EDI with 8D00,8D01,8D02,8D03,8D06,8D07 respectively
8D04 is eax+eax and 8D05 is immediate only
Post 01 Sep 2005, 12:07
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
Hicel



Joined: 09 Sep 2004
Posts: 55
Hicel
Thanks to you all.. you really helped me! Just wondering how fast you find out what these hex values are? Anyway big thanks.
Post 01 Sep 2005, 19:31
View user's profile Send private message Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
Madis731
You can use hexeditor, too bad this link I'm looking for is down:
http://www.google.com/search?hl=en&q=icy+hexplorer&btnG=Google+Search
you can see only Google's cache Sad
but I think you will find good hexeditors for yourself Wink

The other thing is OllyDbg, where you can find an empty space and start inserting your code, or just try different hex strings and see what OllyDbg makes of it.
Post 02 Sep 2005, 18:11
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
UCM



Joined: 25 Feb 2005
Posts: 285
Location: Canada
UCM
i retrieved Icy Hexplorer's exe installer from archive.org's cache altho they didn't have a web cache for the zip.
Posted it here. (446 KiB, packed using 7-zip cause its smaller by like 40KiB and the forum doesn't allow executables)

EDIT: attachment removed since it is on SourceForge

_________________
This calls for... Ultra CRUNCHY Man!
Ta da!! *crunch*
Post 03 Sep 2005, 01:15
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.