
I am working through an exercise in the shellcoders handbook.

```nasm
Section .text

  global _start

_start:

  jmp short GotoCall          ; jump forward so the CALL below pushes the string's address

shellcode:
  pop esi                     ; esi = address of the '/bin/sh...' string (return address pushed by CALL)
  xor eax, eax                ; eax = 0 without putting a NUL byte in the instruction stream
  mov byte [esi + 7], al      ; NUL-terminate "/bin/sh" (overwrites the 'J')
  lea ebx, [esi]              ; ebx = esi, the address of the string
  mov long [esi + 8], ebx     ; argv[0] = pointer to "/bin/sh" (overwrites "AAAA")
  mov long [esi + 12], eax    ; argv[1] = NULL (overwrites "KKKK")
  mov byte al, 0x0b           ; eax = 11, the execve system call number
  mov ebx, esi                ; ebx = pathname (same value lea already loaded above)
  lea ecx, [esi + 8]          ; ecx = argv
  lea edx, [esi + 12]         ; edx = envp (points at the NULL just written)
  int 0x80                    ; execve("/bin/sh", argv, envp)

GotoCall:

  Call shellcode
  db '/bin/shJAAAAKKKK'
```

This code works fine, but I'm not understanding the lines `lea ebx, [esi]` and `mov ebx, esi`; they both store the same value into `ebx`. In fact, if I run it through gdb I can see that the register values do not change.

I understand that `mov` accesses the value at the address and `lea` accesses just the address. If the `mov` instruction in this scenario had brackets around the `esi`, as in `mov ebx, [esi]`, then I could see the difference, but that's not the case. What am I missing?

a1ph4byte

  • There is no difference in this case, they are equivalent. `LEA` is more flexible however. – Jester Feb 13 '15 at 17:10
  • any ideas why the author would have included it? – a1ph4byte Feb 13 '15 at 17:11
  • Why not? Better question is, why did he load `ebx` twice with the same value. – Jester Feb 13 '15 at 17:14
  • possible duplicate of [What is the difference between MOV and LEA](http://stackoverflow.com/questions/1699748/what-is-the-difference-between-mov-and-lea) – phuclv Feb 13 '15 at 17:26
  • http://stackoverflow.com/questions/1658294/whats-the-purpose-of-the-lea-instruction?rq=1 – phuclv Feb 13 '15 at 17:27
  • Definitely not the same question. Those questions are fundamental misunderstandings of how LEA and MOV are used. My question aims to get an understanding of the code author's intent. – a1ph4byte Feb 13 '15 at 17:31
  • The encodings are different: `89 f3` vs `8d 1e`. One possibility is that the shellcode only functions under constraints which require the use of one choice or the other - although it's not clear whether this is the case here. – gsg Feb 13 '15 at 18:58
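An added example, not part of the question or of the book's listing, that checks the point Jester and gsg make in the comments: `lea ebx, [esi]` and `mov ebx, esi` leave the same value in the destination register even though they assemble to different opcode bytes, while the bracketed form `mov ebx, [esi]` actually reads memory. It is plain C with GNU inline assembly; the function names and the `cell` value are my own, and the non-x86 fallback branch is an assumption so the file still compiles on other architectures (there the fallback is ordinary C, not the real instruction).

```c
#include <stdint.h>
#include <stdio.h>

/* Three operations on a pointer p, mirroring the instructions in the question:
 *   lea ebx, [esi]   address arithmetic only   -> ebx = esi
 *   mov ebx, esi     register-to-register copy -> ebx = esi
 *   mov ebx, [esi]   memory read               -> ebx = *(uint32_t *)esi
 * On x86 (32- or 64-bit) each function executes the real instruction through
 * GNU inline assembly (AT&T operand order); elsewhere it falls back to the
 * equivalent C (assumption: keeps the example buildable on other targets).
 */

uintptr_t via_lea(const uint32_t *p) {
    uintptr_t out;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("lea (%1), %0" : "=r"(out) : "r"(p));   /* lea out, [p] */
#else
    out = (uintptr_t)p;
#endif
    return out;
}

uintptr_t via_mov_reg(const uint32_t *p) {
    uintptr_t out;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("mov %1, %0" : "=r"(out) : "r"(p));     /* mov out, p */
#else
    out = (uintptr_t)p;
#endif
    return out;
}

uint32_t via_mov_mem(const uint32_t *p) {
    uint32_t out;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("mov (%1), %0" : "=r"(out) : "r"(p) : "memory"); /* mov out, [p] */
#else
    out = *p;
#endif
    return out;
}

/* Returns 1 when lea and the register mov produced the same address and the
 * bracketed mov produced the value stored there rather than the address. */
int demonstrate(void) {
    static uint32_t cell = 0x0b;              /* constructed sample value living in memory */
    uintptr_t by_lea = via_lea(&cell);
    uintptr_t by_mov = via_mov_reg(&cell);
    uint32_t  loaded = via_mov_mem(&cell);

    printf("lea ebx,[esi] -> 0x%lx\n", (unsigned long)by_lea);
    printf("mov ebx,esi   -> 0x%lx\n", (unsigned long)by_mov);
    printf("mov ebx,[esi] -> 0x%lx\n", (unsigned long)loaded);

    return by_lea == by_mov && by_lea == (uintptr_t)&cell && loaded == cell;
}

int main(void) { return demonstrate() ? 0 : 1; }
```

Build with `gcc -O0 lea_vs_mov.c` and run; disassembling the binary with `objdump -d` shows the `lea` in `via_lea` encoded with opcode `8d` and the register `mov` in `via_mov_reg` with opcode `89`, which is the encoding difference gsg points out, while both functions return the same address.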
