What does new operator return in assembly?

Question

Here is my code in assembly:

.text:00401000                 push    ebp
.text:00401001                 mov     ebp, esp
.text:00401003                 sub     esp, 8
.text:00401006                 push    4               ; unsigned int
.text:00401008                 call    ??2@YAPAXI@Z    ; operator new(uint)
.text:0040100D                 add     esp, 4
.text:00401010                 mov     [ebp+var_8], eax
.text:00401013                 mov     eax, [ebp+var_8]
.text:00401016                 mov     [ebp+var_4], eax
.text:00401019                 mov     ecx, [ebp+var_4]
.text:0040101C                 mov     dword ptr [ecx], offset aHttpWww_practi ; "http://www.practicalmalwareanalysis.com"...
.text:00401022                 mov     ecx, [ebp+var_4]
.text:00401025                 call    sub_401040
.text:0040102A                 xor     eax, eax
.text:0040102C                 mov     esp, ebp
.text:0040102E                 pop     ebp
.text:0040102F                 retn    10h
.text:0040102F _WinMain@16     endp

But I'm little confused here. After

call ??2@YAPAXI@Z ; operator new(uint)

EAX register is set to some address which as I guess is address of a newly created object, I jump into that location and it contains nothing.

But

mov [ebp+var_8], eax

what should this instruction do? Should it put address of object into var_8 or the content(first 4 bytes) of object(which is nothing) into var_8? Well I checked and this is what I got.

I can't understand why this value is stored in var_8.

As I understand the code, It creates an object and puts the

http://www.practicalmalwareanalysis.com

string in it. But after this instruction below

mov dword ptr [ecx], offset aHttpWww_practi ; "http://www.practicalmalwareanalysis.com"...

I checked the address of object and this is what I have. It seemed to me that this is the address where string should be, so I jumped at 305040 and there was nothing. Then I jumped on 405030 and thats where I found the string. Why is the address "reversed"(if this is the right word to describe)?

P.S Sorry if my questions sound silly, I'm new with assembly. Thanks.

You don't need to understand assembly, but to read documentation of `::operator new`. It takes a `size_t` and returns a `void*` — Basile Starynkevitch, Sep 28 '17 at 16:33
As I understand it should be in `EAX` register right? but instead `EAX` is set to some address which contains nothing. The main question is why does some random data appear at `var_8` after `mov [ebp+var_8], eax`. — Ojs, Sep 28 '17 at 16:45
Then you need to read [calling conventions](https://en.wikipedia.org/wiki/Calling_convention) and [ABI](https://en.wikipedia.org/wiki/Application_binary_interface) for your system. — Basile Starynkevitch, Sep 28 '17 at 16:48
You may want to ask your compiler to dump assembler. With [GCC](http://gcc.gnu.org/) use `gcc -S -fverbose-asm -O` — Basile Starynkevitch, Sep 28 '17 at 16:50
x86 is little-endian CPU, so 32 bit value 0x12345678, when stored in one go, is split into four bytes as `78 56 34 12`, starting with 256^0 partial value (ones), and ending with 256^3 partial value. On big endian CPU (MIPS, ARM, when configured to be big-endian) the memory would be set to `12 34 56 78`, x86 can't be configured to big endian at all, but it has `bswap` instruction for simpler import of big-endian data. (and this doesn't apply to "addresses", but to any integer value, which doesn't fit into single byte) — Ped7g, Sep 28 '17 at 19:15
@Ojs: Compile with `-O3` or whatever the equivalent is for your compiler, so the disassembly isn't full of hard-to-follow store/reloads. See also https://stackoverflow.com/questions/38552116/how-to-remove-noise-from-gcc-clang-assembly-output — Peter Cordes, Sep 28 '17 at 20:11

score 4 · Accepted Answer · answered Sep 28 '17 at 16:38

4

call    ??2@YAPAXI@Z    ; operator new(uint)

eax is the address of the new object, it doesn't yet contain anything until the string is copied into it. Thus it's just pointing to a bunch of 0's.

mov     [ebp+var_8], eax

This stores the address in eax to the stack at [ebp+var_8] (var_8 is some consistent offset/constant in the subroutine acting as a local variable).

mov     dword ptr [ecx], offset aHttpWww_practi ;

Moves the offset (heap address) of the string into the block of memory pointed to by the address contained in ecx.

call    sub_401040

This actually copies the data from the offset now stored at the address ecx is pointing to, into the new object created in the first part. Presumably anyway, unless that happens after the ret.

answered Sep 28 '17 at 16:38

Scott Mudge

957
6
18

Thanks for reply. But after `mov [ebp+var_8], eax` As you can see I don't have address of eax in `var_8`. – Ojs Sep 28 '17 at 16:42
ebp+var_8 is an address. [ebp+var_8] dereferences it. The image of ebp+var_8 you linked shows the address of the pointer, not the data stored at the address the pointer is "pointing" to, which should contain the address value contained in eax. – Scott Mudge Sep 28 '17 at 16:44
So you are saying that the image shows the address of a pointer which would contain the data right? In this example `7042F165`? – Ojs Sep 28 '17 at 16:48
I mean it's difficult for me to be sure without disassembling it myself, but that's the idea. Just keep in mind addresses are stored in reverse order. So 65h should go first. – Scott Mudge Sep 28 '17 at 16:54

What does new operator return in assembly?

1 Answers1