0

I saw this case from a website:

cmpl $0x0,-0x20(%ebp)

jne xxx (program terminated   so -0x20(%ebp) == 0)

cmpl $0x1,-0x1c(%ebp)

jne xxx (program terminated   so -0x1c(%ebp) == $1)

then:

lea -0x18(%ebp),%ebx

mov -0x4(%ebx),%eax

The website said %eax = -0x4(%ebx) = -1c(%ebp) == $0

So I don't know why -0x4(-0x18(%ebp)) will equal to -1c(%ebp) Please help, thank you!

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
James
  • 39
  • 2
  • 9
  • 1
    0x18 + 0x4 = 0x1c. (In decimal, 24+4 = 28). Is that all you're asking? – Peter Cordes Oct 09 '17 at 03:40
  • 1
    it sounds like the website is trying to convey that you can read the same memory location from two different base addresses stored in registers ebx and ebp, but who knows you did not provide enough info. – Rafael Oct 09 '17 at 03:42
  • 1
    Does it really say that -1c(%ebp) is 0, or is that a typo? Because in the comment at line 4 of the code, it says that it is 1. – prl Oct 09 '17 at 05:37
  • @Rafael the `ebx` is loaded from `ebp` base -0x18 by `lea`, I think the provided info is sufficient. It's just wrong (the resulting value referenced by [ebx-4] is 1, not 0). – Ped7g Oct 09 '17 at 14:07

1 Answers1

2

So I don't know why -0x4(-0x18(%ebp)) will equal to -1c(%ebp) Please help, thank you!

The literally taken -0x4(-0x18(%ebp)) means nothing in x86 assembly syntax, so it can't equal to -1c(%ebp) either.

So it depends, what you understand under "-0x4(-0x18(%ebp))".

There are two logical ways how to evaluate that (guessing what you meant).

1) dereference ebp-0x18, and use that value from memory (unknown from your question) as memory address, adjust it by -4 and dereference that address again = that makes no sense together with rest of your question text and code provided, so if you understand it like this, you are going in wrong direction.

2) calculate value ebp-0x18, then add another -0x4, then dereference that value as memory address (load value from memory) = that's the more sensible one, correlating with the other stuff you posted. I.e. only one dereferencing happens. It's not making that expression valid ASM syntax, it just makes sense when evaluated like this.

Then the final address is equal to ebp - 0x18 - 0x04, which can be simplified to ebp - 0x1C. As Peter Corder commented, it's as simple as 24 + 4 = 28 (0x18 + 0x04 = 0x1C).

If you did understand it as described in 1), then you probably misunderstood lea instruction? There are already some SO questions about it:
What's the purpose of the LEA instruction? (there are several good answers, each adding some details)
What is the difference between MOV and LEA?

In summary, the lea does use the same syntax for memory operand as mov, but after it will calculate the memory address (in the same way as mov instruction would), it stops there and puts the address value itself into destination register as result. It doesn't contact memory chip for value (no dereferencing). The mov instruction continues onward, fetching the final value from memory, and storing that into destination register.

Finally as prl commented, going by the first part of code the memory value at address ebp-0x1c is 1, not 0. Must be either typo on your side, or by the web author. Maybe in first version he did use -0x1c for lea, and then the mov would fetch 0 from ebp-0x20. Then made it less obvious by introducing third offset -0x18 and forgot to adjust mov offset to -8 or result to 1? Just guessing.

Ped7g
  • 16,236
  • 3
  • 26
  • 63