
I need to find an address in a game and am not sure how segment offsets are handled.

In OllyDbg it shows me a data structure is at:

ss:[esp+28]

esp = 0019DF94
ss = 002B

So what is the actual address of the structure? Is it ss+esp+28?

  • No, definitely not `+ ss`. If this is 32-bit code, you're in protected mode so SS is a segment selector, not a segment base value directly. And the SS base will always be 0 on Windows and other normal OSes that use a flat memory model. TL:DR: ignore the SS, segmentation isn't really used. – Peter Cordes Oct 10 '19 at 20:13
  • So it's just esp + the offset (28)? – Luke Oct 10 '19 at 20:14
  • yup, pretty simple. – Peter Cordes Oct 10 '19 at 20:25
  • [Addressing mode in IA-32](//stackoverflow.com/q/25567990) explains that segmentation can be ignored under 32-bit / 64-bit flat memory model OSes like Windows so it's a good duplicate for this. – Peter Cordes Oct 10 '19 at 21:20

1 Answer


esp + 28 gives you the virtual address, which is the one you'll use from within your program. In protected mode (which is what you're using in Windows) segment registers are segment selectors, which are indexes for the GDT. If you wanted the global address of your data you would need to look up the value of SS in the GDT, read the base address and then add that to esp + 28 (See this question). In real mode the segment registers are simply shifted left by 4 and then added to your address (see this article).

0x777C
  • No, if you want to take segmentation into account, ESP+28 gives you the *offset* part of the address. The segment base (from the indexed GDT entry) gives you the base for base+offset, and *that's* the linear virtual address. You left out the step of translating virtual to physical via the page tables. ("global address" doesn't have any standard meaning, but if you meant physical address then you forgot paging. Paging is optional in Protected mode but mandatory for long / compat mode. But regardless, Windows enables paging.) – Peter Cordes Oct 10 '19 at 20:59
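The selector-decode and base+offset steps described in the answer and the comments, as an added example that is not part of the original question or answer. It takes OllyDbg's displacement 28 as hexadecimal (OllyDbg displays values in hex), and the GDT entry is a constructed flat data descriptor (base 0, 4 GiB limit, DPL 3) of the kind a flat-model OS installs for user-mode SS, so the linear address comes out equal to the plain offset.

```c
/* Added example: decode a protected-mode segment selector, pull the base
 * out of its descriptor, and form the linear address for ss:[esp+28].
 * The descriptor below is constructed, not read from a live GDT. */
#include <stdint.h>
#include <stdio.h>

/* Selector layout: bits 15..3 index, bit 2 table indicator (0 = GDT,
 * 1 = LDT), bits 1..0 requested privilege level. */
typedef struct { uint16_t index; uint8_t ti; uint8_t rpl; } selector_t;

selector_t decode_selector(uint16_t sel) {
    selector_t s = { (uint16_t)(sel >> 3), (uint8_t)((sel >> 2) & 1), (uint8_t)(sel & 3) };
    return s;
}

/* Base of a 32-bit segment descriptor: base bits 15..0 live in bytes 2..3,
 * bits 23..16 in byte 4, bits 31..24 in byte 7 of the 8-byte entry. */
uint32_t descriptor_base(uint64_t desc) {
    uint32_t lo  = (uint32_t)((desc >> 16) & 0xFFFF);
    uint32_t mid = (uint32_t)((desc >> 32) & 0xFF);
    uint32_t hi  = (uint32_t)((desc >> 56) & 0xFF);
    return lo | (mid << 16) | (hi << 24);
}

/* Protected mode: linear = segment base + offset. Paging then maps the
 * linear address to a physical one; that step is not modelled here. */
uint32_t linear_address(uint64_t desc, uint32_t offset) {
    return descriptor_base(desc) + offset;
}

/* Real mode: linear = (segment << 4) + offset, no descriptor table at all. */
uint32_t real_mode_address(uint16_t seg, uint16_t offset) {
    return ((uint32_t)seg << 4) + offset;
}

int main(void) {
    uint16_t ss = 0x002B;          /* value shown in the question */
    uint32_t esp = 0x0019DF94;     /* value shown in the question */
    /* Constructed flat data descriptor: base 0, limit 0xFFFFF with G=1,
     * D/B=1, present, DPL 3, read/write data. */
    uint64_t gdt_entry = 0x00CFF3000000FFFFULL;
    selector_t s = decode_selector(ss);
    printf("SS=%04X -> GDT index %u, TI %u, RPL %u\n", ss, s.index, s.ti, s.rpl);
    printf("base=%08X offset=%08X linear=%08X\n", descriptor_base(gdt_entry),
           esp + 0x28, linear_address(gdt_entry, esp + 0x28));
    return 0;
}
```

With a flat descriptor the base is 0, so the linear address is just esp + 0x28 = 0x0019DFBC, which is why the comments say SS can be ignored.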