
I was looking at the following snippet of code (below) and couldn't understand the purpose of executing two mov instructions where in both cases the destination operand is the exact same register namely rcx. My guess is that the second mov statement adds whatever its source operand points to, to the value that is already contained in rcx by way of the first mov instruction. Please correct my assumption with the correct meaning of these two mov statements.

...   
mov     rcx,qword ptr gs:[20h]
mov     rcx,qword ptr [rcx+6180h]
call    nt!RtlCaptureContext (fffff802`c1d4c7b0)
JkT
  • Looks like the first instruction is redundant. This can happen, especially with unoptimised code. – fuz Oct 30 '22 at 17:03
  • Isn't this a double pointer dereference? The first move read a pointer to `RTL_USER_PROCESS_PARAMETERS` from the PEB and the second read something (undocumented?) from it. The destination is the same but `rcx` is used in the second *source* operand. I'm tired though, I may be missing something obvious. – Margaret Bloom Oct 30 '22 at 17:35
  • @MargaretBloom Yes, the second `mov` uses the destination of the first `mov` as a part of the memory addressing for the source operand. – ecm Oct 30 '22 at 18:12
  • One `mov` overwrites the result of the other, but as already pointed out, the result of the former is used by the latter. This is very common in assembly -- CPU registers are oft repurposed. This is a fundamental difference between assembly/machine code with its physical resources, and high level languages with their logical variables and complex expressions, where we often don't need to declare temporary variables, but if we choose to, we just grab a new one instead of repurposing some existing one. – Erik Eidt Oct 30 '22 at 19:16
  • @ErikEidt Current x86 processors of course see this machine language as a higher language and reinterpret the instructions again to internally use a different register than twice `rcx` to make pipelining easier. – Sebastian Oct 30 '22 at 20:10
  • Near duplicate of [Step-by-step explanation of basic C / x86 assembly code for pointer dereference and multiply](https://stackoverflow.com/q/73731396) except it happens to be reusing the same register instead of loading the pointer into one and the pointed-to data into another. Also duplicate of unanswered [x86-64 ASM. Best way to choose register usage](https://stackoverflow.com/q/63412973) – Peter Cordes Oct 30 '22 at 20:35
  • @Sebastian, yes of course, there are more layers below the ISA, yet that doesn't change the relationship between physical resources of the ISA and logical variables of, say, C, that I'm highlighting for the OP. – Erik Eidt Oct 30 '22 at 21:39
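As an added illustration (not code from the question or its comments), here is the C equivalent of the two loads over a constructed memory layout that reuses the snippet's offsets (20h and 6180h; the contents are made up). It shows that the first `mov` yields a pointer and the second `mov` replaces `rcx` with the qword found at that pointer plus 6180h, which is not the same as adding to `rcx`:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the memory the snippet walks: the block gs points
 * at (offset 20h holds a pointer) and the block that pointer refers to
 * (offset 6180h holds the value that finally ends up in rcx). */
#define GS_PTR_OFF 0x20u
#define INNER_OFF  0x6180u

static uint8_t gs_block[0x100];
static uint8_t inner_block[INNER_OFF + sizeof(uint64_t)];

/* Read a 64-bit little-endian value from memory, like "qword ptr [...]". */
static uint64_t load_qword(const uint8_t *addr) {
    uint64_t v;
    memcpy(&v, addr, sizeof v);
    return v;
}

/* What the two mov instructions actually do: the first load produces a
 * pointer, the second load uses that pointer as its base and overwrites rcx. */
uint64_t two_movs(const uint8_t *gs_base) {
    uint64_t rcx = load_qword(gs_base + GS_PTR_OFF);                /* mov rcx,qword ptr gs:[20h]   */
    rcx = load_qword((const uint8_t *)(uintptr_t)rcx + INNER_OFF);  /* mov rcx,qword ptr [rcx+6180h] */
    return rcx;
}

/* The reading the question guessed at (second instruction adds to rcx), for
 * contrast: it would need an add instruction and gives a different result. */
uint64_t guessed_add(const uint8_t *gs_base) {
    uint64_t rcx = load_qword(gs_base + GS_PTR_OFF);
    rcx += load_qword((const uint8_t *)(uintptr_t)rcx + INNER_OFF); /* add rcx,qword ptr [rcx+6180h] */
    return rcx;
}

/* Fill the constructed memory image and return the simulated gs base. */
const uint8_t *setup(void) {
    uint64_t ptr = (uint64_t)(uintptr_t)inner_block;
    uint64_t val = 0x1122334455667788ull;   /* constructed payload value */
    memcpy(gs_block + GS_PTR_OFF, &ptr, sizeof ptr);
    memcpy(inner_block + INNER_OFF, &val, sizeof val);
    return gs_block;
}

int main(void) {
    const uint8_t *gs = setup();
    printf("rcx after both movs: %#llx\n", (unsigned long long)two_movs(gs));
    return 0;
}
```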
