
Assembly pic

```
00007FF6FB15A7C0 | 48:8B05 594C6700           | mov rax,qword ptr ds:[7FF6FB7CF420]
```

So how does the computer calculate this 7FF6FB7CF420? I want to get the data myself from there, so I need a pointer. Something to do with those bytes? Adding them to the Exe module start, currently at 0x7FF6FABF0000, doesn't yield anything sensible.

asked by ayes l
  • It is an absolute address, do not add it to anything. Set a breakpoint on this instruction, break on it, and then inspect this address. – arrowd Dec 12 '22 at 05:50
  • From the machine code, it looks like RIP-relative addressing. (You can tell that it must be, because the address bytes are different from the last 4 of the machine code. Also, the absolute address calculated by the disassembler is wider than 32-bit, but there's only a 4-byte rel32 displacement.) – Peter Cordes Dec 12 '22 at 05:51
  • Also, copy/paste text into `code formatting`, not pictures of text. – Peter Cordes Dec 12 '22 at 05:53
  • The offset in the instruction is relative to the IP address (instruction pointer) where the next instruction starts. 59 4c 67 00 needs to be reversed to 0x00674c59. Add that to 0x7ff6fb15a7c0 (the IP of the MOV instruction) and add 7 for the instruction length of the instruction to get to the next instruction. That gives 0x7FF6FB7CF420 – Michael Petch Dec 12 '22 at 05:53
  • An excerpt of the Intel instruction set documentation for RIP relative addressing and its encoding can be found here: https://xem.github.io/minix86/manual/intel-x86-and-64-manual-vol2/o_b5573232dd8f1481-72.html – Michael Petch Dec 12 '22 at 06:08
  • Thank you, that instruction pointer thing and RIP was the explanation that I was looking for. – ayes l Dec 12 '22 at 06:17
  • Effectively it means "look ahead `0x00674c59 + 7` bytes from where we are now, read the 8 bytes at that address and copy them to `rax`" – puppydrum64 Dec 21 '22 at 14:52
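The calculation described in the comments, as an added worked example that is not part of the question or any comment: it decodes the `mov rax, qword ptr [rip+disp32]` bytes from the question, checks that the ModRM byte really selects RIP-relative addressing, and resolves the operand against the address of the next instruction, including the sign-extended case where the target lies below RIP. The function name `rip_relative_target` and the constant names are my own.

```python
# Added example (not from the question or comments): resolve the effective
# address of an x86-64 RIP-relative memory operand from the raw encoding.
# Assumes the instruction has the shape shown in the question:
#   [REX.W]  8B  ModRM(mod=00, rm=101)  disp32
# i.e. `mov r64, qword ptr [rip + disp32]`.
import struct


def rip_relative_target(insn_addr: int, insn_bytes: bytes) -> int:
    """Return the absolute address referenced by a mov r64,[rip+disp32]."""
    i = 0
    # Optional REX prefix (0x40..0x4F); 0x48 here sets REX.W for a 64-bit operand
    if 0x40 <= insn_bytes[i] <= 0x4F:
        i += 1
    # Opcode 0x8B = MOV r, r/m
    if insn_bytes[i] != 0x8B:
        raise ValueError("not a MOV r, r/m instruction")
    modrm = insn_bytes[i + 1]
    mod, rm = modrm >> 6, modrm & 0b111
    # In 64-bit mode mod=00 rm=101 means [RIP + disp32]; no SIB byte follows
    if mod != 0 or rm != 0b101:
        raise ValueError("operand is not RIP-relative")
    disp_off = i + 2
    # disp32 is little-endian and SIGN-extended ("<i"), so backwards
    # references (e.g. FF FF FF F8 = -8) resolve correctly too
    (disp,) = struct.unpack_from("<i", insn_bytes, disp_off)
    length = disp_off + 4  # [REX] + opcode + ModRM + disp32 = 7 bytes here
    if len(insn_bytes) != length:
        raise ValueError("unexpected instruction length")
    # RIP already points at the *next* instruction when the operand is resolved
    next_rip = insn_addr + length
    return (next_rip + disp) & 0xFFFF_FFFF_FFFF_FFFF


# Address and bytes taken from the disassembly line in the question
QUESTION_ADDR = 0x00007FF6FB15A7C0
QUESTION_BYTES = bytes.fromhex("488B05594C6700")

if __name__ == "__main__":
    # Prints 0x7ff6fb7cf420, matching the disassembler's ds:[7FF6FB7CF420]
    print(hex(rip_relative_target(QUESTION_ADDR, QUESTION_BYTES)))
```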
