0

If I do step through the debugger in OllyDbg I see

`MOV EAX,DWORD PTR DS:[ESI+EBP*8]`

and register ESI = 0040855C and EBP = 00000000.

My problem is I don't know 2 register * 8

Michael2014
  • Not sure what confuses you. It just loads a dword from memory at address `esi+ebp*8`, which is of course `0040855C` since `ebp` is zero. (Multiplication takes precedence as you might remember from school.) – Jester Nov 26 '14 at 17:19

2 Answers

3

`MOV EAX,DWORD PTR DS:[ESI+EBP*8]`

MOV - move

EAX - to EAX (generally this will be a value you just calculated)

DWORD PTR - from the value pointed at by

[DS: - in the data segment]

[ESI+EBP*8] - ESI plus 8 times EBP.

Move the value in EAX into the address pointed at by ESI + EBP*8 (ESI plus 8 times EBP, it means exactly how it's written)

This is probably being used to load data from an array, where the 8 is there to scale up the counter (which is EBP) to the size of the thing being stored (8 bytes), and ESI contains the address of the start of the array. So if EBP is zero, you store the data in ESI+0, if EBP=1, you end up storing at ESI+8, etc.

cactus1
  • The last paragraph of your answer is wrong! You have to exchange ESI and EBP. Additionally normal INTEL syntax dictates that the first operand is the destination. (See my answer) – Sep Roland Nov 27 '14 at 11:37
  • Ah, my bad, fixed! I haven't messed with Intel assembly in a long time, and I kinda assumed EBP base pointer plus ESI indexing because that's the more common way to use them. – cactus1 Nov 27 '14 at 14:00
2

In normal INTEL syntax this instruction moves a value from memory into EAX.

`MOV EAX,DWORD PTR DS:[ESI+EBP*8]`

It is usually used to extract a value from an array.
The array is situated in memory at DS:ESI.
The elements are indexed through EBP.
The scale of 8 means that every element is 64 bits long and this instruction only reads the low dword.

Sep Roland
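
The address arithmetic discussed in the answers, as an added C example that is not part of either answer: it models the load against a constructed table of 8-byte elements placed at the ESI value from the question. The table contents and the helper names `effective_address`, `mem_byte` and `emulate_mov` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: four 8-byte elements, imagined to sit at the
   address the question shows in ESI. */
#define ARRAY_BASE 0x0040855Cu
static const uint64_t table[4] = {
    0x1111111100000001ull, 0x2222222200000002ull,
    0x3333333300000003ull, 0x4444444400000004ull,
};

/* [base + index*scale]: the multiplication happens first, and the result
   wraps modulo 2^32 like any 32-bit register arithmetic. */
uint32_t effective_address(uint32_t base, uint32_t index, uint32_t scale)
{
    return base + index * scale;
}

/* One byte of the sample memory image, laid out little-endian as on x86. */
static uint8_t mem_byte(uint32_t off)
{
    return (uint8_t)(table[off / 8] >> (8 * (off % 8)));
}

/* Models MOV EAX,DWORD PTR DS:[ESI+EBP*8] against the sample table.
   Returns 0 and sets *eax, or -1 if the 4-byte read leaves the table. */
int emulate_mov(uint32_t esi, uint32_t ebp, uint32_t *eax)
{
    uint32_t ea = effective_address(esi, ebp, 8);
    uint32_t off = ea - ARRAY_BASE;
    if (ea < ARRAY_BASE || off > sizeof table - 4)
        return -1;
    *eax = (uint32_t)mem_byte(off) | (uint32_t)mem_byte(off + 1) << 8 |
           (uint32_t)mem_byte(off + 2) << 16 | (uint32_t)mem_byte(off + 3) << 24;
    return 0;
}

int main(void)
{
    for (uint32_t ebp = 0; ebp < 4; ebp++) {
        uint32_t eax = 0;
        if (emulate_mov(ARRAY_BASE, ebp, &eax) == 0)
            printf("EBP=%u  EA=%08X  EAX=%08X\n", (unsigned)ebp,
                   (unsigned)effective_address(ARRAY_BASE, ebp, 8), (unsigned)eax);
    }
    return 0;
}
```

With EBP = 0 the effective address equals ESI, and each increment of EBP advances the read by 8 bytes while only the low 4 bytes of each element reach EAX.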