2

looking at the following code:
(ebp-0x8 -> int)
(ebp-0x4 -> int*)

=> 0x80483f3 <main+6>:  mov    DWORD PTR [ebp-0x8],0x0
   0x80483fa <main+13>: mov    DWORD PTR [ebp-0x4],0x0
   0x8048401 <main+20>: mov    DWORD PTR [ebp-0x8],0xa

   0x8048408 <main+27>: lea    eax,[ebp-0x8]
   0x804840b <main+30>: mov    DWORD PTR [ebp-0x4],eax

   0x804840e <main+33>: mov    eax,0x0
   0x8048413 <main+38>: leave  
   0x8048414 <main+39>: ret

Is the LEA command at really needed? I know the following expression is wrong and not valid, regardless the wrong addresses on the left, but is there no similarly way to make it like this?

=> 0x80483f3 <main+6>:  mov    DWORD PTR [ebp-0x8],0x0
   0x80483fa <main+13>: mov    DWORD PTR [ebp-0x4],0x0
   0x8048401 <main+20>: mov    DWORD PTR [ebp-0x8],0xa

   0x804840b <main+30>: mov    DWORD PTR [ebp-0x4],ebp-0x8

   0x804840e <main+33>: mov    eax,0x0
   0x8048413 <main+38>: leave  
   0x8048414 <main+39>: ret

I think its not possible but I wanted to get sure.

And last question, the expression ebp-0x8 would theoretically return the "content of the ebp register minus 0x8". So the expression [ebp-0x8] would return the content of the memory at the address "content of the ebp register minus 0x8". Now I am wondering how the LEA command can get the memory address if its only get the content of some bytes in the memory.

Sorry if there are some dumb questions but the [ ] can sometimes be very confusing.

fuz
  • 88,405
  • 25
  • 200
  • 352
Michael
  • 595
  • 5
  • 19
  • Why is this tagged as [C]? This question is not about C. I removed the tag for you. – fuz Oct 04 '15 at 10:48
  • Oh Sorry, its because the code is generated by GCC from C source and originally I wanted to add it, too. – Michael Oct 04 '15 at 11:29

2 Answers2

3

In order to make your second code snippet work, you would need to do the subtraction as a separate instruction. In other words, instead of 

DWORD PTR [ebp-0x4],ebp-0x8

you would need

mov eax,ebp
sub eax,0x8
mov DWORD PTR [ebp-0x4],ax

The advantage of using lea is that it combines an arithmetic operation with a mov instruction. So instead of two instructions

mov eax,ebp
sub eax,0x8

you can use the single instruction

lea eax,[ebp-0x8]

The lea instruction means "load the effective address". The second operand specifies the address, and any calculations necessary to compute that address are done by the address generation logic in the processor.

The sub instruction, on the other hand, uses the general purpose arithmetic logic unit (ALU) of the processor.

In summary, the lea instruction combines two instructions into one by using the address generation logic of the processor to perform a mathematical calculation that would otherwise need to be done in the ALU.

user3386109
  • 34,287
  • 7
  • 49
  • 68
2

No, it's invalid expression, you can't do mathematical expression with memory address in mov source operand, except if you specify [] brackets, which is being other meaning which is to dereferencing value from memory address (which exactly like dereferencing C pointer to get its value)

The way to make mathematical expression with address is to use LEA instruction, which in your example is :

lea    eax,[ebp-0x8]
mov    DWORD PTR [ebp-0x4],eax

Note that lea works very different from mov instruction.

This is first definition from Intel manual for lea instruction :

Computes the effective address of the second operand (the source operand) and stores it in the first operand (destination operand).

mov is known to be data transfer instruction, while lea is used mostly to compute address using mathematical operation

This is a few examples of different between mov and lea

mov eax, [ebp-0x8]   ; compute new address ebp-0x8 and get its value from new address
mov eax, ebp-0x8     ; this is invalid
lea eax, [ebp-0x8]   ; compute new address ebp-0x8 and give it to eax
Mohd Shahril
  • 2,257
  • 5
  • 25
  • 30