
I'm running into some issues with a piece of software I'm trying to debug for a friend.

Long story short I need to know how to get the address of a function out of a pointer...

So for example if I have...

MOV ECX, DWORD PTR DS : [82738119]

Then I need to be able to reverse this without actually knowing the address location, something like this...

// I'm looking for a way to make EAX 82738119, using only the pointer in ECX....
MOV EAX, SOME_COMMAND[ECX];
Ricky


You can't do that without reading the instruction itself as the memory location is "embedded" in the instruction's opcodes.

Example:

CPU Disasm
Address   Hex dump             Command
00DA2A6D  A1 A861DA00          MOV EAX,DWORD PTR DS:[0DA61A8]

See how the memory location (0x0DA61A8) in the instruction can also be seen in the opcodes (little endian: A8 61 DA 00).

There's no way of getting the memory location from EAX in the above example.

A possible "trick" is to read the memory location in the instruction:

CPU Disasm
Address   Hex dump           Command                              Comments
00DA35B8      A1 A861DA00    MOV EAX,DWORD PTR DS:[0DA61A8]       ; example instruction (we want to read 0x0DA61A8)
00DA35BD      E8 00000000    CALL 00DA35C2                        ; call next instruction
00DA35C2      59             POP ECX                              ; pop this instruction address in ecx
00DA35C3      83E9 09        SUB ECX,9                            ; ecx points to 0x0DA35B9 (memory location)
00DA35C6      8B01           MOV EAX,DWORD PTR DS:[ECX]           ; eax = [00DA35B9] = 0x0DA61A8
Neitsa
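The answer's point is that the address only exists inside the instruction bytes, so it has to be decoded from them. The following is an added example, not code from the question or the answer: a small 32-bit x86 decoder that pulls the absolute address out of the two load encodings seen on this page, `A1 moffs32` (MOV EAX,[addr]) and `8B /r` with a ModRM of mod=00, rm=101 (MOV r32,[disp32], e.g. `8B 0D` for ECX). The function name `mov_load_target` and the sample byte strings are constructed here; the decoder assumes 32-bit mode, since in 64-bit mode `A1` carries a 64-bit offset and the disp32 form becomes RIP-relative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a 32-bit little-endian value, as x86 stores immediates/displacements. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a 32-bit-mode "MOV r32, DWORD PTR [absolute]" at code.
 * On success returns the embedded address and sets *len to the instruction
 * length and *reg to the destination register number (0 = EAX, 1 = ECX, ...).
 * Returns 0 with *len = 0 if the bytes are not one of the two encodings. */
uint32_t mov_load_target(const uint8_t *code, size_t n, size_t *len, int *reg) {
    *len = 0;
    *reg = -1;
    if (n >= 5 && code[0] == 0xA1) {           /* A1 moffs32: MOV EAX, [addr] */
        *len = 5;
        *reg = 0;
        return read_le32(code + 1);
    }
    /* 8B /r with ModRM mod=00, rm=101 means "[disp32]" in 32-bit mode. */
    if (n >= 6 && code[0] == 0x8B && (code[1] & 0xC7) == 0x05) {
        *len = 6;
        *reg = (code[1] >> 3) & 7;             /* reg field selects EAX..EDI */
        return read_le32(code + 2);
    }
    return 0;
}

int main(void) {
    /* Constructed samples: the answer's MOV EAX,[0DA61A8] and the question's
     * MOV ECX,[82738119] as they would appear in memory. */
    static const uint8_t mov_eax[] = {0xA1, 0xA8, 0x61, 0xDA, 0x00};
    static const uint8_t mov_ecx[] = {0x8B, 0x0D, 0x19, 0x81, 0x73, 0x82};
    static const char *names[] = {"EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"};
    size_t len;
    int reg;
    uint32_t a = mov_load_target(mov_eax, sizeof mov_eax, &len, &reg);
    printf("MOV %s, [%08X]  (%zu bytes)\n", names[reg], a, len);
    a = mov_load_target(mov_ecx, sizeof mov_ecx, &len, &reg);
    printf("MOV %s, [%08X]  (%zu bytes)\n", names[reg], a, len);
    return 0;
}
```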