
I have written a simple program in MASM, like:

.386
.model flat, stdcall
option casemap:none

.data
szName db "MASM", 0             ; 5-byte NUL-terminated string ("MASM" plus terminator)

.code
start:
mov eax, DWORD PTR [szName]     ; load the first 4 bytes of szName ("MASM") into EAX
ret
end start

Then I check the code in the OllyDbg debugger and I get:

CPU Disasm
Address   Hex dump          Command                                  Comments
00401004      CC            INT3
00401005  /.  E9 06000000   JMP 00401010
0040100A  |   CC            INT3
0040100B  |   CC            INT3
0040100C  |   CC            INT3
0040100D  |   CC            INT3
0040100E  |   CC            INT3
0040100F  |   CC            INT3
00401010  |>  A1 00404000   MOV EAX,DWORD PTR DS:[404000]            ; ASCII "MASM"
00401015  \.  C3            RETN
00401016      A1            DB A1

My question is: which component patches these 11 bytes (00401005-0040100F) in before the actual code (00401010)? And why?

I use Windows XP SP3, MASM, and OllyDbg.

OK, here is the explanation (to whoever cares): This code has been built in DEBUG mode and so the assembler/linker (I don't know exactly which) adds these extra bytes. The JMP is there in order for the program to be able to run, because it has to bypass the series of INT 3 instructions. If the program was built in RELEASE mode then no such extra code is attached.

Ponty
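To make the JMP concrete, here is an added example (not from the question or the answer) that decodes the bytes OllyDbg displays: it resolves the E9 rel32 displacement to its absolute target and checks that the target lies just past the INT3 run on a 16-byte boundary. The byte string and base address are constructed from the listing above.

```python
# Added example (not from the original question or answer): decode the bytes
# OllyDbg showed at 00401005..00401015 and check that the E9 JMP's rel32
# target skips the INT3 (0xCC) padding and lands on a 16-byte boundary.
import struct

INT3 = 0xCC
JMP_REL32 = 0xE9

# Constructed from the OllyDbg listing: JMP +6, six INT3s, MOV EAX,[404000], RETN.
IMAGE_BASE_ADDR = 0x00401005
IMAGE_BYTES = bytes.fromhex("E9 06 00 00 00 CC CC CC CC CC CC A1 00 40 40 00 C3")


def decode_jmp_rel32(code: bytes, offset: int, address: int) -> int:
    """Return the absolute target of the E9 rel32 JMP at code[offset].

    The displacement is relative to the address of the *next* instruction
    (address + 5), which is why the bytes '06 00 00 00' at 00401005 land at
    00401010 rather than at 0040100B.
    """
    if code[offset] != JMP_REL32:
        raise ValueError(f"no E9 opcode at {address:08X}")
    (rel32,) = struct.unpack_from("<i", code, offset + 1)  # signed little-endian
    return address + 5 + rel32


def count_int3_run(code: bytes, offset: int) -> int:
    """Length of the run of 0xCC (INT3) bytes starting at code[offset]."""
    n = 0
    while offset + n < len(code) and code[offset + n] == INT3:
        n += 1
    return n


def analyse(code: bytes, base: int) -> dict:
    """Describe the debug-build padding: JMP target, INT3s skipped, alignment."""
    target = decode_jmp_rel32(code, 0, base)
    pad = count_int3_run(code, 5)          # INT3s start right after the 5-byte JMP
    return {
        "jmp_target": target,                              # expected 0x00401010
        "int3_skipped": pad,                               # expected 6
        "target_is_after_padding": target == base + 5 + pad,
        "target_16_aligned": target % 16 == 0,
        "first_opcode_at_target": code[target - base],     # 0xA1 = MOV EAX,[moffs32]
    }


if __name__ == "__main__":
    for key, val in analyse(IMAGE_BYTES, IMAGE_BASE_ADDR).items():
        print(f"{key}: {val:#x}" if type(val) is int else f"{key}: {val}")
```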

1 Answer

I think they're just alignment bytes, so the code is aligned on a 16 bytes boundary and runs slightly faster.

BlackBear
  • OK, let's say the series of INT3 instructions are there for the alignment, but why the JMP instruction? – Ponty Apr 07 '11 at 12:36
  • @Ponty: no idea. Perhaps MASM placed those INT3s for its debugger/tools – BlackBear Apr 07 '11 at 12:39
  • OK, I figured out that I build for Debug and not Release, and that's why I got these extra 11 bytes in front of the actual code. But I still don't get the JMP instruction... – Ponty Apr 07 '11 at 12:53