1

I've written a simple 'Hello World' program in assembly:

global  _main
extern  _printf

section .text
_main:
    push  offset  message
    call  _printf
    add   esp, 4
    ret
section .data
    message db  'Hello, World2', 10, 0

I've opened the compiled .EXE in Ghidra tool (freeware IDA alternative) and when I look at the generated assembly code listing, there is something like this:

 push  message
 call  _printf
 add   esp,0x4

My question is: why is there no offset keyword there (like in the source)? Is it optional or so? Moreover when I'd like to patch the instruction, the tool doesn't allow me to type the offset keyword...

Sep Roland
  • 33,889
  • 7
  • 43
  • 76
Daros911
  • 435
  • 5
  • 14
  • 3
    The syntax depends on the tool. Some assemblers use `offset`, some don't. Those that don't, usually require `[]` brackets for memory references to differentiate it from an address. – Jester Feb 08 '21 at 16:45
  • 1
    What assembler did you use in the first place to build your program? That looks like NASM syntax, except that there's an `offset` in there which isn't valid for NASM. – Peter Cordes Feb 08 '21 at 21:29
  • How does Ghidra disassemble an instruction like `push [disp32]` instead of `push imm32`? e.g. NASM `push dword [message]` vs. NASM `push message`. Every assembly syntax needs *some* way to differentiate those two forms. – Peter Cordes Jun 02 '21 at 21:04

1 Answers1

2

Assemblers belong to one of two believes.

Assemblers that require square brackets to read/write memory will not need the offset tag to reference the offset of the label. This is the NASM style.
These assemblers can allow or prohibit the use of offset.

Assemblers that don't require square brackets to read/write memory will need the offset tag to reference the offset of the label. This is the MASM style.

Sep Roland
  • 33,889
  • 7
  • 43
  • 76
  • Ok Guys, but the _Ghidra_ doesn't allow either the `offset` syntax nor `[]`. Here is what I can insert as an operand for the PUSH instruction when patching:[link](https://imgur.com/a/DZJCygi) – Daros911 Feb 08 '21 at 17:02
  • It does work for me. However it's not obvious how it shows you can't use `[]`. Anyway, if you want an address you do not need the `[]` nor the `offset`. – Jester Feb 08 '21 at 17:09
  • OK, so that means that the assembler buid-in the tool doesn't require offset and [] syntax? – Daros911 Feb 08 '21 at 17:15
  • It would require `[]` for memory references or maybe something like `push word ptr [si]`. It certainly needs a way to differentiate pushing an address vs a value. – Jester Feb 08 '21 at 17:17
  • 2
    You might also just assemble `push [si]` or similar and see how ghidra disassembles that. – Jester Feb 08 '21 at 17:24