
When analyzing the assembly listing in Ghidra, the following instructions are not clear to me:

MOV    ECX,dword ptr [R13 + 8192]
LEA    RDX,[R13 + RSI*0x1 + 8196]

In the MOV, I assume that the register ECX will get the value pointed to by register R13 + 8129 positions (or 2048 bytes). Is this assumption correct?

In the LEA, the pointer R13 + the value of RSI + 8196 positions (2049 bytes) is assigned to RDX. Is that correct?

Otherwise, how should I interpret those instructions?

Giacota
  • 11
  • 1
  • What does your processor's instruction manual say? Is there something that you don't understand from the documentation of the instructions? – the busybee Feb 10 '22 at 08:07
  • I understand the instructions for x64 processor. My doubts are about the last numbers, i.e., 8192 and 8196, How should I interpret them? Like moving of 2048 and 2049 bytes in the memory? – Giacota Feb 10 '22 at 09:49
  • Why do you think that a displacement of 8192 (BTW, typo in your question) gives 2048 bytes? Why the divisor of 4? – the busybee Feb 10 '22 at 13:11
  • Because Ghidra in the decompiling window for the first instruction it says to me something like: `var1= puVar2[2048];` – Giacota Feb 10 '22 at 16:00
  • You need to look at the element type of that array. Its size is 4, for example `long` or `float`, or so. If you want an extension of my answer for that, please add it to your question. How is `puVar2` declared? – the busybee Feb 10 '22 at 17:46
  • Ghidra shows me that it is an **int** pointer and the data type is **Integer** 4 bytes – Giacota Feb 11 '22 at 08:28

1 Answer

-1

The numbers are called "displacements"; they are added to the values left of them.

`mov ecx, dword ptr [r13 + 8192]` adds the value of r13 and 8192, and copies the 32-bit value at the resulting address into ecx.

`lea rdx, [r13 + rsi*0x1 + 8196]` adds the value of r13, the result of the multiplication of the value of rsi by 1 (giving the value of rsi), and 8196, and loads the sum into rdx.

These displacements are offsets for the addressable memory units, here bytes. A displacement of 8192 means the byte address 8192 bytes away from the base address.

the busybee
  • 10,755
  • 3
  • 13
  • 30
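As an added example (not part of the answer or the question), the following C program models the two addressing modes from the question and shows where the decompiler's `2048` comes from: the byte displacement 8192 divided by the 4-byte element size of the `int` pointer mentioned in the comments. It assumes `r13` holds an `int *` into a constructed buffer; the function names (`effective_address`, `displacement_to_index`, `demo_mov_load`, `demo_lea_distance`) are this example's own.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Effective address of [base + index*scale + disp], computed the way the
 * CPU does it: base, index*scale and disp are all byte quantities. */
static uint64_t effective_address(uint64_t base, uint64_t index, uint64_t scale, int64_t disp)
{
    return base + index * scale + (uint64_t)disp;
}

/* Convert a byte displacement into the element index a decompiler prints for
 * a pointer to elements of elem_size bytes. Returns -1 when the displacement
 * is not a whole number of elements (i.e. the access is misaligned with the
 * assumed element type). */
static long displacement_to_index(int64_t disp, size_t elem_size)
{
    if (disp % (int64_t)elem_size != 0) return -1;
    return (long)(disp / (int64_t)elem_size);
}

/* "mov ecx, dword ptr [r13 + 8192]" with r13 = p (an int *): the 4 bytes at
 * byte offset 8192 are the same 4 bytes as p[2048], because 8192 / 4 == 2048.
 * Uses a constructed buffer filled with a known pattern. */
static int demo_mov_load(void)
{
    static int buf[4096];                 /* constructed sample data */
    for (int i = 0; i < 4096; i++) buf[i] = i * 3;
    int *p = buf;                         /* plays the role of r13 */

    uint64_t r13 = (uint64_t)(uintptr_t)p;
    uint64_t ea  = effective_address(r13, 0, 1, 8192);
    int ecx;
    memcpy(&ecx, (const void *)(uintptr_t)ea, sizeof ecx);   /* the dword load */

    assert(ecx == p[2048]);               /* decompiler view: puVar2[2048] */
    return ecx;                           /* 2048 * 3 == 6144 */
}

/* "lea rdx, [r13 + rsi*1 + 8196]": with scale 1, rsi is itself a byte offset,
 * so rdx ends up rsi + 8196 bytes past r13. No memory is read by LEA; only
 * the address is formed. Returns the byte distance rdx - r13. */
static uint64_t demo_lea_distance(uint64_t rsi)
{
    static int buf[4096];
    uint64_t r13 = (uint64_t)(uintptr_t)buf;
    uint64_t rdx = effective_address(r13, rsi, 1, 8196);
    return rdx - r13;
}

int main(void)
{
    printf("ecx = %d, which is p[%ld] for an int pointer\n",
           demo_mov_load(), displacement_to_index(8192, sizeof(int)));
    printf("lea with rsi=0: %llu bytes past r13\n", (unsigned long long)demo_lea_distance(0));
    printf("lea with rsi=4: %llu bytes past r13\n", (unsigned long long)demo_lea_distance(4));
    printf("8196 as an int index: %ld (as a byte offset: %ld)\n",
           displacement_to_index(8196, sizeof(int)), displacement_to_index(8196, 1));
    return 0;
}
```

The point to take away is that the displacement is always in bytes at the machine level; the element index only appears once Ghidra applies the pointer's element type, so changing the type of `puVar2` in the decompiler changes the printed index without changing the instruction.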