1

I am new to assembly & Ghidra and I am seeing a `=>` on some lines for PUSH in a binary I am looking at, and I can't seem to find what Ghidra is doing for instructions like this:

```
0040298b 56  PUSH   ESI=>DAT_004046c8
```
eltabre
  • 1
    As we can see from the machine code ([single byte `56`](https://www.felixcloutier.com/x86/push)), it's a normal `push esi` instruction, pushing the register to the ESP stack. I don't know what the `=>DAT_004046c8` annotation means; possibly that it's done some static analysis to figure out the necessary value of the register at that point? Is there a previous instruction like `mov esi, OFFSET DAT_004046c8`? – Peter Cordes Jun 18 '22 at 04:03
  • (I retitled your question because it has no meaning in *assembly*, i.e. in source code that you'd feed to an assembler to get machine code. Most assemblers would reject it as invalid characters at the end of a line. It's still perhaps an interesting question about Ghidra's disassembly / analysis, although the later part of the question guessing about that instruction doing something else is something you might want to edit out.) – Peter Cordes Jun 18 '22 at 04:07
  • 2
    Ok thanks! You're right, it was most likely an addition that Ghidra made after the automatic analysis was run, and I was looking for a `=>` operator in assembly and not in Ghidra documentation. There is a previous instruction that is `mov esi, OFFSET DAT_004046c8` – eltabre Jun 18 '22 at 04:09
  • 2
    Ok, then yeah it's just tracking register values for you. I'd guess it might use the same annotation for a `mov [esp], esi` instruction (if stack space for a function arg was already reserved, like `gcc -maccumulate-outgoing-args`) – Peter Cordes Jun 18 '22 at 04:17

1 Answer

4

This is Ghidra annotating the assembly because it could statically infer that the value of `ESI` is `OFFSET DAT_004046c8` (from the previous instruction). This is a typical feature for reverse engineering tools, so you don't have to mentally keep track of all known values and the meaning of a certain offset yourself. This becomes especially useful if you rename the location `DAT_004046c8` to something more meaningful like `custom_variable_name` (once you have found out what the "real" variable name could have been); the disassembly will then show

```
0040298b 56  PUSH   ESI=>custom_variable_name
```
Florian Magin
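As an added illustration (not part of the original answer, and a simplified sketch rather than Ghidra's actual analysis), the code below tracks which registers hold a known symbol address across a straight-line listing and emits the same `=>` annotation, dropping it once the register is overwritten or clobbered by a call. Only the `PUSH ESI` at `0040298b` and the preceding `MOV` come from the question; the other addresses, `DAT_004046d0`, `FUN_00401000` and the function `annotate` are constructed for the example.

```python
import re

REGS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP"}
CALLER_SAVED = {"EAX", "ECX", "EDX"}  # assumed clobbered by a call (cdecl/stdcall)

# Constructed listing built around the instruction from the question.
LISTING = [
    (0x00402986, "MOV ESI, OFFSET DAT_004046c8"),
    (0x0040298b, "PUSH ESI"),
    (0x0040298c, "MOV EAX, OFFSET DAT_004046d0"),
    (0x00402991, "CALL FUN_00401000"),
    (0x00402996, "PUSH EAX"),      # EAX unknown after the call: no annotation
    (0x00402997, "PUSH ESI"),      # ESI is callee-saved: still known
    (0x00402998, "XOR ESI, ESI"),  # overwrites ESI
    (0x0040299a, "PUSH ESI"),      # no annotation any more
]

def annotate(listing, names=None):
    """Return display lines, adding REG=>symbol where the value is known."""
    names = names or {}  # analyst renames: old label -> new label
    known = {}           # register -> symbol whose address it holds
    out = []
    for addr, text in listing:
        mnem, _, rest = text.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        shown = text
        if mnem == "PUSH" and ops and ops[0] in known:
            shown = f"PUSH {ops[0]}=>{known[ops[0]]}"
        # Update the tracked state with the effect of this instruction.
        if mnem == "MOV" and ops[0] in REGS:
            m = re.fullmatch(r"OFFSET (\w+)", ops[1])
            if m:
                known[ops[0]] = m.group(1)
            elif ops[1] in known:
                known[ops[0]] = known[ops[1]]
            else:
                known.pop(ops[0], None)
        elif mnem == "CALL":
            for reg in CALLER_SAVED:
                known.pop(reg, None)
        elif mnem not in ("PUSH", "CMP", "TEST") and ops and ops[0] in REGS:
            known.pop(ops[0], None)  # any other write invalidates the value
        for old, new in names.items():
            shown = shown.replace(old, new)
        out.append(f"{addr:08x}  {shown}")
    return out

if __name__ == "__main__":
    print("\n".join(annotate(LISTING, {"DAT_004046c8": "custom_variable_name"})))
```
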