
I have the following assembly line and I have problems understanding it, because until now I have only ever seen lines like `mov eax, 0` and so on. But now I have the following (I use IDA Pro):

 mov ds:dword_4870058 , offset loc_4048E0

When I click on offset loc_4048E0, I see:

 loc_4048E0:
 mov al, 10h
 jmp sub_402774

When I interpret dword_4870058 as a global variable, can I assume that dword_4870058 gets the value 10h (if I regard al as a return value register)? This is the only thing that I can imagine.

Is this assumption right or wrong?

perror
user3097712
  • No. loc_4048E0 SEEMS to be a function. If so, dword_4870058 is a function pointer (and a global variable, as you already found out); if not, it is a pointer to data that for some reason IDA seems to think of as a function (no idea how likely IDA is to mislabel that). – user45891 Sep 11 '14 at 23:45
  • I thought that the mov instruction is for storing data/content. Is it different when it is a function pointer, or? I mean, is there a reason why the compiler picks mov instead of lea? – user3097712 Sep 12 '14 at 00:43
  • The lea / mov difference is covered pretty well here: http://stackoverflow.com/questions/1658294/whats-the-purpose-of-the-lea-instruction – evlncrn8 Sep 12 '14 at 02:55

1 Answer


The cleaner version would be:

mov [dword_4870058] , offset loc_4048E0

Then, a variant:

mov [address], value

Where the [ ] signifies it's a memory address contained within the [], and the value put in it, in this case, is another memory address (in the code section).

To move it to a register it would be:

mov register, value ; eg : mov eax, 12345678h

The value portion can be a value, a pointer, a constant... They're all the same ... just numbers.

Little thing to keep in mind: in x86 you can't do memory-to-memory moves. So the "can I assume that dword_4870058 gets the value 10h" is completely wrong; the function at that address has NOT been called, has it? So it can't get the value 10h...

It's simply storing one value (the address of a function) into another memory block.

perror
evlncrn8
  • And presumably, the OP would find something like call ds:[dword_4870058] somewhere else in the code. Whether or not that will call this particular function needs a full flow trace to find out if it's a constant (once written, never modified), or only can be determined during run-time. – Jongware Sep 13 '14 at 10:14
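The following C program is an added example, not code from the question, the answer, or the binary being reversed. It shows the source-level construct that typically compiles to `mov [dword_4870058], offset loc_4048E0` followed, somewhere else, by `call [dword_4870058]`: a writable global function pointer. The names `target_function` and `dword_4870058` are hypothetical stand-ins for IDA's labels, and `target_function` models `mov al, 10h` as a function returning the byte 0x10. The point of the example is the one the answer makes: the store writes a code address into the global and executes nothing; the value 10h only materialises in al when the pointer is later called.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the question or answer): the C construct that
 * compiles to "mov [global], offset function" and, elsewhere, "call [global]".
 * All names below are hypothetical stand-ins for the labels IDA assigned. */

/* Counts how many times the target function actually executes. */
static int target_calls = 0;

/* Stand-in for loc_4048E0, whose body is "mov al, 10h; jmp sub_402774":
 * it produces the byte 0x10 and tail-calls another routine. Modelled here
 * simply as a function that returns 0x10 (the value al would carry). */
static uint8_t target_function(void)
{
    target_calls++;
    return 0x10;
}

/* Stand-in for dword_4870058: a 4-byte global that holds a code address,
 * i.e. a function pointer, not a data value. */
static uint8_t (*dword_4870058)(void) = NULL;

/* The "mov [dword_4870058], offset loc_4048E0" step: stores the address of
 * the function into the global. Nothing inside the function runs. Returns
 * the call count so the caller can see it is still zero. */
int store_pointer(void)
{
    dword_4870058 = target_function;
    return target_calls;            /* still 0: a store is not a call */
}

/* Confirms the global holds a code address, not the value 10h. */
int pointer_holds_code_address(void)
{
    return dword_4870058 == target_function;
}

/* The "call [dword_4870058]" step from the last comment: only now does the
 * target execute and 10h appear in al. Returns -1 if the pointer was never
 * initialised, which is the case a flow trace has to rule out. */
int call_through_pointer(void)
{
    if (dword_4870058 == NULL)
        return -1;
    return dword_4870058();         /* 0x10 */
}

int main(void)
{
    printf("after store: target ran %d times\n", store_pointer());
    printf("global holds address of target: %d\n", pointer_holds_code_address());
    printf("call through pointer returned 0x%02x (target ran %d times)\n",
           call_through_pointer(), target_calls);
    return 0;
}
```

Compile with any C compiler and run it: the store leaves the call count at zero, and only the indirect call yields 0x10. This is also why the last comment asks for a flow trace: what `call [dword_4870058]` reaches depends entirely on which address was last written to that global, so an analyst (or a detection rule watching a writable code pointer) cares about every write to it, not just the one shown in the question.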