
I disassembled a crackme with IDA Freeware and this line was amongst others:

mov     eax, ss:success_str[ebp]

I know that:

mov     eax, ss:success_str

Would basically mean eax = ss * 0x10 + success_str; however, I can't find out what the meaning of the [ebp] part at the end is.

I had a look at the bytes of the instruction: 8B 85 94 30 40 00

This table states that opcode 8B is mov r16/32 r/m16/32. So basically I guess (please correct me if I'm wrong) that the line above is equivalent to:

mov    eax, [00403094h] ; 0x403094 is actually the address of success_str

But even if I'm right, why that fancy syntax and how to read it?

GuiTeK

  • You are unlikely to be in real mode so just ignore the `ss` prefix. `ebp` is a register. You will need to find out how it's set, but presumably it's just a local variable. It's definitely not what you decoded. – Jester Feb 14 '18 at 19:02
  • Segment registers are only added like this when you are in real mode. I honestly doubt that this is a real mode program. `success_str[ebp]` indicates that the address is `success_str + ebp`. – fuz Feb 14 '18 at 19:03
  • @fuz, although in a sane universe (or OS) that will be true, it is of course possible for the SS selector to point to a descriptor that has a non-zero base. Of course that's almost always 0 but it is possible for it not to be. – Michael Petch Feb 14 '18 at 20:30
  • @MichaelPetch Yes I know. However, if OP were debugging a 16 bit Windows binary, he might have considered telling us. – fuz Feb 15 '18 at 00:05
  • @fuz : My comment was in the context of 32-bit protected mode as I mentioned selector and descriptors and the base. Nothing in his question said "real mode", except for his equation that he thought may have applied outside of protected mode. – Michael Petch Feb 15 '18 at 00:47

1 Answer

See calculation of effective address of Intel x86 memory operands. "ss" is the segment part of the logical address, in this case the name of a segment register. Only in real mode does it affect the physical address just as you assumed. In most protected memory modes (which all modern OSes use), it is not so; instead, the segment base value is kept in an internal segment table; it is loaded with special instructions in advance. However, in an application mode context (i.e., if you are not considering functions of an OS for physical address isolation and such) you can safely ignore segmentation in many cases.

why that fancy syntax and how to read it?

Because it is the Intel IA-32 and Intel 64 architecture, and it has very complex addressing modes (the example you have is not even of medium complexity given how operands are addressed in the AVX-512 ISA extension). The notation you see is called "Intel syntax". There is also the so-called "AT&T syntax", which is used just as often and which some people consider even more unintuitive (I am used to working with both variants and frankly do not care). To learn how to read it, download the "Intel Software Development Manual" here and read the first chapters of volume 2A.

Grigory Rechistov
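As an added example (not code from the question or the answer), the following Python decodes the bytes quoted in the question, 8B 85 94 30 40 00, into their ModRM fields: mod=10 with rm=101 selects ebp as base register plus a 32-bit displacement, which is why IDA prints `success_str[ebp]` rather than a plain `[403094h]`, and why ebp/esp-based operands default to the ss segment. It assumes a 32-bit code segment with no prefixes and does not handle the SIB form (rm=100); the register table and the flat-mode effective-address helper are written for this example.

```python
# Added example, not code from the question or answer: decode the ModRM byte
# of "8B 85 94 30 40 00" to show why it is [ebp + disp32], not [403094h].
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_mov_r32_rm32(code: bytes) -> dict:
    """Decode opcode 8B (MOV r32, r/m32) memory forms that have no SIB byte."""
    if code[0] != 0x8B:
        raise ValueError("expected opcode 8B")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if rm == 4:
        raise NotImplementedError("SIB byte (rm=100) not handled here")
    if mod == 3:
        raise ValueError("register-direct form, not a memory operand")
    if mod == 0 and rm == 5:
        # mod=00, rm=101: disp32 only, no base register (bytes 8B 05 ...).
        disp = int.from_bytes(code[2:6], "little", signed=True)
        base, length = None, 6
    elif mod == 0:
        disp, base, length = 0, REGS32[rm], 2
    elif mod == 1:
        disp = int.from_bytes(code[2:3], "little", signed=True)  # disp8
        base, length = REGS32[rm], 3
    else:
        # mod=10: base register + disp32; 0x85 gives rm=101 -> ebp.
        disp = int.from_bytes(code[2:6], "little", signed=True)
        base, length = REGS32[rm], 6
    # Default segment: ebp/esp-based operands use SS, all others DS.
    seg = "ss" if base in ("ebp", "esp") else "ds"
    return {"dst": REGS32[reg], "base": base, "disp": disp,
            "seg": seg, "length": length}

def intel_syntax(d: dict) -> str:
    """Render the decoded instruction in plain Intel syntax."""
    if d["base"] is None:
        mem = f"[{d['disp'] & 0xFFFFFFFF:X}h]"
    elif d["disp"] == 0:
        mem = f"[{d['base']}]"
    else:
        sign = "+" if d["disp"] >= 0 else "-"
        mem = f"[{d['base']}{sign}{abs(d['disp']):X}h]"
    return f"mov {d['dst']}, {d['seg']}:{mem}"

def effective_address(d: dict, regs: dict) -> int:
    """Offset in flat protected mode: base register value + displacement."""
    base = regs.get(d["base"], 0) if d["base"] else 0
    return (base + d["disp"]) & 0xFFFFFFFF
```

Changing the second byte from 85 to 05 (mod=00, rm=101) yields the displacement-only form the question guessed at, so the two encodings differ in exactly that byte.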