
[Image: the disassembly snippet the question refers to; the image itself is not available here]

Given the above code, I am struggling to understand what happens in lines 5 and 6.

As I understand it, in line 5 the address of the ESP is loaded into the EAX register. While there may be the value 4 stored at ESP at that point, the address is not known. So given this uncertainty, how can we know in line 6 what the value of EAX is, if we do not know the address of ESP in line 5?

  • Hi and welcome to RE.SE. Basically line 5 reads some sort of size/length field (probably a length of 2-byte elements) and line 6 loads the address of where esp points plus eax elements (likely of 2-byte size) + 4 ... so it's reaching into some sort of structure, I suppose. What's unclear about line 6? The first lines look like the prologue of a function, so esp will point to the top of the stack which we can assume to be already populated ... – 0xC0000022L Apr 26 '21 at 20:37
  • 1
    I know we are not supposed to ask new contributors to search so obliging to that rule here is a possible answer – blabb Apr 27 '21 at 04:09

1 Answer


I'm not 100% sure, but I think you're misunderstanding line 5: it's not reading the address of esp into eax, but the value stored at wherever esp is pointing to; that's what the dword ptr [xxx] is indicating.

In this snippet, that would be the value 4 because it was pushed to the stack last.

Commenting the lines from 6 onward:

lea eax, [esp + eax * 2 + 4]        ; eax = esp + 4*2 + 4 = esp + 12
sub eax, 8                          ; eax = esp + 12 - 8 = esp + 4
mov eax, dword ptr [eax]            ; eax = value at [esp+4] = 2 (pushed in line 3)
pop ebx                             ; pop the 4 off the stack into ebx
add esp, 4                          ; pop the 2 off the stack by simply moving the stack pointer
add eax, ebx                        ; eax = 2 + 4

So the code is just juggling the two pushed numbers around and eventually adds them in eax.

Johann Aydinbas
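An added example, not part of the question or the answer: a small Python model of a 32-bit stack that walks the same instructions the answer comments on and shows that the final eax does not depend on where esp actually points. It assumes lines 3 and 4 of the snippet are `push 2` and `push 4` (the page only implies this) and ignores the function prologue in lines 1 and 2.

```python
# Minimal model of the 32-bit stack for the snippet discussed above.
# Memory is a dict of 4-byte slots; esp starts at an arbitrary address.
WORD = 4
MASK = 0xFFFFFFFF


class Cpu:
    def __init__(self, esp):
        self.regs = {"eax": 0, "ebx": 0, "esp": esp}
        self.mem = {}  # address -> 32-bit value (constructed; starts empty)

    def push(self, value):
        self.regs["esp"] -= WORD
        self.mem[self.regs["esp"]] = value & MASK

    def pop(self, reg):
        self.regs[reg] = self.load(self.regs["esp"])
        self.regs["esp"] += WORD

    def load(self, addr):
        # dword ptr [addr]: read the value stored AT addr, not addr itself
        if addr not in self.mem:
            raise ValueError(f"uninitialised stack slot {addr:#x}")
        return self.mem[addr]


def run_snippet(esp_start):
    """Execute the snippet and return (eax, esp) at the end."""
    cpu = Cpu(esp_start)
    r = cpu.regs
    cpu.push(2)                                    # line 3 (assumed): push 2
    cpu.push(4)                                    # line 4 (assumed): push 4
    r["eax"] = cpu.load(r["esp"])                  # line 5: mov eax, dword ptr [esp]
    r["eax"] = (r["esp"] + r["eax"] * 2 + 4) & MASK  # line 6: lea eax, [esp+eax*2+4]
    r["eax"] = (r["eax"] - 8) & MASK               # sub eax, 8
    r["eax"] = cpu.load(r["eax"])                  # mov eax, dword ptr [eax]
    cpu.pop("ebx")                                 # pop ebx
    r["esp"] += 4                                  # add esp, 4
    r["eax"] = (r["eax"] + r["ebx"]) & MASK        # add eax, ebx
    return r["eax"], r["esp"]


def independent_of_esp(candidates=(0x0019FF80, 0xBFFFF000, 0x7FFDE000)):
    """eax ends as 2 + 4 = 6 and esp is restored, whatever esp started as."""
    return all(run_snippet(s) == (6, s) for s in candidates)
```

Only the relative layout of the two pushed values matters to the address arithmetic in line 6, which is why the answer can resolve eax to 6 without knowing esp.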