Hey guys, got a simple question that i am trying to understand according to sandpile.org the MOD byte can represent a list of regs (EAX to EDI), XMM, CR0, etc
Including the segments like:
CS, DS, GS, etc
Now lets check the encoding of DS segment on EAX:
83 00 01 ADD DWORD PTR "DS":[EAX], 1
Ok now trying the encoding with SS segment on EAX:
36 83 00 01 ADD DWORD PTR "SS":[EAX], 1
Prefix 36 (SS segment) added. But why i am forced to set this prefix if i can compile the opcode like this:
830424 01 ADD DWORD PTR "SS":[ESP],1
Trying to force the encoding on the SIB byte extra:
110 000 (30 hex) = SS segment with EAX reg (according to sandpile)
Ollydbg shows me:
004018A2 830430 01 ADD DWORD PTR DS:[EAX+ESI],1
Is this a rule?, that ESP is the only reg i can use for SS segment without adding the prefix 36?.
Thanks
the different general registers are all associated with default segment selectors
if you don't specify a segment over-ride, the default is used
also, in cases where you DO specify a segment over-ride, but it is the same as the default, masm will not place any over-ride
for most of the general registers, DS is the default, with the following exceptions:
BP/EBP when used alone, will use SS
if combined with one of the other general registers (like [EBX+EBP]) then the default is DS
SP/ESP will use SS
DI/EDI will use ES when used with a string instruction (MOVS, CMPS, SCAS, STOS, LODS)
otherwise, it will use DS
in 32-bit code, the segment registers CS, DS, ES, SS all point to the same address space
so there is, quite often, no need for segment over-rides
also - when accessing a memory location with a literal address, the assembler wants a segment over-ride prefix
for example:
mov eax,[00400100h]
will generate an assembly error
a segment over-ride prefix is required, even if it is the default (DS)
mov eax,DS:[00400100h]
i can't really say why they did it that way - lol
i guess they want to be sure you know what you are doing :P
it may be because there is no default segment register assigned to absolute address space ::)
Quote from: dedndave on November 05, 2010, 12:16:20 AM
the different general registers are all associated with default segment selectors
if you don't specify a segment over-ride, the default is used
also, in cases where you DO specify a segment over-ride, but it is the same as the default, masm will not place any over-ride
for most of the general registers, DS is the default, with the following exceptions:
BP/EBP when used alone, will use SS
if combined with one of the other general registers (like [EBX+EBP]) then the default is DS
SP/ESP will use SS
DI/EDI will use ES when used with a string instruction (MOVS, CMPS, SCAS, STOS, LODS)
otherwise, it will use DS
in 32-bit code, the segment registers CS, DS, ES, SS all point to the same address space
so there is, quite often, no need for segment over-rides
also - when accessing a memory location with a literal address, the assembler wants a segment over-ride prefix
for example:
mov eax,[00400100h]
will generate an assembly error
a segment over-ride prefix is required, even if it is the default (DS)
mov eax,DS:[00400100h]
i can't really say why they did it that way - lol
i guess they want you to be sure you know what you are doing
As usual very thankful for your help dedndave.
I noted that you can change the segment with opcodes like:
MOV DS, AXUnder the 32-bit code i see no reasons why, but there is some kind of "trick" that some one could do, for changing DS segment and still access memory location on a valid matter?.
I try:
MOV DS, AX
AX == 00No error happen on the instruction, otherwise when accesing memory i have exception (of course). But trying:
MOV DS, AX
AX == 16I cant execute the instruction (access violation). Got any idea of why this behaviour?.
well - you are accessing protected address space - thus, the exception
you should understand that, in 32-bit code, segment registers are what they are - lol
they are accessed only in special applications, like drivers or when accessing memory outside the assigned address space
this is because your EXE is assigned 4 Gb of address space - a lot of room to work
you shouldn't have to worry too much about them until you are an advanced programmer
in 16-bit programs, where you could only address 64 Kb at a time, the segment registers were extremely important
they were modified regularly so that programs could access more than one 64 Kb memory segment
Quote from: dedndave on November 05, 2010, 12:45:13 AM
well - you are accessing protected address space - thus, the exception
you should understand that, in 32-bit code, segment registers are what they are - lol
they are accessed only in special applications, like drivers or when accessing memory outside the assigned address space
this is because your EXE is assigned 4 Gb of address space - a lot of room to work
you shouldn't have to worry too much about them until you are an advanced programmer
in 16-bit programs, where you could only address 64 Kb at a time, the segment registers were extremely important
they were modified regularly so that programs could access more than one 64 Kb memory segment
Thanks dedndave, i worry about them not caused i liked to, my sandbox is for analyzing process, so there might be a little chance that some coders play with the segment or do some tricks for avoid the scaner to work.
Thats why i am doing alot of questions about them :(
For example the last exception of moving into DS segment the 16 value, my scanner could not handle the exception, thus making the whole thing goes wrong. Thats why i need to put myself on every crazy situation hehehe
In real mode a segment register points to a 64K chunk of memory, in 32-bit protected mode it is a selector - an index into the descriptor table.
The table has the range of memory that the selector can access, as well as a lot of protection flags (e.g. CS is usually read/execute, so writing
with a CS: override causes an exception). Combined with the selector's IOPL bits means exceptions can occur for a lot of reasons (our old friend C0000005)...
In 64-bit long mode the segment registers (except for FS/GS in a special case) are ignored.
Quote from: sinsi on November 05, 2010, 02:35:58 AM
In real mode a segment register points to a 64K chunk of memory, in 32-bit protected mode it is a selector - an index into the descriptor table.
The table has the range of memory that the selector can access, as well as a lot of protection flags (e.g. CS is usually read/execute, so writing
with a CS: override causes an exception). Combined with the selector's IOPL bits means exceptions can occur for a lot of reasons (our old friend C0000005)...
In 64-bit long mode the segment registers (except for FS/GS in a special case) are ignored.
Can i access this descriptor table under 32 bit protected mode? So i can gather some info about the segments?
Also the FS segment wich point to the TIB (if i am not wrong) changes on every process, does this happen with another segment?
Thanks