News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

Opcode Segment Encoding

Started by theunknownguy, November 04, 2010, 11:11:50 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

theunknownguy

November 04, 2010, 11:11:50 PM
Hey guys, got a simple question that i am trying to understand according to sandpile.org the MOD byte can represent a list of regs (EAX to EDI), XMM, CR0, etc

Including the segments like:

CS, DS, GS, etc

Now lets check the encoding of DS segment on EAX:

Code Select
83 00 01  ADD DWORD PTR "DS":[EAX], 1


Ok now trying the encoding with SS segment on EAX:

Code Select
36 83 00 01 ADD DWORD PTR "SS":[EAX], 1


Prefix 36 (SS segment) added. But why i am forced to set this prefix if i can compile the opcode like this:

Code Select
830424 01                                ADD DWORD PTR "SS":[ESP],1

Trying to force the encoding on the SIB byte extra:

Code Select
110  000 (30 hex) = SS segment with EAX reg (according to sandpile)

Ollydbg shows me:

Code Select
004018A2                                                                   830430 01                                ADD DWORD PTR DS:[EAX+ESI],1


Is this a rule?, that ESP is the only reg i can use for SS segment without adding the prefix 36?.

Thanks






dedndave

#1
November 05, 2010, 12:16:20 AM
the different general registers are all associated with default segment selectors
if you don't specify a segment over-ride, the default is used
also, in cases where you DO specify a segment over-ride, but it is the same as the default, masm will not place any over-ride
for most of the general registers, DS is the default, with the following exceptions:

BP/EBP when used alone, will use SS
if combined with one of the other general registers (like [EBX+EBP]) then the default is DS

SP/ESP will use SS

DI/EDI will use ES when used with a string instruction (MOVS, CMPS, SCAS, STOS, LODS)
otherwise, it will use DS

in 32-bit code, the segment registers CS, DS, ES, SS all point to the same address space
so there is, quite often, no need for segment over-rides

also - when accessing a memory location with a literal address, the assembler wants a segment over-ride prefix
for example:
Code Select
        mov     eax,[00400100h]
will generate an assembly error
a segment over-ride prefix is required, even if it is the default (DS)
Code Select
        mov     eax,DS:[00400100h]
i can't really say why they did it that way - lol
i guess they want to be sure you know what you are doing   :P
it may be because there is no default segment register assigned to absolute address space   ::)

theunknownguy

#2
November 05, 2010, 12:27:45 AM
Quote from: dedndave on November 05, 2010, 12:16:20 AM
the different general registers are all associated with default segment selectors
if you don't specify a segment over-ride, the default is used
also, in cases where you DO specify a segment over-ride, but it is the same as the default, masm will not place any over-ride
for most of the general registers, DS is the default, with the following exceptions:

BP/EBP when used alone, will use SS
if combined with one of the other general registers (like [EBX+EBP]) then the default is DS

SP/ESP will use SS

DI/EDI will use ES when used with a string instruction (MOVS, CMPS, SCAS, STOS, LODS)
otherwise, it will use DS

in 32-bit code, the segment registers CS, DS, ES, SS all point to the same address space
so there is, quite often, no need for segment over-rides

also - when accessing a memory location with a literal address, the assembler wants a segment over-ride prefix
for example:
Code Select
        mov     eax,[00400100h]
will generate an assembly error
a segment over-ride prefix is required, even if it is the default (DS)
Code Select
        mov     eax,DS:[00400100h]
i can't really say why they did it that way - lol
i guess they want you to be sure you know what you are doing

As usual very thankful for your help dedndave.

I noted that you can change the segment with opcodes like:

Code Select
MOV DS, AX

Under the 32-bit code i see no reasons why, but there is some kind of "trick" that some one could do, for changing DS segment and still access memory location on a valid matter?.

I try:

Code Select
MOV DS, AX
AX == 00

No error happen on the instruction, otherwise when accesing memory i have exception (of course). But trying:

Code Select
MOV DS, AX
AX == 16

I cant execute the instruction (access violation). Got any idea of why this behaviour?.



dedndave

#3
November 05, 2010, 12:45:13 AM
well - you are accessing protected address space - thus, the exception

you should understand that, in 32-bit code, segment registers are what they are - lol
they are accessed only in special applications, like drivers or when accessing memory outside the assigned address space
this is because your EXE is assigned 4 Gb of address space - a lot of room to work
you shouldn't have to worry too much about them until you are an advanced programmer

in 16-bit programs, where you could only address 64 Kb at a time, the segment registers were extremely important
they were modified regularly so that programs could access more than one 64 Kb memory segment

theunknownguy

#4
November 05, 2010, 01:53:53 AM
Quote from: dedndave on November 05, 2010, 12:45:13 AM
well - you are accessing protected address space - thus, the exception

you should understand that, in 32-bit code, segment registers are what they are - lol
they are accessed only in special applications, like drivers or when accessing memory outside the assigned address space
this is because your EXE is assigned 4 Gb of address space - a lot of room to work
you shouldn't have to worry too much about them until you are an advanced programmer

in 16-bit programs, where you could only address 64 Kb at a time, the segment registers were extremely important
they were modified regularly so that programs could access more than one 64 Kb memory segment

Thanks dedndave, i worry about them not caused i liked to, my sandbox is for analyzing process, so there might be a little chance that some coders play with the segment or do some tricks for avoid the scaner to work.

Thats why i am doing alot of questions about them  :(

For example the last exception of moving into DS segment the 16 value, my scanner could not handle the exception, thus making the whole thing goes wrong. Thats why i need to put myself on every crazy situation hehehe

sinsi

#5
November 05, 2010, 02:35:58 AM
In real mode a segment register points to a 64K chunk of memory, in 32-bit protected mode it is a selector - an index into the descriptor table.
The table has the range of memory that the selector can access, as well as a lot of protection flags (e.g. CS is usually read/execute, so writing
with a CS: override causes an exception). Combined with the selector's IOPL bits means exceptions can occur for a lot of reasons (our old friend C0000005)...
In 64-bit long mode the segment registers (except for FS/GS in a special case) are ignored.
Light travels faster than sound, that's why some people seem bright until you hear them.

theunknownguy

#6
November 05, 2010, 02:42:29 AM
Quote from: sinsi on November 05, 2010, 02:35:58 AM
In real mode a segment register points to a 64K chunk of memory, in 32-bit protected mode it is a selector - an index into the descriptor table.
The table has the range of memory that the selector can access, as well as a lot of protection flags (e.g. CS is usually read/execute, so writing
with a CS: override causes an exception). Combined with the selector's IOPL bits means exceptions can occur for a lot of reasons (our old friend C0000005)...
In 64-bit long mode the segment registers (except for FS/GS in a special case) are ignored.

Can i access this descriptor table under 32 bit protected mode? So i can gather some info about the segments?

Also the FS segment wich point to the TIB (if i am not wrong) changes on every process, does this happen with another segment?

Thanks
Print
Go Up Pages1
User actions