2

I just had a question I couldn't seem to find a decent answer to.
I'm given this code:

0020 mov eax, [ebp+0x0c]; value inside = 0x000000ff
0023 mov cl, [ebp+ox08]; value inside- 0x82
0026 cmp al, cl  
0028 jl label             ;label is at address 003c, jl is signed
002a nop
002b
...
003c label:sub al,cl

If the value in [ebp+0x08] is 0x82 and ecx is 0xabcd1234 before executing this code, what is the value of eax after executing this code?
Would it clear the upper bits so that ecx is 0x00000082 or would ecx be 0xabcd1282?

Also what's the address from which the offset to the jl instruction is calculated?
And how would you determine the value of the offset for the jl instruction?

Isn't the value of al greater than cl? So wouldn't jl not jump?

thanks in advance

Fifoernik
  • 9,779
  • 1
  • 21
  • 27
Monica
  • 33
  • 5
  • `jl` is a *signed* less-than. You need to interpret your numbers as signed 2's complement. i.e. `0xff - 256` and `0x82 - 256`, because they both have their sign bit set. – Peter Cordes Oct 06 '17 at 05:01
  • 1
    writing low8 / low16 registers doesn't modify the upper bytes. This is different from writing 32-bit register, which does zero the full 64-bit register. https://stackoverflow.com/questions/11177137/why-do-most-x64-instructions-zero-the-upper-part-of-a-32-bit-register – Peter Cordes Oct 06 '17 at 05:02
  • You have at least 3 totally separate questions here. Please don't do that, see [ask]. If you want to see how the assembler calculates the jmp displacement from the end of the instruction, assemble that code and then look at disassembly + hexdump of the machine code bytes. See also https://stackoverflow.com/tags/x86/info for links to manuals and guides. Intel's x86 manuals cover all the details of instruction encoding. – Peter Cordes Oct 06 '17 at 05:06
  • My bad. These are all questions related to the same code, so I thought it wouldn't make sense to ask three related questions about the same code three separate times. I'm taking a college course where I don't really write code, it is just primarily understanding the concepts. So I'm unaware how to run any of this. However, Thank you for your input Peter. – Monica Oct 06 '17 at 18:35
  • 1
    If you strip out the addresses, it will assemble with NASM or MASM. If you have a Linux machine, see https://stackoverflow.com/a/39551489/224132 for a Hello World example and the commands to use to build it into an executable. Put in these instructions with appropriate stores to create the right values in memory (after `mov ebp, esp`), then single-step in GDB. (example of using gdb at the bottom of https://stackoverflow.com/a/39551489/224132). – Peter Cordes Oct 06 '17 at 18:54

1 Answers1

3

The value in ecx after loading cl is 0xabcd1282.

cl (signed -126 / unsigned 130) is less than al (signed -1 / unsigned 255) regardless of whether it is treated as signed or unsigned. (In this case, it is treated as signed by jl.) So the jump is not taken. Since we don't know what instructions are between 0x2b and 0x3c, there's no way to know what the final values of eax and ecx are.

The offset for the jump is 0x12 (0x3c - 0x2a, the address of the destination minus the address of the next instruction).

Fifoernik
  • 9,779
  • 1
  • 21
  • 27
prl
  • 11,716
  • 2
  • 13
  • 31