0
votes

Hmmm, I hope I will express my question clearly.

Now I have an assembly statement string like:

movss ****,xmm0; (intel style)

After this assembly statement is executed, a piece of the process's memory changes. So **** must be the memory address; it could be something like:

DWORD PTR [eax],
DWORD PTR [eax + 0x4],
DWORD PTR [ebp - 0x4]
...or some style I have not seen; if you know it, please do tell me.

My problem is how to programmatically get the memory address through analyzing the assembly statement string.

For example, if **** is:

DWORD PTR [eax]

Perhaps I could search the string and find the EAX register, then get the data from the EAX register; maybe it is the memory address, maybe not, it depends on the addressing system, am I right? Finally, how could I get the exact address?

1
I don't understand what you're trying to achieve. Why can't you just stick in there your DWORD PTR [eax], what prevents you from doing just that? - Alexey Frunze
@Alex Actually, the assembly statement does not belong to my process; I read the machine instruction from another running process's memory space, then translate it to an assembly statement. I want to know where this machine instruction writes to in the running process's memory space. - timestee
Then you need to have the register state of that process and disassemble its instructions. You most likely need to use some debugging and/or virtualizing tools in order to be able not only to disassemble but also know all operands at run time. - Alexey Frunze
Now I can programmatically get the register state and disassemble its instructions; actually I wrote a small debugger referring to the gdb source code. But after I get the assembly statement, I don't know how to do the next step =_=. - timestee
You read the CPU manual to see how different instructions access memory and get actual addresses from the instruction (most instructions use the MOD R/M byte optionally followed by SIB byte optionally followed by a displacement) and registers. Every [eax], [ebx+4], [ecx*4+edi+3], [bp+si] has a special encoding. You need to know if an instruction accesses memory and how. The manual has all the info about it. - Alexey Frunze

1 Answer

1
votes

Is it possible for you to use the LEA "Load Effective Address" instruction? I'm sorry, I'm not too familiar with Intel assembly, but that's what I would try.

This may help: http://en.wikibooks.org/wiki/X86_Assembly/Data_Transfer#Load_Effective_Address

Hope this helps!
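The step the question asks about, turning the operand string into an address once the debugger holds the register state as Alexey Frunze's comment describes, as an added example that is not part of the question or the answer: it parses Intel-syntax base, index*scale and displacement terms in any order and resolves them against a constructed register snapshot, wrapping to the register width. The REGS values are assumptions, not data from the page.

```python
import re

# Added example (not from the question or answer); register values are constructed.
_OPERAND_RE = re.compile(
    r'^\s*(?:(?:BYTE|WORD|DWORD|QWORD|XMMWORD)\s+PTR\s+)?\[(.*)\]\s*$', re.I)
_TERM_RE = re.compile(r'([+-]?)\s*([A-Za-z0-9_*]+)')   # signed terms inside [...]


def parse_operand(operand):
    """Split '[base + index*scale + disp]' (any term order) into its parts."""
    m = _OPERAND_RE.match(operand)
    if not m:
        raise ValueError('not a memory operand: %r' % operand)
    base = index = None
    scale, disp = 1, 0
    for sign, term in _TERM_RE.findall(m.group(1)):
        neg = sign == '-'
        if '*' in term:                          # scaled index: ecx*4 or 4*ecx
            a, b = term.split('*', 1)
            reg, sc = (a, b) if a[:1].isalpha() else (b, a)
            if neg:
                raise ValueError('scaled index cannot be negated')
            index, scale = reg.lower(), int(sc, 0)
        elif term[:1].isalpha():                 # plain register: base, then index
            if neg:
                raise ValueError('register cannot be negated')
            if base is None:
                base = term.lower()
            elif index is None:
                index = term.lower()
            else:
                raise ValueError('too many registers in %r' % operand)
        else:                                    # displacement, hex or decimal
            disp += -int(term, 0) if neg else int(term, 0)
    return base, index, scale, disp


def effective_address(operand, regs, bits=32):
    """Resolve the operand against a register snapshot; wraps like the CPU."""
    base, index, scale, disp = parse_operand(operand)
    ea = disp
    if base is not None:
        ea += regs[base]          # KeyError here means the snapshot lacks a register
    if index is not None:
        ea += regs[index] * scale
    return ea & ((1 << bits) - 1)


# Constructed register snapshot standing in for what the debugger read.
REGS = {'eax': 0x1000, 'ebp': 0x7ffd0010, 'ecx': 3, 'edi': 0x2000}
```

With `[ebp - 0x4]` the displacement is subtracted, and `[eax - 0x2000]` with eax=0x1000 wraps to 0xFFFFF000 exactly as the 32-bit CPU would compute it.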