Moving Data - 1

The most common instruction used for moving data: mov

The allowed movements are-

• Immediate Data to Register or Memory

• Between Registers

• Memory to register and vice versa

💡 mov eax, message ; moves address of message into eax 💡 mov eax, [message] ; moves value of message to eax

💡 mov Destination, Source (As we are following Intel format)

Lets understand this via code.

Compiling the above program as we use to do before, loading in gdb and Defining the hook-stop, which will show value of eax,ebx,ecx register along with next 2 instruction to be executed.

• The first instruction, which will be executed would be: mov eax, 0xaaaadddd

• stepi (nexti can also be used), using this in gdb, we can execute single instruction.

• After execution, we can see the value of eax as 0xaaaadddd

• And we can see, the next instruction, which will be executed next, mov al,0xbb

We know, whats AX,AH and AL means

• 0xaaaadddd. In this, first 4 position, aaaa, is AX, next 2 position(dd) is AH, and last 2(dd) is AL.

• So, mov al, 0xbb . This should make the value of eax as 0xaaaaddbb.

Lets check this, by again executing stepi.

As expected, value of eax becomes 0xaaaaddbb.

Similarly we can check other instructions and the changes made by them.

Divided the whole by blue line into sections, for better understanding.

1. In 1st section, we see values of registers are 0 and instruction to be executed is mov al,ds:0x804a004

2. This, ds:0x804a004 , stand for data segement at 0x804a004 memory address.

3. x/2xb 0x804a004, shows 2 bytes from 0x804a004 address. 0x804a004 is pointing to 0xaa, and next address 0x804a005 will point to next byte, i.e. 0xbb.

4. stepi will execute this, and we can see eax value as 0xaa (highlighted in yellow). And next instruction to be executed is mov ah, BYTE PTR ds:0x804a005. Which will move 0xbb in ah.

5. stepi will execute and we can see value of eax as 0xbbaa (highlighted in green). And next instruction to be executed is mov ecx, DWORD PTR ds:0x804a000. Which will move data of anydata variable into ecx.

6. stepi will execute and value of ecx is set to 0x11111111 (highlighted in cyan color)

Same way we can step through and see how values are changed in register.

Divided this into 2 sections by blue line.

• In first section, instruction that will be executed is mov ds:0x804a004, al . And the content of sample(address 0x804a004) is 0xaa.

• stepi will execute and then the content of sample(address 0x804a004) becomes 0x66.

• In second section, instruction that will be executed is mov ds:0x804a004, eax. And 4 since we are moving eax (4 bytes), so we will check 4 bytes from sample variable using x/4xb &sample.

• stepi will execute and then the content in the 4 bytes from sample variable changes to 0x66 0x55 0x44 0x33 , which is 0x33445566 in little endian)

Same will happen for next instructions where value of anydata variable is set.

This way, we were able to see how data were moved from one register to other, memory to register and so on, via mov instruction.

In the next section, lets see how we can move any data using LEA, XCHG instruction.