0

I came across the following lines of code:

assume esi:ptr IMAGE_NT_HEADERS

lea esi,[esi].OptionalHeader

and for the second day I can’t figure it out: 1.why you don’t need to specify the data type before ptr here.

2.why assume with ptr is used here. I read that this directive requires a data type, but I don't quite understand how it works. I studied masm on a dos system, and there this directive connected two registers, what it does here - I do not quite understand.

Why can't you just refer to IMAGE_NT_HEADERS as:

lea esi, [IMAGE_NT_HEADERS].OptionalHeader

in Windows, a flat model is used and there is no need to bind segment registers and IMAGE_NT_HEADERS is a regular structure or did I misunderstand?

Improve this question
6
  • You can have the assembler show you the difference: Write it one way, then write it the other way, and compare the output. Commented Mar 23, 2023 at 12:02
  • ASSUME as used here just tells MASM that esi points to a structure of type IMAGE_NT_HEADERS so you can use the syntax [esi].OptionalHeader instead of a magic constant [esi+xx]. See this. This has nothing to do with segmentation, the PTR after ASSUME is what makes the difference. Commented Mar 23, 2023 at 12:28
  • @MargaretBloom ok, I understand that, but why is it not necessary to specify the data type before ptr? if it automatically assigns it, which one? Commented Mar 23, 2023 at 13:51
  • @Jekgley IMAGE_NT_HEADERS is a type. The syntax is ASSUME <register>: PTR <type>. Commented Mar 23, 2023 at 17:16
  • The MASM grammar says the syntax is ASSUME assumeList where assumeList is a list of assumeReg, and assumeReg is register : assumeVal. assumeVal is either a qualifiedType or the magic words ERROR or NONE. A qualifiedType is either a type or an optional distance, then the magic word PTR, and then another optional qualifiedType. In assume esi:ptr IMAGE_NT_HEADERS, esi is the register and IMAGE_NT_HEADERS is the type. You are in fact required to put the PTR before the type. Commented Mar 23, 2023 at 17:45
Related questions
147
How does this milw0rm heap spraying exploit work?
1
Explained polymorphic obfuscation using the difference within two asm codes
1
Question about "Link Map" output and "Assume" directive of MASM assembler
Load 5 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.