References to variables and calls to functions in a program-EEWORLD

Collect

References to variables and calls to functions in a program

cseg segment
assume cs:cseg,ds:cseg
org 100
start:
mov bx,word ptr aaa
virus_start:
call get_start
mov ah,4ch
int 21h
get_start:
mov ax,offset virus_start
ret

aaa db ''abcd'',0
cseg ends
end start

After the above program is disassembled.
-u
13E7:0064 8B1E7300 MOV BX,[0073]
13E7:0068 E80400 CALL 006F
13E7:006B B44C MOV AH,4C
13E7:006D CD21 INT 21
13E7:006F B86800 MOV AX,0068
13E7:0072 C3 RET
13E7:0073 61 DB 61
13E7:0074 62 DB 62
13E7:0075 63 DB 63
13E7:0076 64 DB 64

It can be seen that when the program references the variable aaa, it references it through an absolute address.
13E7:0064 8B1E7300 MOV BX,[0073]
8b1e is the operation code, and 7300 is the operand. It can be seen that the operand is an absolute address.

When calling a function
13E7:0068 E80400 CALL 006F,
you may think that call 006f is calling a function through an absolute address.
However, this is after disassembly and has been processed.
What we want to see is the opcode and operand. In this instruction,
the opcode is e8 and the operand is 0400 (that is, 4), which shows that it is the
instruction offset relative to 13E7:006B B44C MOV AH,4C (the next statement of call 006f).

This knowledge is the most basic knowledge to write COM and other viruses

Appendix: Function calls are divided into near, short, and far.

Short is the worst, the called function and the calling point can only have an offset of 128 bytes.

Near can reach 64k (functions in this section can be called), which is enough for COM.

Far can call functions in any segment.

Reference address：References to variables and calls to functions in a program

Previous article：How to optimize C language code
Next article：Description of the USB (D12) data communication process between PC and MCU

Popular Resources
Popular amplifiers