Hello, I'm wondering why this command "mov eax, [eax]" changes the content of eax from rubbish to a readable string in the following code:

___:004160CB arg_0= dword ptr  4
___:004160CB
___:004160CB mov     eax, [esp+arg_0]
___:004160CF push    esi
___:004160D0 mov     esi, ecx
___:004160D2 cmp     esi, eax
___:004160D4 jnz     short loc_4160DA
___:004160D6 mov     eax, esi
___:004160D8 jmp     short loc_416151
___:004160DA ; ---------------------------------------------------------------------------
___:004160DA
___:004160DA loc_4160DA:
___:004160DA mov     eax, [eax]    ; HERE <<<<<<<<<<<<<<<<<<<<<
___:004160DC test    eax, eax
___:004160DE push    edi
___:004160DF jz      short loc_4160E6
___:004160E1 lea     edi, [eax-0Ch]
___:004160E4 jmp     short loc_4160E8
___:004160E6 ; ---------------------------------------------------------------------------
___:004160E6
___:004160E6 loc_4160E6:
___:004160E6 xor     edi, edi
___:004160E8
___:004160E8 loc_4160E8:
___:004160E8 test    edi, edi
___:004160EA jnz     short loc_416110
___:004160EC mov     eax, [esi]
___:004160EE test    eax, eax
___:004160F0 jz      short loc_41614E
___:004160F2 lea     edi, [eax-0Ch]
___:004160F5 push    edi                             ; lpAddend
___:004160F6 call    InterlockedDecrement
___:004160FC test    eax, eax
___:004160FE jg      short loc_41610B
___:00416100 push    edi
___:00416101 mov     ecx, offset dword_AB6500
___:00416106 call    sub_406151
___:0041610B
___:0041610B loc_41610B:
___:0041610B and     dword ptr [esi], 0
___:0041610E jmp     short loc_41614E
___:00416110 ; ---------------------------------------------------------------------------
___:00416110
___:00416110 loc_416110:
___:00416110 cmp     dword ptr [edi], 0FFFFFFFFh
___:00416113 jnz     short loc_416121
___:00416115 push    0FFFFFFFFh                      ; Size
___:00416117 push    eax                             ; Str
___:00416118 mov     ecx, esi
___:0041611A call    FormatString
___:0041611F jmp     short loc_41614E
___:00416121 ; ---------------------------------------------------------------------------
___:00416121
___:00416121 loc_416121:
___:00416121 push    ebx
___:00416122 push    edi                             ; lpAddend
___:00416123 call    InterlockedIncrement
___:00416129 mov     eax, [esi]
___:0041612B test    eax, eax
___:0041612D jz      short loc_416148
___:0041612F lea     ebx, [eax-0Ch]
___:00416132 push    ebx                             ; lpAddend
___:00416133 call    InterlockedDecrement
___:00416139 test    eax, eax
___:0041613B jg      short loc_416148
___:0041613D push    ebx
___:0041613E mov     ecx, offset dword_AB6500
___:00416143 call    sub_406151
___:00416148
___:00416148 loc_416148:
___:00416148 add     edi, 0Ch
___:0041614B mov     [esi], edi
___:0041614D pop     ebx
___:0041614E
___:0041614E loc_41614E:
___:0041614E mov     eax, esi
___:00416150 pop     edi
___:00416151
___:00416151 loc_416151:
___:00416151 pop     esi
___:00416152 retn    4
___:00416152 CGame__ShowMessage endp

Before the command is ran, EAX is some rubbish that isn't readable. But when the command is ran, EAX clears up to a readable string! I was wondering how, why and where the string comes from :s.

Can anyone help me with this? Thank you.

Rubbish? You mean a pointer to data memory?

mov eax,[eax]

moves the contents of memory pointed to by eax into the eax register!

You don't have enough information, for more detail other then eax is loaded from the stack as a passed argument, but its compared to other registers that don't have source or value information!

Thanks for your reply, wildgoose :)

Here's the stack:

004160C6 000023F3
004160CA 24448BC3
004160CE F18B5604
004160D2 0475F03B
004160D6 77EBC68B
004160DA C085008B
004160DE 8D057457
004160E2 02EBF478
004160E6 FF85FF33
004160EA 068B2475
004160EE 5C74C085
004160F2 57F4788D
004160F6 C21C15FF
004160FA C085009D
004160FE B9570B7F
00416102 00AB6500 ___:dword_AB6500

or

EAX: 00DB8928
EBX: 00DB88CC
ECX: 0018FEEC
EDX: 7EFDD000
ESI: 0018FEEC
EDI: 0018FEEC
EBP: 0018FEA4
ESP: 0018FE78
EIP: 004160DA
EFL: 00000283

I hope that this is the information you need :x I'm not that good with IDA :p

Yep, EAX, and EBX look like data addresses to me!

Your stack is out of context!

You need to set the breakpoint at function start. Dump the data referenced by the pointers on the stack. Dump the registers at that time.

ECX, ESI, EDI, EBP, ESP appear to be stack index references!

This article has been dead for over six months. Start a new discussion instead.