I 've got an address that points to a portion in the memory in a register, ecx = 009F0000. How do I retrieve the data from that address, it's an DWORD that I will have to retrieve.

Any help is much appreciated,


Posted on 2009-05-07 02:57:54 by karthikeyanck
We already covered this.

Given that ECX = ptr to buffer,

mov eax,dword ptr ; eax = first dword of data from address pointed to by ecx
Posted on 2009-05-07 03:41:21 by Homer
Thanks Homer, sorry for repeating the question there  ;)

The memory @ location 009F0000 hold an value 172, but when I move it to the register as you have said each number gets padded with 3 and it is reversed as 323731, can you please advise how would I get the whole number 172?


Posted on 2009-05-07 03:53:03 by karthikeyanck
Maybe the data in the buffer is not a dword, maybe its a string that contains some numbers "172".
The HEX values for printing the ascii digits 0-9 are 30h-39h

If its a string, we grabbed the first four bytes of the string, in reverse order (due to machine byte ordering of dwords in memory).
They are probably "00, 32, 37, 31" in Hex.

Thats "172",0 as a string, in reverse.

It would make sense.

If we find this is a string (hey, try to MessageBox it!) we need to convert the integer string to dword integer.
You can find a function in the MASM32 includes for this, called something like "ATODW" (ascii to dword).

Posted on 2009-05-07 04:04:04 by Homer
Is there a way where we could convert the string to HEX?
Posted on 2009-05-07 04:51:42 by karthikeyanck

Hex is just a number system.
We can express in the same number in different number sytems.
Normally, we use the Decimal system, which is BASE 10.
Hex is BASE 16.
Binary is BASE 2.

There are infinite possible number systems, asm coders will use these three more than any others.

Posted on 2009-05-07 05:08:23 by Homer
The reason i'm asking this question is because I have the value 323731 in the memory which is actually ASCII 172. When I move this to the register the same value is passed to it for example,

mov ecx,DWORD PTR

ECX has now got 323731, If I have to allocate memory now I would think that ECX has 172 but it has actually got 323731. In this case the function would allocate those many bytes of memory, and ofcourse a huge part of it is wasted  ;)

Correct me if am wrong on that point, just found that to be a problem when I was debugging this using Olly.


Posted on 2009-05-07 08:19:00 by karthikeyanck
then you need to convert the text value don't you...
assembly doesn't magicaly convert '172' into 172
Posted on 2009-05-07 08:29:11 by evlncrn8
As I mentioned, the function to do that is called "atodw" - its sourcecode is located in the "m32lib" folder of the MASM32 package installation.

Posted on 2009-05-07 08:45:40 by Homer
Thanks Homer  :)
Posted on 2009-05-08 01:38:22 by karthikeyanck