Iczelion writes: "assume edi:ptr IMAGE_DOS_HEADER" could somebody tell me what exactly this is doing? like I know you can't use: "mov edi, offset IMAGE_DOS_HEADER" I tried and it doesn't work. I know I must be missing some very basic concept here but what is it?
Hi there! This explanation won't be too technical..but i think it'll help :) The 'assume edi:ptr IMAGE_DOS_HEADER' gives you the opportunity to treat EDI as a 'holder' of a IMAGE_DOS_HEADER structure. Please don't misunderstand me here, this does not mean that the whole structure is inside the register, its like a pointer. So after the assume instruction you could do things like this: MOV EAX,.e_lfanew that will store in EAX the value of the e_lfanew member as you might have guessed :). Hope that helped. Ciao! Latigo
Thanks Latigo, This is very helpful and now I see what ASSUME doing. Now only thing I need to complete my understanding: is there any other way in assembly to do what ASSUME does in this case? Like why can't I move the address of the structure into eax and use that as pointer?
Although EAX wasn't used as a pointer, it doesn't mean it can't be. ASSUME is not a machine instruction--you must load the structure address into a register, EDI or EAX or whatever, with another instruction. Examples:
Instead of ASSUME EDI:xxxx, you could say ASSUME EAX:xxxx and use EAX.
mov edi,offset structure lea edi,structure mov edi, ; function argument
czDrillard, From my experience, assume is quite usefull if you have alot of work to do with a structure, especially when the structure name is long! If you only need to modify one item in a structure, then the alternative (as you suggested) would most likely be best. Below is the earlier case of why TO use assume, as well as an the alternate syntax if you didnt. An example:
Somewhere else in the code:
HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL struc IsUsed DWORD <> IsAdjusting DWORD <> StartPoint POINT <> EndPoint POINT <> EndHandle G_HANDLE <> StartHandle G_HANDLE <> RGB_COLOR DWORD ? HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL ends
The alternative to this would be:
; ebx points to an instance of the structure somewhere in memory assume ebx:PTR HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL mov .IsUsed, TRUE mov .IsAdjusting, FALSE lea ecx, SomeAddress mov .StartPoint, ecx lea ecx, SomeOtherAddress mov .EndPoint, ecx mov .EndHandle, hWnd mov .StartHandle, hInstance ; All done with the 'dirty' work, so free ebx of its assumption assume ebx:NOTHING
Dramatics asside, I think the point here is obvious :P BTW: Kool web page... NaN This message was edited by NaN, on 4/14/2001 2:04:10 AM
mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).IsUsed, TRUE mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).IsUsed, TRUE mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).IsAdjusting, FALSE lea ecx, SomeAddress mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).StartPoint, ecx lea ecx, SomeOtherAddress mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).EndPoint, ecx mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).EndHandle, hWnd mov (HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL PTR ).StartHandle, hInstance
NaN, If I don't like to ASSUME and just say
Am I wrong ??? forge
LEA ebx,HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL mov .IsUsed, TRUE mov .IsAdjusting, FALSE lea ecx, SomeAddress mov .StartPoint, ecx lea ecx, SomeOtherAddress mov .EndPoint, ecx mov .EndHandle, hWnd mov .StartHandle, hInstance
I've never tried, but as im reading it i would say yes. Your asking to CPU load into ebx the effective address of a non-instanciated stucture. My reasoning is this, if i decalaired:
How would the CPU be able to understand what my intentions were, should it be filling the memory at MemA, or MemB?? HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL is just a structure that the assembler uses to properly index to the right data fields, when a varible is defined as this. By using the structure as a template, and telling the compiler that ebx is a pointer to a varible created by this template, the operations will be translated to something like this (may be a bit different): Uncompiled Code:
.data? MemA HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL <> MemB HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL <> .code ... lea ebx, HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL mov .IsUsed, TRUE mov .IsAdjusting, FALSE etc...
assume ebx:PTR HORIFICALLY_LONG_STRUCTURE_NAME_GETS_ANNOYING_TO_FILL mov .IsUsed, TRUE mov .IsAdjusting, FALSE etc... assume ebx:NOTHING
Again, i didnt actually decompile to check, but im pretty sure this is what goes on, or at least something to this nature. NaN
mov , 1 mov , 0 etc...
Thanx people for all your input. This has been most helpful to me and it shows what a great forum we got here.