Assembler system () called in C

So, I made a very simple C program to learn how C works internally. It only has one line in main(), excluding return 0:

system("cls");

If I use OllyDbg to parse this program, it shows something like this (the text after the comma is the comments generated by OllyDbg):

MOV DWORD PTR SS:[ESP],test_1.004030EC     ; ||ASCII "cls"
CALL <JMP.&msvcrt.system>                ; |\system

Can someone please explain what this means? If I want to change the "cls" passed to system() to a different command, where is "cls" stored, and how can I change it?

1 answer


You are using a 32-bit Windows system with the appropriate ABI (assumptions used when calling functions).

MOV DWORD PTR SS:[ESP],test_1.004030EC

This is equivalent to the instruction push 4030ech, which simply stores the address of the cls string on the stack. This is how the argument is passed to the function, and it tells us the cls string is at address 4030ech.

CALL <JMP.&msvcrt.system>                ; |\system

This is a call to the function system from the CRT. The JMP in the name relates to how linking works by default with Visual Studio compilers and linkers.

Thus, these two lines simply pass the address of the string to the function system.

If you want to change it, you need to check whether it's in a writeable section (I think not) by checking the PE sections; your debugger has a tool to do that. Or you can just try the following anyway: inspect the memory at 4030ech, you will see the string; try to edit it (how depends on the debugger).

Note: I am using TASM notation for hex numbers, i.e. 123h means 0x123 in C.
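Checking whether the address holds writable memory, as the answer suggests, comes down to finding which PE section it falls in and whether that section's characteristics include IMAGE_SCN_MEM_WRITE. The following Python script is an added example, not code from the question or answer; it parses the PE32 section table and applies the check to a constructed header (the section layout and the mapping of 0x4030EC to .rdata are assumptions for illustration, not taken from the poster's binary).

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000   # section characteristic flag from winnt.h

def parse_sections(pe):
    """Return (image_base, [(name, rva, virtual_size, characteristics)]) for a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i         # IMAGE_SECTION_HEADER (40 bytes each)
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii")
        vsize, rva = struct.unpack_from("<II", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, rva, vsize, chars))
    return image_base, sections

def section_for_address(pe, va):
    """Map a virtual address to (section name, writable?) or None if no section maps it."""
    base, sections = parse_sections(pe)
    for name, rva, vsize, chars in sections:
        if base + rva <= va < base + rva + vsize:
            return name, bool(chars & IMAGE_SCN_MEM_WRITE)
    return None

def build_sample_pe():
    """Constructed PE32 header only (no section data): base 0x400000 with .text, .rdata, .data."""
    def section(name, rva, size, chars):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, rva, size, 0, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", 0x400000)
    opt += b"\0" * (224 - len(opt))                        # pad to the full PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x102)
    return (dos + b"PE\0\0" + coff + opt
            + section(b".text", 0x1000, 0x2000, 0x60000020)    # code: read + execute
            + section(b".rdata", 0x3000, 0x1000, 0x40000040)   # read-only data (string literals)
            + section(b".data", 0x4000, 0x1000, 0xC0000040))   # read + write data

if __name__ == "__main__":
    pe = build_sample_pe()
    print(section_for_address(pe, 0x4030EC))   # ('.rdata', False): the "cls" literal is not writable
```

On a real binary, read the file into `pe` instead of calling build_sample_pe(); an address that lands in a section without the write flag will fault if patched at run time unless the page protection is changed first.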
