Assembly is Too High Level: Load InEffective Address 1


lia05

The LEA (Load Effective Address) instruction allows us to copy the address of a memory location (in the memory addressing format you would find in ModR/M encoding) into a register. This instruction is also often used as a multiplication math hack used in place of MUL when LEA can be used instead. With the memory (pointer) encoding of the ModR/M byte (and the SIB) bytes, we are able to add 3 different numbers (two of them registers, one of them an immediate), and one of those numbers (one of the registers) can be multiplied by 2,4, or 8. For example, we could use LEA to compute (30 * 8) + 5 + 10. It would look like this:

lia01

The answer in hex is 0xff, which is 255 in decimal; the expected value.

Those are some ‘effective’ ways to use LEA, but let’s explore an impossible way to do it (there will be errors). Even though the Instruction format in the manual shows ‘LEA r32,m‘ (assuming the 32 bit version), it still shows the /r for the Opcode section. This implicitly means that we can encode for ‘LEA r32, r32/m‘; both operands can be encoded as a register. For this LEA instruction to work how it’s supposed to, the source operand (2nd one) needs to be a memory address (not a register).

As you probably can guess by the theme of any of these “Assembly is Too High Level” posts, we probably can’t do this in assembly…

lia02

Not that it will be useful (unless you like having errors thrown in obscure ways), but we will encode the above instruction directly in machine code. Running this instruction will cause an error. The edb debugger shows the 2nd operand as invalid (astute observation) and then you get an illegal instruction fault (true).

lia03

 

objdump shows a more interesting output, it splits the operand byte off and interprets it as its own instruction (rolb).

lia04

Either way you cut it, as advertised, it’s not very effective.


Leave a comment

Your email address will not be published. Required fields are marked *

One thought on “Assembly is Too High Level: Load InEffective Address

  • Robert Clausecker

    lea without a memory operand has always been an illegal instruction with various different effects over time. I thought the encoding 0x8d 0xC0–0xFF (i.e. lea without a memory operand) is being used as a part of the VEX encoding scheme, but I erred there, 0x8F (pop) with an extended opcode field unequal to 0 is used instead.