1.5. HELLO, WORLD!
0x00400604 0c01 0000 1400 0000 0000 0000 017a 5200 .............zR.
0x00400614 0178 1001 1b0c 0708 9001 0710 1400 0000 .x..............
0x00400624 1c00 0000 08fe ffff 2a00 0000 0000 0000 ...............
0x00400634 0000 0000 1400 0000 0000 0000 017a 5200 .............zR.
0x00400644 0178 1001 1b0c 0708 9001 0000 2400 0000 .x..........$...
0x00400654 1c00 0000 98fd ffff 3000 0000 000e 1046 ........0......F
0x00400664 0e18 4a0f 0b77 0880 003f 1a3b 2a33 2422 ..J..w...?.;3$"
0x00400674 0000 0000 1c00 0000 4400 0000 a6fe ffff ........D.......
0x00400684 1500 0000 0041 0e10 8602 430d 0650 0c07 .....A....C..P..
0x00400694 0800 0000 4400 0000 6400 0000 a0fe ffff ....D...d.......
0x004006a4 6500 0000 0042 0e10 8f02 420e 188e 0345 e....B....B....E
0x004006b4 0e20 8d04 420e 288c 0548 0e30 8606 480e. ..B.(..H.0..H.
[0x004005c4]> oo+
File a.out reopened in read-write mode
[0x004005c4]> w hola, mundo\x00
[0x004005c4]> q
dennis@bigbox ~/tmp % ./a.out
hola, mundo
Here’s what’s going on: I searched for the “hello” string using the/command, then I set thecursor(seek,
in rada.re terms) to that address. Then I want to be sure that this is really that place:pxdumps bytes
there.oo+switches rada.re toread-writemode.wwrites an ASCII string at the currentseek. Note the\00
at the end—this is a zero byte.qquits.
Softwarelocalizationof MS-DOS era
This method was a common way to translate MS-DOS software to Russian language back to 1980’s and
1990’s. Russian words and sentences are usually slightly longer than its English counterparts, so that is
whylocalizedsoftware has a lot of weird acronyms and hardly readable abbreviations.
Perhaps this also happened to other languages during that era, in other countries.
1.5.2 x86-64
MSVC: x86-64
Let’s also try 64-bit MSVC:
Listing 1.21: MSVC 2012 x64$SG2989 DB 'hello, world', 0AH, 00H
main PROC
sub rsp, 40
lea rcx, OFFSET FLAT:$SG2989
call printf
xor eax, eax
add rsp, 40
ret 0
main ENDP
Inx86-64, allregisterswereextendedto64-bit, andnowtheirnameshaveanR-prefix. Inordertousethe
stack less often (in other words, to access external memory/cache less often), there is a popular way to
pass function arguments via registers (fastcall)6.1.3 on page 735. I.e., a part of the function’s arguments
are passed in registers, and the rest—via the stack. In Win64, 4 function arguments are passed in theRCX,
RDX,R8, andR9registers. That is what we see here: a pointer to the string forprintf()is now passed not
in the stack, but rather in theRCXregister. The pointers are 64-bit now, so they are passed in the 64-bit
registers (which have theR-prefix). However, for backward compatibility, it is still possible to access the
32-bit parts, using theE-prefix. This is how theRAX/EAX/AX/ALregister looks like in x86-64: