what is fs:[register+value] meaning in assembly?
The xor opcode sets EBX to 0. So the mov opcode accesses a DWORD at fs:[3]. This accesses the last byte of the Win32 Thread Information Block's Current Structured Exception Handling (SEH) frame located from fs:[0] to fs:[3] (4 bytes) and the first three bytes of the Stack Base variable, the initial value of ESP.
Unless you are confronted with some sophisticatedly constructed and obfuscated virus or anti-debugging technique which combines these 3+1 bytes into something useful, this would just be a somewhat random number.
Another possibility is that the "segment" register FS has been modified prior to these instructions to contain a sensible base address. In that case, this may be a useful instruction like many others. That cannot be decided from the code snippet you provided.
For example:

    mov eax, fs
    inc eax
    mov fs, eax
    ...
    xor ebx,ebx
    mov eax,DWORD PTR fs:[ebx+0x3]

would return the 'Stack Base' in EAX - '(FS+1)+(0+3)' = real-FS:[4] = 'Stack Base' location.
Addition, for completeness: why it doesn't assemble has been mentioned in the comments by 'Ross Ridge': it's MASM syntax and not NASM syntax.
user3671325
Updated on June 04, 2022
user3671325

    xor ebx,ebx
    mov eax,DWORD PTR fs:[ebx+0x3]

I know the first line of this code, but what is fs:[ebx+0x3]? And why is it giving me an error while compiling?

test.asm:2: error: comma, colon, decorator or end of line expected after operand
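As an added illustration (not part of the original answer or question), the following C program models the first 8 bytes of the Win32 TIB with constructed sample values and reproduces the unaligned read at fs:[3] that the answer describes, showing how the result is stitched together from the last byte of the SEH frame pointer and the first three bytes of the Stack Base:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the first 8 bytes of a Win32 TIB at fs:[0]
 * (sample values only, not data from a real thread):
 *   offset 0: ExceptionList, pointer to the current SEH frame
 *   offset 4: StackBase, the initial value of ESP
 */
typedef struct {
    uint32_t exception_list;
    uint32_t stack_base;
} tib_head_t;

/* Lay the two fields out in memory as a little-endian x86 would. */
static void serialize(const tib_head_t *t, uint8_t raw[8])
{
    for (int i = 0; i < 4; i++) {
        raw[i]     = (uint8_t)(t->exception_list >> (8 * i));
        raw[4 + i] = (uint8_t)(t->stack_base     >> (8 * i));
    }
}

/* Emulate "mov eax, DWORD PTR fs:[ebx+off]" with EBX = 0 against the
 * sample TIB: a 4-byte little-endian load at byte offset off, aligned
 * or not. Sets *ok to 0 and returns 0 if the read would leave the 8 bytes. */
uint32_t read_fs_dword(const tib_head_t *tib, uint32_t off, int *ok)
{
    uint8_t raw[8];
    serialize(tib, raw);
    if (off + 4 > sizeof raw) { *ok = 0; return 0; }
    *ok = 1;
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)raw[off + i] << (8 * i);
    return v;
}

/* What the answer predicts for fs:[3]: the top byte of ExceptionList
 * becomes the low byte of EAX and the low three bytes of StackBase
 * fill the upper 24 bits. */
uint32_t predicted_fs3(const tib_head_t *tib)
{
    return (tib->exception_list >> 24) | ((tib->stack_base & 0x00FFFFFFu) << 8);
}

int main(void)
{
    tib_head_t tib = { 0x12345678u, 0x00A1B2C3u };   /* constructed values */
    int ok;
    uint32_t eax = read_fs_dword(&tib, 3, &ok);
    printf("fs:[3] = %08x (predicted %08x)\n", eax, predicted_fs3(&tib));
    return eax == predicted_fs3(&tib) ? 0 : 1;
}
```

With the constructed values the read at fs:[3] yields 0xA1B2C312, i.e. the byte 0x12 from the end of ExceptionList followed by the bytes C3 B2 A1 of StackBase.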