Fooling Around With LEA

Yesterday it hit me. I just realized something so funny that I had to post it right here. I have been using LEA for years now and so have you I guess. Most of the times LEA is used to load an offset of a local variable in a function, for example:

void f()
{
int x;
g(&x);
}

The parameter &x for calling g will use LEA to load the address of x and pass it to g so g can change it inside. But this is nothing new.

You can write something like this:
LEA EAX, [0x12345678]
And you know what?
EAX will be now 0x12345678
This is somewhat trivial when you get to think about it, but when do you??
I wonder how good it is as anti-disassemblers stuff, I think it will get the disassembler a bit crazy, it worth a test… because now instead of loading immediates with MOV, you can use LEA…

This entry was posted on Wednesday, March 5th, 2008 at 7:52 am and is filed under Assembly. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

7 Responses to “Fooling Around With LEA”

  1. mxatone says:
    March 5, 2008 at 9:34 am

    I never seen any use of it with only a imm value. Maybe I would take some time to look how IDA manage that.

    x86 assembly is so interresting ! ;)

  2. Yoni says:
    March 5, 2008 at 8:02 pm

    Any good *disassembler* is not going to be affected – as long as the opcodes are valid it has to be disassembled correctly. And I have a feeling lea is fully implemented in any self-respecting disassembler…

    The question is whether this might trick program flow analysis tools, which most disassemblers are not.

    int main() { return (int) &((int*)0x12345678)[0] ; }

    While the compiler will probably optimize the lea and turn it into a mov, code like this *might* confuse code analysis tools. Like perhaps suppressing deserved compiler warnings or emitting undeserved ones. Hmm. Didn’t test it myself.

  3. arkon says:
    March 6, 2008 at 4:29 am

    well, your line is too messy and won’t compile, though i understand what you tried to do. a good compiler will just return the integer.
    anyhow, when i say disassembler i also mean flow analysis tools… like you can do lea to load an address and then jmp to that address. ofc good tools should be excited about it…

  4. Erez says:
    March 7, 2008 at 6:44 am

    I doubt that a good disassembler will be thrown off by this.

  5. arkon says:
    March 7, 2008 at 7:30 am

    then let me tell you that both ida and olly don’t like this one:
    push 0
    lea eax, [ExitProcess]
    push eax
    ret

    they don’t show where eax points to, unless you change it to a ‘mov’.

  6. Masfo says:
    April 3, 2008 at 5:09 pm

    This is weird. VC++ 2005 does not like Arkons code. As soon as I put line

    lea eax, [ExitProcess]

    the whole compiler crashes.

    “fatal error C1001: An internal error has occurred in the compiler.
    (compiler file ‘F:\SP\vctools\compiler\utc\src\P2\main.c[0x10B5E6A0:0x02E40690]’, line 182)”

  7. arkon says:
    April 3, 2008 at 9:57 pm

    Wow this is really weird then, I will try it :) v. interesting.

Leave a Reply