I have this code in OllyDbg:
MOV DWORD PTR GS:[396FF4],EBX
But OllyDbg shows:
EBX=00000B07
GS:[00396FF4]=???
So how is the final address to which EBX will be written calculated? I have free memory at address $004B0000. What should I put in the code instead of $396FF4 so that EBX is written to, e.g., address $004B0000?
Sorry for all the confusion. The real answer seems to be as follows:
On Windows (and other modern OSes), the segmentation model is no longer used the way it was in old real-mode and protected-mode applications. Instead, the memory model is mostly "flat" (not segmented), with paging for easier management and protection. In fact, x86-64 in 64-bit mode no longer even allows using segments in any of the old ways.
The exception being the FS and GS segments, which are intended for internal use by the OS. On Windows, the GS segment refers to the thread-local storage. As far as I'm aware, you can't break out of the segment - it's (hardware-) protected memory.
So your only way is to change the segment to one of those no longer used, like DS (it doesn't matter anymore which you choose; they all start at zero and cover the whole virtual memory you can ever use).
MOV DWORD PTR DS:[4B0000], EBX
should work fine, as does removing the segment register entirely (MOV DWORD PTR [4B0000], EBX).
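As an added illustration (not part of the answer above) of how the CPU turns SEG:[offset] into a linear address, the following Python encodes and decodes x86 segment descriptors and applies base + offset with the limit check. The flat descriptor is the standard base-0, 4 GiB entry; the "TLS-like" descriptor with base 0x7FFDE000 and a 4 KiB limit is a constructed stand-in, not a value taken from any real Windows process.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Descriptor:
    base: int      # linear address of offset 0 in the segment
    limit: int     # highest valid byte offset
    granular: bool # G flag: limit expressed in 4 KiB pages


def make_descriptor(base: int, limit: int, access: int = 0x92, flags: int = 0x4) -> int:
    """Encode base/limit into the scattered fields of an 8-byte x86 descriptor.
    access 0x92 = present, ring 0, read/write data; flags bit 3 = G, bit 2 = D/B."""
    if limit > 0xFFFFF:          # too big for byte granularity: switch to pages
        limit >>= 12
        flags |= 0x8
    raw = limit & 0xFFFF                      # limit 15:0
    raw |= (base & 0xFFFF) << 16              # base 15:0
    raw |= ((base >> 16) & 0xFF) << 32        # base 23:16
    raw |= (access & 0xFF) << 40              # access byte
    raw |= ((limit >> 16) & 0xF) << 48        # limit 19:16
    raw |= (flags & 0xF) << 52                # flags nibble
    raw |= ((base >> 24) & 0xFF) << 56        # base 31:24
    return raw


def parse_descriptor(raw: int) -> Descriptor:
    """Decode a 64-bit descriptor (GDT/LDT entry) back into base and byte limit."""
    limit = (raw & 0xFFFF) | (((raw >> 48) & 0xF) << 16)
    base = ((raw >> 16) & 0xFFFF) | (((raw >> 32) & 0xFF) << 16) | (((raw >> 56) & 0xFF) << 24)
    granular = bool((raw >> 55) & 1)
    if granular:
        limit = (limit << 12) | 0xFFF         # page count -> last valid byte
    return Descriptor(base, limit, granular)


def in_limit(seg: Descriptor, offset: int, size: int = 4) -> bool:
    """True if an access of `size` bytes at `offset` stays inside the segment."""
    return offset + size - 1 <= seg.limit


def linear_address(seg: Descriptor, offset: int, size: int = 4) -> int:
    """What the CPU does for SEG:[offset]: limit check, then base + offset (32-bit wrap)."""
    if not in_limit(seg, offset, size):
        raise ValueError(f"offset {offset:#x} exceeds limit {seg.limit:#x} (would #GP)")
    return (seg.base + offset) & 0xFFFFFFFF


FLAT_DS = parse_descriptor(make_descriptor(0, 0xFFFFFFFF))   # base 0, covers all 4 GiB
TLS_GS = parse_descriptor(make_descriptor(0x7FFDE000, 0xFFF)) # constructed: small thread block
```

With the flat DS descriptor, DS:[4B0000] and a plain [4B0000] both resolve to linear 0x004B0000, while GS:[396FF4] against the small constructed segment fails the limit check instead of producing an address.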