I have written a simple program in MASM, like:
.386
.model flat, stdcall
option casemap:none
.data
szName db "MASM", 0          ; 5 bytes: 'M','A','S','M',0
.code
start:
mov eax, DWORD PTR [szName]  ; load the first 4 bytes ("MASM") into EAX
ret
end start
Then I check the code in the OllyDbg debugger and I get:
CPU Disasm
Address Hex dump Command Comments
00401004 CC INT3
00401005 /. E9 06000000 JMP 00401010
0040100A | CC INT3
0040100B | CC INT3
0040100C | CC INT3
0040100D | CC INT3
0040100E | CC INT3
0040100F | CC INT3
00401010 |> A1 00404000 MOV EAX,DWORD PTR DS:[404000] ; ASCII "MASM"
00401015 \. C3 RETN
00401016 A1 DB A1
My question is which component patches these 11 bytes (00401005-0040100F) before the actual code (00401010) ? And why?
I use Windows XP SP3, MASM, and OllyDbg.
OK, here is the explanation (to whoever cares): This code has been built in DEBUG mode and so the assembler/linker (don't know exactly which) adds these extra bytes. The JMP is there in order for the program to be able to run, because it has to bypass the series of INT 3 instructions. If the program was built in RELEASE mode then no such extra code is attached.
I think they're just alignment bytes, so the code is aligned on a 16 bytes boundary and runs slightly faster.
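As an added example (not part of the question or the answer above), the following Python script takes the bytes shown in the OllyDbg listing, decodes the 5-byte JMP, and checks two things a reverse engineer would want to confirm: that the JMP target (00401010) sits on a 16-byte boundary, and that every byte the JMP skips over is an INT3 (0xCC) filler rather than live code. The byte array is constructed by hand from the listing; the function names and the 16-byte alignment assumption are mine.

```python
# Added example: verify that the bytes between the JMP and the MOV in the
# OllyDbg listing are INT3 (0xCC) alignment padding, not code.

INT3 = 0xCC        # x86 single-byte breakpoint, the linker's code-section filler
JMP_REL32 = 0xE9   # 5-byte near JMP with a signed 32-bit displacement

# Constructed from the listing above, starting at address 00401004.
BASE = 0x00401004
CODE = bytes([
    0xCC,                                # 00401004  INT3
    0xE9, 0x06, 0x00, 0x00, 0x00,        # 00401005  JMP 00401010
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,  # 0040100A..0040100F  INT3 padding
    0xA1, 0x00, 0x40, 0x40, 0x00,        # 00401010  MOV EAX, DWORD PTR [00404000]
    0xC3,                                # 00401015  RETN
])


def decode_jmp_rel32(code, base, offset):
    """Return the absolute target of an E9 rel32 JMP located at code[offset].

    The displacement is relative to the address of the *next* instruction,
    i.e. the JMP's own address plus its 5-byte length.
    """
    if code[offset] != JMP_REL32:
        raise ValueError("byte at offset %d is not a JMP rel32" % offset)
    rel = int.from_bytes(code[offset + 1:offset + 5], "little", signed=True)
    return base + offset + 5 + rel


def find_padding_runs(code, base, pad_byte=INT3):
    """Return a list of (start_address, length) for every run of pad_byte."""
    runs = []
    i = 0
    while i < len(code):
        if code[i] != pad_byte:
            i += 1
            continue
        j = i
        while j < len(code) and code[j] == pad_byte:
            j += 1
        runs.append((base + i, j - i))
        i = j
    return runs


def analyse_jmp_over_padding(code, base, jmp_offset, alignment=16):
    """Decode the JMP at jmp_offset and inspect the bytes it skips.

    Returns a dict with the target address, whether it is aligned, how many
    bytes are skipped, and whether all of them are INT3 filler.  A skipped
    region that is *not* all INT3 would mean the padding has been overwritten,
    which is worth a closer look when checking a binary's integrity.
    """
    target = decode_jmp_rel32(code, base, jmp_offset)
    skipped = code[jmp_offset + 5:target - base]
    return {
        "jmp_addr": base + jmp_offset,
        "target": target,
        "target_aligned": target % alignment == 0,
        "skipped_len": len(skipped),
        "skipped_all_int3": all(b == INT3 for b in skipped),
    }


if __name__ == "__main__":
    info = analyse_jmp_over_padding(CODE, BASE, jmp_offset=1)
    print("JMP at %08X -> %08X (16-byte aligned: %s)"
          % (info["jmp_addr"], info["target"], info["target_aligned"]))
    print("skipped %d bytes, all INT3: %s"
          % (info["skipped_len"], info["skipped_all_int3"]))
    for addr, length in find_padding_runs(CODE, BASE):
        print("INT3 run at %08X, %d byte(s)" % (addr, length))
```

Running it reports that the JMP at 00401005 lands on 00401010, which is divisible by 16, and that the six bytes in between are all 0xCC; the one-byte INT3 run at 00401004 is the tail of the previous padding block. The same check, applied to a real code section, is a cheap way to confirm that filler bytes between functions are still filler.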