Question

While disassembling the same program using OllyDbg and IDA PRO, I have one line of code disassembled in different ways.

OllyDBG:

    MOVSX EDX,BYTE PTR [ESP+ECX+8]

IDA:

    MOVSX EDX, [ESP+ECX+68h+String]

Can someone explain what IDA PRO means here? I am frustrated by the 68h+String part. Can I assume that 68h+String always means BYTE PTR?


Solution

IDA should have declared STRING to be a LOCAL variable with a value of -60h; look at the start of the function / procedure.

(68 + STRING) == (68 + (-60)) == (68 - 60) == 8; it is the same as what OllyDbg shows.

IDA's disassembly syntax tends to be confusing.

As an example, OllyDbg will show

    00405712     8B4424 30       MOV     EAX, DWORD PTR SS:[ESP+30]

while IDA would show

    .text:00405712                 mov     eax, [esp+1Ch+arg_4]

because at the start of the function IDA has defined arg_4 as

    .text:004056E0 arg_4           = dword ptr  14h

that is

    14h + 1Ch == 30h

If you do not prefer IDA syntax but would like to see a straight [esp+30], you can run this script:

Shift+F2, paste, and press OK.

Beware: all IDA IDC functions are too slow for any mass operations; instead of MaxEA(), curtail it to some smaller block for a faster result in the snippet below.

    // Walk every head (instruction or data item) in the database and
    // force its operands back to plain hex displacements.
    auto i;

    for (  i = MinEA() ; i < MaxEA() ; i = NextHead(i, MaxEA()) )
    {
        OpHex(i, -1);   // operand number -1 = apply to all operands of the item
    }
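As an added example (not code from the original answers), a stand-alone Python script that folds IDA's "sp-delta + frame variable" notation back into the flat displacement OllyDbg prints, using frame-definition lines of the kind the answer quotes. The `arg_4` line is the one from the answer; the `String = byte ptr -60h` line is assumed (the value -60h from the answer, the byte size matching OllyDbg's BYTE PTR), and the size it reports comes from that variable definition, not from the `68h+` part of the operand.

```python
import re

# Constructed frame definitions in the form IDA prints at the top of a function.
# arg_4 is quoted on the page; the String line is an assumption (see lead-in).
FRAME_DEFS = """
String          = byte ptr -60h
arg_4           = dword ptr  14h
"""

REGISTERS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
DEF_RE = re.compile(
    r"^\s*(\w+)\s*=\s*(byte|word|dword|qword)\s+ptr\s+(-?[0-9A-Fa-f]+h?)\s*$", re.M)
NUM_RE = re.compile(r"^[0-9][0-9A-Fa-f]*h?$")

def parse_num(tok):
    """Parse an IDA-style literal: '68h' and '-60h' are hex, '8' is decimal."""
    neg = tok.startswith("-")
    body = tok.lstrip("-")
    val = int(body[:-1], 16) if body.lower().endswith("h") else int(body, 10)
    return -val if neg else val

def parse_frame(text):
    """Return {name: (size, offset)} for each 'name = size ptr offset' line."""
    return {m.group(1): (m.group(2), parse_num(m.group(3))) for m in DEF_RE.finditer(text)}

def flatten_operand(op, frame):
    """Fold sp-delta and frame-variable offsets into one displacement.
    Returns (operand text as OllyDbg prints it, size from the variable definition or None)."""
    m = re.fullmatch(r"\s*\[(.*)\]\s*", op)
    if not m:
        raise ValueError("not a memory operand: %r" % op)
    regs, disp, size = [], 0, None
    for sign, term in re.findall(r"([+-]?)\s*([A-Za-z_]\w*|[0-9][0-9A-Fa-f]*h?)", m.group(1)):
        mult = -1 if sign == "-" else 1
        if term.lower() in REGISTERS:
            regs.append(term)
        elif NUM_RE.match(term):
            disp += mult * parse_num(term)          # e.g. the 68h or 1Ch sp-delta
        elif term in frame:
            size, off = frame[term]                 # e.g. String -> -60h, byte
            disp += mult * off
        else:
            raise ValueError("unknown symbol %r; add it to the frame definitions" % term)
    text = "+".join(regs)
    if disp:
        text += ("+%X" if disp > 0 else "-%X") % abs(disp)
    return "[" + text + "]", size

if __name__ == "__main__":
    frame = parse_frame(FRAME_DEFS)
    for ida_op in ("[ESP+ECX+68h+String]", "[esp+1Ch+arg_4]"):
        print(ida_op, "->", flatten_operand(ida_op, frame))
```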

OTHER TIPS

IDA tries to set this command in relation to a local variable. [ESP+ECX+8] points to the same address as [ESP+ECX+68h+String]. You can read IDA's output as [ESP+ECX+8+String+60h]. I'm confused too that IDA makes no distinction between BYTE PTR and WORD PTR; both result in different commands.

Looking for a similar IDA issue. IDA lists this instruction correctly as:

    inc byte ptr ds:900h

but when you put a label on the offset, it does

    inc ds:byte_900

Effectively the ptr and byte reference are gone by naming an offset.. :shrug:

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow