what does [ARG.1] mean in ollydbg?
https://stackoverflow.com/questions/11481804
-
20-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I am analyzing a program in ollydbg, and some instructions get disassembled as [ARG.1], eg: MOV ESI,[ARG.1]
I tried searching for this command in assembly books, but seems as if it's only used in ollydbg and is not a standard assembly code. am I right? and what does it mean?
Solution
I suspect ollydbg is trying to be helpful by reverse engineering your stack layout for you, and that [ARG.1] is really [EBP+0x08] or the like -- the first argument on the stack if you're in a function called with the C calling convention.
Not having used ollydbg in a while, I'm sure there's a way to convince ollydbg to show you more literally what the exact opcode is.
OTHER TIPS
You can switch off showing ARGs and LOCALs from: Options -> Debugging options -> Analysis 1 -> "Show ARGs and LOCALs in procedures".
Then it's possible to see the real representation of ARGs and LOCALs.
