WEBVTT

1
00:01.190 --> 00:02.900
Hello and welcome back.

2
00:02.900 --> 00:06.860
In this lesson, we are going to learn about LEA.

3
00:07.490 --> 00:10.910
LEA stands for Load Effective Address.

4
00:13.300 --> 00:17.560
In x64 assembly language, particularly on Windows PCs,

5
00:17.560 --> 00:21.400
the LEA instruction stands for Load Effective Address.

6
00:21.580 --> 00:28.480
Its primary purpose is to compute the address of a memory operand and store that address in a register.

7
00:28.930 --> 00:35.320
Unlike other instructions that might also access memory, such as MOV, LEA does not actually access

8
00:35.320 --> 00:38.140
the memory location to read or write data.

9
00:38.170 --> 00:41.980
Instead, it simply computes and stores the address itself.

10
00:43.800 --> 00:48.180
The LEA instruction is often used for several purposes.

11
00:48.210 --> 00:51.270
First, address calculation.

12
00:51.450 --> 00:57.480
It's commonly used to calculate the address of a variable or array element efficiently.

13
00:57.510 --> 01:05.130
Since LEA can perform addition and multiplication in a single instruction, it is useful for calculating

14
01:05.160 --> 01:08.280
offsets within data structures or arrays.

15
01:08.880 --> 01:17.160
Secondly, it is also used for arithmetic operations. Although not its original purpose,

16
01:17.190 --> 01:26.100
LEA can be used to perform certain arithmetic operations, such as addition or a combination of multiplication

17
01:26.100 --> 01:29.400
and addition, all in a single instruction.

18
01:29.730 --> 01:36.780
This can be particularly efficient in terms of instruction throughput and latency on many processors.

19
01:37.230 --> 01:44.400
Let us now take a look at a practical example of how LEA is used inside x64dbg.

20
01:47.180 --> 01:52.340
I have opened the template.exe file inside my x64dbg.

21
01:53.450 --> 01:58.460
Now let's move to the location where I'm going to input my instructions.

22
01:58.940 --> 02:03.140
Select dump one and then go to Memory Map to create our array.

23
02:04.590 --> 02:12.180
Right-click on the data segment, follow dump, and then scroll down to a suitable location which is

24
02:12.180 --> 02:12.690
empty.

25
02:13.410 --> 02:15.780
And here I will input my array.

26
02:16.020 --> 02:21.780
I will create a simple array consisting of four numbers: 11, 22, 33, and

27
02:21.780 --> 02:22.530
44.

28
02:23.330 --> 02:26.720
So I'll select the first QWORD.

29
02:28.370 --> 02:32.990
Right-click, Binary Edit, and then I'll key in 11.

30
02:35.440 --> 02:36.460
Okay, okay.

31
02:36.970 --> 02:39.670
Then I'll select the next element of the array.

32
02:40.950 --> 02:47.580
The next QWORD, right-click, binary edit, and key in 22.

33
02:48.120 --> 02:49.200
Click okay.

34
02:49.980 --> 02:54.540
Next, I'll select the third QWORD for the third element of the array.

35
02:59.060 --> 03:03.800
Right-click, binary edit, and key in 33.

36
03:05.300 --> 03:08.330
Click okay, and finally the last number.

37
03:15.860 --> 03:16.880
44.

38
03:17.060 --> 03:18.200
Click okay.

39
03:18.710 --> 03:22.460
Now, I've got my base address at this address here.

40
03:22.460 --> 03:26.090
And first element is this, 11.

41
03:26.120 --> 03:28.340
Second is this one here.

42
03:28.340 --> 03:30.470
And third one and fourth one here.

43
03:30.920 --> 03:32.630
So let's copy this address.

44
03:32.630 --> 03:36.110
Now copy this address.

45
03:36.350 --> 03:40.010
And we are going to move the base address to -.

46
03:48.900 --> 03:49.770
Click okay.

47
03:51.430 --> 04:00.190
Next, we are going to access the third element of the array, which is this element, 0, 1, 2.

48
04:00.490 --> 04:02.410
So this is what we are going to do.

49
04:02.440 --> 04:09.610
We are going to find a way to fetch the address here so that we can get the value stored at that address.

50
04:09.730 --> 04:15.580
So to do that, we will use the Load Effective Address to calculate this address.

51
04:15.610 --> 04:16.720
So let's try that.

52
04:16.720 --> 04:17.110
Now.

53
04:17.110 --> 04:22.720
Before that, let's initialize our counter - to two.

54
04:23.170 --> 04:23.500
Why?

55
04:23.530 --> 04:26.740
Because this index is two. Zero

56
04:26.740 --> 04:28.180
is this address here.

57
04:28.480 --> 04:30.490
One is here and two is here.

58
04:30.490 --> 04:33.400
So let's initialize - with two.

59
04:33.700 --> 04:38.560
So we move -, two.

60
04:40.280 --> 04:42.500
Now we do the Load Effective Address.

61
04:43.010 --> 04:47.480
So we load effective address -.

62
05:01.540 --> 05:05.830
This is a formula we learned in the previous lesson, so we just redo it here.

63
05:06.760 --> 05:13.300
Now notice that even though we have the square bracket here, it does not mean we are dereferencing

64
05:13.300 --> 05:15.100
it to fetch the value stored there.

65
05:15.640 --> 05:17.500
This is just a convention.

66
05:17.500 --> 05:20.500
When we use LEA, we need to put a square bracket here.

67
05:20.920 --> 05:22.720
What it does is just to calculate.

68
05:22.720 --> 05:25.300
It's just an arithmetic operation here.

69
05:25.300 --> 05:28.480
It is not a dereference to get a value stored at the address.

70
05:28.630 --> 05:37.180
So it will take the hex address, the base address is -, and then calculate the offset plus -

71
05:37.840 --> 05:40.960
times eight and store the new address in -.

72
05:40.960 --> 05:42.790
So - is storing the new address.

73
05:42.790 --> 05:45.490
It is not storing the value stored at that address.

74
05:46.240 --> 05:49.810
Let's confirm this by running and stepping over.

75
05:50.590 --> 05:59.530
So it loads the base address to -; 403000 is the base address.

76
06:00.280 --> 06:02.440
Now it's going to move two to -.

77
06:02.680 --> 06:05.170
So step over and - is now two.

78
06:05.620 --> 06:09.220
Now it's going to calculate the effective address and store in -.

79
06:10.000 --> 06:13.840
And if we check -, we get 4030F0.

80
06:14.410 --> 06:15.940
We are not getting 33.

81
06:16.870 --> 06:18.550
So that is very important.

82
06:18.850 --> 06:26.980
Please bear this in mind when you use LEA. With the square bracket, it will not dereference the address.

83
06:27.490 --> 06:33.310
It will get the calculation and then store the result of the calculation inside your register.

84
06:34.600 --> 06:39.700
So if you want to get the value stored at the address, you have to dereference -.

85
06:40.030 --> 06:44.470
So to do that, we can do it this way.

86
06:45.460 --> 06:51.220
Let's say we are going to store the value in -.

87
06:51.220 --> 06:58.570
So we are going to dereference the address of -.

88
07:02.190 --> 07:02.400
Okay?

89
07:02.400 --> 07:02.760
Okay.

90
07:02.760 --> 07:09.600
So now if you step over, you find that it's going to fetch the value stored at -, which is 33, and

91
07:09.600 --> 07:10.800
store it in -.

92
07:11.190 --> 07:15.180
So I step over and you will see - now has got the value 33.

93
07:16.290 --> 07:26.010
Next, we are going to now see how we can use LEA for its second purpose, which is to calculate, just

94
07:26.010 --> 07:28.260
as a calculator, this one.

95
07:29.770 --> 07:32.470
So far, we have already seen how it can be used.

96
07:32.740 --> 07:34.750
We can use it as an address calculator.

97
07:34.780 --> 07:37.360
Now we are going to use it as an arithmetic calculator.

98
07:38.500 --> 07:39.880
So let's try that now.

99
07:41.530 --> 07:48.010
Assuming I want to perform an arithmetic operation, let's say - times two plus three.

100
07:48.640 --> 07:49.960
So how do I do that?

101
07:50.260 --> 07:51.700
So this is how you will do it.

102
07:53.050 --> 07:55.810
LEA, we're going to store the result in -.

103
07:56.290 --> 07:59.230
And then we are going to perform the calculation.

104
08:03.360 --> 08:06.150
So over here, we will type in -.

105
08:06.450 --> 08:08.880
And then we are going to multiply with two.

106
08:10.380 --> 08:12.330
And then we are going to plus with three.

107
08:15.430 --> 08:16.660
And then we click okay.

108
08:17.740 --> 08:23.410
So again, over here we are not dereferencing an address because - is not an address anyway.

109
08:23.560 --> 08:29.770
What we are doing is using it as a calculator to calculate this expression and store the result in -.

110
08:30.580 --> 08:31.930
So let's step over.

111
08:32.230 --> 08:34.540
Now you check, - has got the value seven.

112
08:34.540 --> 08:37.420
So let's confirm that. - is two.

113
08:37.450 --> 08:39.880
Two times two is four, four plus three is seven.

114
08:39.880 --> 08:42.460
So - holds the value seven.

115
08:42.880 --> 08:48.460
So this exercise demonstrates how we can use LEA in two different ways.

116
08:48.490 --> 08:53.740
The first way is to use it to calculate the effective address.

117
08:53.740 --> 08:57.790
And the second way is to use it as a simple calculator.

118
08:58.720 --> 09:00.490
So that's all for this video.

119
09:00.490 --> 09:01.720
Thank you for watching.