In ASM, what is fs? (20 chars)?

Question:

anonymous

2010-12-29 15:36:01 UTC

So, here's PE Explorer's dissassembly of GetDC:

GetDC:
mov eax,0000100Ah
lea edx,[esp+04h]
mov ecx,00000003h
call fs:[000000C0h]
retn 0004h

In the second to last line, there's the call fs:C0. What's that do? I recall reading in a book a quick explanation about the group which fs belongs to, but it was really brief, and I think was written under the assumption that I already knew what they were. What is fs, and how would the above instruction work, the the colon in it as such?

Three answers:

Ratchetr

2010-12-29 16:17:27 UTC

fs: is a data segment override. When and x86 CPU addresses memory, the physical address is always derived from 2 components: the segment register and the offset specified by the operand. There is a default segment register for each instruction. For example:

lea edx,[esp+04h] -- Segment register is SP for instructions that use esp.

mov eax, [C0h] -- Segment register would be DS for a memory reference.

call foobar -- Segment register would be CS for a call instruction.

But sometimes you want code to use a different segment register from the default, which is where segment overrides come in. They aren't used as much as they used to be. Back in the bad old days of 16-bit programming, using segment overrides was common (a segment was limited to 64K, so you had to use segment overrides to get around that barrier).

Windows uses the FS segment register to access a threads TIB (Thread Information Block). It's done this ever since...well, ever since before there was a Windows...it was inherited from OS/2 (See second link).

First link shows the layout of the TIB. If you scroll down to FS:[0xC0] entry, it says: Reserved for Wow32. Looks to me like it is also used by Wow64. And it looks like what is stored at FS:[0xC0] is a pointer to a function that does "gdi stuff". And if you put the magic value 100Ah in eax before you call that function, it will do the real work for GetDC.

So, fs:[000000C0h] says: Use the FS register + the constant 0xC0 to derive a physical address. Call the function who's address is stored there.

tfloto

2010-12-30 00:20:23 UTC

in the intel registers the there 32 bit registers for data and memory access. then there are the segment registers which extend the memory addressing. fs is a segment register. these are usually set up at the beginning of a program. so call fs;[...] is calling a routine indirectly through memory address fs;[000000C0h]

peteams

2010-12-30 00:20:18 UTC

All addresses are relative to a (segment) register. Normally for data thats the DS register, for code it's the CS register and for the stack it's the SS register.

The instruction you've highlighted calls code that is relative to your CS segment, but in one of the extra segment registers, in this case the FS register.

These registers came about in the days of 16-bit processors in order to able to address more than 16KB. Using them the original 8086 could address 1MB of memory.

ⓘ

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.

about - legalese