 

Assembly analyzing system() function called in C

Tags: c, assembly, intel

So I made a very simple C program to study how C works on the inside. It has just 1 line in the main() excluding return 0:

system("cls");

If I use ollydebugger to analyze this program, it will show something like this (text after the semicolons are comments generated by ollydebugger):

MOV DWORD PTR SS:[ESP],test_1.004030EC     ; ||ASCII "cls"
CALL <JMP.&msvcrt.system>                ; |\system

Can someone explain what this means, and if I want to change the "cls" called in the system() to another command, where is the "cls" stored? And how do I modify it?

Dashadower asked Dec 29 '25 22:12


1 Answer

You are using a 32-bit Windows system, with its corresponding ABI (the assumptions used when functions are called).

MOV DWORD PTR SS:[ESP],test_1.004030EC  

is equivalent to a push 4030ech instruction, which simply stores the address of the string cls on the stack.
This is the way parameters are passed to functions, and it tells us that the string cls is at address 4030ech.

CALL <JMP.&msvcrt.system>                ; |\system

This is the call to the system function from the CRT.
The JMP in the name is due to how linking works by default with Visual Studio compilers and linkers.

So those two lines are simply passing the address of the string to the system function.

If you want to modify it, you need to check if it is in a writable section (I think it is not) by checking the PE Sections; your debugger may have a tool for that. Or you could just try the following anyway:
Inspect the memory at 4030ech, you will see the string, try editing it (this is debugger dependent).

Note: I use the TASM notation for hex numbers, i.e. 123h means 0x123 in C notation.
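
The "check the PE Sections" step from the answer above, as an added example that is not part of the original answer: it reads a PE32 section table and reports which section holds a given virtual address and whether that section is mapped writable. The sample headers, the 0x400000 image base and the section layout are constructed assumptions, not the asker's program; the lookup also assumes the module is loaded at its preferred image base.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000  # PE section flag: pages are mapped writable

def find_section(pe: bytes, va: int):
    """Return (section name, writable?) for the section holding virtual address va."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)       # offset of "PE\0\0"
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                     # 20-byte COFF header
    (nsections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                         # optional header
    magic, image_base = struct.unpack_from("<H26xI", pe, opt)
    if magic != 0x10B:
        raise ValueError("only 32-bit PE32 images are handled")
    rva = va - image_base
    for i in range(nsections):                              # 40-byte section headers
        name, vsize, vaddr, rsize, flags = struct.unpack_from(
            "<8sIII16xI", pe, opt + opt_size + 40 * i)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return name.rstrip(b"\0").decode(), bool(flags & IMAGE_SCN_MEM_WRITE)
    return None  # address is outside every section

def build_sample() -> bytes:
    """Constructed PE32 headers only (assumed layout, not the asker's program)."""
    sections = [  # name, virtual size, RVA, flags
        (b".text", 0x0C00, 0x1000, 0x60000020),   # code, execute + read
        (b".data", 0x0200, 0x2000, 0xC0000040),   # initialized data, read + write
        (b".rdata", 0x0400, 0x3000, 0x40000040),  # initialized data, read only
    ]
    table = b"".join(struct.pack("<8sIIII12xI", n, vs, rva, vs, 0, fl)
                     for n, vs, rva, fl in sections)
    opt = struct.pack("<H26xI", 0x10B, 0x400000).ljust(0xE0, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + opt + table

if __name__ == "__main__":
    pe = build_sample()  # for a real file: open(path, "rb").read()
    for va in (0x4030EC, 0x402010, 0x401000):
        print(hex(va), find_section(pe, va))
```

A result with the writable flag set to False means an in-memory edit in the debugger may be refused until the page protection is changed, which is the case the answer anticipates.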

