cdb.exe misinterpretation

Index > Windows > cdb.exe misinterpretation

Author

Thread

lemask

Joined: 04 Oct 2010
Posts: 19

lemask 05 Oct 2010, 06:56

Dear readers!

While working with cdb.exe, several misinterpretations of the disassembly by this debugging application, which is part of the MS Debugging Tools for Windows Set, may occur. Does anyone of you can give me some hints how to get rid of these misinterpretations (while still using cdb.exe, of course!)?

Part of program:

Code:

    wmsg    equ dword[ebp+0x18+4]
       mov     eax,wmsg
    cmp     ax,0x110

Misinterpretation:

Code:

038b451c663d       add     ecx,dword ptr [ebx+0x3D661C45]
1001          adc     byte ptr [ecx],al

Thank you in advance for any info!

05 Oct 2010, 06:56

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20617
Location: In your JS exploiting you and your system

revolution 05 Oct 2010, 09:20

lemask: You probably have either some data before the instruction, or you have tried to disassemble within the middle of an instruction.

Basically your disassembler has begun disassembly at the wrong place. Just shift the disassembly start position forward by one byte.

05 Oct 2010, 09:20

lemask

Joined: 04 Oct 2010
Posts: 19

lemask 05 Oct 2010, 09:25

That is exactly the problem; the disassembler starts in the middle of an "int 3" instruction. When i skip forward one byte, disassembling works fine. So i tried to insert a "nop" after "int 3", but it won't work either (of course).
Is this a feature of cdb.exe or is my program misaligned?

05 Oct 2010, 09:25

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20617
Location: In your JS exploiting you and your system

revolution 05 Oct 2010, 09:30

Try using the int3 opcode (that's without the space, all one word).

05 Oct 2010, 09:30

lemask

Joined: 04 Oct 2010
Posts: 19

lemask 05 Oct 2010, 09:37

Yeah!!! Work's fine! Thank you (once) again, revolution!
Everytime i ask something in this forum, i can count on your problem-solving answer!

05 Oct 2010, 09:37

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid 05 Oct 2010, 10:14

Seems the incorrectly presume breakpoint is always generated by CC (int3), never CD 03 (int 3). Not a surprising bug, really. From my experiences, it would be waste of time trying to report this.

05 Oct 2010, 10:14

lemask

Joined: 04 Oct 2010
Posts: 19

lemask 05 Oct 2010, 11:31

Well, i don't really care wether to use int3 or "int 3"; i just didn't know about that! Probably it is a feature.

05 Oct 2010, 11:31

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4624
Location: Argentina

LocoDelAssembly 05 Oct 2010, 13:47

Quote:

Seems the incorrectly presume breakpoint is always generated by CC (int3), never CD 03 (int 3). Not a surprising bug, really. From my experiences, it would be waste of time trying to report this.

They may take some months but eventually they will acknowledge the bug. At least I've tried and succeeded Razz

(the bug remains unfixed though).

05 Oct 2010, 13:47

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum