
;STATUS_BREAKPOINT ?


m0sk
April 2nd, 2001, 19:48
hi,

I have two questions regarding the following snippet:

Code:

:0040BFB0 mov edx, ecx
:0040BFB2 and edx, 80000003h ;STATUS_BREAKPOINT
:0040BFB8 jns 40BFBF
:0040BFBA dec edx
:0040BFBB or edx, 0FFFFFFFCh
:0040BFBE inc edx
>:0040BFBF inc edx


* What does SoftIce mean with that ``STATUS_BREAKPOINT'' comment? I searched through the Sice docs, but couldn't find anything about it. It can't be some leftover debug info, as there is none... It doesn't seem too important though, but I'm curious to find out (btw: I am on NTIce now, and didn't see this comment in win98---at least as far as I can remember ;-))

* Regarding the code itself: what could be the meaning of lines 40BFBA..40BFBE? I know they're only executed when the result of the AND sets the sign flag, but what's the use? Note: edx contains the remainder of an IDIV (in this case always a positive integer, jns is always taken). Obviously, the compiler put these instructions there to deal with negative results of the signed division...but what exactly do they mean ???

Any insight appreciated ;-)

Regards,

m0sk

tom
April 2nd, 2001, 21:05
STATUS_BREAKPOINT == 80000003h, it's an exception code .. int 3 causes this exception .. don't think it has any meaning with the code you have though . just ignore NTIce's auto comments :-)

dec edx / inc edx == decrease edx, increase edx

edx = edx - 1

edx = edx + 1

!

re:
Note: edx contains the remainder of an IDIV (in this case always a positive integer, jns is always taken).

nope, edx contains ecx .. look at the damn code !

:0040BFB0 mov edx, ecx
:0040BFB2 and edx, 80000003h ;STATUS_BREAKPOINT


goodnight

m0sk
April 2nd, 2001, 21:34
tom,

thanks for your answer on STATUS_BREAKPOINT

Quote:
tom (04-02-2001 19:05):
nope, edx contains ecx .. look at the damn code !

:0040BFB0 mov edx, ecx
:0040BFB2 and edx, 80000003h ;STATUS_BREAKPOINT


lol, hehe, you're right of course (stupid me)

However, my question still remains: why did the compiler put in these extra lines (and what do they do)... ecx is a counter going from 0x0..0x14 --> these instructions will never be executed

???

m0sk

DinDon
April 3rd, 2001, 04:24
Hi m0sk,

the purpose of the snippet you provided is simply that of remapping a signed integer, stored in EDX (the remainder of an IDIV as you said), into a restricted range of signed values around zero.

In the case of positive values for EDX the result is rather obvious: it spans the range 1 - 4, as we can see from the following table

input -> EDX and 80000003 -> result
-----------------------------------
input 0 -> 00000000 -> 1
input 1 -> 00000001 -> 2
input 2 -> 00000002 -> 3
input 3 -> 00000003 -> 4
input 4 -> 00000000 -> 1
input 5 -> 00000001 -> 2
input 6 -> 00000002 -> 3
input 7 -> 00000003 -> 4
and so on...

In the case of negative values, the code you are asking about simply brings the results near zero. But there is a further trick that overlaps some results with those obtained from the positive cases (I don't know why, since I don't know the target of this stuff).

Let me explain better with some examples. First comment out the instructions
"0040BFBA dec edx" and "0040BFBE inc edx" before and after the "0040BFBB or edx, 0FFFFFFFCh". In that case the mapping between input and result is linear, without overlaps, as you can see from the following table:

input -> after AND -> after OR -> result
----------------------------------------
input -1 -> 80000003 -> ffffffff -> 0
input -2 -> 80000002 -> fffffffe -> -1
input -3 -> 80000001 -> fffffffd -> -2
input -4 -> 80000000 -> fffffffc -> -3
input -5 -> 80000003 -> ffffffff -> 0
input -6 -> 80000002 -> fffffffe -> -1
input -7 -> 80000001 -> fffffffd -> -2
input -8 -> 80000000 -> fffffffc -> -3
and so on...

But after putting back the two instructions we commented out, the overlap is evident from this new table:

input -> after AND -> after DEC+OR+INC -> result
----------------------------------------
input -1 -> 80000003 -> ffffffff -> 0
input -2 -> 80000002 -> fffffffe -> -1
input -3 -> 80000001 -> fffffffd -> -2
input -4 -> 80000000 -> 00000000 -> 1
input -5 -> 80000003 -> ffffffff -> 0
input -6 -> 80000002 -> fffffffe -> -1
input -7 -> 80000001 -> fffffffd -> -2
input -8 -> 80000000 -> 00000000 -> 1
and so on...

As we can see, the result -3 is no longer present; it is replaced by +1. Why this?
We must look at the overall target of the code to understand this...

Regards.

m0sk
April 3rd, 2001, 11:37
Thanks a lot DinDon! I've figured it out thanks to your help 8)

The lines do simply the following (both for pos. and neg. values):

edx := (edx MODULO 4) + 1


Simple huh? ;D
Thanks again & happy reversing!

Regards,
m0sk
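The thread's conclusion, edx := (edx MOD 4) + 1, can be checked mechanically. The program below is an added example written for this page, not code from any of the posters: it emulates the disassembled sequence register-by-register on 32-bit unsigned values (the sign flag after the AND is bit 31), emulates DinDon's variant with the dec/inc pair commented out, and compares the real sequence against C's signed remainder, which truncates toward zero like IDIV does. The sample inputs are constructed for the example and include INT32_MIN and INT32_MAX as edge cases; the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulation of the sequence posted in the thread (added example):
 *   mov edx, ecx
 *   and edx, 80000003h      ; keep sign bit + low 2 bits
 *   jns skip                ; non-negative: remainder is already edx
 *   dec edx
 *   or  edx, 0FFFFFFFCh     ; sign-extend the negative remainder
 *   inc edx
 * skip:
 *   inc edx                 ; the "+ 1"
 */
static uint32_t emulate_snippet(uint32_t ecx)
{
    uint32_t edx = ecx;                 /* mov edx, ecx */
    edx &= 0x80000003u;                 /* and edx, 80000003h */
    if (edx & 0x80000000u) {            /* jns not taken: input was negative */
        edx -= 1;                       /* dec edx */
        edx |= 0xFFFFFFFCu;             /* or edx, 0FFFFFFFCh */
        edx += 1;                       /* inc edx */
    }
    edx += 1;                           /* inc edx */
    return edx;
}

/* DinDon's experiment: same sequence with the dec/inc pair removed.
 * Only differs from emulate_snippet when the low 2 bits of a negative
 * input are 00 (e.g. -4), where the OR alone yields -4 instead of 0. */
static uint32_t emulate_without_fixup(uint32_t ecx)
{
    uint32_t edx = ecx & 0x80000003u;
    if (edx & 0x80000000u)
        edx |= 0xFFFFFFFCu;
    edx += 1;
    return edx;
}

/* What the original source most likely said. C's % truncates toward
 * zero (remainder takes the sign of the dividend), exactly like IDIV. */
static int32_t reference(int32_t x)
{
    return x % 4 + 1;                   /* x % 4 is in -3..3, so no overflow */
}

/* Constructed sample inputs: the thread's 0..0x14 counter range,
 * DinDon's negative table, and the 32-bit extremes. */
static const int32_t sample_inputs[] = {
    0, 1, 2, 3, 4, 5, 6, 7, 0x14,
    -1, -2, -3, -4, -5, -6, -7, -8,
    INT32_MAX, INT32_MAX - 1, INT32_MIN, INT32_MIN + 1, INT32_MIN + 3
};

/* Returns 1 if the emulated idiom equals (x % 4) + 1 for every sample, else 0. */
static int idiom_matches_reference(void)
{
    size_t n = sizeof sample_inputs / sizeof sample_inputs[0];
    for (size_t i = 0; i < n; i++) {
        int32_t x = sample_inputs[i];
        if ((int32_t)emulate_snippet((uint32_t)x) != reference(x))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf(" input -> idiom  no-fixup  (x %% 4)+1\n");
    for (int32_t x = -8; x <= 7; x++)
        printf("%6d -> %5d  %8d  %9d\n", x,
               (int32_t)emulate_snippet((uint32_t)x),
               (int32_t)emulate_without_fixup((uint32_t)x),
               reference(x));
    printf("idiom matches reference on all samples: %s\n",
           idiom_matches_reference() ? "yes" : "no");
    return idiom_matches_reference() ? 0 : 1;
}
```

Running it reproduces DinDon's three tables in one listing. The dec/inc pair only changes the outcome when a negative input has low bits 00: AND leaves 80000000h, dec turns it into 7FFFFFFFh, the OR then gives FFFFFFFFh and inc brings it back to 0, which is the correct signed remainder; without the pair the OR would produce FFFFFFFCh (-4). For low bits 01..11 the dec and inc cancel out, so the -1..-3 rows are identical either way.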

DinDon
April 4th, 2001, 02:45
Good! I missed your last inference!

The beauty of reversing is to find the light from the darkness of chaos!

Bye...