MOV ESP, EBP instructions without the danger of having an invalid stack during an
Performs a bitwise AND operation on the destination (first) and source (second)
operands and stores the result in the destination operand location. The source operand
can be an immediate, a register, or a memory location; the destination operand can be
a register or a memory location. (However, two memory operands cannot be used in
This instruction can be used to execute four different types of calls:
• Near call: a call to a procedure within the current code segment (the segment
currently pointed to by the CS register), sometimes referred to as an
intrasegment call.
• Far call: a call to a procedure located in a different segment than the current
code segment, sometimes referred to as an intersegment call.
• Inter-privilege-level far call: a far call to a procedure in a segment at a different
privilege level than that of the currently executing program or procedure.
• Task switch: a call to a procedure located in a different task.
If the selected code segment is at a different privilege level and the code
segment is non-conforming, a general-protection exception is generated. A far call to
the same privilege lev
A value in the call gate descriptor determines how many parameters to copy to
the new stack. Finally, the processor branches to the address of the procedure being
called within the new code segment.
Chapter : Assembly Commands
Executing a task switch with the CALL instruction is somewhat similar to
executing a call through a call gate. Here the target operand specifies the segment
selector of the task gate for the task being switched to (and the offset in the target
operand is ignored). The task gate in turn points to the TSS for the task, which contains
the segment selectors for the task’s code and stack segments.
The TSS also contains the EIP value for the next instruction that was to be
executed before the task was suspended. This instruction pointer value is loaded into
the EIP register so that the task begins executing again at this next instruction. The CALL
instruction can also specify the segment selector of the TSS directly, which eliminates
the indirection of
pushed on the stack.
ADD: Add
Adds the first operand (destination operand) and the second operand (source
operand) and stores
indicates the sign of the signed result.
MUL: Unsigned Multiply
Performs an unsigned multiplication of the first operand (destination operand)
and the secon
CALL, or RET instruction.
If the destination operand is a segment register (DS, ES, FS, GS, or SS), the
sourc
Throughout the rest of the lecture notes, we’ll be using the SoftIce .x debugger
from Numega (http://www.numega.com). The main advantage of SoftIce is its ability to load before Windows. This allows us to debug even Windows itself. It also
intercepts crashes and gives us helpful debugging information. However, since it is a
kernel mode debugger, it lacks a nice graphical user interface and peripheral support.
That is, if, for example, you are using a laptop and have plugged in external devices through a
docking station, you won’t be able to use them. Get SoftIce and make sure that it is the
right version for the operating system you have. Windows x has a different version
than Windows NT/. Windows Me is not supported, although there is an article at
Numega prompting you to download and install the DDK for Windows Me. (For more
information see http://www.numega.com/support/knowledgebase/docs/.stm.)
Installing SoftIce
Double click the single installation file. The standard installation process will
initiate (InstallShield). Click Next. Read and agree with the license agreement! If you
don’t agree with the terms listed there, the setup will cease. The next dialog box
requires you to enter the serial number of the product. The serial number is different for
the two SoftIce versions (Win x and NT/). Click Next.
We’ll leave the default installation directory as-is. If for some reason you want to
alter the installation directory you may do so, but be warned that the absolute paths
nation
WC [number]  If no number is specified, it toggles the code window. If a number is
present, it sets the code window lines equal to that number.
(Recommended: , it’s a very important window!)
WR  Toggles the registers window, which is on the top part of the window. It
is recommended that the registers window is always on.
WD [number]  Number behaves as in the WC command. This toggles the data window,
which can be used as a hex editor. You may want to close this window
and free up some space.
WF  Toggles the floating stack pointers window. We won’t use this window.
WL  Toggles the locals window. We won’t use this window.
WS  Toggles the stack window. We won’t use this window much.
WW  Toggles the watch window. Set watches with the watch <address>
The code command toggles on and off the code column in the disassembly
window. The code column is the second column from left to right and has the opcodes
of the functions that are disassembled. If it is off, then there are only three columns
instead of four.
It is convenient to set faults off by default. This will force SoftIce not to pop up
every time a Windows application crashes. Besides, we don’t want to debug everything!
It is necessary to set faults on when we debug our own applications, since in case of a
fault SoftIce won’t pop up when faults are set to off.
If CTRL+D is not convenient for you, you can always use the altkey command
to change it. The syntax is ALTKEY (CTRL or ALT) key. For example, altkey alt F will
replace the CTRL+D shortcut with ALT+F.
You probably have noticed by now that the up and down cursor keys are used to
navigate through the previous commands in the command panel. Also, note that
entering cls will clear SoftIce’s panel. Set mouse x sets the mouse speed
from (slowest) to (fastest).
All these settings (and more) can be saved in the winice.dat file, so that they’ll be
restored each time SoftIce is initialized:
INIT="lines ;code on;wd ;wc ;ww ;wl;dex ss:esp;faults off;"
INIT="altkey ctrl d;watch es:di;watch eax;watch *es:di;set mouse ;cls;X;"
SoftIce Window
Since everything freezes, it’s not that easy to take a snapshot of SoftIce’s
window. There is a way though: freeze something in the background, pop up SoftIce
….
Please note that although it would be nice to breakpoint all modules (Windows
modules and program DLLs), that’s impossible since they would occupy too many
resources. So, we’ll just breakpoint some of the most “popular” modules like
kernel.dll, user.dll, comdlg.dll and advapi.dll. You can of course breakpoint all