What does it do?

20 replies to this topic

#1
tier

    Learning Programmer

  • Members
  • 36 posts

0B04:0100 E8CA00        CALL    01CD
0B04:0103 E80000        CALL    0106
0B04:0106 58            POP     AX
0B04:0107 054100        ADD     AX,0041
0B04:010A AB            STOSW
0B04:010B 33FF          XOR     DI,DI
0B04:010D 2D0900        SUB     AX,0009
0B04:0110 8BF0          MOV     SI,AX
0B04:0112 B91300        MOV     CX,0013
0B04:0115 F3            REPZ
0B04:0116 A5            MOVSW
0B04:0117 0E            PUSH    CS
0B04:0118 06            PUSH    ES
0B04:0119 1F            POP     DS
0B04:011A 07            POP     ES
0B04:011B 8BF8          MOV     DI,AX
0B04:011D B8B900        MOV     AX,00B9


(after nasm debug, obviously..)

Not sure why I can't get what I need to see: 5 rows of 40 bits writing (a diagonal) with 1 bit interval between them and 8 bit distance between every line in a diagonal (in order 1 - 4 - 2 - 5 - 3).

Thanks in advance.

Attached Files: u.JPG (12.86K, 20 downloads)

Edited by tier, 28 December 2011 - 05:00 PM.


#2
dargueta

    Writes binary right handed and hex left handed

  • Moderators
  • 4,705 posts
  • Programming Language: C, Java, C++, PHP, Python, Perl, Assembly, Bash, Others
  • Learning: JavaScript
What's at address 0x01cd?
sudo rm -rf /

#3
tier
It's a relative (to segment) call \ jump..

#4
dargueta
I know what the instruction is, but what does the function do? That has quite a bit of bearing on what happens. Either way, I get this:
0B04:0100 E8CA00        CALL    01CD
0B04:0103 E80000        CALL    0106           ;   Get address of next instruction
0B04:0106 58            POP    AX              ;   AX = 0x0106 (return address)
0B04:0107 054100        ADD    AX,0041         ;   AX = 0x0147
0B04:010A AB            STOSW                  ;   ES:[DI] = AX
0B04:010B 33FF          XOR    DI,DI           ;   DI = 0
0B04:010D 2D0900        SUB    AX,0009         ;   AX = 0x013D
0B04:0110 8BF0          MOV    SI,AX           ;   SI = AX
0B04:0112 B91300        MOV    CX,0013         ;   CX = 0x13
0B04:0115 F3            REPZ
0B04:0116 A5            MOVSW                  ;   0x13 words from ES:[DI] = AX
0B04:0117 0E            PUSH    CS
0B04:0118 06            PUSH    ES
0B04:0119 1F            POP    DS              ;   DS = ES
0B04:011A 07            POP    ES              ;   ES = CS
0B04:011B 8BF8          MOV    DI,AX           ;   DI = AX
0B04:011D B8B900        MOV    AX,00B9         ;   AX = 0x00B9
;
;   AX = 00B9
;   CX = 0
;   CS = 0B04
;   DS = ES
;   ES = 0B04
;   SI = 013D
;   DI = 0026


#5
tier
Thanks for posting, but I have no idea about the function's role also (that's my real problem here).
Given the "output", what can be the function here (for example)?
How can I find out?

#6
dargueta
Disassemble whatever's at 0B04:01CD and post that.

#7
tier
How do I disassemble a specific line with NASM?

#8
dargueta
Are you using objdump? NASM is an assembler, not a disassembler.

#9
tier
Hmm.. Think I got it..

0B04:01CD E80000        CALL    01D0
0B04:01D0 58            POP     AX
0B04:01D1 054100        ADD     AX,0041
0B04:01D4 AB            STOSW
0B04:01D5 33FF          XOR     DI,DI
0B04:01D7 2D0900        SUB     AX,0009
0B04:01DA 8BF0          MOV     SI,AX
0B04:01DC B91300        MOV     CX,0013
0B04:01DF F3            REPZ
0B04:01E0 A5            MOVSW
0B04:01E1 0E            PUSH    CS
-u
0B04:01E2 06            PUSH    ES
0B04:01E3 1F            POP     DS
0B04:01E4 07            POP     ES
0B04:01E5 8BF8          MOV     DI,AX
0B04:01E7 B8B900        MOV     AX,00B9
0B04:01EA BA7AF3        MOV     DX,F37A
0B04:01ED BBCCCC        MOV     BX,CCCC
0B04:01F0 8BCB          MOV     CX,BX
0B04:01F2 CD87          INT     87
0B04:01F4 81C72604      ADD     DI,0426
0B04:01F8 8BEF          MOV     BP,DI
0B04:01FA 33F6          XOR     SI,SI
0B04:01FC A5            MOVSW
0B04:01FD B86800        MOV     AX,0068
0B04:0200 BBFC03        MOV     BX,03FC
-u
0B04:0203 B90200        MOV     CX,0002
0B04:0206 FFE5          JMP     BP


---------- Post added at 11:04 PM ---------- Previous post was at 10:59 PM ----------

I use the "debug" option.
Btw, how can I be sure what is a part of the code and what is not \ where it ends? The last line makes sense for ending, but what about the other parts? (For example, in the beginning:

-u
0B04:0100 E8CA00        CALL    01CD
0B04:0103 E80000        CALL    0106
0B04:0106 58            POP     AX
0B04:0107 054100        ADD     AX,0041
0B04:010A AB            STOSW
0B04:010B 33FF          XOR     DI,DI
0B04:010D 2D0900        SUB     AX,0009
0B04:0110 8BF0          MOV     SI,AX
0B04:0112 B91300        MOV     CX,0013
0B04:0115 F3            REPZ
0B04:0116 A5            MOVSW
0B04:0117 0E            PUSH    CS
0B04:0118 06            PUSH    ES
0B04:0119 1F            POP     DS
0B04:011A 07            POP     ES
0B04:011B 8BF8          MOV     DI,AX
0B04:011D B8B900        MOV     AX,00B9
-u
0B04:0120 BA7AF3        MOV     DX,F37A
0B04:0123 BBCCCC        MOV     BX,CCCC
0B04:0126 8BCB          MOV     CX,BX
0B04:0128 CD87          INT     87
0B04:012A 81C72604      ADD     DI,0426
0B04:012E 8BEF          MOV     BP,DI
0B04:0130 33F6          XOR     SI,SI
0B04:0132 A5            MOVSW
0B04:0133 B86800        MOV     AX,0068
0B04:0136 BBFC03        MOV     BX,03FC
0B04:0139 B90200        MOV     CX,0002
0B04:013C FFE5          JMP     BP
0B04:013E A5            MOVSW
0B04:013F A5            MOVSW

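The register arithmetic in the hand trace of post #4 can be checked mechanically instead of by eye. This is an added example, not code from the thread or from debug.exe: a tiny Python emulator for exactly the opcodes in the listings above, with the machine-code bytes copied from 0B04:0103..013F (posts #4 and #9). It assumes a flat 64 KiB .COM image with CS=DS=ES=0B04, SP=FFFE and SI=DI=0 at entry, and starts at 0103 because the target of the first CALL 01CD is not modelled.

```python
SEG = 0x0B04              # CS=DS=ES for a .COM image (assumed, as in the listing)

# Machine-code bytes copied from the debug listing, 0B04:0103 .. 0B04:013F.
CODE = bytes.fromhex(
    "E80000 58 054100 AB 33FF 2D0900 8BF0 B91300 F3A5 0E 06 1F 07 8BF8 B8B900"
    "BA7AF3 BBCCCC 8BCB CD87 81C72604 8BEF 33F6 A5 B86800 BBFC03 B90200 FFE5 A5 A5")

def run(start=0x0103, stop=0x0120):
    """Execute the listed bytes from `start` until IP reaches `stop`.
    Returns the final registers and every (offset, word) stored through ES:[DI]."""
    mem = bytearray(0x10000)                 # one flat 64 KiB segment
    mem[0x0103:0x0103 + len(CODE)] = CODE
    r = dict(ax=0, cx=0, si=0, di=0, sp=0xFFFE, ip=start, cs=SEG, ds=SEG, es=SEG)
    rd16 = lambda a: mem[a] | mem[a + 1] << 8
    def wr16(a, v): mem[a], mem[a + 1] = v & 0xFF, (v >> 8) & 0xFF
    def push(v): r["sp"] = (r["sp"] - 2) & 0xFFFF; wr16(r["sp"], v)
    def pop(): v = rd16(r["sp"]); r["sp"] = (r["sp"] + 2) & 0xFFFF; return v
    writes = []
    while r["ip"] != stop:
        ip = r["ip"]; op, modrm, imm = mem[ip], mem[ip + 1], rd16(ip + 1)
        if op == 0xE8:                          # CALL rel16: return address lands on the stack
            push(ip + 3); r["ip"] = (ip + 3 + imm) & 0xFFFF
        elif op == 0x58: r["ax"] = pop(); r["ip"] += 1            # POP AX (= address of next insn)
        elif op == 0x05: r["ax"] = (r["ax"] + imm) & 0xFFFF; r["ip"] += 3   # ADD AX,imm16
        elif op == 0x2D: r["ax"] = (r["ax"] - imm) & 0xFFFF; r["ip"] += 3   # SUB AX,imm16
        elif op == 0xB8: r["ax"] = imm; r["ip"] += 3                         # MOV AX,imm16
        elif op == 0xB9: r["cx"] = imm; r["ip"] += 3                         # MOV CX,imm16
        elif op == 0xAB:                                                     # STOSW
            writes.append((r["di"], r["ax"])); wr16(r["di"], r["ax"]); r["di"] += 2; r["ip"] += 1
        elif op == 0x33 and modrm == 0xFF: r["di"] = 0; r["ip"] += 2         # XOR DI,DI
        elif op == 0x8B and modrm == 0xF0: r["si"] = r["ax"]; r["ip"] += 2   # MOV SI,AX
        elif op == 0x8B and modrm == 0xF8: r["di"] = r["ax"]; r["ip"] += 2   # MOV DI,AX
        elif op == 0xF3 and modrm == 0xA5:                                   # REP MOVSW
            while r["cx"]:
                w = rd16(r["si"]); writes.append((r["di"], w)); wr16(r["di"], w)
                r["si"] += 2; r["di"] += 2; r["cx"] -= 1
            r["ip"] += 2
        elif op == 0x0E: push(r["cs"]); r["ip"] += 1                         # PUSH CS
        elif op == 0x06: push(r["es"]); r["ip"] += 1                         # PUSH ES
        elif op == 0x1F: r["ds"] = pop(); r["ip"] += 1                       # POP DS
        elif op == 0x07: r["es"] = pop(); r["ip"] += 1                       # POP ES
        else: raise NotImplementedError(f"opcode {op:02X} at {ip:04X} not modelled")
    return r, writes

if __name__ == "__main__":
    regs, stores = run()
    print({k: f"{v:04X}" for k, v in regs.items()})
    print("words stored via ES:[DI]:", [(f"{o:04X}", f"{w:04X}") for o, w in stores])
```

Running it shows the CALL/POP pair leaving 0106 in AX and the REP MOVSW copying 0x13 words from DS:[SI] to ES:0000, which in a .COM image is the start of the program's own PSP; the NotImplementedError makes it explicit where the model stops rather than silently guessing.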

#10
dargueta
Short answer - don't use debug.exe. It can't tell where code starts or ends; you'll have to follow all execution paths and infer where the code jumps to.

Are you disassembling a .COM program, or .EXE? Check out ndisasm, which is much more sophisticated.
The Netwide Assembler: NASM
For Windows: http://www.nasm.us/p...0-installer.exe

#11
tier
.com..
I don't get it - I've tried using what you offered (thanks), but the ndisasm shell wasn't opened.
How do I open it \ show my .com file (ending and relevant parts)?

Thanks again.

#12
dargueta
Ugh. .com programs are extremely annoying to disassemble; I don't think ndisasm can handle those properly. (You did install it properly, right?)

What does the .com program do?