Ok, I went here:
Clicked on the first "download the installer"
Deselected everything except "Debugging Tools for Windows"
That got me windbg.exe (and there are also some others
like cdb.exe that might be useful).
In windbg I chose "Open Crash Dump" and selected
my dump file.
Then I did "!analyze -v" as suggested by windbg, and
lo and behold, I got a stack trace:
WARNING: Stack unwind information not available. Following frames may be wrong.
0061ff20 00401b68 00000001 004098d0 0061ff50 pdptest!main+0x38
0061ff50 0040100d 00000000 00000000 00000000 pdptest!_start+0x4f8
0061ff70 772cfa29 0030c000 772cfa10 0061ffdc pdptest!mainCRTStartup+0xd
0061ff80 77717a9e 0030c000 44e9b9e2 00000000 kernel32!BaseThreadInitThunk+0x19
0061ffdc 77717a6e ffffffff 77738a33 00000000 ntdll!__RtlUserThreadStart+0x2f
0061ffec 00000000 00401000 0030c000 00000000 ntdll!_RtlUserThreadStart+0x1b
Not sure what its complaint about "stack unwind information"
not being available is about. It looked correct to me.
Anyway, here is my generated assembler:
movl $LC0, -36(%ebp)
movl $LC1, -40(%ebp)
movl $0, -44(%ebp)
movb $0, 0
printf("welcome to pdptest\n");
*(char *)0 = 0;
gccwin -S -O2 -D__WIN32__ -D__STATIC__ -D__NOBIVA__ -I . -I../src -o pdptest.s pdptest.c
And when assembled with:
aswin -a -o pdptest.o pdptest.s >temp.txt
72 01f9 C745D815 movl $LC1, -40(%ebp)
73 0200 C745D400 movl $0, -44(%ebp)
74 0207 E8000000 call _puts
75 020c C6050000 movb $0, 0
76 0213 59 popl %ecx
Not the offset I need, because of constants.
So here is the important line:
57 01d1 8D7600 .align 4
58 .globl _main
60 01d4 55 pushl %ebp
So 1d1 plus the reported offset 38 gives me 209.
Not what I expected, but getting close.
Oh. That "1d4" is the first instruction. That's what I need.
Let's try again.
1d4 + 38 = 20C.
And Houston, we have liftoff.
It has reported the line of code that faulted. I was actually
expecting it to point to the next line (213) after the error,
but that's fine, so long as I know "the rules".
One other thing I ideally need is the module load point
so that I'm not dependent on symbols. In fact, how does
windbg even know my function is called "_main"? I thought
symbols were being stripped?
ldwin -s -o pdptest.exe w32start.o pdptest.o pdpwin32.a ../src/kernel32.a
Looks like stripping to me.
I have this:
0071E0 61627300 6C646976 006D6169 6E006D61 abs.ldiv.main.ma
0071F0 696E4352 54537461 72747570 006D616C inCRTStartup.mal
near the end of the file.
006FD0 746F7574 005F5F69 73627566 005F5F6D tout.__isbuf.__m
006FE0 61696E00 5F5F705F 5F656E76 69726F6E ain.__p__environ
So one "main" with 2 underscores, one with none. But
mine is just 1. Not sure what that is about.
Anyway, from the map I have:
ldwin -M -s -o pdptest.exe w32start.o pdptest.o pdpwin32.a ../src/kernel32.a >temp.txt
.text 0x00401000 0x5e00
.text 0x00401000 0x20 w32start.o
.text 0x00401020 0x520 pdptest.o
.text 0x00401540 0x870 pdpwin32.a(start.o)
So the "main" I'm interested in is at offset 4011f4 - 401000 = 1f4.
I have this address:
0061ff20 00401b68 00000001 004098d0 0061ff50 pdptest!main+0x38
not sure if that (61ff20) is of "main" or the failing location.
If I know the load point I'll be in business. Does windbg give me that?
It gives me registers, which is great:
eax=00000000 ebx=00000000 ecx=fe388eab edx=0000000a esi=00000003 edi=00000003 eip=77722f8c esp=0061ef58 ebp=0061f0e8
Gives me the instruction too:
0040122c c6050000000000 mov byte ptr ds:,0 ds:002b:00000000=??
Repeats the address:
ExceptionAddress: 0040122c (pdptest!main+0x00000038)
Ok, the other command I know is "lmv"
That gives me:
start end module name
00400000 00412000 pdptest (export symbols) pdptest.exe
That's strange. I thought there was address space
randomization. Why is it loaded at 400000? There
should be relocation information for this executable.
I think this (.reloc) is what proves that:
objdump -p pdptest.exe
The Data Directory
Entry 0 0000f000 000009ab Export Directory [.edata (or where ever we found it)]
Entry 1 00010000 0000027c Import Directory [parts of .idata]
Entry 2 00000000 00000000 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00011000 000002ac Base Relocation Directory [.reloc]
Anyway, with exception address of 0040122c it means I'm
looking for offset 122c in my module.
I have this:
But I thought it would be just 1f4.
Regardless, 11f4 + 38 gives me the 122C I am looking for.
I just need to find out what the missing 1000 is about.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
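Added example (mine, not from the post): a small Python script that does the arithmetic the post works through by hand, resolving a windbg ExceptionAddress through the `ldwin -M` map to an offset inside pdptest.o's .text and then to the matching line of the `aswin -a` listing. It assumes the map and listing excerpts are laid out exactly as pasted above (listing columns: line number, address, bytes, source).

```python
import re

# Constructed excerpts, copied from the post: the `ldwin -M` map and the `aswin -a` listing.
MAP = """\
.text 0x00401000 0x5e00
.text 0x00401000 0x20 w32start.o
.text 0x00401020 0x520 pdptest.o
.text 0x00401540 0x870 pdpwin32.a(start.o)
"""
LISTING = """\
57 01d1 8D7600 .align 4
58 .globl _main
60 01d4 55 pushl %ebp
72 01f9 C745D815 movl $LC1, -40(%ebp)
73 0200 C745D400 movl $0, -44(%ebp)
74 0207 E8000000 call _puts
75 020c C6050000 movb $0, 0
76 0213 59 popl %ecx
"""

def parse_map(text):
    """Per-object .text entries from the map: [(start, size, object)].
    The section summary line (no object column) is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == ".text":
            entries.append((int(parts[1], 16), int(parts[2], 16), parts[3]))
    return entries

def parse_listing(text):
    """{offset within the .o: source text} for listing lines that carry an address column."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+([0-9a-fA-F]{4})\s+[0-9A-Fa-f]+\s+(.*)", line)
        if m:
            out[int(m.group(1), 16)] = m.group(2).strip()
    return out

def locate(exception_addr, map_text, listing_text):
    """Resolve a windbg ExceptionAddress to (object, offset in its .text, listing line).
    Each object's map start is an absolute address, so it already carries the 0x1000
    between the 0x400000 module base (lmv) and the .text start (map); subtracting the
    object's start removes it, which is the "missing 1000" in the post."""
    for start, size, obj in parse_map(map_text):
        if start <= exception_addr < start + size:
            offset = exception_addr - start
            return obj, offset, parse_listing(listing_text).get(offset)
    return None

if __name__ == "__main__":
    print(locate(0x0040122c, MAP, LISTING))  # ('pdptest.o', 524, 'movb $0, 0')
```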