Quick Insight Run Through

I explained how debuggers single-step your programs in Chapter 5, and Insight works the same way. Let's load Listing 5-1 into Insight and see what it can do, especially with respect to looking at memory data. Open Kate and its session for the eatsyscall project. Make sure that the project has been built and that an executable is present in the project directory. Then launch Insight:

insight eatsyscall

The only views you want this time are the main window (the source code view) plus the Registers view and the Memory view. Close any others that may have opened. What you see should look something like Figure 6-12.

Eile Euii View Curilrul Erefertiíiuetí hLeäp

4 i} ï? if

ïll !»

M a m <®, Sîl s

~ m «s

|pnr sysrfll 1 _ nsm

t] |_K|-*rr T)

; section containing initialised data

EatMsg: db "Eat at Joe's I",10 EatLen: equ S-EatMsg

; section containing initialised data

EatMsg: db "Eat at Joe's I",10 EatLen: equ S-EatMsg rnov caí, 4

rnov 1

int 80H

; Section containing uninitialised data } Section I ;I <■ .. i i i. i co de i Linker, needs LLis if lind tile entry fjuijit!

Specify sys_write call

Specify File Descriptor 1: Standard Output Pass offset of the message Pass the length of the me3sage } Make kernel call

Code for Exit Syecall Return a code of zero

; Make kernel call

Program not running. Click on rui icon to start.

Figure 6-12: Insight's source code window

Insight's windows are not as nicely drawn as those of KDbg, but on the upside, all of its controls have ''hover help.'' When you hover the mouse pointer over one of the controls, a label pops up that tells you what the control is. Insight's defaults are fairly good, and you generally don't have to do any setup before single-stepping a program.

When it loads an executable for debugging, Insight highlights the first executable instruction. This looks like execution is paused at a breakpoint, but not so: There are no breakpoints set by default, and the program is not running. The highlight simply tells you where execution will begin when you run the program.

As with KDbg, an initial breakpoint must be set. You set a breakpoint by clicking on the dash character in the leftmost column of the source-code display. A dash is present on each line that contains an instruction and therefore can accept a breakpoint. (You can't set a breakpoint on data definitions, or anything but an instruction.) Breakpoints are toggles: click the dash, and the breakpoint is shown by the presence of a red square; click the red square, and the breakpoint is removed, with the display returning to the dash.

Click on the dash next to the mov eax,4 instruction. You'll get your breakpoint, and now you can run the program. Insight's navigation controls are the leftmost two groups of buttons in the toolbar. You start the program by clicking the Run icon (which shows a running man) or pressing R. Execution will begin, and pause at your breakpoint. Two other things will happen:

Insight will place what looks like a breakpoint at the program's first instruction (here, a NOP instruction) but it will not stop there. The highlight will move to your initial breakpoint. The reason for this involves the internals of C programs, which I won't explain in detail here.

■ The Registers view and the Memory view, which had been empty, will now ''light up'' and show real data.

Like KDbg, Insight was really designed for C programming, and some of the controls apply more to C than to assembly. To single-step simple programs, click the Step Asm Instruction button. The highlighted instruction will execute, and the highlight will move to the next instruction in sequence. The two buttons for instruction stepping differ when you begin writing code with subroutine calls (as I'll demonstrate in a later chapter) but for programs as simple as eatsyscall, the two buttons do exactly the same thing.

The Registers view shows the current state of CPU registers, and any register that changed during the last instruction executed is highlighted in green. Step down the program until the highlight rests on the first int 80H instruction. Four registers have been loaded in preparation for the syscall, as you'll see in the Registers view, shown in Figure 6-13.

krroup:

all

cax

0x4

3<

a

BCX

Qx80490a4

S1

cdx

Oxc

o1

ebx

0x1

S1

eep

0xbfbd30d0

e 1

ebp

0x0

S1

es i

0x0

e<

edi

0x0

si

eip

0x8048095

fr

ellaqs

0x200292

I:

cs

0x73

£1

ss

0i7b

I.

-J 1

IJB

Figure 6-13: Insight's Registers view during program execution

The EDX register is the one highlighted in green because it was loaded in the last instruction that Insight executed. The EIP register (the instruction pointer) will be green virtually all the time, because it changes whenever an instruction is executed—that is, at every step.

The Registers view window (refer to Figure 6-13) is scaled back significantly. The CPU has a lot of registers, and the Registers view will obediently display all of them. You can get a sense for the full list of registers by maximizing the Registers view window. With the window maximized, Insight will show you the segment registers (which belong to the operating system and are not available for your use) and the math processor registers, which you won't be using during your first steps in assembly. It's possible to select only the general-purpose registers for display, and this is done by clicking the Group button at the top of the Registers view and selecting General from the menu that appears. You can get the same effect by sizing the window, and which you choose is up to you.

When you begin running your program, the Memory view window loads data starting at the first named data item in your .data section. In Listing 5-1, there's only one data item, the EatMsg string. You'll see the ''Eat at Joe's'' message at the beginning of the displayed data (see Figure 6-14).

Figure 6-14: Insight's Memory view during program execution

Like the Registers view, the Memory view is updated after every instruction. In more powerful programs that manipulate data in memory, you can watch the contents of memory change as you step through the program's machinery. Insight's Memory view is much like the Bless Hex Editor introduced in Chapter 5. Memory is displayed in two forms: on the left, as rows of 16 individual hexadecimal numeric values, and on the right, as rows of 16 ASCII characters. Data values that fall outside the range of displayable ASCII characters are displayed as period characters.

The memory view has another very useful trick: You can change data in memory at any time. Changes can be made in either the hexadecimal values section of the view, or in the ASCII section of the view. Give it a try: click on the ASCII view so that the cursor appears just after the ''e'' in ''Joe's.'' Backspace three characters, type Sam, and press Enter. You've changed ''Joe'' to ''Sam'' in memory. (Your files on disk are not affected.)

To verify the change, click the Continue button, which (in contrast to stepping) continues execution without pause until the next breakpoint, or until the end of the program, whichever comes first. (Continue is the fifth button from the left on the main toolbar.) Your program will run to completion, and if you look at the program's output in Kate's terminal window, you'll see that you've hijacked Joe's advertising slogan and given it to Sam.

Was this article helpful?

0 0

Post a comment