Back to home page

DOS ain't dead

Forum index page

Log in | Register

Back to the forum
Board view  Mix view

Confusing DEBUG (Miscellaneous)

posted by cm(R) Homepage E-mail, Düsseldorf, Germany, 19.08.2010, 11:00

> I saw - and still see - some differences, but this is probably off-topic.

Feel free to wander. (If it's about the discrepancy that your DEBUG doesn't really check CS:EIP to see if it matches one of G's breakpoint, yeah, I noticed that later.)

> However, what's on-topic is that I'm unable to see why DEBUG is supposed to
> be "confused". I also don't agree that it "incorrectly decrements (E)IP".
> If the conditions described above are met then (E)IP has to be decremented,
> it doesn't matter if the INT 3 was truly executed or if it was "faked".

r ds 0
r bx C
a 100
push cs
push word 10C
push word [bx+2]
push word [bx]
db A9
jmp 110
int 3
int 3

g 10B
r ip 100

Executing this script (in your DEBUG) with the G breakpoint set at 10B ends up at the "test ax, 02EB" instruction (db A9). With no breakpoint at 10B (or outside DEBUG assuming a simple "iret" Int03 handler) the code doesn't execute the test instruction but the contained short jump instead.

The problem with that is that the byte which was set to a breakpoint doesn't have to be a valid instruction; therefore decrementing EIP to point there is incorrect. With a non-faked breakpoint, DEBUG knows it's a valid instruction because the CCh byte was executed. Not so if the Int03 call really came from elsewhere; the breakpoint might have been inside another instruction then. (Though setting breakpoints inside instructions is always just asking for problems.)

Of course, there is no use for this exploit. It's no issue with DEBUG either because no program ever fakes interrupt 03h calls. But I told you it's useless. I just found this to be interesting.



Complete thread:

Back to the forum
Board view  Mix view
15297 Postings in 1378 Threads, 254 registered users, 18 users online (1 registered, 17 guests)
DOS ain't dead | Admin contact
RSS Feed
powered by my little forum