Exercise 5: Unwinding a 16-bit Stack

Objectives:

To learn how to 'unwind' a stack. This is how to find the calling hierarchy which existed at some particular point, such as at the point of failure.
To learn how to 'mine' information from the stack frames.

Normally, every routine which has not returned to its caller will have a stack frame. Each stack frame normally contains the parameters passed to a routine, the return address for the routine, and the data which is local for that routine.

Start the dump formatter just as before, on the same dump.

Questions:

The convention states that BP or EBP will point to the current stack frame. SP will point to the lowest address which is in use.

Therefore, note the initial values for SP _______ and BP ________. Since SS is the selector that defines the stack, note which it is. Some analysts also note the limit of the SS descriptor, because that value bounds the range of both SP and BP.

SS ________ SSLIM _______

Display the current stack frame using DW SS:BP. This will show you only part of the frame, but most analysts do this because it makes following the chain so easy.

The first word is the offset, or near address, of the next frame. The second word is the offset part of the return address. If the call was a far call, the return must also be a far call. If this is the case, the third word is the selector part of the return address.

next stack frame ________ return offset ________ selector ________

Some number of words following the return address are the parameters passed. There is no way to know for certain how many parameters there are, unless you know how both the caller and the routine are written. Analysts typically write down a few words, as convenient.

parameter word# 1 ________ 2 ________ 3 ________ 4 ________

At this point we have gleaned what we can from this frame. Now you need to repeat the process for the rest of the stack frames.

Many analysts will follow the entire chain of stack frames before going to the system or application documentation to find the names of the routines involved, and the line numbers. Others choose to go back and forth, and put in the routine names and line numbers for each frame as they go.

The application documentation will tell you where variables are stored. Remember that each routine uses its own stack frame, so be certain to use the numeric value rather than the register name 'BP' to look at local data for routines other than the failing one.

If you display from SP to BP-2, or ESP to EBP-4, you will see the entire local data for the routine using the current stack frame. This can be quite nice for locating the individual variables.

Find the routine which failed by looking at the .MAP file.

Find the line number that failed by looking next at the .COD file.

The following variables are involved in the failure: 'npr' and 't'. their locations can be found in the .COD file.

Find the location of npr,________ then display its value ________

Find the location of t,________ then display its value ________

You may want to look at the call to the failing routine, before going away to find the programmer.

[Back: Questions]
[Next: Exercise 6: Unwinding a 32-bit Stack]