Part 2: Some Techniques
Procedures to get control at a point other than a trap:
One approach is to use clever breakpoints within OS/2.
Stopping at the first executable instruction of a program
- We will make use of a couple of breakpoint commands.
The BP command tells the debug kernel that we want control on the debug
terminal when execution reaches some specific address. The problem is that
the place where we would like to get control is not loaded into memory until
we run the program, and it is difficult at best to type Control-C at just
the right time.
- The initial breakpoint uses the fact that almost all programs use the
DOSCALL1 DLL, which appears to have instance initialization (its initialization
code runs each time a new process attaches to it). Enter the command
BP DosLibIDisp,'.p*'
The content of the quoted string is the command to execute when we arrive
at the breakpoint. Its output lets us confirm that we are in the correct
context, because the output of '.p*' includes the module name.
Let the MUT run, and execute OSPREY once again.
You will probably get control in the context of OSPREY. If not, issue 'g'
again a time or two until you are.
- At this point, OSPREY has been loaded, so we can set a breakpoint.
If you simply try the command BP 0F:1BBE, you will discover that the page is
not yet loaded. There are two ways around this problem.
a. Use a register breakpoint, BR E,0F:1BBE. This uses a CPU debug register
rather than a CC byte in memory, so the page need not be present yet.
b. Cause OS/2 to bring the page in with .I 0F:1BBE, then reenter the BP
command from above.
- However, this is 'cheating' because we already knew where to stop.
To find the address of the first instruction without that foreknowledge,
enter the command .M 0F:0 and find the MTE handle, hmte, in its output.
Issue the .LMO command with the hmte as the parameter.
Alternatively, try .LMO 'OSPREY', which works sometimes.
The output of the .LMO command includes the linear address of the MTE.
Display the MTE as doublewords, and get the address of the SMTE from the
output; it is in the second doubleword.
Display the SMTE as doublewords, and you can find the entry point in the
second and third doublewords displayed.
Now you can set a breakpoint at the entry to any module.
The PATCH program
- On the MUT, execute the EXEHDR utility against OSPREY.EXE.
EXEHDR is distributed with the developers' toolkit.
The output will provide the information you need to patch a program successfully.
The last part of the output should look like:
Module: OSPREY
Description: OSPREY.EXE
Data: NONSHARED
Initial CS:IP: seg 1 offset 0088
Initial SS:SP: seg 3 offset 0000
Extra stack allocation: 0a00 bytes
DGROUP: seg 3
 no. type  address   file   mem   flags
   1 CODE  00000200  0247d  0247e
   2 DATA  00000000  00000  00200
   3 DATA  00002800  007cb  00960
There are two things we will need in this listing.
- The entry point, or initial CS:IP is _________:________
- The location in the file where that segment begins (the 'address' column)
_________
The columns labelled 'file' and 'mem' are the sizes of the segment in the
file and in memory. The difference is due to uninitialized data, which is not
stored in the file, saving space and reducing program load time.
To find the location of an instruction in the file, add the offset to the
file address. This only works for an offset smaller than the 'file' size;
bytes beyond it exist only in memory and cannot be patched in the file.
- To get control, we will replace a byte with the hex value 'CC', which is a
special one-byte instruction, Int 3, or BreakPoint. Only the first byte of the
instruction at that address is overwritten; the remaining bytes stay in place.
- We will patch the call instruction at 1BBE. Add the offset 1BBE to the file
address 0200: _________
If you cannot add hex, get the debug kernel's attention, and then type in
? 1BBE+0200. ? is a general purpose evaluation command.
- We now know where we want to patch the program.
Let's do it.
On the MUT, enter the command PATCH OSPREY.EXE
The patch address was calculated above; enter it.
The byte you are about to replace is hex ______
Type CC then press enter, and complete the confirmations.
We have now patched the program.
- Execute the program on the MUT; you get control at the INT 3.
We need to put back the hex data which was originally there, so as not to
introduce another problem when execution continues. We will use the enter
command.
Type the command E CS:IP
You will see the 'CC'; type the original data value and press enter.
Type the command .R and you should see the original far call.
- This is one way to get control.
It requires hands-on access to the MUT to run PATCH and the program, which is a
problem if the MUT is not where you can touch it.
Type the commands G then GT to let OSPREY finish.
- Patch OSPREY back to its original content if you wish; the E command fixed
only the copy in memory, and the CC is still in the file.
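The file-offset arithmetic and the patch/restore bookkeeping of the exercise above, as an added Python example that is not part of the original course text: it parses the EXEHDR segment table shown earlier, applies the page's rule (file address plus offset) with a bounds check against the 'file' column, and plants and removes the CC byte in a constructed byte image that stands in for OSPREY.EXE. The far CALL bytes written into that image are constructed for the example, not taken from the real program.

```python
import re

INT3 = 0xCC  # opcode of the one-byte INT 3 (breakpoint) instruction

# Segment table from the EXEHDR listing on the page (OSPREY.EXE).
EXEHDR_LISTING = """\
 no. type  address  file  mem   flags
   1 CODE  00000200 0247d 0247e
   2 DATA  00000000 00000 00200
   3 DATA  00002800 007cb 00960
"""

SEG_LINE = re.compile(
    r"^\s*(\d+)\s+(CODE|DATA)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)", re.I
)


def parse_segments(listing):
    """Return {segment number: (type, file address, file size, memory size)}."""
    segs = {}
    for line in listing.splitlines():
        m = SEG_LINE.match(line)
        if m:
            n, typ, addr, fsize, msize = m.groups()
            segs[int(n)] = (typ.upper(), int(addr, 16), int(fsize, 16), int(msize, 16))
    return segs


def is_stored(segs, seg, offset):
    """True if seg:offset is backed by bytes in the file, not only in memory."""
    _, _, fsize, _ = segs[seg]
    return 0 <= offset < fsize  # offsets in [file size, mem size) are uninitialized data


def file_offset(segs, seg, offset):
    """The page's rule: file address of the segment plus the offset within it."""
    if not is_stored(segs, seg, offset):
        raise ValueError(f"{seg:X}:{offset:04X} is not stored in the file; PATCH cannot reach it")
    return segs[seg][1] + offset


class PatchedImage:
    """Byte image of an executable with reversible INT 3 patches (PATCH plus bookkeeping)."""

    def __init__(self, data):
        self.data = bytearray(data)
        self.saved = {}  # file offset -> byte that was there before the CC

    def plant_int3(self, off):
        """Replace the byte at off with CC; return the original so it can be re-entered later."""
        if off in self.saved:
            raise ValueError(f"offset {off:X} already patched")
        self.saved[off] = self.data[off]
        self.data[off] = INT3
        return self.saved[off]

    def restore(self, off):
        """Put the original byte back (the in-file counterpart of E CS:IP <original byte>)."""
        orig = self.saved.pop(off)
        self.data[off] = orig
        return orig


def demo():
    """Walk the exercise: locate the far CALL at 0F:1BBE in the file, plant CC, then undo it."""
    segs = parse_segments(EXEHDR_LISTING)
    target = file_offset(segs, 1, 0x1BBE)  # the same sum the debugger gives for ? 1BBE+0200

    # Constructed stand-in for OSPREY.EXE: same segment layout, zero-filled, with a
    # five-byte far CALL (opcode 9A, constructed operand bytes) at the patch site.
    _, addr, fsize, _ = segs[3]
    image = bytearray(addr + fsize)
    image[target:target + 5] = bytes([0x9A, 0x00, 0x00, 0x00, 0x00])

    img = PatchedImage(image)
    original = img.plant_int3(target)              # PATCH shows this byte before asking for CC
    patched = img.data[target]                     # what now executes at 0F:1BBE: INT 3
    tail = bytes(img.data[target + 1:target + 5])  # rest of the CALL is untouched
    img.restore(target)                            # E CS:IP, then type the original byte
    return target, original, patched, tail, img.data[target]


if __name__ == "__main__":
    t, o, p, tail, r = demo()
    print(f"patch file offset {t:04X}: {o:02X} -> {p:02X}, tail {tail.hex()}, restored {r:02X}")
```

The bounds check in file_offset is the caveat the hand calculation hides: segment 3 has 007cb bytes in the file but 00960 in memory, so an offset such as 0800 has a perfectly valid seg:offset address at run time and no byte in the file to patch.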