
好的，這是我的問題：在將一個變量推入堆棧、並爲局部變量創建空間之後，在我從過程返回之前，如何使用 DumpMem 顯示堆棧？（標題：如何在彙編程序中使用 DumpMem 顯示堆棧）

include irvine32.inc 

.data 
X sdword 10, -10, 20, -20, 30, -30, 40, -40  ; eight signed DWORDs; only its address (offset X) is pushed for StackProcedure, the values are never read

.code 
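begin:
; Program entry (see `end begin`): pass the address of X to StackProcedure,
; then jump to the exit label.  Without the jump, execution would fall
; through into StackProcedure's body a second time and its `ret` would
; pop the pushed argument as a return address.
    mov ecx, offset x               ; argument: address of X
    push ecx
    call StackProcedure
    add esp, 4                      ; StackProcedure does not remove the argument
    jmp finfin                      ; exit; never fall through into the PROC below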

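StackProcedure PROC USES esi ecx
;-----------------------------------------------------------------------
; Reserves 32 bytes of local stack space below EBP and fills them with '*'.
; In:    one DWORD pushed by the caller (not read here, left on the stack
;        for the caller to remove).
; Out:   nothing.
; Clobb: flags.  ESI and ECX are saved/restored by USES so the caller's
;        values survive; the original version silently overwrote them.
;-----------------------------------------------------------------------
    push ebp
    mov ebp, esp
    sub esp, 32                     ; locals: [ebp-32 .. ebp-1]

    lea esi, [ebp-32]               ; esi = first local byte
    mov ecx, 32                     ; ecx = bytes left to fill
fill:
    mov BYTE PTR [esi], '*'
    inc esi
    dec ecx
    jnz fill

    mov esp, ebp                    ; release the locals
    pop ebp
    ret
StackProcedure ENDP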

finfin:
; Process exit with code 0.  This is what `invoke exitProcess,0` expands to
; under STDCALL: push the argument, then call.
    push 0                          ; dwExitCode
    call exitProcess
end begin 

回答


Irvine 的 DumpMem 只需要三個寄存器中的值作爲輸入。只有這些寄存器會被用到；當函數返回時，其他所有內容（寄存器、內存、堆棧）都不會改變。所以，它的使用很容易：

include irvine32.inc 

.data 
    X sdword 10, -10, 20, -20, 30, -30, 40, -40  ; eight signed DWORDs; only its address (offset X) is pushed by main, the values are never read

.code 

StackProcedure PROC
;-----------------------------------------------------------------------
; Reserves 32 bytes below EBP, fills them with '*' and lets Irvine's
; DumpMem print 48 bytes starting at ESP: the 32 local bytes, the saved
; EBP, the return address, the DWORD pushed by the caller and 4 bytes
; above it.
; In:    one DWORD pushed by the caller (not read; caller removes it).
; Clobb: EBX, ECX, ESI, flags.
;-----------------------------------------------------------------------
    push ebp
    mov ebp, esp
    sub esp, 32                     ; locals: [ebp-32 .. ebp-1]

    lea esi, [ebp-32]               ; esi = first local byte
    mov ecx, 32                     ; ecx = bytes left to fill
fill:
    mov BYTE PTR [esi], '*'
    inc esi
    dec ecx
    jnz fill

    mov ebx, 1                      ; DumpMem unit size: 1 = byte
    mov ecx, 48                     ; DumpMem byte count
    mov esi, esp                    ; DumpMem start address = lowest local byte
    call DumpMem

    mov esp, ebp                    ; release the locals
    pop ebp
    ret
StackProcedure ENDP

main PROC
; Entry point: pass the address of X to StackProcedure, then exit.
; The pushed argument is not removed afterwards; exitProcess ends the
; process immediately, so the stack state no longer matters.
    push OFFSET x                   ; argument for StackProcedure
    call StackProcedure
    invoke exitProcess, 0
main ENDP

END main 

我想這其實並不是所問的問題。Irvine 的 DumpMem 除了起始地址之外不顯示其他地址，也不顯示反彙編器轉儲中通常會有的對應 ASCII 字符。由於它有自己的輸出格式（標題和換行符），因此無法嵌入到提供附加信息的函數之間。下面是一個函數，它在一行中顯示 16 個字節的地址、十六進制值和 ASCII 字符：

include irvine32.inc 

.data 
    X sdword 10, -10, 20, -20, 30, -30, 40, -40  ; eight signed DWORDs; only its address (offset X) is pushed by main, the values are never read

.code 

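DumpMemLine PROC C USES EBX ESI, address:PTR  ; dumps 16 bytes hex & char 
;-----------------------------------------------------------------------
; void DumpMemLine(const void *address)      -- C convention, caller cleans
; Writes one line: the address as 8 hex digits, two spaces, the 16 bytes
; at address as two hex digits each (space separated), one more space,
; the same 16 bytes as characters, then a line feed.
; Uses Irvine's WriteHex, WriteHexB and WriteChar.
; Clobb: EAX, ECX, flags (EBX and ESI are restored by USES).
; Fix vs. the first version: the substitution of "cooked" characters was
; applied before WriteHexB, so bytes 7,8,9,10,13 were shown as 20h in the
; hex column while the character column printed them raw.  The hex column
; now shows every byte as stored; the substitution is done only in the
; character column.
;-----------------------------------------------------------------------
    mov eax, address
    call WriteHex                   ; 8 hex digits of the address
    mov al, ' '
    call WriteChar                  ; two separating spaces
    call WriteChar

    ; Hex column: every byte exactly as stored, no substitution.
    mov esi, address
    mov ecx, 16
    mov ebx, 1                      ; WriteHexB size: 1 = one byte (two hex digits)
hexloop:
    mov al, [esi]
    call WriteHexB
    mov al, ' '
    call WriteChar
    inc esi
    dec ecx
    jnz hexloop
    call WriteChar                  ; extra space between the columns

    ; Character column.  WriteChar "cooks" 7,8,9,10,13 (bell, backspace,
    ; tab, line feed, carriage return), which would break the line layout,
    ; so those five codes are printed as a space.  Comparisons are
    ; unsigned, so 80h..FFh are passed through unchanged as well.
    mov esi, address
    mov ecx, 16
chrloop:
    mov al, [esi]
    cmp al, 14
    jae chrok                       ; >= 14: printed unchanged
    cmp al, 7
    jb chrok                        ; 0..6: printed unchanged
    cmp al, 11
    je chrok                        ; 11: printed unchanged
    cmp al, 12
    je chrok                        ; 12: printed unchanged
    mov al, ' '                     ; 7,8,9,10,13 -> space
chrok:
    call WriteChar
    inc esi
    dec ecx
    jnz chrloop

    mov al, 10
    call WriteChar                  ; end the line with a line feed
    ret
DumpMemLine ENDP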

StackProcedure PROC
;-----------------------------------------------------------------------
; Reserves 32 bytes below EBP, fills them with '*' and then shows the
; stack twice over the same 48 bytes starting at the lowest local byte:
; first with Irvine's DumpMem, then as three DumpMemLine rows of 16 bytes.
; The 48 bytes are the locals, the saved EBP, the return address, the
; DWORD pushed by the caller and 4 bytes above it.
; In:    one DWORD pushed by the caller (not read; caller removes it).
; Clobb: EAX, EBX, ECX, ESI, flags.
;-----------------------------------------------------------------------
    push ebp
    mov ebp, esp
    sub esp, 32                     ; locals: [ebp-32 .. ebp-1]

    lea esi, [ebp-32]               ; esi = first local byte
    mov ecx, 32                     ; ecx = bytes left to fill
fill:
    mov BYTE PTR [esi], '*'
    inc esi
    dec ecx
    jnz fill

    mov ebx, 1                      ; DumpMem unit size: 1 = byte
    mov ecx, 48                     ; DumpMem byte count
    mov esi, esp                    ; DumpMem start address = lowest local byte
    call DumpMem

    ; DumpMemLine is PROC C: the argument stays on the stack across the
    ; calls, so it can be advanced in place and removed once at the end.
    lea eax, [ebp-32]               ; same start address as for DumpMem
    push eax
    call DumpMemLine                ; bytes 0..15
    add DWORD PTR [esp], 16
    call DumpMemLine                ; bytes 16..31
    add DWORD PTR [esp], 16
    call DumpMemLine                ; bytes 32..47
    add esp, 4                      ; remove the argument

    mov esp, ebp                    ; release the locals
    pop ebp
    ret
StackProcedure ENDP

main PROC
; Entry point: pass the address of X to StackProcedure, then exit.
; The pushed argument is not removed afterwards; exitProcess ends the
; process immediately, so the stack state no longer matters.
    push OFFSET x                   ; argument for StackProcedure
    call StackProcedure
    invoke exitProcess, 0
main ENDP

END main 

我想你是想查看內存轉儲。如果是這樣，你可以用 GDB 調試器來調試你的程序；通過設置斷點，你也可以看到內存的細節，如寄存器、段、控制寄存器、幀等。請跟隨下面的鏈接以獲得更多關於 GDB 的信息：

http://www.yolinux.com/TUTORIALS/GDB-Commands.html