1	Practical Foundations of Debugging Chapter 3 Bytes, words, double words and pointers to memory
2	Using hexadecimal numbers WinDbg disassembly: mov [a], 12 mov [a], 0xC In C language: a = 12; a = 0xC;
3	Bytes, words and double words
4	Bits, bytes, words and double words Bit 12_dec 1100_binvalue = 0 or 1 Byte (unsigned char) 8 bits 00001100_bin 0C_hex value 0_dec - 255_dec or 0_hex - FF_hex Word (unsigned short) 16 bits 0000000000001100_bin000C_hex value 0_dec - 65535_dec or 0_hex - FFFF_hex Double word (unsigned int, unsigned) bits 00000000000000000000000000001100_bin value 0_dec - 4294967295_dec or 0_hex - FFFFFFFF_hex
5	Memory layout (Picture 1) Minimal addressable element is memory byte Maximum addressable element is double word All registers are 32-bits and can contain double word value
6	Picture 1
7	Pointers revisited Pointer is a memory cell or a register that contains the address of another memory cell. Has its own address (as any memory cell) Pointers are always 32-bit (Windows) Memory cell can be byte, word or double word Pointer to byte (byte ptr), pointer to word (word ptr), pointer to double word (dword ptr)
8	Addressing types (Picture 6) byte ptr [eax] (Pictures 2,3) mov byte ptr [eax], 0xFF word ptr [eax] mov word ptr [eax], 0xFFFF dword ptr [eax] (Pictures 4,5) mov dword ptr [eax], 0xFFFFFFFF
9	mov byte ptr [eax], 0xFF
10	Picture 3
11	mov dword ptr [eax], 0xFF
12	Picture 5
13	Picture 6
14	Registers revisited EAX, EBX, ECX, EDX can be used as pointers Additionally: EAX and EDX contains the multiplication result after executing imul instruction ECX is often used as a loop counter for (int i = 0; i < N ; ++i)
15	NULL pointers Addresses 0x00000000 – 0x0000FFFF are specifically made inaccessible mov eax, 0xF mov [eax], 1 // Access violation
16	Invalid pointers NULL pointers Pointers to inaccessible memory Pointers pointing to “random” memory Uninitialized pointers Dangling pointers
17	“Pointers to memory” Project – Memory Layout and Registers Two memory addresses (locations): “a” and “b” int a, b; Two memory addresses (locations): “pa” and “pb” int pa, pb; int *pa is a pointer to int (memory cell pa contains the address of another memory cell that contains an integer value)
18	Pointer initialization int b; // uninitialized variable int pb; // uninitialized pointer pb = &b; // [pb] contains the address b int b = 12; // initialized variable int pb = &b; // initialized pointer Pointers are also variables
19	Memory segments Different places in memory (address ranges) .DATA All initialized global and static variables (including pointers) .BSS (block storage space) All uninitialized global and static variables (including pointers)
20	Why different memory segments? (Picture 7) int array[1000000]; // 4Mb Program size on disk is 32Kb array is put into .BSS segment that contains only information about its size int array[1000000] = { 12 }; Program size on disk 3.84Mb array is put into .DATA segment and contains { 12, 0, 0, 0, 0 … }
21	Picture 7
22	More pseudo notation [a] means contents at the address a [eax] means contents at the address stored in eax (eax is a pointer) [pa] means contents at the address stored at the address pa, called dereferencing a pointer whose address is pa int pa = &a; int b = *pa;
23	“Pointers” Project – Calculations (Picture 8) [pa] := address a [pa] := 1 ; [a] = 1 [pb] := 1 ; [b] = 1 [pb] := [pb] + *[pa] ; [b] = 2
24	"WinDbg output" WinDbg output: 004126ce 8d057c854200 lea eax,[MemoryPointers!a (0042857c)] 004126d4 a374854200 mov [MemoryPointers!pa (00428574)],eax 004126d9 a174854200 mov eax,[MemoryPointers!pa (00428574)] 004126de c60001 mov byte ptr [eax],0x1 004126e1 8b1d407b4200 mov ebx,[MemoryPointers!pb (00427b40)] 004126e7 c60301 mov byte ptr [ebx],0x1 004126ea 8b08 mov ecx,[eax] 004126ec 030b add ecx,[ebx] 004126ee 890b mov [ebx],ecx
25	Picture 8
26	What’s next? More instructions Instruction pointer Disassemble a program written in C