Common Memory References
There are a number of points in memory to which it is common to
refer, e.g., the address of the instruction at the top of the
disassembly window. These references are made easier by using one of
the following shortcuts (all of which can be used anywhere on the
command line where an address is expected such as BD .CODE, or BD .DATA L4
W):
| .EA |
Effective Address of the first (or only) operand to the
instruction at the top of the disassembly window |
| .EA2 |
Effective Address of the second operand to the instruction at
the top of the disassembly window |
| .GDT |
GDT base address (using selector zero) |
| .IDT |
IDT base address (using selector zero) |
| .LDT |
LDT base address (using selector zero) |
| .TSS |
TSS base address (using selector zero) |
| .CMAC |
Seg:Off of next C MAC entry -- equivalent to .DATA + 2 + FFFE & [.DATA |
| .CODE |
current code display address |
| .CSIP |
current cs:[e]ip |
| .DATA |
current data display address |
| .DMAC |
Seg:0 of first DOS MAC entry |
| .NMAC |
Seg:0 of next DOS MAC entry -- equivalent to ((S..DATA)+1+[.DATA+3):0 |
| .LBRFR |
EIP of Last Branch From |
| .LBRTO |
EIP of Last Branch To |
| .LEXFR |
EIP of Exception From |
| .LEXTO |
EIP of Exception To |
| .MDB |
Base address of the current Module Database (Windows only) |
| .PMIxx |
Sel|Off of PM Interrupt xxh |
| .RMIxx |
Seg:Off of RM interrupt # xx |
| .TDB |
Base address of the current Task Database (Windows only) |
| .VM |
Sel|Off of current Windows VM structure |
| .VMIxx |
Seg:Off of VM interrupt # xx |
| .VMRET |
Return CS|EIP saved in .VMSTK at .VMSTK+50 (DPMI fn 0300) or .VMSTK+150 (emulated INT) |
| .VMSTK |
Sel|Off of stack saved in .VM |
| .XBDA |
Seg:Off of XBDA; same as ([40:0E):0 |
| .XBDA2 |
Seg:Off of 2ndary XBDA; same as ((S..XBDA)+[.XBDA+B4):0 |
A common address to jump to is the (near or far) return address of
a subroutine. This is made easier by using shortened forms of the
commands one might use to extract these addresses. The various
flavors of return addresses are (where LaSTK is the address of the
current stack pointer -- SS:SP if VM,
SS|SP if PM and the B-bit in SS is clear,
and SS|ESP if PM and the B-bit in
SS is set):
| Keyword |
Grammar Equivalent |
Meaning |
| .RETND |
{LaSTK |
Near dword |
| .RETNS |
[LaSTK |
Near word |
| .RETFD |
:{LaSTK or |{LaSTK |
Far word:dword or word|dword (depending upon the
VM bit in the current EFL) |
| .RETFS |
:[LaSTK or |[LaSTK |
Far word:word or word|word (depending upon the VM
bit in the current EFL) |
| .RETN |
.RETND or .RETNS |
Depending upon the D-bit in CS |
| .RETF |
.RETFD or .RETFS |
Depending upon the D-bit in CS |
| .IRET |
.RETF in VM
.RETFD in PM |
Also allows mode switch from PM to VM by checking
VM bit in EFL above return address |
As a common shortcut, .RETN and .RETF refer to one of the above forms depending
upon the setting of the D-bit in the current CS (that is, whether we're running in a USE16 or
USE32 segment). Moreover, .IRET can be
used as a shorthand for .RETF with the
added check on the VM bit in the EFL above
the return address. If this bit is set, the return address is
interpreted as a VM address even though the current mode is PM.
No magic is invoked to extract the return address if data has been
pushed onto the stack below the return address, so be sure that LaSTK
points to the actual return address.
Also note that the keystrokes A-F and A-N are defined as shortcuts for the
commands G .RETF and G
.RETN, respectively.
NARS2000
© 2006-2020
|
|
|
Comments or suggestions? Send them to
.
|