Using Step to Address Command

WinDBG has a command called pa (Step to Address). According to the official documentation, it executes the program until the specified address is reached, displaying register and memory access results at each step.

I rarely used this command until I found that there is a way to run pa until the end of the current routine is reached, using:

pa @$ra

In this case, the result is the step trace information from the start of the routine until the control is returned to the caller.

One advantage of this command is that it doesn't trace into other routines that are called within the tracing scope.

This step trace information can be saved to a file for further analysis.

In one reverse engineering session, I used this command to determine the exact location of a class instance structure, as described below.

During a Lotus Notes reverse engineering session, I wanted to determine which memory location a routine accessed to obtain the child node of an object.

More specifically, the problem was to determine the memory location from which the table object (CEdTableBoxData) gives its first cell object (CEdCell).

I had determined the routine in question to be:

CEdTableAccess::_accHitTest

This is because, after this call:

61e02506 ff92b4000000    call    dword ptr [edx+0B4h] ds:0023:6209c91c=61e033a0 CEdTableAccess::_accHitTest(long,long,struct tagVARIANT *,long *)
eax=00000001 ebx=0013f354 ecx=6209ca08 edx=0013eee4 esi=0013f0fc edi=05bc3f14
eip=61e0250c esp=0013eedc ebp=0013eee8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

The ecx register contains the vftable of the CEdCellAccess class instance, which is the first child of the CEdTableBoxData. (Actually the CEdCellAccess is derived from the parent CEdCell object, but for the purpose of this illustration, I will assume that the CEdCellAccess is the child of CEdTableBoxData).

So, some code in CEdTableAccess::_accHitTest assigned the ecx register the value I want to get. But at which location exactly is this value assigned?

Using the indispensable pa command, I traced the program up to the routine in question, ran pa until the return address was reached, and saved the result to a file.

Now, from the step trace information obtained from the pa command, I searched for the string “6209ca08” and found that ecx is first assigned this value at:

61e035c3 8b08            mov     ecx,dword ptr [eax]  ds:0023:06ceced4=6209ca08
eax=06ceced4 ebx=0589337c ecx=6209ca08 edx=00310710 esi=0013f0fc edi=0589337c
eip=61e035c5 esp=0013ee94 ebp=0013eec4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

The value in the eax register is obtained at:

:61E035BE E88D950000              call 61E0CB50 ;;CEdCell::GetIAccessible(int)

Examining this function revealed that this object is actually obtained from the CEdCell instance that is assigned using the ebx register:

:61E035B2 8B7510                  mov esi, dword[ebp+10]
:61E035B5 6A01                    push 001
:61E035B7 8BCB                    mov ecx, ebx ;;ebx=Instance of 6209CD88 CEdCell::`vftable'
:61E035B9 66C7060900              mov word[esi], 0009
:61E035BE E88D950000              call 61E0CB50 ;;CEdCell::GetIAccessible(int)

The step trace information revealed that the ebx register holds the memory location 0x0589337c. Using “0589337c” as the search string, I get:

61e03545 e8b6ea99ff      call    nnotesws!NEMKillCommonTimer+0x26500 (617a2000)
eax=00000000 ebx=05892f6c ecx=0589337c edx=00000114 esi=066dc214 edi=05892f6c
eip=61e0354a esp=0013ee94 ebp=0013eec4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

Again, by examining this function, this is actually accessed from:

:61E03543 8BCF                    mov ecx, edi ;;Instance of 6209CD88 CEdCell::`vftable'
:61E03545 E8B6EA99FF              call 617A2000 ;;CEdCell::IsDocPointInCell(struct DOCPOINT *)

The memory location in the edi register is 0x05892f6c, which is assigned at:

61e034ff 8bb9c0000000    mov     edi,dword ptr [ecx+0C0h] ds:0023:05892e9c=05892f6c
eax=00000000 ebx=05892bb4 ecx=05892ddc edx=00000000 esi=066dc214 edi=05892f6c
eip=61e03505 esp=0013ee94 ebp=0013eec4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

The ecx register itself holds the class instance of CEdTableBoxData. So I have now resolved the above problem by stating that:

The first child of CEdTableBoxData is located at offset 0xC0 in this class instance structure.

Case closed 🙂
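
The manual search through the saved trace can be scripted. The following Python sketch is an added example, not part of the original post: it parses a saved step trace (for instance one captured with WinDbg's .logopen), finds the first step after which a register holds a given value, and recomputes the 0xC0 offset from the logged memory operand. The function names are hypothetical, and the embedded trace is limited to three excerpts quoted in the post.

```python
import re

# Three excerpts copied from the post's trace, oldest first, register dumps cut
# to their first line. A real `pa @$ra` log holds every step in between.
TRACE = """\
61e034ff 8bb9c0000000    mov     edi,dword ptr [ecx+0C0h] ds:0023:05892e9c=05892f6c
eax=00000000 ebx=05892bb4 ecx=05892ddc edx=00000000 esi=066dc214 edi=05892f6c
61e03545 e8b6ea99ff      call    nnotesws!NEMKillCommonTimer+0x26500 (617a2000)
eax=00000000 ebx=05892f6c ecx=0589337c edx=00000114 esi=066dc214 edi=05892f6c
61e035c3 8b08            mov     ecx,dword ptr [eax]  ds:0023:06ceced4=6209ca08
eax=06ceced4 ebx=0589337c ecx=6209ca08 edx=00310710 esi=0013f0fc edi=0589337c
"""

INSTR = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(.+)$")   # addr, bytes, asm
REG = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{8})\b")         # e.g. eax=06ceced4
MEM = re.compile(r"\b[c-gs]s:[0-9a-f]{4}:([0-9a-f]{8})=([0-9a-f]{8})")

def parse_steps(text):
    """Pair each instruction line with the register dump printed after it."""
    steps = []
    for line in text.splitlines():
        m = INSTR.match(line.strip())
        if m:
            steps.append({"addr": m.group(1), "asm": m.group(2), "regs": {}})
        elif steps:
            steps[-1]["regs"].update(REG.findall(line))
    return steps

def first_assignment(steps, reg, value):
    """First step after which `reg` holds `value` and did not before."""
    prev = None
    for step in steps:
        cur = step["regs"].get(reg)
        if cur == value and prev != value:
            return step
        prev = cur
    return None

def memory_read(step):
    """(address, value) from the 'ds:0023:addr=value' annotation, if any."""
    m = MEM.search(step["asm"])
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

if __name__ == "__main__":
    steps = parse_steps(TRACE)
    hit = first_assignment(steps, "edi", "05892f6c")
    addr, _ = memory_read(hit)
    print(hit["addr"], hex(addr - int(hit["regs"]["ecx"], 16)))
```

The offset arithmetic is valid here because the mov does not modify ecx, so the register dump printed after the step still shows the base pointer.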
