In Depth Analysis of ABAP Execution Process

Let's apply the information obtained in the previous article to analyze the execution process of one SAPMSYST variant.

The dynpro steps that govern the execution of this program are located in the D020L table. The block is marked by the *DSTP* signature, and each record has a variable length that is specified by its first DWORD (blue box):

The picture above shows the boundary of the first dynpro record, which has a length of 0x14 (20 decimal); the portion of the record that holds the overall record size is marked by the red box.

Below is a sample of one DYNPRO record (i.e. the first one):

The blue box above denotes the module type: 0x90 denotes a user-defined module; the other type is system-defined.

The red box above, at offset 0x0B with the value 0x08, holds the module name offset, which refers into the method table, also stored in D020L:

The method table in D020L is marked by the *DMTB signature; for the sample above, the value 0x08 is an offset into the *DMTB block.

Below is the module record retrieved at offset 0x08:

The value at offset 0x04 (red box) is the module index, which will be described in a moment.

In this variant of the SAPMSYST program there are 3 user-defined modules registered: FILL_INFO_TAB, D020_LOGON_WITH_SNC and D020_GET_USER_DATA.

So FILL_INFO_TAB should be the first module executed by the ABAP system, but according to the log, the first module to run is %_CTL_INIT:

Y dynppbo0
Y ->module %_CTL_INIT prog >SAPMSYST<

This execution step is hard-coded in the dynppbo0 routine.

So, what information does the ABAP system use to arrange the dynpro steps above, i.e. starting with FILL_INFO_TAB? It is the screen flow-logic source of SAPMSYST itself:

module fill_info_tab.

Now let's see how the ABAP system performs the low-level execution of the dynpro step above. Remember that the first module executed is the hard-coded %_CTL_INIT. Below is the module record of %_CTL_INIT:

The value at offset 0x04 (red box) is the module index. To get to the corresponding low-level code, this index is first used to look up a cg_trig record:

This record resides in the D010L table. The signature of this structure is 0x44 (red box), and each record also has a size of 0x44 bytes. Because the module index of %_CTL_INIT is 0x01, the ABAP system retrieves this cg_trig record:

Next, the value at offset 0x00 (red box) is used as an index into the cg_cont records, which hold the actual low-level intermediate code.

This is the portion of the cg_cont structure inside the SAPMSYST load; it has the 0x45 marker (red box), and each record has a size of 0x04 bytes (blue box):

For the value 0x13, the retrieved cg_cont record is:

To obtain the actual operating-system-level code, the first value in the cg_cont record is used as an index into the contab structure. This structure is a global variable inside SAP's disp+work.exe. Below is an in-memory sample of the contab structure:

Each contab entry is 0x18 bytes in size, and its fields are described below (the adjacent pointer fields at 0x08 and 0x0c imply 4-byte pointers, i.e. a 32-bit disp+work.exe):

– offset 0x00 contains a pointer to the abbreviated instruction name
– offset 0x08, if it is not null or 0x1, contains the pointer to the ABAP low-level execution routine
– offset 0x0c, if it is not null, contains the pointer to the intermediate routine for compound instructions
– offset 0x14 contains a pointer to the long instruction name

For the value 0x81, this refers to:

Examining the in-memory names, this instruction is the mvqk variant of the MOVE instruction, whose low-level assembly routine is at 0x57ddeb. This instruction is part of the %_CTL_INIT module:

* After loading the dynpro
MODULE %_ctl_init OUTPUT. *#PBO
%_repid = sy-repid.
PERFORM %_ctl_init IN PROGRAM sapmssyd USING %_repid IF FOUND.

From the source above, the MOVE instruction is clearly the low-level execution of:

%_repid = sy-repid.

The intermediate instruction for MOVE has a size of 0x08, i.e. it occupies two 4-byte cg_cont records, so the next intermediate instruction starts two records later:

From the source above, index 0x9D should be the low-level instruction corresponding to:

PERFORM %_ctl_init IN PROGRAM sapmssyd USING %_repid IF FOUND.

Let's verify that this is indeed correct:

Examining the memory with the debugger, we get:

The ABAP system then steps into the called routine until it reaches the end of the %_ctl_init module, and the sequence above is repeated for the next DYNPRO step.
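The whole lookup chain above (*DSTP step, *DMTB module record, cg_trig, cg_cont, contab) can be expressed as a small walker. The script below is an added example written for this page, not code from the article or from SAP, and it runs on constructed byte blobs rather than real load data. Field positions the article states (first DWORD = record length, +0x0B name offset, +0x04 module index, 0x44/0x45 markers, record sizes 0x44 and 0x04, contab offsets 0x00/0x08/0x0c/0x14, 8-byte MOVE, handler 0x57ddeb) are marked "article" in the comments; the block headers, the position of the type byte, 0-based indexing, the module indexes of the three user modules, the load address and the placeholder mnemonic "op9d" for opcode 0x9D are assumptions made only so the sample is self-contained, and are marked ASSUMED or "constructed".

```python
"""Walk the chain  *DSTP step -> *DMTB module record -> cg_trig -> cg_cont -> contab
on constructed data.  'article' = offset stated in the text; ASSUMED = chosen here."""
import struct

# ---- D020L: *DMTB module table.  article: DWORD at +0x04 = module index.
# ASSUMED: 8-byte "*DMTB" header; record = DWORD unused | DWORD index | NUL name, 4-aligned.
MODULES = [("FILL_INFO_TAB", 2),           # ASSUMED indexes for the three user modules
           ("D020_LOGON_WITH_SNC", 3),
           ("D020_GET_USER_DATA", 4),
           ("%_CTL_INIT", 1)]              # article: module index 0x01

def build_dmtb():
    blob, offsets = b"*DMTB\0\0\0", {}
    for name, idx in MODULES:
        offsets[name] = len(blob)           # FILL_INFO_TAB lands at 0x08, as in the article
        rec = struct.pack("<II", 0, idx) + name.encode() + b"\0"
        blob += rec + b"\0" * (-len(rec) % 4)
    return blob, offsets

def dmtb_module(dmtb, offset):
    idx = struct.unpack_from("<I", dmtb, offset + 0x04)[0]
    return dmtb[offset + 8:dmtb.index(b"\0", offset + 8)].decode(), idx

# ---- D020L: *DSTP steps.  article: first DWORD = length, +0x0B = *DMTB offset,
# type 0x90 = user-defined.  ASSUMED: 8-byte header, type byte at +0x04.
def build_dstp(offsets, names):
    blob = b"*DSTP\0\0\0"
    for n in names:
        rec = bytearray(0x14)               # article: the first record is 0x14 bytes long
        struct.pack_into("<I", rec, 0, 0x14)
        rec[0x04], rec[0x0B] = 0x90, offsets[n]
        blob += bytes(rec)
    return blob

def dynpro_steps(dstp, dmtb):
    steps, pos = [], 8
    while pos + 4 <= len(dstp):
        length = struct.unpack_from("<I", dstp, pos)[0]
        if length < 0x0C or pos + length > len(dstp):   # must at least cover +0x0B
            raise ValueError("corrupt *DSTP record at 0x%x" % pos)
        kind = "user" if dstp[pos + 0x04] == 0x90 else "system"
        steps.append((kind,) + dmtb_module(dmtb, dstp[pos + 0x0B]))
        pos += length
    return steps

# ---- D010L: cg_trig (marker 0x44, 0x44-byte records) and cg_cont (marker 0x45, 4-byte records).
# article: cg_trig[module index] +0x00 = cg_cont index; first value of cg_cont = contab index.
# ASSUMED: a single marker byte precedes the records, indexes are 0-based, opcode = first byte.
def build_cg_trig(entries):
    blob = bytearray(1 + (max(entries) + 1) * 0x44)
    blob[0] = 0x44
    for mi, ci in entries.items():
        struct.pack_into("<I", blob, 1 + mi * 0x44, ci)
    return bytes(blob)

def cg_trig_lookup(blob, module_index):
    if blob[0] != 0x44:
        raise ValueError("not a cg_trig block")
    return struct.unpack_from("<I", blob, 1 + module_index * 0x44)[0]

def cg_cont_record(blob, idx):
    if blob[0] != 0x45:
        raise ValueError("not a cg_cont block")
    return blob[1 + idx * 4:1 + idx * 4 + 4]

# ---- disp+work.exe: contab, 0x18-byte entries with 32-bit pointers.  article: +0x00 -> short
# name, +0x08 exec routine (0 or 1 = none), +0x0C compound routine, +0x14 -> long name.
CONTAB_FMT = "<I4xII4xI"                    # 0x00, 0x08, 0x0C, 0x14 of a 0x18-byte entry

def build_memory(ops, base=0x00A00000):    # ASSUMED load address of the string/contab region
    mem, strs = bytearray(), {}
    for abbr, long_, _exe, _comp in ops.values():
        for s in (abbr, long_):
            if s not in strs:
                strs[s] = base + len(mem)
                mem += s.encode() + b"\0"
    mem += b"\0" * (-len(mem) % 8)
    contab = base + len(mem)
    tab = bytearray((max(ops) + 1) * 0x18)
    for idx, (abbr, long_, exe, comp) in ops.items():
        struct.pack_into(CONTAB_FMT, tab, idx * 0x18, strs[abbr], exe, comp, strs[long_])
    return bytes(mem + tab), base, contab

def read_cstr(mem, base, addr):
    off = addr - base
    return mem[off:mem.index(b"\0", off)].decode()

def contab_entry(mem, base, contab, idx):
    abbr_p, exe, comp, long_p = struct.unpack_from(CONTAB_FMT, mem, contab - base + idx * 0x18)
    handler = exe if exe not in (0, 1) else comp      # article: 0/1 at +0x08 = no direct routine
    return read_cstr(mem, base, abbr_p), read_cstr(mem, base, long_p), handler

# ---- the walk.  article: the mvqk MOVE instruction is 8 bytes; ASSUMED: others are 4.
INSN_SIZE = {0x81: 8}

def trace_module(module_index, cg_trig, cg_cont, mem, base, contab, count):
    """[(cg_cont index, contab index, short name, long name, handler)] for `count` instructions."""
    out, idx = [], cg_trig_lookup(cg_trig, module_index)
    for _ in range(count):
        op = cg_cont_record(cg_cont, idx)[0]
        out.append((idx, op) + contab_entry(mem, base, contab, op))
        idx += INSN_SIZE.get(op, 4) // 4
    return out

def run_sample():
    dmtb, offs = build_dmtb()
    dstp = build_dstp(offs, ("FILL_INFO_TAB", "D020_LOGON_WITH_SNC", "D020_GET_USER_DATA"))
    cg_trig = build_cg_trig({1: 0x13, 2: 0x20, 3: 0x24, 4: 0x28})  # article: 1 -> 0x13; rest ASSUMED
    recs = [b"\0\0\0\0"] * 0x30
    recs[0x13] = b"\x81\0\0\0"               # article: mvqk at 0x13, spanning 0x13 and 0x14
    recs[0x15] = b"\x9d\0\0\0"               # article: next opcode is 0x9D
    cg_cont = b"\x45" + b"".join(recs)
    mem, base, contab = build_memory({
        0x81: ("mvqk", "MOVE", 0x57DDEB, 0),                  # article: routine at 0x57ddeb
        0x9D: ("op9d", "(mnemonic not given)", 1, 0x580000),  # constructed: takes the compound path
    })
    return dynpro_steps(dstp, dmtb), trace_module(1, cg_trig, cg_cont, mem, base, contab, 2)

if __name__ == "__main__":
    steps, trace = run_sample()
    print("dynpro steps:", steps)
    for idx, op, abbr, long_, handler in trace:
        print("cg_cont[0x%02x] -> contab[0x%02x] %s (%s) @ 0x%x" % (idx, op, abbr, long_, handler))
```

The walker deliberately validates the 0x44/0x45 markers and the *DSTP record length before dereferencing anything; when the same chain is followed on a real load dump, a marker mismatch or an undersized record is the first sign that a block boundary or the record width has been misjudged.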

