All geek questions in one place

How to configure Visual Studio 2008 to display the true EIP address in a disassembly window?

The Visual Studio 2008 debugger displays relative addresses in a disassembly window, as shown in the following snippet:

00000548 8B 4D B8 mov ecx,dword ptr [ebp-48h] 0000054b 8B 01 mov eax,dword ptr [ecx] 0000054d FF 50 28 call dword ptr [eax+28h] 00000550 89 85 44 FF FF FF mov dword ptr [ebp+FFFFFF44h],eax 00000556 8B 8D 44 FF FF FF mov ecx,dword ptr [ebp+FFFFFF44h] 0000055c E8 2F 1D 2C 76 call 762C2290 00000561 90 nop

Please note that the address values ​​are too low to be real addresses. When I am at 0x548 (first line), my EIP is 0x034D1A90. How to configure the debugger / disassembly window to display a real address (e.g. 0x034D1A90) instead of a relative address (e.g. 0x0548)?

+4
source share
1 answer

Yes, this is a bug in the debugger. The addresses that it calculates are based on the address indicated on the left. Which are fake, the actual machine code does not start at address 0. It does not have the ability to show real addresses.

To find the destination address of a real call, you must set a breakpoint in the call command. When it hits, use the Debug + Windows + registers and copy / paste the value of the EIP register into your calculator. Then add the value of the call argument and subtract the address value as shown on the left. This is a real address.

To view the machine code there, you need to switch the debugger to non-control mode. Debug + Windows + Call Stack and double-click one of the frames of the unmanaged method stack. Below if you are not sure. Now you enter "0x" in the "Address" field and copy / paste the address that you calculated. Make sure the character server is turned on.

+4
source

Source: https://habr.com/ru/post/1347381/

More articles:


All Articles