1.16. LOOPS
We load loops_2.exe.idc into IDA and see:
Figure 1.57: IDA with .idc-script loaded
We see that ESI can be from 2 to 9 at the start of the loop body, but from 3 to 0xA (10) after the increment.
We can also see that main() is finishing with 0 in EAX.
tracer also generates loops_2.exe.txt, which contains information about how many times each instruction has been executed, together with the register values observed:
Listing 1.167: loops_2.exe.txt
0x401020 (.text+0x20), e= 1 [PUSH ESI] ESI=1
0x401021 (.text+0x21), e= 1 [MOV ESI, 2]
0x401026 (.text+0x26), e= 8 [PUSH ESI] ESI=2..9
0x401027 (.text+0x27), e= 8 [CALL 8D1000h] tracing nested maximum level (1) reached, skipping this CALL 8D1000h=0x8d1000
0x40102c (.text+0x2c), e= 8 [INC ESI] ESI=2..9
0x40102d (.text+0x2d), e= 8 [ADD ESP, 4] ESP=0x38fcbc
0x401030 (.text+0x30), e= 8 [CMP ESI, 0Ah] ESI=3..0xa
0x401033 (.text+0x33), e= 8 [JL 8D1026h] SF=false,true OF=false
0x401035 (.text+0x35), e= 1 [XOR EAX, EAX]
0x401037 (.text+0x37), e= 1 [POP ESI]
0x401038 (.text+0x38), e= 1 [RETN] EAX=0
We can use grep here.
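Beyond grep, the trace format is regular enough to parse mechanically: the execution count (e= N) singles out the loop body, and the register annotations (ESI=2..9, EAX=0) give the value ranges the text reads off by eye. The following is an added example, not code from the book or from the tracer tool; the trace text is the listing above embedded as constructed input, and the line layout assumed by the regular expressions is my reading of that listing, not a documented tracer format.

```python
"""Parse a tracer per-instruction trace (the loops_2.exe.txt format above).

Added example, not part of the book or of tracer. The regexes assume the
line layout seen in the listing: "ADDR (SYM), e= COUNT [INSN] REG=VAL..."
where a register annotation is either a single value or a LOW..HIGH range,
written in hex ("0x...") or decimal.
"""
import re
from dataclasses import dataclass

# Constructed input: the trace reproduced from the listing above.
TRACE = """\
0x401020 (.text+0x20), e= 1 [PUSH ESI] ESI=1
0x401021 (.text+0x21), e= 1 [MOV ESI, 2]
0x401026 (.text+0x26), e= 8 [PUSH ESI] ESI=2..9
0x401027 (.text+0x27), e= 8 [CALL 8D1000h] tracing nested maximum level (1) reached, skipping this CALL 8D1000h=0x8d1000
0x40102c (.text+0x2c), e= 8 [INC ESI] ESI=2..9
0x40102d (.text+0x2d), e= 8 [ADD ESP, 4] ESP=0x38fcbc
0x401030 (.text+0x30), e= 8 [CMP ESI, 0Ah] ESI=3..0xa
0x401033 (.text+0x33), e= 8 [JL 8D1026h] SF=false,true OF=false
0x401035 (.text+0x35), e= 1 [XOR EAX, EAX]
0x401037 (.text+0x37), e= 1 [POP ESI]
0x401038 (.text+0x38), e= 1 [RETN] EAX=0
"""

# One trace line: address, symbolic location, execution count, instruction, trailing annotations.
LINE_RE = re.compile(
    r"^(?P<addr>0x[0-9a-fA-F]+) \((?P<sym>[^)]+)\), e=\s*(?P<count>\d+) "
    r"\[(?P<insn>[^\]]+)\](?P<rest>.*)$"
)
# A 32-bit register annotation: "ESI=2..9" (range) or "EAX=0" (single value).
# Flags like "SF=false,true" deliberately do not match.
REG_RE = re.compile(
    r"\b(?P<reg>E[A-Z]{2})=(?P<lo>0x[0-9a-fA-F]+|\d+)(?:\.\.(?P<hi>0x[0-9a-fA-F]+|\d+))?"
)


@dataclass
class TraceLine:
    addr: int
    count: int          # how many times the instruction executed
    insn: str
    regs: dict          # register name -> (lowest, highest) value observed


def _num(s):
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def parse_line(line):
    """Return a TraceLine, or None for lines that are not trace records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    regs = {}
    for r in REG_RE.finditer(m["rest"]):
        lo = _num(r["lo"])
        hi = _num(r["hi"]) if r["hi"] else lo
        regs[r["reg"]] = (lo, hi)
    return TraceLine(int(m["addr"], 16), int(m["count"]), m["insn"].strip(), regs)


def parse_trace(text):
    return [t for t in (parse_line(l) for l in text.splitlines()) if t is not None]


def loop_body(lines):
    """Instructions executed more than once; with a single loop this is its body."""
    return [t for t in lines if t.count > 1]


def register_range(lines, reg):
    """Overall (min, max) seen for a register across the given lines, or None."""
    seen = [t.regs[reg] for t in lines if reg in t.regs]
    if not seen:
        return None
    return (min(lo for lo, _ in seen), max(hi for _, hi in seen))


def return_value(lines):
    """EAX as annotated on the last RETN, i.e. main()'s return value."""
    rets = [t for t in lines if t.insn == "RETN"]
    return rets[-1].regs.get("EAX", (None, None))[0] if rets else None


if __name__ == "__main__":
    trace = parse_trace(TRACE)
    body = loop_body(trace)
    print("loop body:", len(body), "instructions, executed", body[0].count, "times")
    print("ESI in loop body:", register_range(body, "ESI"))
    print("main() returns:", return_value(trace))
```

Running the script reproduces the observations in the text: six instructions executed eight times each form the loop body, ESI ranges from 2 to 0xA across that body, and the final RETN is reached with EAX=0. The same parser applied to a longer trace lets you find nested loops (distinct execution counts) and check a register's bounds without reading every line.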
ARM
Non-optimizing Keil 6/2013 (ARM mode)
main
STMFD SP!, {R4,LR}
MOV R4, #2
B loc_368
loc_35C ; CODE XREF: main+1C
MOV R0, R4
BL printing_function
ADD R4, R4, #1
loc_368 ; CODE XREF: main+8