Assembly Language for Beginners

(Jeff_L) #1

free(0x20af9cf0)
free(): we have this block in our records, size=0x18
0x20AF9CF0: 43 00 00 00 50 00 00 00-10 00 00 00 20 00 74 00 "C...P....... .t."
0x20AF9D00: 20 8B B2 20 00 00 00 00- " .. .... "


We can easily see that the biggest blocks (with sizes 0x28 and 0x140) are just arrays of values up to ≈0x50. Wait... 0x50 is 80 in decimal representation. And 9*9=81 (standard Minesweeper configuration).


After a quick investigation, I found that each 32-bit element is indeed a cell coordinate. A cell is represented by a single number, its index inside a 2D array. The row and column of each mine are decoded like this: row=n / WIDTH; col=n % HEIGHT;


So when I tried to decode these two biggest blocks, I’ve got these cell maps:


try_to_dump_cells(). unique elements=0xa
........
..
......
.......*.


........
.......*
*.......
.......
.
......*..


try_to_dump_cells(). unique elements=0x44
*.**.
...**
***.*




**.
..
..

.
.**


It seems that the first block is just a list of the mines placed, while the second block is a list of free cells; but the second is somewhat out of sync with the first one, and its negative version coincides with the first only partially. Nevertheless, the first map is correct: we can peek into it in the log file while Minesweeper is still loaded and almost all cells are hidden, and click safely on the cells marked as dots here.
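As an added example (not the book's PIN tool, which is a C++ pintool, and not code from the log above), here is the decoding step in Python: a parser for the free() hex-dump lines in the format the log prints, the row/col formula quoted above, and a try_to_dump_cells()-style renderer. The 9x9 board is the size the text deduces, and the sample dump is constructed, not taken from the book.

```python
import re
import struct

# Board size the text deduces from "values up to 0x50" and 9*9 = 81 (assumption).
WIDTH, HEIGHT = 9, 9

# One hex-dump line in the log's format: 0xADDR: 43 00 00 00-50 00 ... "ascii"
HEX_LINE = re.compile(r'^0x[0-9A-Fa-f]+:\s*([0-9A-Fa-f \-]+?)\s*(?:"|$)')

def parse_dump(text):
    """Recover the block's raw bytes from dump lines; bytes are split by ' ' or '-'."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            data += bytes(int(b, 16) for b in re.split(r"[ \-]+", m.group(1)) if b)
    return bytes(data)

def decode_cell(n):
    """Exactly the decoding quoted in the text: row = n / WIDTH; col = n % HEIGHT
    (identical to n % WIDTH on a square board)."""
    return n // WIDTH, n % HEIGHT

def dump_cells(block):
    """Mimic try_to_dump_cells(): read the block as 32-bit little-endian cell indices,
    drop values that do not fit the board (sizes, pointers), render mines as '*'."""
    count = len(block) // 4
    values = struct.unpack("<%dI" % count, block[:count * 4])
    cells = sorted({v for v in values if v < WIDTH * HEIGHT})
    grid = [["."] * WIDTH for _ in range(HEIGHT)]
    for c in cells:
        row, col = decode_cell(c)
        grid[row][col] = "*"
    return cells, ["".join(r) for r in grid]

def render(dump_text):
    cells, rows = dump_cells(parse_dump(dump_text))
    return "try_to_dump_cells(). unique elements=%#x\n%s" % (len(cells), "\n".join(rows))

# Constructed sample (not from the book's log): a 0x28-byte block, i.e. 10 dwords = 10 mines.
SAMPLE_DUMP = """\
free(0x20af0000)
free(): we have this block in our records, size=0x28
0x20AF0000: 07 00 00 00 10 00 00 00-1B 00 00 00 24 00 00 00 "............$..."
0x20AF0010: 2D 00 00 00 2E 00 00 00-3A 00 00 00 3E 00 00 00 "-.......:...>..."
0x20AF0020: 4A 00 00 00 50 00 00 00-                         "J...P..."
"""

if __name__ == "__main__":
    print(render(SAMPLE_DUMP))
```

Note that a 0x28-byte block holds exactly ten 32-bit values, which matches the ten mines (unique elements=0xa) the log reports for the first block.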


So it seems that when the user first clicks somewhere, Minesweeper places 10 mines, then destroys the block holding the list of them (perhaps it copies all the data to another block before that?), so we can see it during the free() call.


Another fact: the method Array::Add(NodeType) modifies the blocks we observed, and is called from various places, including Board::placeMines(). But what is cool: I never got into its details; everything has been resolved using just PIN.


The files: https://github.com/DennisYurichev/RE-for-beginners/tree/master/DBI/minesweeper.


10.2.4 Exercise


Try to understand how rand()'s result is converted into coordinate(s). As a practical joke, make rand() output such results that the mines are placed in the shape of some symbol or figure.


10.3 Why “instrumentation”?


Perhaps this term comes from code profiling. There are at least two methods: 1) "sampling": you break into the running code as many times as possible (hundreds of times per second) and see where it is executing at that moment; 2) "instrumentation": the compiled code is interleaved with other code, which can increment counters, etc.


Perhaps DBI tools inherited the term?
