Integrating WinDbg and IDA for Improved Code Flow Analysis

Matt • July 30, 2011

00495001 calc!CCalcEngine::DoOperation =

0:000> BP 00495001
0:000> g

Entering in 1000 / 4 in calc

Breakpoint 0 hit
eax=00439220 ebx=0069c420 ecx=0069c278 edx=00000000 esi=0069c278 edi=00000000
eip=00495001 esp=0032e95c ebp=0032ea4c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
calc!CCalcEngine::DoOperation:
00495001 6a1c push 1Ch

Step through function until return instruction

0:000> PT
eax=00000000 ebx=0069c420 ecx=00495051 edx=00445310 esi=0069c278 edi=00000000
eip=00495051 esp=0032e95c ebp=0032ea4c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
calc!CCalcEngine::DoOperation+0xfa:
00495051 c20c00 ret 0Ch
0:000> g
0:004> .logopen "calc.log"

The following dump is the result of the operation 1000/4 in the function without stepping into calls (using the PA command):

 Opened log file 'calc.log'<br />0:004> lmp<br />start    end        module name<br />00470000 00530000   calc     <none>      <br />66580000 665bc000   oleacc   <none>      <br />73710000 73742000   WINMM    <none>      <br />739e0000 73adb000   WindowsCodecs <none>      <br />73ae0000 73af3000   dwmapi   <none>      <br />73ca0000 73e30000   gdiplus  <none>      <br />73e30000 73e70000   UxTheme  <none>      <br />73ed0000 7406e000   COMCTL32 <none>      <br />75290000 75299000   VERSION  <none>      <br />75d10000 75d1c000   CRYPTBASE <none>      <br />75f30000 75f7a000   KERNELBASE <none>      <br />76090000 760e7000   SHLWAPI  <none>      <br />760f0000 761c4000   kernel32 <none>      <br />76210000 76293000   CLBCatQ  <none>      <br />762b0000 7637c000   MSCTF    <none>      <br />76380000 763ce000   GDI32    <none>      <br />76460000 76479000   sechost  <none>      <br />76690000 76731000   RPCRT4   <none>      <br />76740000 76809000   USER32   <none>      <br />76810000 768bc000   msvcrt   <none>      <br />768c0000 76a1c000   ole32    <none>      <br />76a20000 76aaf000   OLEAUT32 <none>      <br />76f00000 76f9d000   USP10    <none>      <br />76fa0000 77bea000   SHELL32  <none>      <br />77bf0000 77d2c000   ntdll    <none>      <br />77d30000 77d3a000   LPK      <none>      <br />77d60000 77e00000   ADVAPI32 <none>      <br />77e00000 77e1f000   IMM32    <none>      <br /><br />Unloaded modules:<br />6d580000 6d59a000   mzvkbd3.dll<br />77d50000 77d55000   PSAPI.DLL<br />0:004> g<br />Breakpoint 0 hit<br />eax=00384b90 ebx=006cc420 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=00495001 esp=0020e38c ebp=0020e47c iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation:<br />00495001 6a1c            push    1Ch<br />0:000> pa 00495051<br />eax=00384b90 ebx=006cc420 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=00495003 esp=0020e388 ebp=0020e47c iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x2:<br />00495003 b8e1f74b00      mov     eax,offset calc!_allmul+0x2038 (004bf7e1)<br />eax=004bf7e1 ebx=006cc420 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=00495008 esp=0020e388 ebp=0020e47c iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x7:<br />00495008 e89ed2fdff      call    calc!operator new+0x30 (004722ab)<br />eax=0020e37c ebx=006cc420 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=0049500d esp=0020e350 ebp=0020e388 iopl=0         nv up ei ng nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286<br />calc!CCalcEngine::DoOperation+0xc:<br />0049500d 8bd9            mov     ebx,ecx<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=0049500f esp=0020e350 ebp=0020e388 iopl=0         nv up ei ng nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286<br />calc!CCalcEngine::DoOperation+0xe:<br />0049500f 895ddc          mov     dword ptr [ebp-24h],ebx ss:0023:0020e364=00000000<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=00495012 esp=0020e350 ebp=0020e388 iopl=0         nv up ei ng nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286<br />calc!CCalcEngine::DoOperation+0x11:<br />00495012 33ff            xor     edi,edi<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=00495014 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x13:<br />00495014 837d0856        cmp     dword ptr [ebp+8],56h ss:0023:0020e390=0000005b<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=00495018 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x17:<br />00495018 897dec          mov     dword ptr [ebp-14h],edi ss:0023:0020e374={KERNELBASE!_except_handler4 (75f51425)}<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=0049501b esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x1a:<br />0049501b 897dfc          mov     dword ptr [ebp-4],edi ss:0023:0020e384=ffffffff<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=0049501e esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x1d:<br />0049501e 7c0a            jl      calc!CCalcEngine::DoOperation+0xd3 (0049502a) [br=0]<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=00495020 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x23:<br />00495020 837d085a        cmp     dword ptr [ebp+8],5Ah ss:0023:0020e390=0000005b<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=00495024 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x27:<br />00495024 0f8e20f9ffff    jle     calc!CCalcEngine::DoOperation+0x2d (0049494a) [br=0]<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc278 edi=00000000<br />eip=0049502a esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0xd3:<br />0049502a 8b750c          mov     esi,dword ptr [ebp+0Ch] ss:0023:0020e394=006cc420<br />eax=0020e37c ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049502d esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0xd6:<br />0049502d 8b4508          mov     eax,dword ptr [ebp+8] ss:0023:0020e390=0000005b<br />eax=0000005b ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00495030 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0xd9:<br />00495030 83c0aa          add     eax,0FFFFFFAAh<br />eax=00000005 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00495033 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz ac pe cy<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000217<br />calc!CCalcEngine::DoOperation+0xdc:<br />00495033 83f80b          cmp     eax,0Bh<br />eax=00000005 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00495036 esp=0020e350 ebp=0020e388 iopl=0         nv up ei ng nz ac pe cy<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297<br />calc!CCalcEngine::DoOperation+0xdf:<br />00495036 0f870f050000    ja      calc!CCalcEngine::DoOperation+0x930 (0049554b) [br=0]<br />eax=00000005 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049503c esp=0020e350 ebp=0020e388 iopl=0         nv up ei ng nz ac pe cy<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297<br />calc!CCalcEngine::DoOperation+0xe5:<br />0049503c ff2485cc4f4900  jmp     dword ptr calc!CCalcEngine::DoOperation+0x96c (00494fcc)[eax*4] ds:0023:00494fe0=0049132d<br />eax=00000005 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049132d esp=0020e350 ebp=0020e388 iopl=0         nv up ei ng nz ac pe cy<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297<br />calc!CCalcEngine::DoOperation+0x517:<br />0049132d ff75ec          push    dword ptr [ebp-14h]  ss:0023:0020e374=00000000<br />eax=00000005 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491330 esp=0020e34c ebp=0020e388 iopl=0         nv up ei ng nz ac pe cy<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297<br />calc!CCalcEngine::DoOperation+0x51a:<br />00491330 33c0            xor     eax,eax<br />eax=00000000 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491332 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x51c:<br />00491332 40              inc     eax<br />eax=00000001 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491333 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x51d:<br />00491333 89450c          mov     dword ptr [ebp+0Ch],eax ss:0023:0020e394=006cc420<br />eax=00000001 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491336 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x520:<br />00491336 8945e8          mov     dword ptr [ebp-18h],eax ss:0023:0020e370=0020ea30<br />eax=00000001 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491339 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x523:<br />00491339 e8670dfeff      call    calc!_destroyrat (004720a5)<br />eax=00000001 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049133e esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x528:<br />0049133e 33ff            xor     edi,edi<br />eax=00000001 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491340 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x52a:<br />00491340 897dec          mov     dword ptr [ebp-14h],edi ss:0023:0020e374=00000000<br />eax=00000001 ebx=006cc278 ecx=006cc278 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491343 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x52d:<br />00491343 e83e0dfeff      call    calc!_createrat (00472086)<br />eax=00375548 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491348 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x532:<br />00491348 8945ec          mov     dword ptr [ebp-14h],eax ss:0023:0020e374=00000000<br />eax=00375548 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049134b esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x535:<br />0049134b ff30            push    dword ptr [eax]      ds:0023:00375548=00000000<br />eax=00375548 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049134d esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x537:<br />0049134d e8870dfeff      call    calc!_destroynum (004720d9)<br />eax=00375548 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491352 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x53c:<br />00491352 8b45ec          mov     eax,dword ptr [ebp-14h] ss:0023:0020e374=00375548<br />eax=00375548 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491355 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x53f:<br />00491355 8938            mov     dword ptr [eax],edi  ds:0023:00375548=00000000<br />eax=00375548 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491357 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x541:<br />00491357 8b06            mov     eax,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379df0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491359 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x543:<br />00491359 8b00            mov     eax,dword ptr [eax]  ds:0023:00379df0=00379d90<br />eax=00379d90 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049135b esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x545:<br />0049135b ff7004          push    dword ptr [eax+4]    ds:0023:00379d94=00000001<br />eax=00379d90 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049135e esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x548:<br />0049135e e8910dfeff      call    calc!_createnum (004720f4)<br />eax=00378300 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491363 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x54d:<br />00491363 8b4dec          mov     ecx,dword ptr [ebp-14h] ss:0023:0020e374=00375548<br />eax=00378300 ebx=006cc278 ecx=00375548 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491366 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x550:<br />00491366 8901            mov     dword ptr [ecx],eax  ds:0023:00375548=00000000<br />eax=00378300 ebx=006cc278 ecx=00375548 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491368 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x552:<br />00491368 8b06            mov     eax,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379df0 ebx=006cc278 ecx=00375548 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049136a esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x554:<br />0049136a 8b00            mov     eax,dword ptr [eax]  ds:0023:00379df0=00379d90<br />eax=00379d90 ebx=006cc278 ecx=00375548 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049136c esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x556:<br />0049136c 8b4804          mov     ecx,dword ptr [eax+4] ds:0023:00379d94=00000001<br />eax=00379d90 ebx=006cc278 ecx=00000001 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049136f esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x559:<br />0049136f 8d0c8d0c000000  lea     ecx,[ecx*4+0Ch]<br />eax=00379d90 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491376 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x560:<br />00491376 51              push    ecx<br />eax=00379d90 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491377 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x561:<br />00491377 50              push    eax<br />eax=00379d90 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491378 esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x562:<br />00491378 8b45ec          mov     eax,dword ptr [ebp-14h] ss:0023:0020e374=00375548<br />eax=00375548 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049137b esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x565:<br />0049137b ff30            push    dword ptr [eax]      ds:0023:00375548=00378300<br />eax=00375548 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049137d esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x567:<br />0049137d e8f90cfeff      call    calc!memcpy (0047207b)<br />eax=00378300 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491382 esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x56c:<br />00491382 8b45ec          mov     eax,dword ptr [ebp-14h] ss:0023:0020e374=00375548<br />eax=00375548 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491385 esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x56f:<br />00491385 83c40c          add     esp,0Ch<br />eax=00375548 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491388 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz ac pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216<br />calc!CCalcEngine::DoOperation+0x572:<br />00491388 ff7004          push    dword ptr [eax+4]    ds:0023:0037554c=00000000<br />eax=00375548 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049138b esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz ac pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216<br />calc!CCalcEngine::DoOperation+0x575:<br />0049138b e8490dfeff      call    calc!_destroynum (004720d9)<br />eax=00375548 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491390 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x57a:<br />00491390 8b45ec          mov     eax,dword ptr [ebp-14h] ss:0023:0020e374=00375548<br />eax=00375548 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491393 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x57d:<br />00491393 897804          mov     dword ptr [eax+4],edi ds:0023:0037554c=00000000<br />eax=00375548 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491396 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x580:<br />00491396 8b06            mov     eax,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379df0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=00491398 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x582:<br />00491398 8b4004          mov     eax,dword ptr [eax+4] ds:0023:00379df4=003762f8<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049139b esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x585:<br />0049139b ff7004          push    dword ptr [eax+4]    ds:0023:003762fc=00000001<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=0049139e esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x588:<br />0049139e e8510dfeff      call    calc!_createnum (004720f4)<br />eax=003770f0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913a3 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x58d:<br />004913a3 8b4dec          mov     ecx,dword ptr [ebp-14h] ss:0023:0020e374=00375548<br />eax=003770f0 ebx=006cc278 ecx=00375548 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913a6 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x590:<br />004913a6 894104          mov     dword ptr [ecx+4],eax ds:0023:0037554c=00000000<br />eax=003770f0 ebx=006cc278 ecx=00375548 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913a9 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x593:<br />004913a9 8b06            mov     eax,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379df0 ebx=006cc278 ecx=00375548 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913ab esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x595:<br />004913ab 8b4004          mov     eax,dword ptr [eax+4] ds:0023:00379df4=003762f8<br />eax=003762f8 ebx=006cc278 ecx=00375548 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913ae esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x598:<br />004913ae 8b4804          mov     ecx,dword ptr [eax+4] ds:0023:003762fc=00000001<br />eax=003762f8 ebx=006cc278 ecx=00000001 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913b1 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x59b:<br />004913b1 8d0c8d0c000000  lea     ecx,[ecx*4+0Ch]<br />eax=003762f8 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913b8 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5a2:<br />004913b8 51              push    ecx<br />eax=003762f8 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913b9 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5a3:<br />004913b9 50              push    eax<br />eax=003762f8 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913ba esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5a4:<br />004913ba 8b45ec          mov     eax,dword ptr [ebp-14h] ss:0023:0020e374=00375548<br />eax=00375548 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913bd esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5a7:<br />004913bd ff7004          push    dword ptr [eax+4]    ds:0023:0037554c=003770f0<br />eax=00375548 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913c0 esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5aa:<br />004913c0 e8b60cfeff      call    calc!memcpy (0047207b)<br />eax=003770f0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913c5 esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5af:<br />004913c5 83c40c          add     esp,0Ch<br />eax=003770f0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913c8 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz ac pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216<br />calc!CCalcEngine::DoOperation+0x5b2:<br />004913c8 ff36            push    dword ptr [esi]      ds:0023:006cc420=00379df0<br />eax=003770f0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913ca esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz ac pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216<br />calc!CCalcEngine::DoOperation+0x5b4:<br />004913ca e8d60cfeff      call    calc!_destroyrat (004720a5)<br />eax=00000000 ebx=006cc278 ecx=75f376dc edx=00360174 esi=006cc420 edi=00000000<br />eip=004913cf esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5b9:<br />004913cf 893e            mov     dword ptr [esi],edi  ds:0023:006cc420=00379df0<br />eax=00000000 ebx=006cc278 ecx=75f376dc edx=00360174 esi=006cc420 edi=00000000<br />eip=004913d1 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5bb:<br />004913d1 e8b00cfeff      call    calc!_createrat (00472086)<br />eax=00379df0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913d6 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5c0:<br />004913d6 8906            mov     dword ptr [esi],eax  ds:0023:006cc420=00000000<br />eax=00379df0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913d8 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5c2:<br />004913d8 ff30            push    dword ptr [eax]      ds:0023:00379df0=00000000<br />eax=00379df0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913da esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5c4:<br />004913da e8fa0cfeff      call    calc!_destroynum (004720d9)<br />eax=00379df0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913df esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5c9:<br />004913df 8b06            mov     eax,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379df0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913e1 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5cb:<br />004913e1 2138            and     dword ptr [eax],edi  ds:0023:00379df0=00000000<br />eax=00379df0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=00000000<br />eip=004913e3 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5cd:<br />004913e3 8b7d10          mov     edi,dword ptr [ebp+10h] ss:0023:0020e398=0038ffa0<br />eax=00379df0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=004913e6 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5d0:<br />004913e6 8b07            mov     eax,dword ptr [edi]  ds:0023:0038ffa0=0037a1f0<br />eax=0037a1f0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=004913e8 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5d2:<br />004913e8 ff7004          push    dword ptr [eax+4]    ds:0023:0037a1f4=00000001<br />eax=0037a1f0 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=004913eb esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x5d5:<br />004913eb e8040dfeff      call    calc!_createnum (004720f4)<br />eax=00379d90 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=004913f0 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5da:<br />004913f0 8b0e            mov     ecx,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379d90 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=004913f2 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5dc:<br />004913f2 8901            mov     dword ptr [ecx],eax  ds:0023:00379df0=00000000<br />eax=00379d90 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=004913f4 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5de:<br />004913f4 8b07            mov     eax,dword ptr [edi]  ds:0023:0038ffa0=0037a1f0<br />eax=0037a1f0 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=004913f6 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5e0:<br />004913f6 8b4804          mov     ecx,dword ptr [eax+4] ds:0023:0037a1f4=00000001<br />eax=0037a1f0 ebx=006cc278 ecx=00000001 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=004913f9 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5e3:<br />004913f9 8d0c8d0c000000  lea     ecx,[ecx*4+0Ch]<br />eax=0037a1f0 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491400 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5ea:<br />00491400 51              push    ecx<br />eax=0037a1f0 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491401 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5eb:<br />00491401 50              push    eax<br />eax=0037a1f0 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491402 esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5ec:<br />00491402 8b06            mov     eax,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379df0 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491404 esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5ee:<br />00491404 ff30            push    dword ptr [eax]      ds:0023:00379df0=00379d90<br />eax=00379df0 ebx=006cc278 ecx=00000010 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491406 esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5f0:<br />00491406 e8700cfeff      call    calc!memcpy (0047207b)<br />eax=00379d90 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=0049140b esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5f5:<br />0049140b 8b06            mov     eax,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379df0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=0049140d esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x5f7:<br />0049140d 83c40c          add     esp,0Ch<br />eax=00379df0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491410 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz ac pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216<br />calc!CCalcEngine::DoOperation+0x5fa:<br />00491410 ff7004          push    dword ptr [eax+4]    ds:0023:00379df4=00000000<br />eax=00379df0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491413 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz ac pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216<br />calc!CCalcEngine::DoOperation+0x5fd:<br />00491413 e8c10cfeff      call    calc!_destroynum (004720d9)<br />eax=00379df0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491418 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x602:<br />00491418 8b06            mov     eax,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379df0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=0049141a esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x604:<br />0049141a 83600400        and     dword ptr [eax+4],0  ds:0023:00379df4=00000000<br />eax=00379df0 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=0049141e esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x608:<br />0049141e 8b4704          mov     eax,dword ptr [edi+4] ds:0023:0038ffa4=00367598<br />eax=00367598 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491421 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x60b:<br />00491421 ff7004          push    dword ptr [eax+4]    ds:0023:0036759c=00000001<br />eax=00367598 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491424 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x60e:<br />00491424 e8cb0cfeff      call    calc!_createnum (004720f4)<br />eax=003762f8 ebx=006cc278 ecx=75f37782 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=00491429 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x613:<br />00491429 8b0e            mov     ecx,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=003762f8 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=0049142b esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x615:<br />0049142b 894104          mov     dword ptr [ecx+4],eax ds:0023:00379df4=00000000<br />eax=003762f8 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=0038ffa0<br />eip=0049142e esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x618:<br />0049142e 8b7f04          mov     edi,dword ptr [edi+4] ds:0023:0038ffa4=00367598<br />eax=003762f8 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=00367598<br />eip=00491431 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x61b:<br />00491431 8b4704          mov     eax,dword ptr [edi+4] ds:0023:0036759c=00000001<br />eax=00000001 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=00367598<br />eip=00491434 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x61e:<br />00491434 8d04850c000000  lea     eax,[eax*4+0Ch]<br />eax=00000010 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=00367598<br />eip=0049143b esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x625:<br />0049143b 50              push    eax<br />eax=00000010 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=00367598<br />eip=0049143c esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x626:<br />0049143c 8b06            mov     eax,dword ptr [esi]  ds:0023:006cc420=00379df0<br />eax=00379df0 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=00367598<br />eip=0049143e esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x628:<br />0049143e 57              push    edi<br />eax=00379df0 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=00367598<br />eip=0049143f esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x629:<br />0049143f ff7004          push    dword ptr [eax+4]    ds:0023:00379df4=003762f8<br />eax=00379df0 ebx=006cc278 ecx=00379df0 edx=00000000 esi=006cc420 edi=00367598<br />eip=00491442 esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x62c:<br />00491442 e8340cfeff      call    calc!memcpy (0047207b)<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00367598<br />eip=00491447 esp=0020e344 ebp=0020e388 iopl=0         nv up ei pl nz na po nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202<br />calc!CCalcEngine::DoOperation+0x631:<br />00491447 83c40c          add     esp,0Ch<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00367598<br />eip=0049144a esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz ac pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216<br />calc!CCalcEngine::DoOperation+0x634:<br />0049144a 837b0800        cmp     dword ptr [ebx+8],0  ds:0023:006cc280=00000000<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00367598<br />eip=0049144e esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x638:<br />0049144e 0f859d390000    jne     calc!CCalcEngine::DoOperation+0x63a (00494df1) [br=0]<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00367598<br />eip=00491454 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x6ad:<br />00491454 837d085b        cmp     dword ptr [ebp+8],5Bh ss:0023:0020e390=0000005b<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00367598<br />eip=00491458 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x6b1:<br />00491458 ff75ec          push    dword ptr [ebp-14h]  ss:0023:0020e374=00375548<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00367598<br />eip=0049145b esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x6b4:<br />0049145b 56              push    esi<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00367598<br />eip=0049145c esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x6b5:<br />0049145c 0f85fd3b0000    jne     calc!CCalcEngine::DoOperation+0x6c5 (0049505f) [br=0]<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00367598<br />eip=00491462 esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x6b7:<br />00491462 8b7de8          mov     edi,dword ptr [ebp-18h] ss:0023:0020e370=00000001<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000001<br />eip=00491465 esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x6ba:<br />00491465 0faf7d0c        imul    edi,dword ptr [ebp+0Ch] ss:0023:0020e394=00000001<br />eax=003762f8 ebx=006cc278 ecx=00000004 edx=00000000 esi=006cc420 edi=00000001<br />eip=00491469 esp=0020e348 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x6be:<br />00491469 e8074efeff      call    calc!divrat (00476275)<br />eax=00000000 ebx=006cc278 ecx=00000000 edx=00000009 esi=006cc420 edi=00000001<br />eip=0049146e esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x6cd:<br />0049146e 837b0800        cmp     dword ptr [ebx+8],0  ds:0023:006cc280=00000000<br />eax=00000000 ebx=006cc278 ecx=00000000 edx=00000009 esi=006cc420 edi=00000001<br />eip=00491472 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x6d1:<br />00491472 0f84d3400000    je      calc!CCalcEngine::DoOperation+0x930 (0049554b) [br=1]<br />eax=00000000 ebx=006cc278 ecx=00000000 edx=00000009 esi=006cc420 edi=00000001<br />eip=0049554b esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x930:<br />0049554b 837dec00        cmp     dword ptr [ebp-14h],0 ss:0023:0020e374=00375548<br />eax=00000000 ebx=006cc278 ecx=00000000 edx=00000009 esi=006cc420 edi=00000001<br />eip=0049554f esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x934:<br />0049554f 0f84f7faffff    je      calc!CCalcEngine::DoOperation+0xf5 (0049504c) [br=0]<br />eax=00000000 ebx=006cc278 ecx=00000000 edx=00000009 esi=006cc420 edi=00000001<br />eip=00495555 esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x93a:<br />00495555 ff75ec          push    dword ptr [ebp-14h]  ss:0023:0020e374=00375548<br />eax=00000000 ebx=006cc278 ecx=00000000 edx=00000009 esi=006cc420 edi=00000001<br />eip=00495558 esp=0020e34c ebp=0020e388 iopl=0         nv up ei pl nz na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206<br />calc!CCalcEngine::DoOperation+0x93d:<br />00495558 e848cbfdff      call    calc!_destroyrat (004720a5)<br />eax=00000000 ebx=006cc278 ecx=75f376dc edx=00360174 esi=006cc420 edi=00000001<br />eip=0049555d esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0x942:<br />0049555d e9eafaffff      jmp     calc!CCalcEngine::DoOperation+0xf5 (0049504c)<br />eax=00000000 ebx=006cc278 ecx=75f376dc edx=00360174 esi=006cc420 edi=00000001<br />eip=0049504c esp=0020e350 ebp=0020e388 iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0xf5:<br />0049504c e81acffdff      call    calc!_EH_epilog3 (00471f6b)<br />eax=00000000 ebx=006cc420 ecx=00495051 edx=00360174 esi=006cc278 edi=00000000<br />eip=00495051 esp=0020e38c ebp=0020e47c iopl=0         nv up ei pl zr na pe nc<br />cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246<br />calc!CCalcEngine::DoOperation+0xfa:<br />00495051 c20c00          ret     0Ch<br />0:000> .logclose<br />Closing open log file calc.log

 # Windbg log parser IDApython script<br /># Author: Matthew Graeber<br /><br /># I highly recommend your WinDbg log contain the output from 'lmp'<br /># Otherwise, if the module base in WinDbg and IDA don't match,<br /># this will not markup IDA properly.<br /><br />from idaapi import *<br /><br />logfile = open(AskFile(1, "*.*", "Select Windbg log file"), 'r')<br /><br />colors = {'red':0x0000FF, 'green':0x00FF00, 'blue':0xFF0000, 'pink':0xFF00FF, 'black':0x00000000, 'white':0xFFFFFFFF}<br />color = AskStr("red, green, blue, pink, black, white (default)", "Enter the color you want to use")<br /><br />if color in colors.keys():<br />    color_val = colors[color]<br />else: # default to white background<br />    color_val = colors['white']<br /><br />line = logfile.readline()<br />modules_listed = False<br /><br />ins_addr = [] # will contain list of addresses and comment<br />base_addresses = {} # dictionary of all loaded modules and their base addresses<br />registers = {} # register values during trace<br /><br />while line:<br />    if 'start' in line: # beginning of module base listing<br />        modules_listed = True<br />        while True:<br />            line = logfile.readline() # read first module listing<br />            if '<none>' in line:<br />                tokens = line.strip().split()<br />                base_addresses[tokens[2]] = tokens[0] # save in the following form: {'kernel32':'760f0000'}<br />            else: # end of module listing<br />                break<br /><br />    if 'eax=' in line[0:4]: # get first line of register values<br />    tokens = line.strip().split()<br />    for i in tokens:<br />        tokens2 = i.split('=')<br />        registers[tokens2[0]] = tokens2[1]<br />    if 'eip=' in line[0:4]: # get EBP and ESP from the next line<br />    tokens = line.strip().split()<br />    for i in tokens:<br />        tokens2 = i.split('=')<br />        if tokens2[0] == 'esp':<br />             registers[tokens2[0]] = tokens2[1]<br />        if tokens2[0] == 'ebp':<br />             registers[tokens2[0]] = tokens2[1]<br /><br />    if 'cs=' in line[0:3]:<br />        module = logfile.readline()<br />        module = module.split('!')[0] # extract module name<br />        line = logfile.readline() # extract addr, opcode, instruction<br /><br />        tokens = line.strip().split()<br />        if tokens[1] != 'cc': # skip debug breakpoints<br />            if modules_listed: # Calculate offsets from module base<br />                base = long(base_addresses[module], 16) # convert hex string to IDA ea form<br />                temp = [long(tokens[0], 16) - base]<br />            else: # use absolute virtual addresses<br />                temp = [long(tokens[0], 16)] # convert hex string to IDA ea form<br /><br />        <br />        for i in registers.keys(): # Make comments for referenced registers<br />        if i in line:<br />            temp.append(i + "=" + registers[i])<br />            <br />            <br />            temp2 = tokens[len(tokens)-1] # get last item in line<br />            if ':' in temp2: # check for pointer dereference<br />                temp2 = temp2.split(':')<br />                temp.append("Ptr deref: " + temp2[len(temp2)-1]) # append opcode pointer for IDA comment<br />                <br />            ins_addr.append(temp)<br /><br />    line = logfile.readline() # move on to next line<br />    <br />for i in ins_addr:<br />    if modules_listed:<br />        ea = i[0] + get_imagebase()<br />    else:<br />        ea = i[0]<br />        <br />    if ea == BADADDR:<br />        print("BAD ADDRESS @ 0x%08x" % ea)<br />        continue<br /><br />    SetColor(ea, idc.CIC_ITEM, color_val)<br /><br />    if len(i) > 1:<br />    commentStr = ""<br />    for j in range(1, len(i)):<br />        commentStr += i[j]<br />        if j != len(i) - 1:<br />            commentStr += "\n"<br />    if Comment(ea):<br />        MakeComm(ea, Comment(ea) + "\n" + commentStr) # Prevents overwriting existing comments<br />    else:<br />        MakeComm(ea, commentStr)<br /><br />logfile.close()

Here is what the graph of DoOperation looks like before 1000 / 4 is performed:

Here is what the graph of DoOperation looks like after 1000 / 4 is performed:

You can see the highlighted instructions and the values of any referenced registers and pointers.

Hopefully, by now you can see the power of IDApython in improving your analysis workflow. If you use this script, I welcome your feedback!

References:

1. Cody Pierce, “MindshaRE: Hit Tracing in WinDbg,” July 17, 2008, http://dvlabs.tippingpoint.com/blog/2008/07/17/mindshare-hit-tracing-in-windbg

Newer Post >

Make the most of the season by following these simple guidelines

By ZenBusiness Admin • September 19, 2023

The new season is a great reason to make and keep resolutions. Whether it’s eating right or cleaning out the garage, here are some tips for making and keeping resolutions.

Keep in touch with site visitors and boost loyalty

By ZenBusiness Admin • September 19, 2023

There are so many good reasons to communicate with site visitors. Tell them about sales and new products or update them with tips and information.

Tips for writing great posts that increase your site traffic

By ZenBusiness Admin • September 19, 2023

Write about something you know. If you don’t know much about a specific topic that will interest your readers, invite an expert to write about it.

How-to: Reversing and debugging ISAPI modules

By ron • June 27, 2023

Recently, I had the privilege to write a detailed analysis of CVE-2023-34362, which is series of several vulnerabilities in the MOVEit file transfer application that lead to remote code execution. One of the several vulnerabilities involved an ISAPI module - specifically, the MoveITISAPI.dll ISAPI extension. One of the many vulnerabilities that comprised the MOVEit RCE was a header-injection issue, where the ISAPI application parsed headers differently than the .net application. This point is going to dig into how to analyze and reverse engineer an ISAPI-based service! This wasn’t the first time in the recent past I’d had to work on something written as an ISAPI module, and each time I feel like I have to start over and remember how it’s supposed to work. This time, I thought I’d combine my hastily-scrawled notes with some Googling, and try to write something that I (and others) can use in the future. As such, this will be a quick intro to ISAPI applications from the angle that matters to me - how to reverse engineer and debug them! I want to preface this with: I’m not a Windows developer, and I’ve never run an IIS server on purpose. That means that I am approaching this with brute-force ignorance! I don’t have a lot of background context nor do I know the correct terminology for a lot of this stuff. Instead, I’m going to treat these are typical DLLs from typical applications, and approach them as such.

Cybersecurity Is a Social, Policy, and Wicked Problem

By Richard Bejtlich • June 25, 2023

Cybersecurity is a social and policy problem, not a scientific or technical problem. Cybersecurity is also a wicked problem. In a landmark 1973 article, Dilemmas in a General Theory of Planning , urban planners Horst W. J. Rittel and Melvin M. Webber described wicked problems in these terms: