tag:blog.danieljanus.pl,2019:category:assemblyDaniel Janus – assembly2014-04-06T00:00:00ZDaniel Janushttp://danieljanus.pldj@danieljanus.pltag:blog.danieljanus.pl,2014-04-06:post:dos-debugging-quirkDOS debugging quirk2014-04-06T00:00:00Z<div><p>While hacking on Lithium, I’ve noticed an interesting thing. Here’s a sample DOS program in assembly (TASM syntax):</p><pre><code class="hljs x86asm"><span class="hljs-meta">.model</span> tiny
<span class="hljs-meta">.code</span>
org <span class="hljs-number">100h</span>
N <span class="hljs-built_in">equ</span> <span class="hljs-number">2</span>
<span class="hljs-symbol">
start:</span>
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">bp</span>,<span class="hljs-built_in">sp</span>
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">ax</span>,<span class="hljs-number">100</span>
<span class="hljs-keyword">mov</span> [<span class="hljs-built_in">bp</span>-N],<span class="hljs-built_in">ax</span>
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">cx</span>,[<span class="hljs-built_in">bp</span>-N]
<span class="hljs-keyword">cmp</span> <span class="hljs-built_in">cx</span>,<span class="hljs-built_in">ax</span>
<span class="hljs-keyword">jne</span> wrong
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">dx</span>,offset msg
<span class="hljs-keyword">jmp</span> disp
<span class="hljs-symbol">wrong:</span>
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">dx</span>,offset msg2
<span class="hljs-symbol">disp:</span>
<span class="hljs-keyword">mov</span> <span class="hljs-number">ah</span>,<span class="hljs-number">9</span>
<span class="hljs-keyword">int</span> <span class="hljs-number">21h</span>
<span class="hljs-keyword">mov</span> <span class="hljs-built_in">ax</span>,<span class="hljs-number">4c00h</span>
<span class="hljs-keyword">int</span> <span class="hljs-number">21h</span>
msg <span class="hljs-built_in">db</span> <span class="hljs-string">"ok$"</span>
msg2 <span class="hljs-built_in">db</span> <span class="hljs-string">"wrong$"</span>
end start
</code></pre><p>If you assemble, link and then execute it normally, typing <code>prog</code> in the DOS command line, it will output the string “ok”. But if you trace through the program in a debugger instead, it will say “wrong”! What’s wrong?</p><p>The problem is in lines 10-11 (instructions 3-4). Here’s what happens when you trace through this program in DOS 6.22’s <code>DEBUG.EXE</code>:</p><img src="/img/blog/debug.png">
<p>Note how in instruction 3 (actually displayed as the second above) we set the word <code>SS:0xFFFC</code> to <code>100</code>. When about to execute the following instruction, we would expect that word to continue to hold the value <code>100</code>, because nothing which could have changed that value has happened in between. Instead, the debugger still reports it as <code>0x0D8A</code>, as if instruction 3 had not been executed at all — and, interestingly, after actually executing this instruction, <code>CX</code> gets yet another value of <code>0x7302</code>!</p><p>Normally, thinking of DOS <code>.COM</code> programs, you assume a 64KB-long chunk of memory that the program has all to itself: the code starts at <code>0x100</code>, the stack grows from <code>0xFFFE</code> downwards (at any given time, the region from <code>SP</code> to <code>0xFFFE</code> contains data currently on the stack), and all memory in between is free for the program to use however it deems fit. It turns out that, when debugging, it is not the case: the debuggers need to manipulate the region just underneath the program’s stack in order to handle the tracing/breakpoint interrupt traps.</p><p>I’ve verified that both DOS’s DEBUG and Borland’s Turbo Debugger 5 do this. The unsafe-to-touch amount of space below SP that they need, however, varies. Manipulating the N constant in the original program, I’ve determined that DEBUG only needs 8 bytes below SP, whereas for TD it is a whopping 18 bytes.</p></div>