Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Let's see if this new information can be applied to aid in reaching the goal of locating the playing grid. Start by hitting F10, or by typing 'p' in the Command window, to execute the current instruction and break. There are a couple of things to notice. First, the previously magenta colored bar that highlighted the examined instruction from above is now red and the instruction just below this is now highlighted blue. WinDBG, by default, denotes instructions that satisfy a breakpoint condition with a red highlight and the current instruction with a blue highlight. Additionally, a handful of values in the Registers window have been highlighted in red. Remember from Chapter 4 that this signifies an updated register value. As one would expect, the eax register has been updated, but what does its new value represent? 0x18, which now resides in eax, can be expressed as 24 in decimal. Note that our playing grid, even though previously specified at 800x900, was rendered at 30x24. Coincidence? This can be validated by restarting WinMine with varying grid sizes, but for the sake of brevity let the following statement evaluate as true:

winmine!yBoxMac == Height of Playing Grid
The following instructions:
01002f85 83f801 cmp     eax,0x1
01002f88 7c4e   jl      winmine!ShowBombs+0x58 (01002fd8)
compare this value, the maximum height, to the literal numeric 0x1. If the reader visits the description of the cmp instruction in the reference material, it can be determined that this command sets bits within EFLAGS[6] based on the result of the comparison. Logically, the next instruction is a conditional jump. More specifically, this instruction will jump to the address 0x01002fd8 if eax is "Less, Neither greater nor equal" than 0x1. One can come to this conclusion by first recognizing that any mnemonic that starts with the letter 'j' and is not jmp is a conditional jump. The condition by which to perform the jump is represented by the following letter or letters. In this case it is an 'l', which signifies "Jump short if less" per the definition of this instruction found in the instruction reference and the previously mentioned EFLAGS definition. This series of instructions can be expressed in more common terms as:
if(iGridHeight < 1) {
        //jmp winmine!ShowBombs+0x58
}
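The cmp/jl pair above can be modelled to confirm why the jump is not taken when eax holds 0x18. The following is an added example, not code from the article or from WinMine: it computes the EFLAGS bits a 32-bit cmp produces, applies the jl rule (jl is a signed comparison, taken when SF != OF), and derives the rel8 target of the jl from the addresses in the listing. The 0x4e displacement is assumed from those addresses (0x01002fd8 minus the address of the instruction after the jl).

```python
# Added example (not from the Uninformed article): model 'cmp eax,0x1 / jl' from
# winmine!ShowBombs to see why the jump at 01002f88 is not taken when eax == 0x18.
MASK32 = 0xFFFFFFFF

def cmp_flags(a, b):
    """EFLAGS bits a 32-bit CMP a,b sets (CF, ZF, SF, OF); CMP is SUB a-b without storing."""
    a &= MASK32
    b &= MASK32
    result = (a - b) & MASK32
    cf = a < b                              # unsigned borrow
    zf = result == 0
    sf = bool(result >> 31)                 # sign bit of the result
    # Signed overflow: operand signs differ and the result's sign differs from a's.
    sa, sb, sr = a >> 31, b >> 31, result >> 31
    of = (sa != sb) and (sr != sa)
    return {"CF": cf, "ZF": zf, "SF": sf, "OF": of}

def jl_taken(flags):
    """JL (jump if less, signed) is taken when SF != OF."""
    return flags["SF"] != flags["OF"]

def jcc_rel8_target(insn_addr, disp8):
    """Target of a 2-byte Jcc rel8: next instruction address plus the sign-extended displacement."""
    disp = disp8 - 0x100 if disp8 & 0x80 else disp8
    return (insn_addr + 2 + disp) & MASK32

def show_bombs_height_check(eax):
    """Mirror 'cmp eax,0x1 / jl winmine!ShowBombs+0x58' with eax = yBoxMac; True if the jump fires."""
    return jl_taken(cmp_flags(eax, 1))

if __name__ == "__main__":
    print(show_bombs_height_check(0x18))             # False: 24 is not less than 1
    print(hex(jcc_rel8_target(0x01002f88, 0x4e)))    # 0x1002fd8
```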
Translating assembly into pseudocode or C may be helpful when attempting to understand large or complex functions. One can make the prediction that the conditional jump will fail, as eax is currently valued at 0x18. But, for the mere academics of it, one can determine what would happen by typing the following in the Command window:
u 0x1002fd8
This will show the reader the instructions that would be executed should the condition be met.