<bochs:4>n
(0) [0x00000000000325c8] 3224:0388 (unk. ctxt): mov ax, cs
<bochs:5>sreg
cs:0x3224, dh=0x00009303, dl=0x2240ffff, valid=1
The offset of the jmp instruction can be read from the .lst file. Suppose a breakpoint has to be set there; its linear address is computed as follows: 0x32240+0x0388+0xEC=0x325c8+0xEC=0x326b4
Disassembling the instruction at 0x326b4 confirms that it is indeed the jmp instruction:
<bochs:6>disasm 0x326b4
000326b4:(
<bochs:10> b 0x326b4
<bochs:11>c
(0) Breakpoint 1, 0x00000000000326b4 in ?? ()
(0) [0x00000000000326b4] 3224:0000000000000474 (unk. ctxt): jmp far 0010:00000000
The selector is 0x0010, i.e. descriptor index 0x10. Checking the GDT base address shows it is 0x32348:
<bochs:12>sreg
gdtr:base=0x0000000000032348, limit=0x3f
Display the memory contents at 0x32348:
<bochs:13> x/32xb 0x32348
[bochs]:
0x0000000000032348<bogus+
0x0000000000032350<bogus+
0x0000000000032358<bogus+
0x0000000000032360<bogus+
Look at the corresponding descriptor index 0x10 (i.e. bogus+
<bochs:15>disasm 0x326d4
000326d4:(
<bochs:16>n
(0) [0x00000000000326d4] 0010:0000000000000000 (unk. ctxt): mov ax, 0x0020
The disassembly agrees with the single-step result.
<bochs:27>watch read 0x32392
read watchpoint at 0x0000000000032392 len=1 inserted
<bochs:30>c
00141741995i[CPU0 ] [141741995] Caught read watchpoint
(0) Caught read watch point at 0x0000000000032392
(0) [0x00000000000326fd] 0010:0000000000000029 (unk. ctxt): test al, al
<bochs:31>c
(0) [0x000000000003271c] 0010:0000000000000048 (unk. ctxt): jmp far 0004:00000000
The instruction "jmp far 0004:00000000" shows that the program is about to jump to the local segment whose descriptor index in the LDT is 0 (the TI bit of the selector is 1). Use the "sreg" command to check the LDT and GDT base addresses:
<bochs:32>sreg
ldtr:0x0030, dh=0x00008203, dl=0x27580007, valid=1
gdtr:base=0x0000000000032348, limit=0x3f
<bochs:33> x/64xb 0x32348
0x0000000000032348<bogus+
... ...
0x0000000000032378 <bogus+
0x0000000000032380 <bogus+
From the GDT base address 0x32348 and the selector 0x30, the LDT segment base address is: 0x032758
<bochs:34> x/16xb 0x32758
0x0000000000032758<bogus+
0x0000000000032760<bogus+
Disassembling at 0x32760, the address indicated by the descriptor in memory at 0x032758, gives the first instruction of the LDT segment:
<bochs:35>disasm 0x32760
00032760:(
Set a breakpoint there and continue; the result matches the expectation:
<bochs:37> b 0x32760
<bochs:38> c
(0) Breakpoint 3, 0x0000000000032760 in ?? ()
(0) [0x0000000000032760] 0004:0000000000000000 (unk. ctxt): mov ax, 0x0038
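The address arithmetic done by hand throughout this session (real-mode segment:offset to linear, selector to GDT/LDT descriptor slot, raw descriptor words to base/limit) can be automated. The following is an added example, not part of the original log or the debugged program; it assumes, as the log's own numbers confirm, that the dh/dl values printed by Bochs's sreg are the high and low dwords of the cached 8-byte descriptor.

```python
from typing import Optional

# Raw values taken from the sreg output in the log above: cs before the far jmp,
# and ldtr after it (dh = high descriptor dword, dl = low descriptor dword).
CS_DH, CS_DL = 0x00009303, 0x2240FFFF
LDTR_DH, LDTR_DL = 0x00008203, 0x27580007
GDT_BASE = 0x32348


def real_mode_linear(seg: int, off: int) -> int:
    """Real-mode linear address: segment * 16 + offset."""
    return (seg << 4) + off


def decode_descriptor(dh: int, dl: int) -> dict:
    """Split an 8-byte x86 segment descriptor (as two 32-bit halves) into fields."""
    base = (dl >> 16) | ((dh & 0xFF) << 16) | (dh & 0xFF000000)
    limit = (dl & 0xFFFF) | (dh & 0x000F0000)
    access = (dh >> 8) & 0xFF          # P, DPL, S, type
    if (dh >> 23) & 1:                 # G=1: limit counts 4 KiB pages
        limit = (limit << 12) | 0xFFF
    return {
        "base": base,
        "limit": limit,
        "present": bool(access & 0x80),
        "dpl": (access >> 5) & 3,
        "system": not (access & 0x10),  # S=0: LDT, TSS or gate descriptor
        "type": access & 0x0F,          # for an LDT descriptor this is 2
    }


def decode_selector(sel: int) -> dict:
    """Split a 16-bit selector into descriptor index, table indicator and RPL."""
    return {"index": sel >> 3, "ti": (sel >> 2) & 1, "rpl": sel & 3}


def descriptor_address(sel: int, gdt_base: int,
                       ldt_base: Optional[int] = None) -> int:
    """Linear address of the descriptor a selector refers to.

    TI=0 selects the GDT, TI=1 the LDT; the LDT base itself comes from the
    LDT descriptor in the GDT (selector held in ldtr).
    """
    s = decode_selector(sel)
    table = gdt_base if s["ti"] == 0 else ldt_base
    if table is None:
        raise ValueError("selector references the LDT but no LDT base is known")
    return table + s["index"] * 8
```

With the log's values, descriptor_address(0x0030, GDT_BASE) gives 0x32378 and decode_descriptor(LDTR_DH, LDTR_DL)["base"] gives 0x32758, reproducing the hand computation.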