(1) Starting debug
(2) Viewing and changing register contents with the R command
(3) Viewing memory contents with the D command
(4) Modifying memory contents with the E command
(5) Viewing the meaning of machine code in memory with the U command
(6) Executing the instruction at CS:IP with the T command
(7) Writing machine instructions into memory in assembly form with the A command
(8) Executing a loop, repeated string instruction, software interrupt or subroutine in one step with the P command
(1) Starting debug
This is straightforward: open the Windows console, type debug and press Enter to start the debug program. At this point debug is attached to the current console window program, cmd.exe.
If you instead run debug xxx.exe, debug loads and debugs xxx.exe, similar to gdb's load file command.
(2) Viewing and changing register contents with the R command
After starting debug, type r to display the current register contents, for example:
C:/Users/123>debug
-r
AX=0000 BX=0000 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=13F0 ES=13F0 SS=13F0 CS=13F0 IP=0100 NV UP EI PL NZ NA PO NC
13F0:0100 0000 ADD [BX+SI],AL DS:0000=CD
Many register values are shown here. The last line describes the instruction at the current program pointer CS:IP: first its address, then the machine-code bytes stored there, then the assembly instruction those bytes represent (for a memory operand, debug also shows the address it refers to and its current contents, here DS:0000=CD).
To change a register, type r followed by the register name (for example r ax) and press Enter; a ":" prompt appears, and typing the new value and pressing Enter completes the change to AX.
(3) Viewing memory contents with the D command
The D command takes the form d segment:offset, for example:
-d 13F0:0100
13F0:0100 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0110 00 00 00 00 00 00 00 00-00 00 00 00 34 00 DF 13 ............4...
13F0:0120 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0130 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0140 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0150 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0160 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
-
If you then run d again without an address, it continues listing from where the previous output ended, for example:
-d 13F0:0100
13F0:0100 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0110 00 00 00 00 00 00 00 00-00 00 00 00 34 00 DF 13 ............4...
13F0:0120 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0130 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0140 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0150 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0160 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
-d
13F0:0180 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:0190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
You can also give d an explicit range, in the form d segment:start_offset end_offset.
(4) Modifying memory contents with the E command
The command format is e start_address data data data ..., for example:
-e 13f0:0180 0 1 2 3 4 5 6 7 8 9
-d 13f0:0180
13F0:0180 00 01 02 03 04 05 06 07-08 09 00 00 00 00 00 00 ................
13F0:0190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
13F0:01F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
E also has an interactive mode: type e segment:offset and press Enter; the cursor stops after a "." prompt, waiting for the value to write into that byte. Type the value and press Space to move on to the next address, which is prompted for in the same way; pressing Space without typing a value leaves the current byte unchanged.
(5) Viewing the meaning of machine code in memory with the U command
This is just as simple and takes the same address form as the commands above: u segment:offset, for example:
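The d and e sections above both revolve around the same dump layout: a segment:offset address, sixteen hex bytes with a hyphen after the eighth, and an ASCII column. The following Python is an added example, not part of the original tutorial and not code from debug itself. It turns that layout into bytes and back, converts segment:offset to the 20-bit linear address the 8086 actually uses (segment * 16 + offset), and diffs two dumps so you can confirm exactly which bytes an e command changed. SAMPLE_DUMP is constructed from the rows shown above with whitespace collapsed to single spaces; the parser ignores the ASCII column and rebuilds it from the bytes, so real debug output with wider padding parses the same way.

```python
import re
from typing import List, Tuple

# Constructed sample: the two rows DEBUG printed after "e 13f0:0180 0 1 2 3 4 5 6 7 8 9"
# in the text above, with whitespace collapsed to single spaces as it appears on the page.
SAMPLE_DUMP = """\
13F0:0180 00 01 02 03 04 05 06 07-08 09 00 00 00 00 00 00 ................
13F0:0190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
"""

# SEG:OFF, then 16 hex bytes separated by spaces with a '-' between bytes 8 and 9.
_ROW_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2}[ -]){15}[0-9A-Fa-f]{2})"
)


def linear_address(segment: int, offset: int) -> int:
    """Real-mode physical address = segment * 16 + offset, wrapped to 20 bits like the 8086."""
    return ((segment << 4) + offset) & 0xFFFFF


def parse_dump(text: str) -> Tuple[int, bytes]:
    """Parse consecutive `d` rows into (linear start address, bytes).

    Rows must be contiguous; a gap raises ValueError so a mis-pasted dump is caught
    instead of silently producing shifted data.
    """
    start = None
    expected = 0
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ROW_RE.match(line)
        if not m:
            raise ValueError(f"not a DEBUG dump row: {line!r}")
        lin = linear_address(int(m.group(1), 16), int(m.group(2), 16))
        if start is None:
            start = lin
        elif lin != expected:
            raise ValueError(f"non-contiguous dump at {m.group(1)}:{m.group(2)}")
        out += bytes(int(h, 16) for h in re.split(r"[ -]", m.group(3)))
        expected = lin + 16
    if start is None:
        raise ValueError("empty dump")
    return start, bytes(out)


def render_dump(segment: int, offset: int, data: bytes) -> List[str]:
    """Render bytes in the `d` layout: 16 bytes per row, '-' after the 8th byte,
    and an ASCII column where bytes outside 0x20..0x7E are shown as '.'."""
    rows = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexes = [f"{b:02X}" for b in chunk]
        hexpart = " ".join(hexes[:8])
        if len(hexes) > 8:
            hexpart += "-" + " ".join(hexes[8:])
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        rows.append(f"{segment:04X}:{(offset + i) & 0xFFFF:04X} {hexpart} {text}")
    return rows


def diff_dumps(before: str, after: str) -> List[Tuple[int, int, int]]:
    """Compare two dumps of the same region; return (linear address, old, new) per changed byte.
    This is how to confirm exactly which bytes an `e` command (or a running program) touched."""
    s1, b1 = parse_dump(before)
    s2, b2 = parse_dump(after)
    if s1 != s2 or len(b1) != len(b2):
        raise ValueError("dumps cover different regions")
    return [(s1 + i, x, y) for i, (x, y) in enumerate(zip(b1, b2)) if x != y]


if __name__ == "__main__":
    start, data = parse_dump(SAMPLE_DUMP)
    print(f"dump starts at linear {start:05X}, {len(data)} bytes")
    for row in render_dump(0x13F0, 0x0180, data):
        print(row)
```

Paste the rows from before and after an e command into diff_dumps to get a list of (address, old, new) triples; for the sample above only bytes 0x14081 through 0x14089 change, since the first byte written was already 00. The contiguity check matters when copying from a console: a dropped row shifts every later byte by sixteen, and the error is easier to catch at parse time than when you are reading a disassembly of the wrong bytes.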
-u 13f0:0180
13F0:0180 0304 ADD AX,[SI]
13F0:0182 050304 ADD AX,0403
13F0:0185 050607 ADD AX,0706
13F0:0188 0809 OR [BX+DI],CL
13F0:018A 0000 ADD [BX+SI],AL
13F0:018C 0000 ADD [BX+SI],AL
13F0:018E 0000 ADD [BX+SI],AL
13F0:0190 0000 ADD [BX+SI],AL
13F0:0192 0000 ADD [BX+SI],AL
13F0:0194 0000 ADD [BX+SI],AL
13F0:0196 0000 ADD [BX+SI],AL
13F0:0198 0000 ADD [BX+SI],AL
13F0:019A 0000 ADD [BX+SI],AL
13F0:019C 0000 ADD [BX+SI],AL
13F0:019E 0000 ADD [BX+SI],AL
(6) Executing the instruction at CS:IP with the T command: simply type t and press Enter.
(7) Writing machine instructions into memory in assembly form with the A command
The command format is a segment:offset; if the segment and offset are omitted, the address CS:IP points to is used. After pressing Enter, debug prompts for assembly instructions and writes the encoded bytes to memory at successive addresses; pressing Enter on an empty line ends input (as at 13F0:0103 below). For example:
-a
13F0:0100 mov ax,1
13F0:0103
-
-r
AX=0000 BX=0000 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=13F0 ES=13F0 SS=13F0 CS=13F0 IP=0100 NV UP EI PL NZ NA PO NC
13F0:0100 B80100 MOV AX,0001
-t
AX=0001 BX=0000 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=13F0 ES=13F0 SS=13F0 CS=13F0 IP=0103 NV UP EI PL NZ NA PO NC
13F0:0103 0000 ADD [BX+SI],AL DS:0000=CD
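The u listing in section (5) and the a/r transcript in section (7) show the same thing from two sides: bytes in memory are instructions, and the mapping is fixed by the opcode byte and, where present, the ModRM byte. The Python below is an added example, not part of the original tutorial and not debug's own disassembler. It decodes the two instruction families that appear on this page and generalises them: the whole 8086 ALU group (ADD, OR, ADC, SBB, AND, SUB, XOR, CMP, opcodes 00 through 3D in their r/m, reg and accumulator-immediate forms, including the disp8/disp16 addressing modes the page does not show) and MOV reg,imm (B0 through BF). Opcodes outside those families raise DecodeError rather than guess. The byte strings in the test and demo are constructed from the listings above.

```python
from typing import List, Tuple

REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]
RM16 = ["BX+SI", "BX+DI", "BP+SI", "BP+DI", "SI", "DI", "BP", "BX"]   # 16-bit r/m bases
ALU = ["ADD", "OR", "ADC", "SBB", "AND", "SUB", "XOR", "CMP"]          # opcode bits 5..3


class DecodeError(Exception):
    """Raised for truncated input or an opcode this example does not handle."""


def _imm(code: bytes, pos: int, size: int) -> int:
    """Read a little-endian immediate/displacement of `size` bytes at code[pos]."""
    if pos + size > len(code):
        raise DecodeError("truncated immediate or displacement")
    return int.from_bytes(code[pos:pos + size], "little")


def _modrm(code: bytes, pos: int, wide: bool) -> Tuple[str, str, int]:
    """Decode a 16-bit-mode ModRM byte at code[pos]; return (reg operand, r/m operand, next pos)."""
    if pos >= len(code):
        raise DecodeError("truncated ModRM")
    b = code[pos]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    regs = REG16 if wide else REG8
    pos += 1
    if mod == 3:                               # register-direct
        return regs[reg], regs[rm], pos
    if mod == 0 and rm == 6:                   # special case: direct 16-bit address, no base
        return regs[reg], f"[{_imm(code, pos, 2):04X}]", pos + 2
    base = RM16[rm]
    if mod == 1:                               # base + sign-extended disp8
        d = _imm(code, pos, 1)
        d = d - 0x100 if d & 0x80 else d
        base += f"{'+' if d >= 0 else '-'}{abs(d):02X}"
        pos += 1
    elif mod == 2:                             # base + disp16
        base += f"+{_imm(code, pos, 2):04X}"
        pos += 2
    return regs[reg], f"[{base}]", pos


def decode_one(code: bytes, pos: int) -> Tuple[str, int]:
    """Decode the instruction starting at code[pos]; return (mnemonic text, length in bytes)."""
    start = pos
    op = code[pos]
    pos += 1
    if op < 0x40 and (op & 7) < 6:             # ALU group; low 3 bits select the operand form
        name = ALU[op >> 3]
        form = op & 7
        wide = bool(form & 1)
        if form < 4:                           # 0/1: r/m,reg   2/3: reg,r/m
            reg, rm, pos = _modrm(code, pos, wide)
            text = f"{name} {rm},{reg}" if form < 2 else f"{name} {reg},{rm}"
        else:                                  # 4/5: AL,imm8 / AX,imm16
            size = 2 if wide else 1
            text = f"{name} {'AX' if wide else 'AL'},{_imm(code, pos, size):0{size * 2}X}"
            pos += size
    elif 0xB0 <= op <= 0xBF:                   # MOV reg,imm: B0+r byte, B8+r word
        wide = op >= 0xB8
        size = 2 if wide else 1
        reg = (REG16 if wide else REG8)[op & 7]
        text = f"MOV {reg},{_imm(code, pos, size):0{size * 2}X}"
        pos += size
    else:
        raise DecodeError(f"opcode {op:02X} is outside the families handled here")
    return text, pos - start


def disassemble(segment: int, offset: int, code: bytes) -> List[str]:
    """Produce `u`-style lines: SEG:OFF, the instruction's hex bytes, the mnemonic."""
    lines = []
    pos = 0
    while pos < len(code):
        text, length = decode_one(code, pos)
        hexs = code[pos:pos + length].hex().upper()
        lines.append(f"{segment:04X}:{(offset + pos) & 0xFFFF:04X} {hexs} {text}")
        pos += length
    return lines


if __name__ == "__main__":
    # Constructed: the bytes that the u listing at 13F0:0180 decodes, then the a-command result.
    for line in disassemble(0x13F0, 0x0180, bytes.fromhex("030405030405060708090000")):
        print(line)
    print(disassemble(0x13F0, 0x0100, bytes.fromhex("B80100"))[0])
```

Tracing one line by hand is the point of the exercise: 05 03 04 is opcode 05 (ADD AX,imm16) followed by the immediate stored low byte first, so the operand reads 0403, exactly as the u output shows. Likewise B8 01 00 from the a transcript is B8+0 (MOV AX,imm16) with immediate 0001, and 00 00, which fills untouched memory, is ADD with ModRM 00 (AL into [BX+SI]); that is why a fresh u listing is full of ADD [BX+SI],AL.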
(8) Executing a loop, repeated string instruction, software interrupt or subroutine in one step with the P command
When the p command passes control from Debug to the program being tested, that program runs without interruption until the loop, repeated string instruction, software interrupt or subroutine at the specified address completes, or until the specified number of machine instructions has been executed. Control then returns to Debug.