w10 64 bit computer using 2 very similiar batch files redirecting output to files.
chkdsk.exe c: > disk.txt then findstr.exe "found no problems" disk.txt WORKS OK
sfc /scannow > dscan.txt then findstr.exe "violations" dscan.txt FAILS TO WORK
hex output shows v 0x0 i 0x0 o 0x0 l 0x0 a 0x0 t 0x0 i 0x0 o 0x0 n 0x0 s 0x0
is this a know issue ? any easy way around this ?
Programmatic Breakpoint IDs
Breakpoint Syntax (learn.microsoft.com) claims this about setting breakpoints using an expression for the ID.
Breakpoint IDs do not have to be referred to explicitly. Instead, you
can use a numerical expression that resolves to an integer that
corresponds to a breakpoint ID. To indicate that the expression should
be interpreted as a breakpoint, use the following syntax.
b?[Expression]
In this syntax, the square brackets are required, and Expression stands for any numerical expression that resolves to an integer that corresponds to a breakpoint ID.
This is exactly what I want to do. However, it doesn't seem to work for me.
The one example they give
b?[#$t0]
produces a syntax error. I tried it a few other ways.
0:000> r $t0 = 300
0:000> ? $t0
Evaluate expression: 768 = 00000300
0:000> b?[#$t0]
^ Syntax error in 'b?[#$t0]'
0:000> b0
^ Syntax error in 'b0'
0:000> b
^ Syntax error in 'b'
0:000> bl?[#$t0]
^ Syntax error in 'bl?[#$t0]'
0:000> bl
0 e 77c27d89 0001 (0001) 0:**** ntdll!LdrpDoDebuggerBreak+0x2b
0:000> bl0
0 e 77c27d89 0001 (0001) 0:**** ntdll!LdrpDoDebuggerBreak+0x2b
0:000> bl300
0:000>
I don't really know if the example given is viable, since b and b0 don't work. However, I can't seem to use a similar syntax for commands that otherwise work with hardcoded values.
How can I make use of this (mythical?) feature?
(WinDbg 10.0.17134.12 X86)
The what is a regex substitute either of these (p,u,a) which will denote
bp1 .. bpn | ba1 ... ban | bu1 .. bun
0:000> bl
0 e 62e5f7a0 0001 (0001) xxx
1 e 62e5f7a2 0001 (0001) xxx
2 e 62e5f7a3 0001 (0001) xxx
3 e 62e5f7a5 0001 (0001) xxx
0:000> bp[8-5]
breakpoint 3 exists, redefining
breakpoint 0 redefined
0:000>
or a better usage scenerio
0:000> bp .
0:000> bl
0 e 77ac05a6 0001 (0001) 0:**** ntdll!LdrpDoDebuggerBreak+0x2c
0:000> r $t0 =0
0:000> bp[#$t0] ntdll!LdrpCompareServiceChecksum
breakpoint 0 exists, redefining
0:000> bl
0 e 77a4b931 0001 (0001) 0:**** ntdll!LdrpCompareServiceChecksum
0:000> bp[#$t0] kernel32!CreateWaitableTimerExA
breakpoint 0 exists, redefining
0:000> bl
0 e 77584202 0001 (0001) 0:**** kernel32!CreateWaitableTimerExA
0:000>
My objective is to open a socket, connect to that socket on a port, and then whenever that socket sends data to me, I want to write it to stdout.
My code works fine, but for some reason the string that is writing doesn't null terminate? I'm not so sure what the issue is and I have yet to find anything online about it.
#socket(2,1,0)
li $t7, -6
nor $t7, $t7, $zero
addi $a0, $t7, -3
addi $a1, $t7, -3
slti $a2, $zero, -1
li $v0, 4183
syscall 0x40404
sw $v0, -4($sp)
#connect(3, &addr, 16)
lw $a0, -4($sp)
li $t7, -3
nor $t7, $t7, $zero
sw $t7,-32($sp)
lui $t6,0x7a69
ori $t6,$t6,0x7a69
sw $t6, -28($sp)
lui $t5, 0x7F00
ori $t5, $t5, 0x1
sw $t5, -26($sp)
addiu $a1, $sp, -30
li $t4, -17
nor $a2, $t4, $zero
li $v0, 4170
syscall 0x40404
#read(3, addr, 50)
nex:
lw $a0, -4($sp)
addiu $a1, $sp,-64
li $a2, 50
addi $a2, $a2, -1
li $v0, 4003
syscall 0x40404
beqz $a3, next
move $a2,$v0
negu $a2,$v0
next:
blez $a2,nextt
#write(1, addr, 50)
li $a0, 1
li $v0, 4004
syscall 0x40404
j nex
nextt:
Here is the strace of me writing a\n to the socket, and it writing a\n\0\0\0\0\0\0\0\0 to stdout.
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(31337), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
read(3, "a\n", 49) = 2
write(1, "a\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 49a
zi3▒ݤ) = 49
As you can see, it prints out some weird characters at the end. Thanks for any help!
Notice in your strace output that your read syscall returns a value of 2 [in $v0].
Also notice that your write syscall has a length much greater than 2.
After your read syscall you have:
move $a2,$v0 # this reg has 2
negu $a2,$v0 # BUG: this changes it to -2 (0xFFFFFFFE)
The length for the write was interpreted as an unsigned number [and a very large one]
Change this to just [i.e. remove the negu]:
move $a2,$v0
I set the following breakpoint:
bp MSPTLS!LsCreateLine 100
The program crashes before the break point is hit 100 times. When I do bl after the crash, I get the following:
0 e 5dca4b62 0072 (0100) 0:**** MSPTLS!LsCreateLine
I am assuming from this information that the break point was hit 72 times before the crash.
However, when I do bp MSPTLS!LsCreateLine 80 I am able to hit the breakpoint before the crash telling me that the break point was hit more than 72 times before the crash. Does this 72 not indicate how many times the break point was hit?
The default number format of WinDbg is hexadecimal. If you want decimal numbers, prefix them with 0n:
0:005> bp ntdll!DbgBreakPoint 0n100
0:005> bl
0 e 7735000c 0064 (0064) 0:**** ntdll!DbgBreakPoint
The counter 0064 before (0064) counts backwards. You can easily observe that in any GUI application:
0:000> bl
0 e 74fd78d7 000a (000a) 0:**** USER32!NtUserGetMessage+0x15
1 e 74fd78c2 0064 (0064) 0:**** USER32!NtUserGetMessage
0:000> g
Breakpoint 0 hit
eax=00000001 ebx=00000001 ecx=00000000 edx=00000000 esi=001faf8c edi=74fd787b
eip=74fd78d7 esp=001faf44 ebp=001faf60 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
USER32!NtUserGetMessage+0x15:
74fd78d7 83c404 add esp,4
0:000> bl
0 e 74fd78d7 0001 (000a) 0:**** USER32!NtUserGetMessage+0x15
1 e 74fd78c2 005a (0064) 0:**** USER32!NtUserGetMessage
0:000> ? 5a
Evaluate expression: 90 = 0000005a
In the example, breakpoint 0 has been hit 10 times, leaving breakpoint 1 at 90.
Which of the following give back 63 as long (in Java) and how?
0x0
0x1
0x2
0x4
0x8
0x10
0x20
I'm working with NetworkManager API flags if that helps. I'm getting 63 from one of the operations but don't know how should I match the return value to the description.
Thanks
63 is 32 | 16 | 8 | 4 | 2 | 1, where | is the binary or operator.
Or in other words (in hex): 63 (which is 0x3F) is 0x20 | 0x10 | 0x8 | 0x4 | 0x2 | 0x1. If you look at them all in binary, it is obvious:
0x20 : 00100000
0x10 : 00010000
0x08 : 00001000
0x04 : 00000100
0x02 : 00000010
0x01 : 00000001
And 63 is:
0x3F : 00111111
If you're getting some return status and want to know what it means, you'll have to use binary and. For example:
if (status & 0x02)
{
}
Will execute if the flag 0x02 (that is, the 2nd bit from the right) is turned on in the returned status. Most often, these flags have names (descriptions), so the code above will read something like:
if (status & CONNECT_ERROR_FLAG)
{
}
Again, the status can be a combination of stuff:
// Check if both flags are set in the status
if (status & (CONNECT_ERROR_FLAG | WRONG_IP_FLAG))
{
}
P.S.: To learn why this works, this is a nice article about binary flags and their combinations.
I'd give you the same answer as Chris: your return value 0x63 seems like a combination of all the flags you mention in your list (except 0x0).
When dealing with flags, one easy way to figure out by hand which flags are set is by converting all numbers to their binary representation. This is especially easy if you already have the numbers in hexadecimal, since every digit corresponds to four bits. First, your list of numbers:
0x01 0x02 0x04 ... 0x20
| | | |
| | | |
V V V V
0000 0001 0000 0010 0000 0100 ... 0010 0000
Now, if you take your value 63, which is 0x3F (= 3 * 161 + F * 160, where F = 15) in hexadecimal, it becomes:
0x3F
|
|
V
0011 1111
You quickly see that the lower 6 bits are all set, which is an "additive" combination (bitwise OR) of the above binary numbers.
63 (decimal) equals 0x3F (hex). So 63 is a combination of all of the following flags:
0x20
0x10
0x08
0x04
0x02
0x01
Is that what you were looking for?