
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

Let's set a breakpoint on main:
0:000> bm meet!main
*** WARNING: Unable to verify checksum for meet.exe
1: 00401060 meet!main
0:000> bl
1 e 00401060 0001 (0001) 0:*** meet!main
(Ignore the checksum warning: it means the PE header checksum field of meet.exe was not filled in by the linker, which is normal for a debug build and harmless here.) Let's next run execution (g, for "go") past the ntdll initialization
on to our main function.
NOTE During this debug session, the memory addresses shown will likely be
different than the memory addresses in your debugging session.
0:000> g
Breakpoint 1 hit
eax=00320e60 ebx=7ffdf000 ecx=00320e00 edx=00000003 esi=00000000 edi=00085f38
eip=00401060 esp=0012fee0 ebp=0012ffc0 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
meet!main:
00401060 55 push ebp
0:000> k
ChildEBP RetAddr
0012fedc 004013a0 meet!main
0012ffc0 77e7eb69 meet!mainCRTStartup+0x170
0012fff0 00000000 kernel32!BaseProcessStart+0x23
(If you saw network traffic or experienced a delay right there, it was probably the
debugger downloading kernel32 symbols.) Aha! We hit our breakpoint and, again, the
registers are displayed. The instruction that will execute next is push ebp, the first
instruction of the standard function prolog. The k command prints the call chain: main was
called from mainCRTStartup, which in turn was called from kernel32!BaseProcessStart, and
each frame is listed with its saved frame pointer (ChildEBP) and return address (RetAddr).
Now you may remember that in gdb, the actual source line being executed is displayed.
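As an added example (not code from the book), here is a small parser for the WinDbg output shown above. It reads the bl breakpoint list, the register dump and the k backtrace from a constructed copy of this page's transcript, confirms that eip sits on breakpoint 1, and computes the size of each stack frame from consecutive ChildEBP values. It also checks one detail visible in the numbers above: esp is 0012fee0 but k reports main's ChildEBP as 0012fedc, i.e. esp-4, because push ebp has not executed yet and the debugger shows the frame as it will look once the prolog has run. The regular expressions and the summarize() helper are this example's own assumptions about the output format, derived only from the lines shown on this page.

```python
import re

# Constructed sample: the WinDbg transcript from this page, pasted in verbatim
# so that the parser runs offline.
WINDBG_LOG = """\
0:000> bl
1 e 00401060 0001 (0001) 0:*** meet!main
0:000> g
Breakpoint 1 hit
eax=00320e60 ebx=7ffdf000 ecx=00320e00 edx=00000003 esi=00000000 edi=00085f38
eip=00401060 esp=0012fee0 ebp=0012ffc0 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
meet!main:
00401060 55 push ebp
0:000> k
ChildEBP RetAddr
0012fedc 004013a0 meet!main
0012ffc0 77e7eb69 meet!mainCRTStartup+0x170
0012fff0 00000000 kernel32!BaseProcessStart+0x23
"""

# Assumed line shapes, taken from the transcript above (not an official WinDbg grammar).
BP_RE = re.compile(r'^(\d+)\s+([ed])\s+([0-9a-f]{8})\s+\d{4}\s+\(\d{4}\)\s+\S+\s+(\S+)$')
REG_RE = re.compile(r'\b([a-z]{2,4})=([0-9a-f]+)\b')
FRAME_RE = re.compile(r'^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)$')


def parse_breakpoints(log):
    """Return {id: (address, enabled, symbol)} from the 'bl' lines of the log."""
    bps = {}
    for line in log.splitlines():
        m = BP_RE.match(line)
        if m:
            bps[int(m.group(1))] = (int(m.group(3), 16), m.group(2) == 'e', m.group(4))
    return bps


def parse_registers(log):
    """Return {name: value} from the three-line register dump (eax=..., eip=..., cs=...)."""
    regs = {}
    for line in log.splitlines():
        if '=' in line and not line.startswith('0:'):
            for name, val in REG_RE.findall(line):
                regs[name] = int(val, 16)
    return regs


def parse_frames(log):
    """Return [(child_ebp, ret_addr, symbol), ...] from the 'k' output, top frame first."""
    frames, in_stack = [], False
    for line in log.splitlines():
        if line.startswith('ChildEBP'):
            in_stack = True
            continue
        if in_stack:
            m = FRAME_RE.match(line)
            if not m:
                break
            frames.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return frames


def hit_breakpoint(regs, bps):
    """Return the id of the enabled breakpoint whose address equals eip, or None."""
    for bp_id, (addr, enabled, _sym) in bps.items():
        if enabled and regs['eip'] == addr:
            return bp_id
    return None


def frame_sizes(frames):
    """Bytes between consecutive saved frame pointers: each frame's locals, saved ebp
    and return address together (caller's frame is listed after the callee's)."""
    return [hi - lo for (lo, _, _), (hi, _, _) in zip(frames, frames[1:])]


def summarize(log):
    """Combine the three parsers into the checks a practitioner would make at this stop."""
    bps, regs, frames = parse_breakpoints(log), parse_registers(log), parse_frames(log)
    return {
        'hit': hit_breakpoint(regs, bps),
        'eip': regs['eip'],
        'top_frame': frames[0][2],
        # At 'push ebp' the frame does not exist yet; WinDbg reports the ChildEBP
        # that main will have once push ebp has executed, which is esp - 4.
        'ebp_not_yet_pushed': frames[0][0] == regs['esp'] - 4,
        'frame_sizes': frame_sizes(frames),
    }


if __name__ == '__main__':
    print(summarize(WINDBG_LOG))
```

The frame sizes come out as 0xe4 bytes for main's frame and 0x30 for mainCRTStartup's; if you later overflow a local buffer in main, the distance from that buffer to the saved return address at 0012fee0 is what decides how many bytes it takes to reach it.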

