Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>Landing in the middle of the kernel is the worst, because it can be very hard to work out where you are and how you got there. Unfortunately it is very hard to get hold of debugging symbols, as they are unique to each platform - you would have to get them from Motorola, not from Microsoft.</p> <p>The convention on the ARM processor is for the return address of the current leaf function to be stored in the Link Register, <code>lr</code>. Each function's prolog is responsible for storing this register's value in a location that won't be trashed by any functions that it calls. In order to be able to unwind the stack, if a hardware exception occurs, Windows CE requires that the prolog takes particular forms. The virtual unwinder algorithm is described at <a href="http://msdn.microsoft.com/en-us/library/ms881423.aspx" rel="nofollow">ARM Prolog and Epilog</a> ('virtual' because Windows exception handling doesn't <em>actually</em> unwind the stack until it has discovered the actual handler for the exception, but it can only <em>find</em> that handler by walking the stack). You can follow that algorithm to walk back through the stack yourself.</p> <p>The <a href="http://msdn.microsoft.com/en-us/library/ms881424.aspx" rel="nofollow">examples</a> at that link are actually quite atypical - code only saves r0-r3 on the stack before saving any persistent registers for a C/C++ varargs function. This is so that they are next to any additional arguments. The Windows CE ARM calling convention passes the first four arguments to the function in registers r0-r3, then the fifth and subsequent arguments on the stack. A function that uses <code>va_args</code> therefore has to push the first four onto the stack next to the others, so it can treat all arguments the same.</p> <p>Normally, an ARM function will start with a <code>stmdb</code> (STore Multiple, Decrement Before) instruction that stores all the volatile registers overwritten by the function. This instruction isn't used very often in normal code, so the <code>stmdb</code> is nearly always the first instruction of the function. You can therefore work out from that instruction, and from the stack, what the value of <code>lr</code> was and therefore where to return to. You can then repeat that for each method until you get somewhere recognizable. Hopefully this will be in an import section of a DLL, but it's probable that it will be in mscoree2_0.dll or netcfagl2_0.dll. You will probably need to search a disassembly of the Compact Framework assemblies to find what managed code called into that native entry point.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload