Crash Dump Analysis

Opcodism: The Art of Opcodes

Forthcoming Webinar on Pattern-Driven Software Diagnostics

2012 - The Year of Software Trace Analysis

Accelerated Memory Dump Analysis Training

Sponsored link: Memory Dump Analysis Services

Fascinated by Kazimir Malevich’s Black Square I created the new art genre with the following two artistic installations:

A Pause before Crash

This is 1Mb of PAUSE instructions without the point of return:

_text SEGMENT

main PROC

DW 100000h DUP (90f3h)

main ENDP

_text ENDS

END

When launched it crashes:

0:000> kL Child-SP RetAddr Call Site 00000000`0012ff58 00000000`7704be3d 1MbPause+0x201011 00000000`0012ff60 00000000`77256a51 kernel32!BaseThreadInitThunk+0xd 00000000`0012ff90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:000> ub rip 1MbPause+0x201002: 00000001`40201002 f390 pause 00000001`40201004 f390 pause 00000001`40201006 f390 pause 00000001`40201008 f390 pause 00000001`4020100a f390 pause 00000001`4020100c f390 pause 00000001`4020100e f390 pause 00000001`40201010 cc int 3

You can download the source code, PDB and 64-bit EXE from here:

1MbPause.zip

Do Nothing and Crash

This is 1Mb of NOP instructions without the point of return:

_text SEGMENT

main PROC

DB 100000h DUP (90h)

main ENDP

_text ENDS

END

When launched it crashes too:

0:000> kL Child-SP RetAddr Call Site 00000000`0012ff58 00000000`7704be3d 1MbNop+0x101011 00000000`0012ff60 00000000`77256a51 kernel32!BaseThreadInitThunk+0xd 00000000`0012ff90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:000> ub rip 1MbNop+0x101009: 00000001`40101009 90 nop 00000001`4010100a 90 nop 00000001`4010100b 90 nop 00000001`4010100c 90 nop 00000001`4010100d 90 nop 00000001`4010100e 90 nop 00000001`4010100f 90 nop 00000001`40101010 cc int 3

You can download the source code, PDB and 64-bit EXE from here:

1MbNop.zip

The earliest opcodism binary was created on October 25th, 2006 that I now call Nothingness and Crash: The Smallest Program.

- Dmitry Vostokov @ DumpAnalysis.org -

Sponsored link: Professional Software Debugging Services

/* Malware and Software Defects -> Victimware.org */

Citrix and Microsoft Customer Forum

Museum of Debugging and Memory Dumps

7/7/2011 - 8/8/2011 Annual Competition: Tell Your Windows Debugging Story

Crash and Hang Analysis Audit Service

CARE: Crash Analysis Report Environment

Crash Dump and Software Trace Analysis Training and Seminars

Access OpenTask Titles on Safari Books Online

DATA (Dump Analysis + Trace Analysis) Facebook group
Please join the community of memory (dump) and trace analysis engineers. This group promotes scientific methods and memory dump-based worldview.

Twitter @ DumpAnalysis
You can now follow portal and blog news at DumpAnalysis on Twitter

LinkedIn Group Dr. Watson Enthusiasts
All about Dr. Watson errors and more. Get news, excerpts and progress reports about the forthcoming book The Science of Dr. Watson: An Illustrated History of Debugging (ISBN 978-1906717070)

2010 (0x7DA) - The Year of Dump Analysis
2011 (0x7DB) - 2020 (0x7E4) The Debugging Decade

International Memory Analysts and Debuggers Day:
07.07 and/or 08.08 starting from The Year of Dump Analysis, 2010, 7DA

Announcements

Coming Soon:

Resume and CV: As a Book

Fundamentals of Complete Crash and Hang Memory Dump Analysis

Management Bits: An Anthology from Reductionist Manager

Crash Dump Analysis: Practical Foundations (Windows Edition, Systematic Software Fault Analysis Series)

Crash Dump Analysis for System Administrators and Support Engineers

New Magazines:

Debugged! MZ/PE: MagaZine for/from Practicing Engineers

New Books:

Advanced Windows Memory Dump Analysis with Data Structures: Training Course Transcript and WinDbg Practice Exercises with Notes

Accelerated .NET Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises with Notes

Accelerated Windows Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises with Notes

Introduction to Pattern-Driven Software Problem Solving

Memory Dump Analysis Anthology: Color Supplement for Volumes 4-5

Windows Debugging Notebook: Essential User Space WinDbg Commands

Memory Dump Analysis Anthology, Volume 5

Memory Dump Analysis Anthology, Volume 4

Memory Dump Analysis Anthology: Color Supplement for Volumes 1-3

Memory Dump Analysis Anthology, Volume 3

First Fault Software Problem Solving: A Guide for Engineers, Managers and Users

x64 Windows Debugging: Practical Foundations

Also available:

Windows Debugging: Practical Foundations

DLL List Landscape: The Art from Computer Memory Space

Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov

WinDbg: A Reference Poster and Learning Cards

Memory Dump Analysis Anthology, Volume 2

Memory Dump Analysis Anthology, Volume 1

New Children's Book:

Baby Turing

Memory Dump It

This entry was posted on Monday, September 28th, 2009 at 4:22 pm and is filed under Announcements, Art, Assembly Language, Fun with Crash Dumps, New Words, Opcodism. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

5 Responses to “Opcodism: The Art of Opcodes”

Anonymous Says:
September 28th, 2009 at 10:47 pm
The assembler is clearly surrounding your 1mb of NOP/Pause instructions with TRAP instructions. There’s not much to it.
Dmitry Vostokov Says:
September 29th, 2009 at 6:48 am
To Anonymous: of course all works of art can be reduced to their chemical and physical components…
Crash Dump Analysis » Blog Archive » What color is your instruction? Says:
September 30th, 2009 at 4:25 pm
[…] Opcodism art is not only limited to binaries. It also provides beautiful color illustrations of processor opcodes and instructions. In this post I provide illustrations of NOP, PAUSE and INT 3 instructions generated by Dump2Picture from memory dump images of crashed 1MbNop and 1MbPause processes. […]
Jamie Fenton Says:
October 12th, 2009 at 4:09 pm
IEFBR14

Is the name of the shortest program writtern for the IBM-360 system. It was a single instruction long - a return instruction. It was used because the IBM job control language required you to run a program for each step in its job language, so if all you needed was to cause side effects to happen (such as copying files, etc.) you would use IEFBR14 as a sort of single shot null job to move things along.

IEFBR14 had a bug in it. It returned garbage in one of the registers where a result code of 0 was expected to be returned so the operating system would know that the job finished or failed.

They had to issue a revision that doubled the size of the program! A clear instruction, followed by the return instruction.

There was a rule of thumb that said software cost $10 a line to write. I always wondered if the author got a check from IBM for that amount, and how many times more then $10 it must have cost to have reported the bug, authorize the change, test it, and release the fix.
Dmitry Vostokov Says:
October 14th, 2009 at 2:38 pm
I still remember that in 1987 I encountered a PDP-11 clone and wanted to learn about its assembly language, went to a university library and took 2 volume assembly language book. After 2 weeks I finally realized that I was reading a book about IBM-360 The suspicion aroused when I couldn’t find any reference to EBCDIC on PDP-11…

Opcodism: The Art of Opcodes

5 Responses to “Opcodism: The Art of Opcodes”

Leave a Reply