Answer to the Christmas brain teaser...

  • Article

So at Christmas I posed a brain teaser.

"0:001> .foreach ( greeting {s -[1]u 0 L?0xffffffff "Merry"} ) {.printf "%mu" , greeting }
Merry Christmas and a Happy New Year!

Christmas brain teaser: based off this, what can infer about the most likely bit-ness of the process and the operating system I was debugging on and why?"

First of all, the "Christmas message" was command Window output from WinDBG which is part of the great and free Debugging Tools for Windows package. The command executed uses the built in .foreach meta command to iterate the output of the given search command ("s") and pass each token to the .printf command. "greeting" is the placeholder variable used in the .foreach command and represents the memory address of each search "hit". The format string passed to the .printf command ("%mu") tells the debugger to interpret whatever is at that address as a null terminated unicode string and print it out.

The search command (s -[1]u 0 L?0xffffffff "Merry") searches the specified address range for the unicode string (the "u") "Merry" but only prints out the address at which it is found (the "-[1]"). The address range specified here is from 0 to 4Gb ("L?0xffffffff " - more cryptic WinDBG syntax). The address range is really the clue as to the bitness of the operating system I'm doing this on. Whilst this could be a 64-bit debuggee, it's unlikely we would just want to search the first 4Gb of a possible 16Tb address range if we are looking for something. So this makes it more likely we are debugging a 32-bit debuggee. In which case the question is 'in what circumstances do we have a 4Gb address range in a 32-bit process?'. The only case where that applies is a 32-bit process on a 64-bit version of Windows.

So in summary, we are searching the entire 4Gb virtual memory address space of a 32-bit process on 64-bit Windows for the word "Merry" and finding once instance of it at the start of the null terminated unicode string "Merry Christmas and a Happy New Year!" which we are then printing out.

And once again- Happy New Year!

Don't know about where you are, but here it is a very cold one (by UK standards). Here's the Wunderground weather station nearest to me.

Doug