If Your Code is at a Fault

Disassemble near the faulting location to see if what you get is proper code or not. Don't forget that ASCII text may look deceptively valid. Another thing to check is whether ESP and EIP are very close to each other. If so, this suggests a stack-balancing problem (too many pushes or pops). Dump the stack back to find the last known sane location and start working forwards.

Type u cs:eip to see if what you get is proper code or not. If you see any of the following, then you do not have proper code:

• Any instruction of the form db xx.
• Any instruction of the form lock xx.
• Any instruction whose opcode begins with the letter f (floating point).
• The same instruction repeated over and over, especially if it is one of the following:

  add byte ptr [eax], al

  and byte ptr [edi], al

  add byte ptr [bx+si], al

  and byte ptr [bx], al

• Anything else that obviously makes no sense.

If that quick test passes, then type db cs:eip-40 and check if you are in the middle of a data segment. One dead giveaway is that you see ASCII strings in the dump.