10.2 Boolean expressions

Expressions can be compared for equality, and the result of that comparison can later drive conditional execution of commands.

Here is an example that checks whether the current eip is 0x8048404 and, if it matches, skips the instruction (!jmp eip+2).

> ? eip == 0x8048404
> ??!jmp eip+2

You can check the last comparison result with the '???' command: it shows the result of subtracting the second part of the expression from the first part.

> ? 1==1   # check equality (==)
> ???
0x0
> ? 2==1   # check equality (==)
> ???
0x1
> ? 1!=2   # check difference (!=)
> ???
0x0

Subtraction can also be used as a comparison, because it is what the == operator does internally: if the subtraction of two elements is 0, they are equal. The previous expressions can therefore be rewritten as:

> ? 2-1
> ???
0x1       # false
> ? 2-2
> ???
0x0       # true

The command to run conditionally is given after the '??' command. Running '??' with no arguments prints the help of the '?' command:

[0xB7F9D810]> ??
Usage: ?[?[?]] <expr>
  > ? eip             ; get value of eip flag
  > ? 0x80+44         ; calc math expression
  > ? eip-23          ; ops with flags and numbers
  > ? eip==sym.main   ; compare flags
 The '??' is used for conditional executions after a comparision
  > ? [foo] = 0x44    ; compare memory read with byte
  > ???               ; show result of comparision
  > ?? s +3           ; seek current seek + 3 if equal
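To make the '?', '??' and '???' semantics above concrete, here is a small Python model of them, added for this section and not part of radare itself. The flag table, the memory contents and the behaviour of '!=' when both operands are equal are constructed assumptions; everything else follows the transcripts shown.

```python
import re


class RadareExprShell:
    """Model of radare's '?' evaluator: '? <expr>', '???' and '?? <cmd>'."""

    def __init__(self, flags, memory):
        self.flags = dict(flags)    # flag names (eip, sym.main, ...) -> values
        self.memory = dict(memory)  # address -> byte, read by '[addr]'
        self.last = None            # result reported by '???'
        self.executed = []          # commands that '??' actually ran

    def _value(self, tok):
        # '[foo]' reads the byte at the address that foo resolves to
        m = re.fullmatch(r"\[(.+)\]", tok)
        if m:
            return self.memory.get(self._value(m.group(1)), 0)
        return self.flags[tok] if tok in self.flags else int(tok, 0)

    def _arith(self, expr):
        # left-to-right '+' and '-' over flags, hex and decimal numbers
        parts = re.split(r"\s*([+-])\s*", expr.strip())
        total = self._value(parts[0])
        for op, tok in zip(parts[1::2], parts[2::2]):
            total += self._value(tok) if op == "+" else -self._value(tok)
        return total

    def question(self, expr):
        """'? <expr>': evaluate; a comparison is stored as a subtraction."""
        parts = re.split(r"\s*(==|!=|=)\s*", expr, maxsplit=1)
        if len(parts) == 3:
            a, b = self._arith(parts[0]), self._arith(parts[2])
            if parts[1] == "!=":
                # 0 when they differ; 1 for equal operands is an assumption,
                # the section only shows the true case
                self.last = 0 if a != b else 1
            else:
                self.last = a - b  # '==' (and '=') is a subtraction: 0 means equal
        else:
            self.last = self._arith(expr)
        return self.last

    def run(self, line):
        """Dispatch one shell line as the transcripts in this section read."""
        if line.startswith("???"):
            return self.last                  # show last comparison result
        if line.startswith("??"):
            cmd = line[2:].strip()            # run cmd only if last result is 0
            if self.last == 0:
                self.executed.append(cmd)
                return True
            return False
        return self.question(line[1:])        # '? <expr>'


def replay(lines, flags, memory):
    """Run a transcript of shell lines; return (results, executed commands)."""
    sh = RadareExprShell(flags, memory)
    return [sh.run(line) for line in lines], sh.executed
```

Feeding the transcripts from this section through replay() reproduces the 0x0/0x1 results shown and runs '!jmp eip+2' only when eip really is 0x8048404.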