Debugging my own asm program
Phoenix_cz
June 22nd, 2007, 03:24
Hi,
I would like to use OllyDbg to debug my own asm program. But after I load it in OllyDbg, I'm unable to find my code.
I tried to search Google for some tutorials, but I couldn't find anything other than tutorials about cracking.
How can I find my code using OllyDbg? I was stuck in modules like kernel32.dll etc...
I'm using OllyDbg version 1.10.
Thank you
esther
June 22nd, 2007, 03:32
Can you be more specific about what happens after loading your exe in OllyDbg?
Phoenix_cz
June 22nd, 2007, 04:24
I load my program, and what I see is the code inside module kernel32.dll.
OllyDbg seems to work fine, it's just that I do not know where to find my piece of code.
I have tried "Run until user code" but that just stepped to the next instruction. (I expected that user code represents those few lines of my code that I'm looking for, so I thought that this command would run the program and stop when it reaches my code.)
I'm trying to write a win32 kernel base locator, and I would like to go step by step over the instructions to check the address calculation. Maybe if there is a better tool for this kind of job, I'd be thankful for any recommendations.
Thank you
esther
June 22nd, 2007, 04:45
OllyDbg is only best for programs that use ring 3.
Try Syser debugger or SoftICE.
http://www.woodmann.com/forum/showthread.php?t=10047&highlight=syser
naides
June 22nd, 2007, 04:50
Take a look at the menu Options->Debugging Options->Events tab.
Make sure all the check marks are clear except the radio button at Entry point of main module.
Option 2: disassemble your exe using IDA or w32dasm. Look at a byte pattern (10 to 15 bytes should be unique enough) near the entry point. Now in Olly, View->Memory, right click and search for your bytes. Note down the address, then find that address in the CPU view. Place a bp at the entry point; Olly should stop there next time you reload.
Add-on: I did not see esther's second post. If you are coding a ring 0 app, Olly will not get you there.
LLXX
June 22nd, 2007, 08:12
If you're in the kernel32 ("system startup breakpoint"), press F9 once and it should stop at the "entry point of main module".
Phoenix_cz
June 24th, 2007, 05:02
Thank you for the advice.
I think that the problem is that I haven't compiled & linked my program properly.
I tried to debug my program with w32dsm87. I loaded the exe file, but I cannot "Load process", and I noticed that the size of my program is only 2kB.
I built my program like this:
nasm -g -f obj file.asm -l file.lst
link file.obj , file.exe , file.map , , nul.def
I don't know the purpose of the *.lst and *.map files and I don't know why my program is only 2kB.
How do I properly build my program so that I would be able to "Load process" in w32dsm87?
esther
June 24th, 2007, 08:03
Hi,
try this
C:\w32nasm\BIN>nasm -f obj 1.asm
C:\w32nasm\BIN>alink -oPE 1.obj
Phoenix_cz
June 24th, 2007, 09:30
Hello,
I tried building my program with nasmw and alink the way you suggested, but it seems to ignore my code section.
My program:
segment code
..start:
mov ah,9
mov edx,string
int 21h
mov ah,4ch
int 21h
segment data
string db 'Hello!',10,13,'$'
When I open the object file, the code section seems to be empty. Do you know why that is?
esther
June 24th, 2007, 09:39
Your code doesn't seem to be a portable executable file (win32).
blabberer
June 24th, 2007, 10:27
You are doing 16 bit assembly.
Win32 doesn't do ints.
To compile 16 bit code you need a 16 bit linker,
and 16 bit code will not be debuggable by OllyDbg etc.
Use debug.com (start -> run -> cmd > debug your program).
blabberer
June 24th, 2007, 12:56
Code:
test:/>type hello.asm
section .text
..start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop
mov dx , hello
mov ah,0x09
int 0x21
mov ax,0x4c00
int 0x21
section .data
hello: db 'hello, simple world',13,10,'$'
segment stack stack
resb 64
stacktop:
test:/>nasmw.exe -fobj hello.asm -o hello.obj
test:/>ALINK.EXE hello.obj -oEXE -o hello.exe
ALINK v1.6 (C) Copyright 1998-9 Anthony A.J. Williams.
All Rights Reserved
Loading file hello.obj
matched Externs
matched ComDefs
test:/>hello.exe
hello, simple world
test:/>
Works like a charm for me.
-oPE is for a 32 bit executable.
Phoenix_cz
June 24th, 2007, 15:59
When I follow your example (same source code) I get an error while linking the program:
...
...
...
Loading file test.obj
matched Externs
matched ComDefs
not flat, or absolute segment 0:text
not flat, or absolute segment 1:data
not flat, or absolute segment 2:stack
not flat, or absolute segment 2:stack
not flat, or absolute segment 1:data
I'm using the same version of ALINK as you -> 1.6
LLXX
June 25th, 2007, 03:22
...
Are you debugging a 32-bit PE, or a 16-bit EXE/COM ? I think that is one question that needs to be answered first.
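Added example (not part of the original thread): a small Python check that answers the question above from the file's headers alone, and for a PE also reports the address where "entry point of main module" would be if the image loads at its preferred base. The function name, result keys and the two sample images are constructed for this illustration.

```python
import struct

def classify_exe(data: bytes) -> dict:
    """Tell a 16-bit DOS/NE executable from a PE and locate its entry point."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return {"format": "no-mz-header"}      # e.g. a raw .COM image
    # e_lfanew (offset 0x3C) points at the new-style header, if there is one
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    sig = data[e_lfanew:e_lfanew + 4] if e_lfanew else b""
    if sig[:2] == b"NE":
        return {"format": "ne16"}              # 16-bit Windows executable
    if sig != b"PE\0\0":
        # Plain DOS EXE: entry is the CS:IP pair stored in the MZ header
        ip, cs = struct.unpack_from("<HH", data, 0x14)
        return {"format": "dos-mz16", "cs": cs, "ip": ip}
    opt = e_lfanew + 4 + 20                    # skip signature + COFF file header
    if opt + 32 > len(data):
        return {"format": "truncated-pe"}
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                         # PE32: 4-byte ImageBase
        fmt, base = "pe32", struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                       # PE32+: 8-byte ImageBase
        fmt, base = "pe32+", struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        return {"format": "unknown-pe"}
    return {"format": fmt, "entry_rva": entry_rva, "entry_va": base + entry_rva}

def sample_dos() -> bytes:
    # Constructed 16-bit MZ header only: entry CS:IP = 0000:0010
    hdr = bytearray(0x20)
    hdr[0:2] = b"MZ"
    struct.pack_into("<HH", hdr, 0x14, 0x0010, 0x0000)
    return bytes(hdr)

def sample_pe32() -> bytes:
    # Constructed PE32 headers only: ImageBase 0x400000, entry RVA 0x1000
    img = bytearray(0x80 + 24 + 32)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 16, 0x1000)
    struct.pack_into("<I", img, opt + 28, 0x400000)
    return bytes(img)

if __name__ == "__main__":
    for name, blob in (("dos", sample_dos()), ("pe32", sample_pe32())):
        print(name, classify_exe(blob))
```

To check a real build, pass `open("file.exe", "rb").read()` to `classify_exe`; a `dos-mz16` result means the linker produced a 16-bit EXE.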
Phoenix_cz
June 25th, 2007, 05:05
Yes, that's the question.
I wanted to debug a 16-bit EXE/COM program and I thought it was a 32-bit PE.
Now I "changed" the program to 32-bit and I'm debugging 32-bit.
We had an Assembly course at school, and we were only taught 16-bit asm. And I assumed that it is the same as 32-bit, because I didn't know what the difference is. And to be honest, it's still not very clear to me. So if anyone knows of a good tutorial explaining the differences between 16-bit and 32-bit (resp. EXE/COM and PE) asm, it would be great if you shared it.
Now that I have a correct 32-bit PE, OllyDbg works exactly the way I wanted in the beginning.
Thank you all for your help
esther
June 25th, 2007, 06:06
The only difference between 16bit and 32bit is about registers
ax=16bit
eax=32bit
Eight Bits    Sixteen Bits    Thirty-two Bits
80h           0080h           00000080h
Try doing some searching on the web on the difference between com and exe files.
If you want to learn Windows assembly programming, check out the link below.
There is an article describing PE files.
http://win32assembly.online.fr