PDA

View Full Version : reocurring breakpoints


aeon
January 26th, 2008, 09:13
this application when runs under olly always breaks on some addresses "break on access when writing to [xxxxxx]" but I did not set any breakpoints

probably olly somehow misinterpretes some bytes of the application as breakpoints, It would not bother if it happend once or twice , it happens over 100x times

deleteting each one by bc [xxxxx] is tedious and out of question

what can I do?

blabberer
January 26th, 2008, 11:48
have you checked debug -> hardware break points
are you sure you dont have an entry listed there

hardware bps set are persistent across sessions

when you break on one try following it debug harware bps and if you see an entry delete it you dont like it hanging there

they are not listed in breakpoints window

also one more option to look at is to see if
options -> debugging options --> exceptions --> ignore memory access in kernel32 is checked -> it is checked on by default
but if you had unchecked it sometimes

then you might get those breaks especially when the exe is doing IsValid kind of Api (IsBadCodePointer , Is BadBlah , Is Bad whatever)

ollydbg uses those apis mostly in its IsSuspicious() wrapper

aeon
January 26th, 2008, 15:31
hmmm, application contains flash data (swf), when I stripped these , it does not break but exe does not work properly

maybe it's form of protection

seems I'll have to live with it

TiGa
January 26th, 2008, 15:37
If all else fails, try deleting the .udd corresponding to the file to start with a fresh new blank project.

Do you mean its a flash game or flash video embedded in an exe?
Without sending the file, what informations can you gather about it?
Any mention of the software it was made with?

TiGa

aeon
January 27th, 2008, 04:05
it has nothing to do with udd or hw bps(no hw bps are set and I never set them in this app) , I remember running it for the first time in olly with these problems, also tested it with modified olly version

yes, there is a flash 9 video embedded
according to xml in flash file it's made with abode flex 2 and there is a high chance that flash file itself is somehow protected from decompilation

TiGa
January 27th, 2008, 14:21
Adobe Flex 2 is used to make phone applications.
http://www.adobe.com/products/flex/media/flexapp/

Are you trying to debug a phone application in Olly?
If yes, stop right now and switch to IDA.

Olly is only for x86 instructions, not phone or .NET or Linux.

TiGa

aeon
January 28th, 2008, 09:30
no , it's windows application

this is why I think it is created with flex 2, copied right from embedded flash

<dc:title>Adobe Flex 2 Application</dc:title>

TiGa
January 28th, 2008, 14:02
Quote:
<dc:title>Adobe Flex 2 Application</dc:title>
Sure, that's a PE header all right!

Even if the "application" happens to work via a Windows Web browser, it does not make it a Windows executable.
http://examples.adobe.com/flex3/labs/configurator/configurator.html

Olly can't help you, not even IDA.

TiGa

aeon
January 28th, 2008, 14:11
where did I write it works via webbrowser? it's Windows PE Executable with flash overlay

fr33ke
January 28th, 2008, 21:10
Olly has problems with guarded pages. It uses them to set memory breakpoints on access. However, every guard page violation is treated by Olly as a memory breakpoint.

Usually this isn't a problem, but for instance Ntkrnl protector uses it.
( http://www.reversing.be/article.php?story=20070124050711383 )
Maybe it is just a coincidence this time.

Anyway, to fix it use the OllyGuard plugin.
( http://www.tuts4you.com/download.php?view.1540 )

Hope this helps.

aeon
January 29th, 2008, 09:19
yes, that's it , it works now nicely, no breaks , thank you