View Full Version : reocurring breakpoints
aeon
January 26th, 2008, 09:13
this application when runs under olly always breaks on some addresses "break on access when writing to [xxxxxx]" but I did not set any breakpoints
probably olly somehow misinterpretes some bytes of the application as breakpoints, It would not bother if it happend once or twice , it happens over 100x times
deleteting each one by bc [xxxxx] is tedious and out of question
what can I do?
blabberer
January 26th, 2008, 11:48
have you checked debug -> hardware break points
are you sure you dont have an entry listed there
hardware bps set are persistent across sessions
when you break on one try following it debug harware bps and if you see an entry delete it you dont like it hanging there
they are not listed in breakpoints window
also one more option to look at is to see if
options -> debugging options --> exceptions --> ignore memory access in kernel32 is checked -> it is checked on by default
but if you had unchecked it sometimes
then you might get those breaks especially when the exe is doing IsValid kind of Api (IsBadCodePointer , Is BadBlah , Is Bad whatever)
ollydbg uses those apis mostly in its IsSuspicious() wrapper
aeon
January 26th, 2008, 15:31
hmmm, application contains flash data (swf), when I stripped these , it does not break but exe does not work properly
maybe it's form of protection
seems I'll have to live with it
TiGa
January 26th, 2008, 15:37
If all else fails, try deleting the .udd corresponding to the file to start with a fresh new blank project.
Do you mean its a flash game or flash video embedded in an exe?
Without sending the file, what informations can you gather about it?
Any mention of the software it was made with?
TiGa
aeon
January 27th, 2008, 04:05
it has nothing to do with udd or hw bps(no hw bps are set and I never set them in this app) , I remember running it for the first time in olly with these problems, also tested it with modified olly version
yes, there is a flash 9 video embedded
according to xml in flash file it's made with abode flex 2 and there is a high chance that flash file itself is somehow protected from decompilation
TiGa
January 27th, 2008, 14:21
Adobe Flex 2 is used to make phone applications.
http://www.adobe.com/products/flex/media/flexapp/
Are you trying to debug a phone application in Olly?
If yes, stop right now and switch to IDA.
Olly is only for x86 instructions, not phone or .NET or Linux.
TiGa
aeon
January 28th, 2008, 09:30
no , it's windows application
this is why I think it is created with flex 2, copied right from embedded flash
<dc:title>Adobe Flex 2 Application</dc:title>
TiGa
January 28th, 2008, 14:02
Quote:
<dc:title>Adobe Flex 2 Application</dc:title> |
Sure, that's a PE header all right!
Even if the "application" happens to work via a Windows Web browser, it does not make it a Windows executable.
http://examples.adobe.com/flex3/labs/configurator/configurator.html
Olly can't help you, not even IDA.
TiGa
aeon
January 28th, 2008, 14:11
where did I write it works via webbrowser? it's Windows PE Executable with flash overlay
fr33ke
January 28th, 2008, 21:10
Olly has problems with guarded pages. It uses them to set memory breakpoints on access. However, every guard page violation is treated by Olly as a memory breakpoint.
Usually this isn't a problem, but for instance Ntkrnl protector uses it.
( http://www.reversing.be/article.php?story=20070124050711383 )
Maybe it is just a coincidence this time.
Anyway, to fix it use the OllyGuard plugin.
( http://www.tuts4you.com/download.php?view.1540 )
Hope this helps.
aeon
January 29th, 2008, 09:19
yes, that's it

, it works now nicely, no breaks , thank you
Powered by vBulletin® Version 4.2.2 Copyright © 2020 vBulletin Solutions, Inc. All rights reserved.