bug in a game


Dj Heiko
February 21st, 2004, 11:39
Hi,

I have a problem with a game.
At the beginning I post the code where the bug came (ecx is 00000000)

Code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A95(C)
|
:00428AC9 8B4E04 mov ecx, dword ptr [esi+04]
:00428ACC 8D7EF4 lea edi, dword ptr [esi-0C]
:00428ACF 57 push edi
:00428AD0 E84BEFFFFF call 00427A20
:00428AD5 8B46F8 mov eax, dword ptr [esi-08]
:00428AD8 8B0D60EF5200 mov ecx, dword ptr [0052EF60]
:00428ADE 8B401C mov eax, dword ptr [eax+1C]
:00428AE1 8B89F0190100 mov ecx, dword ptr [ecx+000119F0]


It comes at EIP 00428AC9

I know this line is an indirect pointer but I don't know where esi+04 looks to get the worth for ecx.
But I think esi+04 looks in this case where no worth is for ecx.

Can I look in a table when esi+04 is a number what number ecx will get?
So I can edit esi before the bug comes.

sgdt
February 21st, 2004, 12:45
Quote:
[Originally Posted by Dj Heiko]Hi,

I have a problem with a game.
At the beginning I post the code where the bug came (ecx is 00000000)

Code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A95(C)
|
:00428AC9 8B4E04 mov ecx, dword ptr [esi+04]
:00428ACC 8D7EF4 lea edi, dword ptr [esi-0C]
:00428ACF 57 push edi
:00428AD0 E84BEFFFFF call 00427A20
:00428AD5 8B46F8 mov eax, dword ptr [esi-08]
:00428AD8 8B0D60EF5200 mov ecx, dword ptr [0052EF60]
:00428ADE 8B401C mov eax, dword ptr [eax+1C]
:00428AE1 8B89F0190100 mov ecx, dword ptr [ecx+000119F0]


It comes at EIP 00428AC9

I know this line is an indirect pointer but I don't know where esi+04 looks to get the worth for ecx.
But I think esi+04 looks in this case where no worth is for ecx.

Can I look in a table when esi+04 is a number what number ecx will get?
So I can edit esi before the bug comes.


Have you considered using OllyDebug instead? It would make your life a bit easier...

In Olly, you can not only view the contents of ESI in the dump window, you can (on W2K or XP) set a hardware breakpoint on up to four locations and the program will stop when it toasts the value. It even has the ability to do single step trace logging and debugger hiding. Way cool stuff.

Anyway, check out the following (xx becomes tt)

For OllyDbg
hxxp://home.t-online.de/home/Ollydbg

Quick Start of commands
hxxp://home.t-online.de/home/Ollydbg/quickst.htm

Plug-ins and links (definitely get OllyScript!!!)
hxxp://ollydbg.win32asmcommunity.net/stuph/

For the Forums
hxxp://ollydbg.win32asmcommunity.net

naides
February 21st, 2004, 12:49
Quote:
[Originally Posted by Dj Heiko]Hi,

I have a problem with a game.
At the beginning I post the code where the bug came (ecx is 00000000)

Code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A95(C)
|
:00428AC9 8B4E04 mov ecx, dword ptr [esi+04]
:00428ACC 8D7EF4 lea edi, dword ptr [esi-0C]
:00428ACF 57 push edi
:00428AD0 E84BEFFFFF call 00427A20
:00428AD5 8B46F8 mov eax, dword ptr [esi-08]
:00428AD8 8B0D60EF5200 mov ecx, dword ptr [0052EF60]
:00428ADE 8B401C mov eax, dword ptr [eax+1C]
:00428AE1 8B89F0190100 mov ecx, dword ptr [ecx+000119F0]


It comes at EIP 00428AC9

I know this line is an indirect pointer but I don't know where esi+04 looks to get the worth for ecx.
But I think esi+04 looks in this case where no worth is for ecx.

Can I look in a table when esi+04 is a number what number ecx will get?
So I can edit esi before the bug comes.



You can examine the value pointed by [esi+04] by typing in Softice

d @ [esi + 04]

But I suspect the origin of the bug is not the actual value pointed by [esi + 04] but rather that [esi + 04] points to an unmapped or invalid area of the memory, which certainly will generate an exception when you try to move it into ECX.

Dj Heiko
February 21st, 2004, 13:08
The problem is that this call was gone through many times and it works.
I tested very much (I work with softice but I have ollydebug too)

I found out that this call worked but at any time the bug comes. I don't know why.
The game doesn't crash at this instruction
but several instructions later.
There ecx (is 00000000) is copied to esi (it goes 0000000 too)


Code:
* Referenced by a CALL at Addresses:
|:00428535 , :00428A73 , :00428A9E , :00428AD0
|
:00427A20 83EC08 sub esp, 00000008
:00427A23 55 push ebp
:00427A24 56 push esi
:00427A25 8BF1 mov esi, ecx
:00427A27 8B5608 mov edx, dword ptr [esi+08]
:00427A2A 8B4E04 mov ecx, dword ptr [esi+04]
:00427A2D 3BCA cmp ecx, edx
:00427A2F 57 push edi
:00427A30 8974240C mov dword ptr [esp+0C], esi
:00427A34 0F84D2000000 je 00427B0C
:00427A3A 8B442418 mov eax, dword ptr [esp+18]



The bug is then in line 0042A27 (I'm sure why)

The pointer to ecx (00428AC9) has nearly every time another worth.
So I have to look if the pointer is beside a worth or so on.

Any tips?

dELTA
February 21st, 2004, 13:40
It seems to me like you either have to analyze and understand the surrounding code more (the real "bug" is often not located at the same line of code as the line that results in a crash because of the bug), or do an inline patch that checks if these pointer registers contain valid addresses (!= 0 ?) before referencing them.

Dj Heiko
February 21st, 2004, 15:33
Yes, so I set several breakpoints with softice and found out that on EIP 00428AC9 ecx=00000000, but it's clear on this line it isn't the real bug.
But I don't know what I can do now.

I have the chance to write code before 00427A20 (where the game crash) because there are several nop lines.

There I write

Code:
cmp ecx, 00000000
je EIP


At EIP I jump to another bigger nop place and there I tried much.
So when the indirect pointer is beside a right worth for ecx I can edit esi.

But I don't know what to do.

Dj Heiko
February 22nd, 2004, 17:05
Can nobody help me?

Or don't you understand what I want?

dELTA
February 22nd, 2004, 20:55
Like I said in my last post, you must try to understand where the real bug is in the code, and then fix it, not just patch blindly. We cannot understand it for you (and certainly not without seeing the code).

disavowed
February 23rd, 2004, 01:21
using olly, set a conditional breakpoint on that line for when ecx == 0. then trace back from there to see where and why ecx was set to 0 for that instance

Aimless
February 23rd, 2004, 02:26
Hi,

Wrong move to analyse the function before understanding where it's coming from. I can see that it's a conditional call. The first breakpoint I would put is where the comparison is being made (even before the call instruction that would subsequently be called).

Then, take a look at all registers. You may need to work in IDA rather than ICE/Ollydbg before you come to a conclusion about the area where the wrong value is set.

A good tip is to understand what's happening to the function BEFORE its being called.

Yeah! I know. It's painful. But then again, no one said RCE would be a joyride.

Have Phun

Dj Heiko
February 23rd, 2004, 03:39
Yes, you are right, but I said ecx goes 00000000 on EIP 00428AC9.
But I don't know why. I don't know what to do now.

dELTA
February 24th, 2004, 08:27
Oh for christ sakes...

Dj Heiko
February 24th, 2004, 13:29
What's this for a post?
This helps me nothing; if you think it isn't very intelligent what I write, then rather write nothing.

The problem is I looked for the bug where it can happen but there isn't a call near.
The call will be indirectly called ^^ with a register or so on.

And usually the game goes without a crash through the code, so what can I edit?
I think I can only repair the bug before the game crashes.

But I don't understand the indirect pointer (00428AC9)
esi is often 5/6 times another worth but ecx is nevertheless identical.
But another time the worth of ecx changes and will be a while identical.

From where does esi+04 get the worth for ecx??

disavowed
February 24th, 2004, 15:10
I answered your question above. Please re-read my post.

JMI
February 24th, 2004, 15:56
He said:

"trace back from there to see where and why ecx was set to 0 for that instance."

Look ABOVE the point in the code where you found "ecx+00000000." You have to find where the code changes or sets "esi+4" and/or ecx to "00000000", or where it checks it or changes it, or even DOES NOT CHANGE IT. You have to stop the code ABOVE your error and TRACE back to the point of the error and observe what is happening to ecx.

Regards,
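The "trace back" that disavowed and JMI describe, done on paper over the callee listing posted above, as an added example (it is not code from the thread or from any tool named in it): the script parses W32Dasm lines of the form shown in the posts, walks upwards from the faulting address and follows mov copies until it either finds the instruction that computed the register or runs off the top of the block, which means the value arrived from the caller. It assumes straight-line code (no branch targets between the definition and the fault), which holds for the posted block.

```python
import re
# Constructed sample: the W32Dasm listing of the callee at 00427A20 as posted in the
# thread, with its "* Referenced by" header kept in to show that such lines are skipped.
LISTING = """\
* Referenced by a CALL at Addresses:
|:00428535 , :00428A73 , :00428A9E , :00428AD0
|
:00427A20 83EC08 sub esp, 00000008
:00427A23 55 push ebp
:00427A24 56 push esi
:00427A25 8BF1 mov esi, ecx
:00427A27 8B5608 mov edx, dword ptr [esi+08]
:00427A2A 8B4E04 mov ecx, dword ptr [esi+04]
:00427A2D 3BCA cmp ecx, edx
:00427A2F 57 push edi
:00427A30 8974240C mov dword ptr [esp+0C], esi
:00427A34 0F84D2000000 je 00427B0C
:00427A3A 8B442418 mov eax, dword ptr [esp+18]
"""

# One W32Dasm instruction line: ":ADDRESS OPCODEBYTES mnemonic [operands]"
LINE_RE = re.compile(r"^:([0-9A-F]{8}) [0-9A-F]+ (\w+)(?: (.*))?$")
REG_RE = re.compile(r"e[abcd]x|e[sd]i|e[bs]p")
# Mnemonics that overwrite their first operand; cmp/push/call/je only read theirs.
WRITES_DEST = {"mov", "lea", "movzx", "movsx", "pop", "xor", "and", "or", "add", "sub"}

def parse(listing):
    """Return [(addr, mnemonic, [operands])] for the instruction lines only."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ops = [o.strip() for o in m.group(3).split(",")] if m.group(3) else []
            insns.append((int(m.group(1), 16), m.group(2).lower(), ops))
    return insns

def trace_back(listing, reg, fault_addr):
    """Walk upwards from fault_addr collecting the instructions that defined `reg`,
    following plain mov reg, reg copies. Returns (chain, live_in): live_in is the register
    the value arrived in from the caller, or None if the chain ends inside the block."""
    chain = []
    for addr, mnem, ops in reversed([i for i in parse(listing) if i[0] < fault_addr]):
        if mnem in WRITES_DEST and ops and ops[0] == reg:
            chain.append((addr, mnem, ops))
            src = ops[1] if mnem == "mov" and len(ops) > 1 else ""
            if not REG_RE.fullmatch(src):
                return chain, None   # value was computed here: stop
            reg = src                # keep walking for the source register
    return chain, reg                # ran off the top: value came in via `reg`
```

For the crash at 00427A27 the chain is just `00427A25 mov esi, ecx` and the live-in register is ecx, i.e. the bad pointer was already zero in the caller, which is where the first listing loads it with `mov ecx, dword ptr [esi+04]`; the next step is to run the same walk on the caller's block.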

Polaris
February 24th, 2004, 16:29
Quote:
[Originally Posted by JMI]He said:

"trace back from there to see where and why ecx was set to 0 for that instance."

Look ABOVE the point in the code where you found "ecx+00000000." You have to find where the code changes or sets "esi+4" and/or ecx to "00000000", or where it checks it or changes it, or even DOES NOT CHANGE IT. You have to stop the code ABOVE your error and TRACE back to the point of the error and observe what is happening to ecx.

Regards,


JMI you are always SO clear