
Access violation?


Anonymous
May 5th, 2003, 23:07
I have a program that's unable to load in OllyDbg. It runs normally on Win XP. Here is the error I encounter:

Access violation when reading [ffffffff]

EBX = 00000000
DS: [ffffffff]=???

The proggie is written in VC. I tried to bypass it but failed. Exit code 80 (128).

Any clues? Thanks.

TBD
May 5th, 2003, 23:20
That doesn't help. We need more info, like: do you have the source or not?
Where does it GPF (in your program or in a DLL)?

You said "unable to load" - you cannot start your program at all?

Also, you can post a link to it so everyone can take a look.

A lot of different things can go wrong.

Ricardo Narvaja
May 6th, 2003, 07:25
There is surely an antidebug routine in the program. Read the tute in English, 68 Armadillo for newbies; at the beginning there is a method to hide OllyDbg.
It is also possible the program uses the API IsDebuggerPresent to detect a debugger. With the method from the tute you can run the program despite this antidebugging trick.

Ricardo

Anonymous
May 6th, 2003, 08:23
6C3ED626 5E POP ESI
6C3ED627 > 55 PUSH EBP
6C3ED628 8BEC MOV EBP,ESP
6C3ED62A 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
6C3ED62D 53 PUSH EBX
6C3ED62E 33DB XOR EBX,EBX
6C3ED630 3BC3 CMP EAX,EBX
6C3ED632 74 02 JE SHORT MFC42.6C3ED636
6C3ED634 8918 MOV DWORD PTR DS:[EAX],EBX // Failed here EAX=FFFFFFFF

For some reason, I can't give out the program.

Ricardo, sorry for being a newbie, but do you have the link for the tute you mention?

Appreciate any help given.

Anonymous
May 6th, 2003, 08:37
Ricardo, I found the tute. keke, thanks again.

blabberer
May 7th, 2003, 02:27
mov eax,[ebp+10] ---> moves something from the stack to eax
xor ebx,ebx
cmp eax,ebx ; so basically eax must be zero so that it takes the je that comes next

So the access violation can be eliminated:
that means [ebp+10] must be 0.
You land at the access violation because [ebp+10] != 0.

It may be designed like that for triggering an access violation and handling
the access violation via structured exception handling code.

Look for the SEH (Olly marks it in the stack and CPU windows as well).
BTW, if you use SEH you can do almost anything with the situation:
for example modify debug registers, change eip, write in the code section (if the code section has write permission; else it can VirtualProtect and write loopholes everywhere), change the registers to new values so that it works now
(but also the program gets to know that it is being debugged).

BTW, did you try passing that exception to the program (Shift+F7)
or adding the last exception in the debug options? Olly has a lot of options to tackle these situations.
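Added example (not code from the thread, from MFC or from OllyDbg): a hypothetical C reconstruction of the routine in the disassembly above, run under a fault handler so the two outcomes discussed here can be reproduced on a POSIX system. The null check in the MFC fragment only skips a NULL pointer, so an output pointer of 0xFFFFFFFF passes it and faults on the store. A SIGSEGV handler built on sigsetjmp/siglongjmp stands in for a Windows SEH frame: it is the program's own handler, which is why passing the exception to the program (Shift+F7) lets execution continue. The function names and the sample values are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the MFC42 fragment:
 *   MOV EAX,[EBP+10]   ; third stack argument -> EAX
 *   XOR EBX,EBX
 *   CMP EAX,EBX
 *   JE  skip           ; only a NULL pointer is skipped
 *   MOV [EAX],EBX      ; *out = 0
 * Any non-NULL value passes the check, so 0xFFFFFFFF is dereferenced. */
static void zero_if_nonnull(volatile uint32_t *out)
{
    if (out != NULL)
        *out = 0;
}

/* POSIX stand-in for an SEH handler: SIGSEGV/SIGBUS is the access violation. */
static sigjmp_buf fault_point;
static volatile sig_atomic_t fault_count = 0;

static void on_fault(int sig)
{
    (void)sig;
    fault_count++;
    siglongjmp(fault_point, 1);   /* resume in probe_write after the fault */
}

/* Runs the reconstructed routine under the handler.
 * Returns 0 if the store succeeded, 1 if an access violation was caught. */
static int probe_write(volatile uint32_t *out)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_point, 1) == 0) {
        zero_if_nonnull(out);     /* normal path: store happens */
        faulted = 0;
    } else {
        faulted = 1;              /* handler jumped back here */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Case 1: a real output slot (constructed sample value), as a correct caller
 * would pass. Returns 0 when the write went through and zeroed the slot. */
static int probe_valid_target(void)
{
    uint32_t slot = 0xDEADBEEFu;
    int faulted = probe_write(&slot);
    return (faulted == 0 && slot == 0) ? 0 : -1;
}

/* Case 2: the value the poster saw in EAX, constructed here as a pointer.
 * Returns 1: the null check passes, the store faults, the handler catches it. */
static int probe_bad_target(void)
{
    return probe_write((volatile uint32_t *)(uintptr_t)0xFFFFFFFFu);
}

int main(void)
{
    printf("valid target: %d (0 = written)\n", probe_valid_target());
    printf("bad target:   %d (1 = fault caught)\n", probe_bad_target());
    printf("faults handled: %d\n", (int)fault_count);
    return 0;
}
```

Run it outside a debugger and the second probe completes because the process's own handler takes the fault. Under a debugger the same fault is reported to the debugger first, which is the stop OllyDbg shows at MOV [EAX],EBX; only when the exception is passed on does the program's handler get to run.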

Anonymous
May 9th, 2003, 04:11
module kernel32
77E7387D 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
77E73880 50 PUSH EAX
77E73881 FF15 0015E677 CALL DWORD PTR DS:[<&ntdll.RtlRaiseExcep>; ntdll.RtlRaiseException
77E73887 5E POP ESI;MSVCRT.77C114AC//Access violation no RTTI Data

Here's another exception I encountered. I'm able to pass this exception a few times (Shift+F7) and the program runs.
Quick question: what are the drawbacks of bypassing these exceptions?
Thanks.

Ricardo Narvaja
May 9th, 2003, 05:30
It is difficult without seeing the program; if the program RUNS outside of OllyDbg, obviously there is a detection of OllyDbg.
When you press Shift+F9 and the program ends, go to the K (call stack) and view the calls in the list; the upper one is the last call the program entered. Right click, VIEW CALL, and go to the executable or the part of the program last executed before the error. Look whether there is a conditional jump that could avoid executing the bad call. If changing the conditional jumps before this call does not make the program RUN well, go to the call stack again, take the second call and repeat the same process. I don't know if this is your case, but since I can't look at the program, it is only an idea.

Ricardo Narvaja