Enable disassembly of non-standard code


MazeGen
October 8th, 2003, 09:19
Hi everybody,
I made a snippet of non-standard testing code for my analyzer (it's nothing special, but for instance a series of ADD instructions). Problem: when I load it as a PE EXE, it looks like OllyDbg's heuristic analysis doesn't want to disassemble the code (OllyDbg shows only DBs). How can I fix it? I tried changes in Options / Debugging options / Analysis 1-3, but the problem remains.

Can somebody help? Thank you.

I use OllyDbg v1.09c

TBD
October 8th, 2003, 22:56
MazeGen: can you post an example? Sometimes I also get DBs instead of code when OD thinks that it is data and not code.

MazeGen
October 9th, 2003, 10:29
<pre>
00401000 >/$ 6A 00 push 0 ; /ExitCode = 0
00401002 \. E8 3B010000 call <jmp.&kernel32>; \ExitProcess

; My testing code starts here:
00401007 90 nop
00401008 00 db 00
00401009 D5 db D5
0040100A 65 db 65 ; CHAR 'e'
0040100B 00 db 00
0040100C D5 db D5
0040100D 66 db 66 ; CHAR 'f'
0040100E 00 db 00
0040100F D5 db D5
00401010 67 db 67 ; CHAR 'g'
00401011 00 db 00
00401012 D5 db D5
00401013 . 65 66 67 00 ascii "efg",0
00401017 D5 db D5
00401018 03 db 03
00401019 D5 db D5
0040101A 65 db 65 ; CHAR 'e'
0040101B 03 db 03
0040101C D5 db D5
0040101D 66 db 66 ; CHAR 'f'
0040101E 03 db 03
0040101F D5 db D5
00401020 67 db 67 ; CHAR 'g'
00401021 03 db 03
00401022 D5 db D5
</pre>

If I try to enable disassembly using jump instruction, disassembly is only partial:

<pre>
00401000 > $ EB 07 jmp short MODRMSIB.00401009
00401002 . 6A 00 push 0 ; /ExitCode = 0
00401004 . E8 3B010000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
00401009 > 90 nop
0040100A . 00D5 add ch,dl
0040100C . 65:00D5 add ch,dl ; Superfluous prefix
0040100F . 66:00D5 add ch,dl
00401012 . 67:00D5 add ch,dl ; Superfluous prefix
00401015 . 65:66:67:00D5 add ch,dl ; Superfluous prefix
0040101A . 03D5 add edx,ebp
0040101C . 65:03D5 add edx,ebp ; Superfluous prefix
0040101F . 66:03D5 add dx,bp
00401022 . 67:03D5 add edx,ebp ; Superfluous prefix
00401025 . 65:66:67:03D5 add dx,bp ; Superfluous prefix
0040102A . 90 nop
0040102B . 67:0037 add [bx],dh
0040102E . 66:67:0037 add [bx],dh
00401032 . 65:66:67:0037 add gs:[bx],dh
00401037 . 67:0337 add esi,[bx]
0040103A . 66:67:0337 add si,[bx]
0040103E . 65:66:67:0337 add si,gs:[bx]
00401043 . 90 nop
00401044 . 67:0035 add [di],dh
00401047 . 66:67:0035 add [di],dh
0040104B . 65:66:67:0035 add gs:[di],dh
00401050 . 67:0335 add esi,[di]
00401053 . 66:67:0335 add si,[di]
00401057 . 65:66:67:0335 add si,gs:[di]
0040105C . 90 nop
0040105D 00 db 00
0040105E . 35 65 00 ascii "5e",0
00401061 . 35 66 00 ascii "5f",0
00401064 . 35 67 00 ascii "5g",0
00401067 . 36 65 66 67 00>ascii "6efg",0
0040106C 36 db 36 ; CHAR '6'
</pre>

As you can see, this testing code is only a series of ADD instructions with different sizes of registers, different source and destination operands and different prefixes.

I think there has to be some way to enable it. I don't believe Olly forgot to enable it.
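The prefix behaviour behind the listing above, as an added example that is neither MazeGen's analyzer nor OllyDbg's engine: a minimal Python decoder for opcodes 00-03 and NOP with the 65/66/67 prefixes, fed the bytes OllyDbg did decode (00401009..0040105C). It also names prefixes that change nothing for a register-only instruction (OllyDbg's "Superfluous prefix") and shows that a 00 35 pair without the 67 prefix consumes a 4-byte displacement, so the same-looking bytes at 0040105D decode to something quite different.

```python
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG32 = ["e" + r for r in REG16]
RM16 = ["bx+si", "bx+di", "bp+si", "bp+di", "si", "di", None, "bx"]  # 16-bit addressing, mod=0

def decode_one(code, pos):
    """Decode one instruction at code[pos]; return (length, text)."""
    i, pfx = pos, set()
    while i < len(code) and code[i] in (0x65, 0x66, 0x67):   # collect prefix bytes
        pfx.add(code[i]); i += 1
    op = code[i]; i += 1
    if op == 0x90:
        return i - pos, "nop"
    if op > 0x03:
        raise ValueError("opcode %02X not handled by this example" % op)
    modrm = code[i]; i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    regs = REG8 if not op & 1 else (REG16 if 0x66 in pfx else REG32)  # 66 halves operand size
    if mod == 3:                                    # register-direct r/m
        rm_text, unused = regs[rm], pfx & {0x65, 0x67}  # no memory operand: these do nothing
    elif mod == 0:
        if 0x67 in pfx:                             # 16-bit addressing forms
            if rm == 6: rm_text = "[%04X]" % int.from_bytes(code[i:i+2], "little"); i += 2
            else: rm_text = "[%s]" % RM16[rm]
        else:                                       # 32-bit addressing forms
            if rm == 5: rm_text = "[%08X]" % int.from_bytes(code[i:i+4], "little"); i += 4
            elif rm == 4: raise ValueError("SIB byte not handled by this example")
            else: rm_text = "[%s]" % REG32[rm]
        rm_text, unused = ("gs:" + rm_text if 0x65 in pfx else rm_text), set()
    else:
        raise ValueError("mod=%d not handled by this example" % mod)
    dst, src = (regs[reg], rm_text) if op & 2 else (rm_text, regs[reg])  # 02/03: reg is dest
    text = "add %s,%s" % (dst, src)
    if unused:
        text += " ; superfluous prefix " + ",".join("%02X" % p for p in sorted(unused))
    return i - pos, text

def disassemble(code, base):
    """Linear sweep from base; returns [(address, hex bytes, text), ...]."""
    out, pos = [], 0
    while pos < len(code):
        n, text = decode_one(code, pos)
        out.append((base + pos, code[pos:pos + n].hex().upper(), text)); pos += n
    return out

# Bytes copied from the thread's listing at 00401009..0040105C (what OllyDbg did decode).
TEST = bytes.fromhex("90 00D5 6500D5 6600D5 6700D5 65666700D5 03D5 6503D5 6603D5 6703D5"
                     " 65666703D5 90 670037 66670037 6566670037 670337 66670337 6566670337"
                     " 90 670035 66670035 6566670035 670335 66670335 6566670335 90")
```

Running disassemble(TEST, 0x401009) reproduces the 26 lines OllyDbg showed; running it on the bytes at 0040105D (00 35 65 00 35 66) yields add [66350065],dh, because without 67 the 35 modrm byte means a bare disp32.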

TBD
October 9th, 2003, 22:46
MazeGen: I think OD screws up on 40105D when it marks the next as data.

Maybe you should use RTA2 ("http://ibiblio.org/paulc/rta/") for your task, which is based on Olly's disassembly engine.

MazeGen
October 10th, 2003, 11:00
Thanks TBD,
RTA2 looks interesting. I am preparing for debugging with symbols (I code in MASM), so I have to look for another debugger anyway. I like OllyDbg, but it doesn't eat CodeView or PDB debug information (produced by M$ LINK), so I'm trying to configure SICE or the VC++ debugger.
By the way, do you have any experience with symbolic debugging of MASM code?

Coops
October 10th, 2003, 11:19
Hey guys, sounds like MazeGen is going to move on to another debugger for his project but I am still interested in a solution for the problem he raised since I have also encountered this problem once or twice... Has anyone else faced this and found a solution?

MazeGen
October 10th, 2003, 11:40
Coops,
Do you mean the problem with marking code as data or symbolic debugging?

EDIT
Oh I got it, the problem with the code as data
/EDIT

TBD
October 12th, 2003, 23:02
MazeGen: ollydbg.hlp: to read symbolic debugging information in Microsoft formats (CodeView, COFF, PDB and SYM), you need dbghelp.dll.

Check this thread ("http://ollydbg.win32asmcommunity.net/?action=vthread&forum=1&topic=40") for MASM32 symbolic debugging.

ps. use the power of search, Luke

sgdt
October 17th, 2003, 22:10
Just a silly question, but have you tried the Control Up/Down arrows? You know, to set where the first byte at the top of the code window starts?

MazeGen
October 20th, 2003, 14:24
TBD,
Thanks, I've used the power of search already, but I found only information that a plug-in for MASM (my compiler) is under development or so. So that reference is new to me. It could be really groovy!
Anyway, I just tried both

\masm32\bin\Link /DEBUG /DEBUGTYPE:CV /SUBSYSTEM:WINDOWS main.obj
(does create main.pdb and main.ilk files)

and

\masm32\bin\Link /DEBUG /DEBUGTYPE:CV /PDB:NONE /SUBSYSTEM:WINDOWS
(it doesn't)

but OllyDbg seems to have no debug info: Ctrl+F5 is not working, the View -> Source window is empty, and I don't see the source line on the info pane, as you wrote in the referenced post. Additionally, I am not able to find out more information about it...
If it really works, please help me... I don't want to move on to another debugger already!

P.S. I have dbghelp.dll in main OllyDbg folder.

sgdt,
I'll have a look later, thanks!

TBD
October 20th, 2003, 22:18
MazeGen: here is what I did step by step using Iczelion Tutorial 4 - Paint

1. created a new directory, ODTest
2. copy paint.asm from \masm32\ICZTUTES\TUTE04
3. create make_debug.bat
4. add \masm32\bin\ml /c /coff /Zi paint.asm
5. add \masm32\bin\Link /DEBUG /DEBUGTYPE:CV /SUBSYSTEM:WINDOWS paint.obj
6. save and run make_debug.bat
7. open OllyDbg with paint.exe
8. CTRL+F5 (view Source)
9. ... and it works.

Please try this and tell me if it works.

ps. the MASM plugin SDK is available on the stuph page

MazeGen
October 22nd, 2003, 01:30
TBD,
thank you very much! I've tried your test with paint.asm and it works. I'll tell you what happened: when I link my own asm prog without debug info, the code looks in OD exactly like my source code. OK. When I link the same with debug info, for some unknown reason the following code is added at the top of the code:
<pre>
00401000 CC db CC
00401001 CC int3
00401002 CC int3
00401003 CC int3
00401004 CC int3
00401005 > E9 06000000 jmp SELECTOR._Start
0040100A CC int3
0040100B CC int3
0040100C CC int3
0040100D CC int3
0040100E CC int3
0040100F CC int3
00401010 > 8CC8 mov ax,cs ; my code
</pre>


And, if the gray cursor is at one of the added instructions, all seems like there is no debug code, as I wrote already (not depending on the current EIP). Well, that was the problem.
It is really groovy, and I'm glad that additionally I have no more need to move on to another dbg.

And MASM plugin SDK - I'll have a look.

Finally, I have one more question: I use tabs in my source code for justification, but the source line on the info pane shows little black panes instead of a tab-space. I don't know why, because the source view looks all right and I use the same font (System fixed font) in both. Maybe a bug?

sgdt,
the Ctrl-Up/Down arrows work, but they have no influence on the false marking of code as data.

P.S. Sorry for my English

TBD
October 22nd, 2003, 05:38
MazeGen: I think the added code is from the linker to support the internal debuggers (VC, TD, ...) -> no info. I saw that on Delphi and VC (if I remember correctly)

tabs: I don't know if it is a bug or a feature; for me it is a feature because I hate tabs in source (everyone has different tab settings -> ugly indents)

Also, if you want, please add some details about your analyser.

MazeGen
October 23rd, 2003, 02:12
TBD,
tabs: IMHO it's a bug (probably tab (ASCII 9) doesn't fit in the recognized chars area, so OD shows small black panes). You're right, but tabs are very useful for justifying source code. Anyway, OD has the same tab setting as my FAR editor, but then the Visual Studio disasm has a different setting.

Analyser: I code a code obfuscator. It is generally intended for protecting binary code written in assembly, foremost. It is possible to get some papers about it. One of my goals is a public commercial version. These days I'm coding a disassembler and I'm writing test-mode code for hand-checking its right behaviour. However, OD doesn't like this code and marks it as data.

I'll send Olly a specification of this problem, because nobody knows how to figure it out.

MazeGen
November 8th, 2003, 15:21
Hi,
the following are my questions and Olly's answers ('*' means my comment):

> 1. The source line on the info pane shows small black panes instead of
> real tabs. I think it's a bug, because the source view window shows
> the tabs correctly. It makes reading a single source line harder.


Pass 0x09 to ExtTextOutA(), and it will draw (depending on selected font)
either small squares (Terminal 6/Courier), black rectangles (system fixed font)
or vertical lines (ask me not which). I was too lazy to interpret 0x09 as
tabulation and pass it directly to my engine, that's all. Maybe I'll address
this errata-or-feature-but-not-a-bug in v1.10.


*I hope so, Olly

> 2. The heuristic scanner seems to be too sensitive for strange code - it
> often marks code as data. I know it has to be sensitive because of API
> parameter recognition etc. I tried to switch different switches in
> Debugging options, but non-event. I think the best approach to manage
> this problem can be some new switch, something like "Disassemble code
> section always as code, never data".


Hmm... just delete analysis, and Disassembler will display everything as
code.


*Olly is right here, we miss the Options -> Debugging Options -> Analysis 1: "Auto
*start analysis of main module" and "Keep analysis between sections" switches.
*They both have to be switched off. And it works!

But, of course, this is not exactly what you want. There is one trick that
allows removing analysis from the selected piece of code. Modify any command,
then select the piece you need and undo the modifications. OllyDbg marks the whole
selection as not analyzed.

*I didn't try it, but it seems to be a good trick.