Ollydbg stepping bug?


Squidge
November 4th, 2003, 08:15
Can anyone help with the following code? The code *seems* to work standalone (doesn't crash), but doesn't work under Ollydbg - it gives the result indicated in the comments, and therefore gives an Access Violation on the REP MOVS command. Since the ADD command I'm using (81) is supposed to be for immediate adding (ie - not from memory) I'm completely at a loss as to why the calculation is wrong.

The entire code for the function is below, which was written using Ollydbg 1.09d's assembler.



code:


00181040 > 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; mydll.J4 (get structure pointer)
00181044 57 PUSH EDI
00181045 56 PUSH ESI
00181046 E8 00000000 CALL mydll.0018104B ; get current EIP value
0018104B 5E POP ESI ; for self relocation [0x18104B]
0018104C 81C6 B5100000 ADD ESI,10B5 ; add 0x10B5 to 0x18104b gives 0xE42100 ?!
00181052 8BF8 MOV EDI,EAX
00181054 51 PUSH ECX
00181055 B9 00020000 MOV ECX,200
0018105A F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; Fill in structure
0018105C EB 17 JMP SHORT mydll.0018106D
0018105E 90 NOP
0018105F 90 NOP
00181060 > 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; mydll.J4CD
00181064 50 PUSH EAX
00181065 E8 D6FFFFFF CALL mydll.J4
0018106A C3 RETN
0018106B 90 NOP
0018106C 90 NOP
0018106D 33C0 XOR EAX,EAX
0018106F 59 POP ECX
00181070 5E POP ESI
00181071 5F POP EDI
00181072 C2 0400 RETN 4


I've checked the Intel command reference, and the add command I'm using is definitely the immediate version (at first I thought maybe it was adding values from memory, but this is not the case).

To try and get some more information, I've also set ESI to zero in Ollydbg directly before the add command, and got this:

ESI before ADD = 00000000
ESI after ADD = 00CC10B5

The only other thing I can think of is bad relocation, but I don't use relocation in this dll (the code is completely relocatable itself - no need for fixups).

Just thought about another thing - CC is the opcode for INT3, which Ollydbg uses to step through code, correct? Is it possible that Ollydbg guessed the instruction size wrong and put the CC in the wrong place, but didn't remove it correctly afterwards?
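Checking the INT3 guess against the two numbers in the post, as an added example (not code from the thread): the instruction bytes and observed ESI values come from the listing above; the stray-byte offset is the hypothesis being tested, not a stated fact.

```python
import struct

# Bytes of "ADD ESI, 10B5" at 0018104C as shown in the listing: 81 C6 + imm32 (little-endian)
ADD_ESI_INSN = bytes.fromhex("81C6B5100000")
ADD_ESI_ADDR = 0x0018104C
POPPED_ESI = 0x0018104B          # return address left in ESI by CALL $+5 / POP ESI


def decode_add_esi_imm32(insn: bytes) -> int:
    """Decode the imm32 of the '81 /0 id' form with ModRM C6 (destination ESI)."""
    if len(insn) != 6 or insn[:2] != b"\x81\xc6":
        raise ValueError("not ADD ESI, imm32")
    return struct.unpack("<I", insn[2:6])[0]


def relocated_esi(esi_before: int, insn: bytes) -> int:
    """ESI after the ADD, wrapped to 32 bits like the CPU does."""
    return (esi_before + decode_add_esi_imm32(insn)) & 0xFFFFFFFF


def patch_byte(insn: bytes, offset: int, value: int = 0xCC) -> bytes:
    """Model a software breakpoint (INT3 = 0xCC) left behind inside the instruction."""
    patched = bytearray(insn)
    patched[offset] = value
    return bytes(patched)


def find_stray_int3_offset(insn: bytes, esi_before: int, observed: int):
    """Offset within the instruction where a leftover 0xCC reproduces `observed`, else None.

    Only immediate bytes (offsets 2..5) are tried: a 0xCC over the opcode or ModRM
    would no longer decode as ADD ESI, imm32 at all.
    """
    for offset in range(2, len(insn)):
        if relocated_esi(esi_before, patch_byte(insn, offset)) == observed:
            return offset
    return None


if __name__ == "__main__":
    print(hex(relocated_esi(POPPED_ESI, ADD_ESI_INSN)))            # what the code intends
    off_a = find_stray_int3_offset(ADD_ESI_INSN, POPPED_ESI, 0xE42100)  # value seen under Olly
    off_b = find_stray_int3_offset(ADD_ESI_INSN, 0, 0xCC10B5)          # value seen with ESI forced to 0
    print(off_a, off_b, hex(ADD_ESI_ADDR + off_a))                     # same byte explains both
```

Both observations are reproduced by one corrupted immediate byte, so dumping the instruction bytes at that address in the debugger (rather than trusting the disassembly pane) is the quickest way to confirm or rule out the theory.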

blabberer
November 4th, 2003, 09:49
00402404 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+4] ; stack ss :[0012ffbc] = 00000000 so eax = 00000000 after execution
00402408 57 PUSH EDI ; edi = 00000000
00402409 56 PUSH ESI ; esi = 4034c4
0040240A E8 00000000 CALL ****.0040240F ; esp =40240f == retn from call
0040240F 5E POP ESI ; so esi now becomes 40240f
00402410 81C6 B5100000 ADD ESI, 10B5 ; esi now becomes 004034c4
00402416 90 NOP

Well, I assembled this in place in Olly and used "new origin here" to execute it.
It seems to work properly, but I am using 1.09b, not d, so one idea could be to check your code in that version and report if it's a problem.

drizz
November 20th, 2003, 11:40
...related

Can someone confirm this?
This crashes on WinMe when single-stepped, but works OK on Win2k.

start:
add esp,23h
lea esp,[esp+ebp-23h]; <- here
sub esp,ebp
retn
end start

Using 1.09d.