Squidge
November 4th, 2003, 08:15
Can anyone help with the following code? The code *seems* to work standalone (doesn't crash), but doesn't work under Ollydbg - it gives the result indicated in the comments, and therefore gives an Access Violation on the REP MOVS command. Since the ADD command I'm using (81) is supposed to be for immediate adding (ie - not from memory) I'm completely at a loss as to why the calculation is wrong.
The entire code for the function is below, which was written using Ollydbg 1.09d's assembler.
code:
00181040 > 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; mydll.J4 (get structure pointer)
00181044 57 PUSH EDI
00181045 56 PUSH ESI
00181046 E8 00000000 CALL mydll.0018104B ; get current EIP value
0018104B 5E POP ESI ; for self relocation [0x18104B]
0018104C 81C6 B5100000 ADD ESI,10B5 ; add 0x10B5 to 0x18104b gives 0xE42100 ?!
00181052 8BF8 MOV EDI,EAX
00181054 51 PUSH ECX
00181055 B9 00020000 MOV ECX,200
0018105A F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; Fill in structure
0018105C EB 17 JMP SHORT mydll.0018106D
0018105E 90 NOP
0018105F 90 NOP
00181060 > 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; mydll.J4CD
00181064 50 PUSH EAX
00181065 E8 D6FFFFFF CALL mydll.J4
0018106A C3 RETN
0018106B 90 NOP
0018106C 90 NOP
0018106D 33C0 XOR EAX,EAX
0018106F 59 POP ECX
00181070 5E POP ESI
00181071 5F POP EDI
00181072 C2 0400 RETN 4
I've checked the Intel command reference, and the add command I'm using is definitely the immediate version (at first I thought maybe it was adding values from memory, but this is not the case).
To try and get some more information, I've also set ESI to zero in Ollydbg directly before the add command, and got this:
ESI before ADD = 00000000
ESI after ADD = 00CC10B5
The only other thing I can think of is bad relocation, but I don't use relocation in this dll (the code is completely relocatable itself - no need for fixups).
Just thought about another thing - CC is the opcode for INT3, which Ollydbg uses to step through code, correct? Is it possible that Ollydbg guessed the instruction size wrong and put the CC in the wrong place, but didn't remove it correctly afterwards?
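A small model of what the numbers in the post imply, added here as an illustration (it is not Squidge's code and not Ollydbg's): it decodes the 81 C6 imm32 form of ADD ESI,imm32 from the listing, writes an INT3 byte (0xCC) over one byte of the instruction the way a software breakpoint patches memory, and reproduces both observed values. The instruction bytes and the POP ESI value come from the listing; the breakpoint address 00181050 is a constructed assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of "ADD ESI,10B5" (81 C6 B5 10 00 00) as listed at 0018104C. */
#define INSN_ADDR 0x0018104Cu
#define INSN_LEN 6
static const uint8_t ADD_ESI_IMM32[INSN_LEN] = {0x81, 0xC6, 0xB5, 0x10, 0x00, 0x00};

/* Decode the little-endian imm32 of "81 /0 id" (ADD r/m32,imm32) with ModRM C6 (ESI).
 * Returns 0 on success, -1 if the bytes are not that encoding. */
static int decode_add_esi_imm32(const uint8_t *b, uint32_t *imm)
{
    if (b[0] != 0x81 || b[1] != 0xC6)
        return -1;
    *imm = (uint32_t)b[2] | ((uint32_t)b[3] << 8) | ((uint32_t)b[4] << 16) | ((uint32_t)b[5] << 24);
    return 0;
}

/* Copy the instruction, then write an INT3 (0xCC) at bp_addr if it falls inside it,
 * as a software breakpoint does in memory. Returns the patched offset, or -1. */
static int patch_int3(uint8_t *dst, const uint8_t *src, uint32_t insn_addr, uint32_t bp_addr)
{
    memcpy(dst, src, INSN_LEN);
    if (bp_addr < insn_addr || bp_addr >= insn_addr + INSN_LEN)
        return -1;
    dst[bp_addr - insn_addr] = 0xCC;
    return (int)(bp_addr - insn_addr);
}

/* ESI after the ADD executes (wrapping at 32 bits like the CPU) when an INT3 has been
 * left at bp_addr. A bp_addr outside the instruction gives the clean result. */
static uint32_t esi_after_add(uint32_t esi, uint32_t bp_addr)
{
    uint8_t bytes[INSN_LEN];
    uint32_t imm = 0;
    patch_int3(bytes, ADD_ESI_IMM32, INSN_ADDR, bp_addr);
    return decode_add_esi_imm32(bytes, &imm) == 0 ? esi + imm : esi;
}

int main(void)
{
    /* 0018104B is what POP ESI leaves, per the listing; the INT3 at 00181050 is a constructed scenario. */
    printf("clean:   ESI=%08X\n", esi_after_add(0x0018104Bu, 0));           /* 00182100 */
    printf("patched: ESI=%08X\n", esi_after_add(0x0018104Bu, 0x00181050u)); /* 00E42100 */
    printf("from 0:  ESI=%08X\n", esi_after_add(0, 0x00181050u));           /* 00CC10B5 */
    return 0;
}
```

A 0xCC at 00181050 is the third immediate byte (offset 4 of the instruction), which is exactly why the immediate reads 00CC10B5 and the sum lands at 0xE42100; a breakpoint on the next instruction boundary (00181052) leaves the ADD untouched.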