
Strange analysis


psyCK0
November 9th, 2003, 19:56
When I try to debug an exe that includes this code:
<pre>
GetFile proc hWin:HWND

    ; Fill in the OPENFILENAME structure (ofn) before calling the common dialog
    mov ofn.lStructSize,SIZEOF ofn
    push hWin
    pop ofn.hWndOwner
    push hInstance
    pop ofn.hInstance
    mov ofn.lpstrFilter, OFFSET FilterString
    mov ofn.lpstrFile, OFFSET buffer
    mov ofn.nMaxFile,MAXSIZE
    mov ofn.Flags, OFN_FILEMUSTEXIST or \
                   OFN_PATHMUSTEXIST or OFN_LONGNAMES or \
                   OFN_EXPLORER or OFN_HIDEREADONLY

    invoke GetOpenFileName, ADDR ofn
    ret

GetFile endp

DlgProc proc hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM

    mov eax,uMsg

    .if eax == WM_INITDIALOG
        ; Set up dialog icons: load the icon from file and hand it to the dialog
        invoke LoadImage, hInstance, addr szFileIcon, IMAGE_ICON, 32, 32, LR_LOADFROMFILE
        .if eax != 0
            invoke SendMessage, hWin, WM_SETICON, ICON_BIG, eax
        .endif
</pre>

....
....

Olly's analysis produces:

....
....

<pre>
00401031 $ 55 PUSH EBP
00401032 . 8BEC MOV EBP,ESP
00401034 . C705 31314000>MOV DWORD PTR DS:[ofn],4C
0040103E . FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401041 . 8F05 35314000 POP DWORD PTR DS:[403135]
00401047 . FF35 80314000 PUSH DWORD PTR DS:[403180]
0040104D . 8F05 39314000 POP DWORD PTR DS:[403139]
00401053 C7 DB C7
00401054 05 DB 05
00401055 > 3D314000 DD Cryptor.0040313D
00401059 0E304000 DD OFFSET Cryptor.FilterString ; ASCII "EXE Files"
0040105D . C705 4D314000>MOV DWORD PTR DS:[40314D],OFFSET Cryptor>
00401067 . C705 51314000>MOV DWORD PTR DS:[403151],104
00401071 . C705 65314000>MOV DWORD PTR DS:[403165],281804
0040107B . 68 31314000 PUSH OFFSET Cryptor.ofn ; /pOpenFileName = OFFSET Cryptor.ofn
00401080 . E8 B5000000 CALL <JMP.&comdlg32.GetOpenFileNameA> ; \GetOpenFileNameA
00401085 . C9 LEAVE
00401086 . C2 0400 RETN 4
00401089 55 DB 55 ; CHAR 'U'
0040108A 8B DB 8B
0040108B EC DB EC
0040108C 8B DB 8B
0040108D 45 DB 45 ; CHAR 'E'
0040108E 0C DB 0C
0040108F 3D DB 3D ; CHAR '='
00401090 10 DB 10
00401091 01 DB 01
00401092 00 DB 00
00401093 00 DB 00
00401094 75 DB 75 ; CHAR 'u'
00401095 2E DB 2E ; CHAR '.'
00401096 6A DB 6A ; CHAR 'j'
00401097 10 DB 10
00401098 6A DB 6A ; CHAR 'j'
00401099 20 DB 20 ; CHAR ' '
0040109A 6A DB 6A ; CHAR 'j'
0040109B 20 DB 20 ; CHAR ' '
0040109C 6A DB 6A ; CHAR 'j'
0040109D 01 DB 01
0040109E 68 DB 68 ; CHAR 'h'
0040109F 00304000 DD OFFSET Cryptor.szFileIcon ; ASCII "xxx.ico"
004010A3 FF DB FF
004010A4 35 DB 35 ; CHAR '5'
004010A5 80314000 DD Cryptor.00403180
004010A9 E8 DB E8
004010AA 74 DB 74 ; CHAR 't'
004010AB 00 DB 00
004010AC 00 DB 00
004010AD > 00 DB 00
004010AE . 0BC0 OR EAX,EAX
004010B0 . 74 55 JE SHORT Cryptor.00401107
004010B2 . 50 PUSH EAX ; /lParam
004010B3 . 6A 01 PUSH 1 ; |wParam = 1
004010B5 . 68 80000000 PUSH 80 ; |Message = WM_SETICON
004010BA . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004010BD . E8 6C000000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
</pre>

....
....

Why is it showing all this DB stuff???
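As an added illustration (not part of the original post), the Python snippet below is a linear-sweep decoder limited to the opcode forms that occur in the listing, run over the exact bytes Olly printed as DB/DD lines. It shows that those bytes are well-formed instructions matching the MASM source (the `mov ofn.lpstrFilter` store, and the `cmp` plus `LoadImage` pushes of DlgProc); the 32-bit immediates 0040300E and 00403000 are the values Olly recognised as pointers (its `DD OFFSET` lines), and the code/data boundary in Olly's listing appears right around them. The byte strings are constructed from the listing above.

```python
import struct

# Constructed from the OllyDbg listing in the post: the raw bytes that Olly
# showed as DB/DD lines instead of instructions, as (start address, bytes).
ANALYZED_AS_DATA = {
    "GetFile": (0x00401053, bytes.fromhex("C7053D3140000E304000")),
    "DlgProc": (0x00401089, bytes.fromhex(
        "558BEC8B450C3D10010000752E6A106A206A206A016800304000FF3580314000E874000000")),
}

def u32(code, i):
    return struct.unpack_from("<I", code, i)[0]

def s8(b):
    return b - 256 if b > 127 else b

def decode(addr, code):
    """Linear-sweep decoder for just the x86 forms present in the listing.
    Anything it does not recognise is emitted as DB, as a disassembler would."""
    out, i = [], 0
    while i < len(code):
        at, b, nxt = addr + i, code[i], code[i + 1] if i + 1 < len(code) else None
        if b == 0x55:                   ins, n = "PUSH EBP", 1
        elif (b, nxt) == (0x8B, 0xEC):  ins, n = "MOV EBP,ESP", 2
        elif (b, nxt) == (0x8B, 0x45):  ins, n = f"MOV EAX,[EBP+{code[i+2]:X}]", 3
        elif (b, nxt) == (0xC7, 0x05):  # MOV DWORD PTR [disp32],imm32 (10 bytes)
            ins, n = f"MOV DWORD PTR [{u32(code, i+2):08X}],{u32(code, i+6):08X}", 10
        elif b == 0x3D:                 ins, n = f"CMP EAX,{u32(code, i+1):X}", 5
        elif b == 0x75:                 ins, n = f"JNZ SHORT {at + 2 + s8(nxt):08X}", 2
        elif b == 0x6A:                 ins, n = f"PUSH {nxt:X}", 2
        elif b == 0x68:                 ins, n = f"PUSH {u32(code, i+1):08X}", 5
        elif (b, nxt) == (0xFF, 0x35):  ins, n = f"PUSH DWORD PTR [{u32(code, i+2):08X}]", 6
        elif b == 0xE8:                 # CALL rel32, target relative to next instruction
            rel = struct.unpack_from("<i", code, i + 1)[0]
            ins, n = f"CALL {at + 5 + rel:08X}", 5
        else:                           ins, n = f"DB {b:02X}", 1
        out.append((at, ins))
        i += n
    return out

def count_data_bytes(listing):
    """Number of entries left as DB, i.e. bytes that did not decode as code."""
    return sum(1 for _, ins in listing if ins.startswith("DB "))

if __name__ == "__main__":
    for name, (addr, code) in ANALYZED_AS_DATA.items():
        print(f"--- {name}: region Olly marked as data ---")
        for at, ins in decode(addr, code):
            print(f"{at:08X}  {ins}")
```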

psyCK0
November 9th, 2003, 20:09
Hmm, seems like this problem was discussed in another thread... Still, there is no good resolution; removing analysis is not the way to go =)

MazeGen
November 12th, 2003, 14:07
psyCK0,
What about that (message from Olly from the thread)?
But, of course, this is not exactly what you want. There is one trick that allows you to remove analysis from the selected piece of code. Modify any command, then select the piece you need and undo the modifications. OllyDbg marks the whole selection as not analyzed.