peak
March 20th, 2004, 08:59
I am debugging an overflow code. I find that when I come to the return address (retaddr) that has been overlaid with the wrong address, OllyDbg always says
"Don't know how to step because memory at address 61616161 is not readable. Try to change EIP or pass exception to program"
I know this exception can be caught by the command "faults on" with SoftICE. But how can I catch it with OllyDbg?
example:
vc6 /release
files.txt ---------- aaaaaaaaaaaaaaaaaaaa
when the number of characters >= 20, overflow.....
#include <stdio.h>

int main()
{
    char buffer[16] = "";          /* 16-byte stack buffer */
    FILE *fd = NULL;
    fd = fopen("files.txt", "rb");
    if (fd == NULL)
        return printf("can't open files.txt\n");
    fgets(buffer, 1000, fd);       /* limit 1000 > sizeof(buffer): this is the overflow */
    return 0;
}
peak
March 20th, 2004, 19:43
Now I give the disassembly of the code:
:0040112B 55 push ebp
:0040112C 8BEC mov ebp, esp
:0040112E 6AFF push FFFFFFFF
:00401130 68B0604000 push 004060B0
:00401135 6840284000 push 00402840
:0040113A 64A100000000 mov eax, dword ptr fs:[00000000]
:00401140 50 push eax
:00401141 64892500000000 mov dword ptr fs:[00000000], esp
:00401148 83EC10 sub esp, 00000010
:0040114B 53 push ebx
:0040114C 56 push esi
:0040114D 57 push edi
:0040114E 8965E8 mov dword ptr [ebp-18], esp
|
|
|
|
:004011DA E821FEFFFF call 00401000
:004011DF 83C40C add esp, 0000000C
:004011E2 8945E4 mov dword ptr [ebp-1C], eax
:004011E5 50 push eax
F7->00401000
:00401000 83EC10 sub esp, 00000010
:00401003 A0F0784000 mov al, byte ptr [004078F0]
:00401008 33C9 xor ecx, ecx
:0040100A 894C2401 mov dword ptr [esp+01], ecx
:0040100E 6858704000 push 00407058
:00401013 894C2409 mov dword ptr [esp+09], ecx
:00401017 684C704000 push 0040704C
:0040101C 894C2411 mov dword ptr [esp+11], ecx
:00401020 88442408 mov byte ptr [esp+08], al
:00401024 66894C2415 mov word ptr [esp+15], cx
:00401029 884C2417 mov byte ptr [esp+17], cl
:0040102D E8E6000000 call 00401118
:00401032 83C408 add esp, 00000008
:00401035 85C0 test eax, eax
:00401037 7511 jne 0040104A
:00401039 6830704000 push 00407030
:0040103E E884000000 call 004010C7
:00401043 83C404 add esp, 00000004
:00401046 83C410 add esp, 00000010
:00401049 C3 ret
:0040104A 50 push eax
:0040104B 8D542404 lea edx, dword ptr [esp+04]
:0040104F 68E8030000 push 000003E8
:00401054 52 push edx
:00401055 E816000000 call 00401070 ----------------> fgets
:0040105A 83C40C add esp, 0000000C
:0040105D 33C0 xor eax, eax
:0040105F 83C410 add esp, 00000010
:00401062 C3 ret ------------------------------> be careful, returns to the address (retaddr) that has been overlaid (wrong)
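To make the 61616161 in the error message concrete, here is an added example (not code from the thread) that models the frame shown in the listing: buffer[16] at the bottom of the 16-byte local area from "sub esp, 10", with the caller's return address (004011DF, the instruction after the call) directly above it; the layout is assumed from the listing. It replays fgets with the original limit of 1000 beside a limit of sizeof(buffer) and reports what ends up in the return-address slot.

```c
#include <stdint.h>
#include <string.h>

/* Assumed frame layout, read from the listing: 16 bytes of locals holding
 * buffer[16] (lea edx, [esp+04] after push eax points at its start), and the
 * caller's return address directly above it at the old [esp+10]. */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t))

/* Simulates fgets(buffer, limit, fd) consuming `line` (a constructed line with
 * no newline) into that frame. The copy is done into a byte-exact model of the
 * frame so the simulation itself never writes out of bounds.
 * Returns the value left in the return-address slot afterwards. */
uint32_t simulate_fgets(const char *line, size_t limit, uint32_t retaddr)
{
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, BUF_SIZE);
    memcpy(frame + BUF_SIZE, &retaddr, sizeof retaddr); /* little-endian x86 */

    if (limit == 0)                       /* fgets reads nothing */
        return retaddr;
    size_t n = strlen(line);
    if (n > limit - 1)                    /* fgets stops after limit-1 chars */
        n = limit - 1;

    size_t chars = n < FRAME_SIZE ? n : FRAME_SIZE; /* model covers the frame only */
    memcpy(frame, line, chars);
    if (n < FRAME_SIZE)
        frame[n] = '\0';                  /* the terminating NUL fgets appends */

    memcpy(&retaddr, frame + BUF_SIZE, sizeof retaddr);
    return retaddr;
}

/* The fix the source needs: pass sizeof(buffer) instead of 1000.
 * Returns 1 when the bounded read leaves the return address intact. */
int bounded_read_preserves_retaddr(const char *line, uint32_t retaddr)
{
    return simulate_fgets(line, BUF_SIZE, retaddr) == retaddr;
}
```

With 20 or more 'a' characters and the limit of 1000 the slot becomes 0x61616161; with limit 16 the same input is cut at 15 characters and the return address survives.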
peak
March 21st, 2004, 08:00
I have got it.
olly can catch it too.
:-)
blabberer
March 22nd, 2004, 08:53
Won't sharing your thought process be better for someone reading this thread rather than seeing you blinking your eye?
When you ask a question and expect it to be answered, then I think it is also normal to answer your own question when you have found it out on your own, and say how you found it out.
My opinion.
peak
March 22nd, 2004, 20:00

I just wonder why nobody answers my question. Are my expressions too poor to be understood?
Thank you for your advice.
Here is my way:
open the program;
then, before running it, set a breakpoint at KiUserExceptionDispatcher
"bpx KiUserExceptionDispatcher";
run;
stop at 00401062 C3 ret
shift + F9 -----> enter the context of KiUserExceptionDispatcher.....
blabberer
March 22nd, 2004, 22:22
Well, then that means you are talking about NT-based systems only and not 9x-based systems, because in 9x-based systems you can't step through or break in system DLLs.
2) Why don't you view the SEH chain (available in the latest version) to see the exception handler and break on it?
3) Before pressing Shift+F9 or F8, why don't you go to Debugging Options ---> Exceptions ---> Add last exception?
4) You can also search for zwContinue in ntdll.dll and keep a permanent break there so it breaks on any exception or fault.
5) Try searching for a call near ecx in ntdll.dll; there must be two or three of them, and one of those calls belongs to KiUserException Blah.
You analyze ntdll and put a break there, and it remains forever as long as you don't delete the ntdll.udd file.