to gigapede regarding labeller plugin


blabberer
March 31st, 2004, 10:43
hey gigapede,
i was trying out your labeller plugin with reference to my post with topic re Ddraw methods labelling
i edited the struct definition and reloaded the struct definition, then
i told it to make a label
and specified an address of 0x728a**** (this is the method, this struct has 24 members)

but it says debuggee blah blah is out of range and crashes ollydbg itself

so i tried various addresses and i always see that the address is out of debuggee range

see your source

if(adrs < dwImageBase || adrs > dwImageBase+dwSizeOfImage) {
    wsprintf(buf,"The address 0x0%X is out of Debugee range.\nReally do you want to set label at this address?",adrs);
    ret = MessageBox(hwmain,buf,PNAME,MB_OKCANCEL);
    if(ret == IDCANCEL) {
        return FALSE;
    }
}


why is this happening? do you have any ideas?
you can tell it faster than me because i would have to peer through your whole source and understand it completely to find the problem
so if you happen to read this please reply
thanks and regards

focht
March 31st, 2004, 15:17
Greets,

i guess you're trying to mimic a vtable interface (OLE/COM style) with your struct definition.
The check fails because your "virtual" functions/methods reside in the system dll area (0x72......).
Gigapede simply took the PE header image base+size to validate the range.
Maybe it's dangerous setting/keeping labels outside of the debuggee image in sync (target dll is not loaded yet/delay load, relocated, vm block/page not accessible... whatever)

For the ollydbg crash it would be nice to get a callstack to track down the cause (probably accessing invalid memory).

Regards

blabberer
April 1st, 2004, 08:23
greets focht,
yep, i assumed so, that it may not be accepting a range outside my debuggee

Quote:

so i tried various addresses and i always see that the address is out of debuggee range

so i tried 401000, 402000 and all these addresses pop up this debuggee out of range message, that is why i wrote this post

and another problem is i tried loading this in TBD_DEBUGPLUGIN to see, but TBD debug plugin says it is updated for 1.08 only
and i am using 1.10b

so it's problems over problems, only then i wrote this post
asking gigapede for help resolving it

and thanks for the reply, yes i am trying to label
728a6153,***,*** as DDQUERYINTERFACE,DDRELEASE,DDSETCOOPERATIVELEVEL ETC,ETC

yes it's COM

blabberer
April 2nd, 2004, 10:42
well, so i loaded that TBD debug plugin in version 1.08 and tried debugging your plugin


extc void _export cdecl ODBG_Pluginaction(int origin,int action,void *item) {

here when i click labeller-->make label
i see
0048CF28 |. FFD0 CALL NEAR EAX ; Labeler._ODBG_Pluginaction

EBP-14 0> 00000000
EBP-10 0> 00000000
EBP-C 0> 00000000
EBP-8 0> 0042E7D8 Entry address
EBP-4 0> 0000E240
EBP ==> 0>/0012F6F0
EBP+4 0>|00430540 RETURN to ollydbg.00430540 from ollydbg.0048CEC4

your source
switch(origin) {
case PM_MAIN:
    switch (action) {
    case LBL_MAKELABEL:
        if(Getstatus() == STAT_NONE) {
            return;
        }
        MakeLabel(origin, NULL);
        return;
    case LBL_DELETELABEL:
        if(Getstatus() == STAT_NONE) {
            return;
        }

in disassembly
041F1410 Labeler.>PUSH EBP
041F1411 MOV EBP, ESP
041F1413 ADD ESP, -884
041F1419 PUSH EBX
041F141A PUSH ESI
041F141B PUSH EDI
041F141C MOV EDI, DWORD PTR SS:[EBP+8]
041F141F MOV EAX, EDI
041F1421 SUB EAX, 1 ; Switch (cases 0..22)
041F1424 JB SHORT Labeler.041F1444
041F1426 SUB EAX, 1E
041F1429 JE Labeler.041F14F6
041F142F DEC EAX ; Labeler._ODBG_Pluginaction
041F1430 JE Labeler.041F16E7
041F1436 SUB EAX, 2
041F1439 JE Labeler.041F1631
041F143F JMP Labeler.041F1729
041F1444 MOV EDX, DWORD PTR SS:[EBP+C] ; Case 0 of switch 041F1421
041F1447 CMP EDX, 2 ; Switch (cases 0..3F)
041F144A JG SHORT Labeler.041F145A
041F144C JE SHORT Labeler.041F14B3



and this directly goes to DialogBoxParamA
041F1F10 CALL <JMP.&USER32.DialogBoxParam>; \DialogBoxParamA

stack here
EBP-150 0>|hInst = 041F0000
EBP-14C 0>|pTemplate = 65
EBP-148 0>|hOwner = 004C00B6 ('OllyDbg - trespass.exe - [CPU...',class='OLLYDBG')
EBP-144 0>|DlgProc = Labeler.041F2274
EBP-140 0>\lParam = NULL



and in your dlg proc you confirm this
041F27F6 CMP EAX, DWORD PTR SS:[EBP-20]
041F27F9 JA SHORT Labeler.041F2806
041F27FB ADD EAX, DWORD PTR DS:[4202274]
041F2801 CMP EAX, DWORD PTR SS:[EBP-20]
041F2804 JNB SHORT Labeler.041F2844
041F2806 MOV EDX, DWORD PTR SS:[EBP-20]
041F2809 LEA ECX, DWORD PTR SS:[EBP-134]
041F280F PUSH EDX ; /<%X> = 4C00B6
041F2810 PUSH Labeler.041FF551 ; |Format = "The address 0x0%X is out of Debugee range.
Really do you want to set label at this address?"
041F2815 PUSH ECX ; |s = Labeler.041F0000
041F2816 CALL <JMP.&USER32.wsprintfA> ; \wsprintfA
041F281B ADD ESP, 0C



but GetPEInfo isn't called before, so the dwords pointed to by
imagebase and imagesize always remain zero
so it says so

can you please go through your source and tell me if you are filling the imagebase and imagebase_imagesize beforehand

else, if i am right, can you correct this plugin and upload a new version

btw (i think you should implement the imagebase of any dlls too, if it's possible)

thanks and regards

focht
April 3rd, 2004, 09:19
Greets,

well i managed to compile the plugin using VC++ 7.1 ...
It shows lots of warnings and some errors (which went away after i used the ugliness of c-style casts).

Anyway you're right - it depends on how the plugin is used.
If used with the context menu (right click cpu window) it correctly initializes the stuff, even GetPEInfo() is called.
When using the main menu, GetPEInfo() isn't called and other stuff goes way wrong so it crashes ollydbg
(mainly due to uninitialized memory/null pointer dereferencing)

Code:

int MakeLabel(int origin, char *addr)
{
    int id,i,j,k;
    UINT adrs;
    char lbl[255],fmt[10];
    int align[] = {1,2,4,8,16};

    id = DialogBoxParam(hinst,MAKEINTRESOURCE(IDD_LABELMAKER),hwmain,(DLGPROC)MakLblDlgProc,(LPARAM)origin);
    if(id != IDOK) {
        return -1;
    }
    WriteLabelHistToIni();
    //adrs = strtoul(addr,&stop,16);
    sscanf(addr,"%X",&adrs); // <--- crashes here because "addr" is not setup (null ptr)
    ....


A code cleanup would improve quality and slay some bugs (i suspect more bugs while glancing over the code).
(e.g. factoring out the "local scope" address calc in ODBG_Pluginaction() into helper functions).
Consistent use of error handling/pointer checking/asserts would pinpoint bugs more quickly.

There exist good _free_ PE.c modules which wrap a lot of PE reading/data gathering stuff. No need to reinvent the wheel.

For the range itself, yes, it's very strict, only allowing the debuggee module base + size itself, not any other (system module/dll).

Code:

BOOL GetPEInfo(void)

...
DbgePath = (char*)Plugingetvalue(VAL_EXEFILENAME);

..


Regards
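
A hardened version of the two checks discussed in this thread, the image-range test quoted in the first post and the NULL addr handed to sscanf() in MakeLabel(): this is an added illustration, not code from gigapede's plugin. It looks the address up in a module table instead of a single base + size (the table here is constructed; a real build would fill it from the debugger), initializes that table lazily so the main-menu and context-menu paths cannot differ, and rejects a NULL or malformed address string before parsing. ensure_module_info, module_for_address, parse_label_address and label_target_module are hypothetical names.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed module table; the original plugin only stored the debuggee's base + size. */
typedef struct { const char *name; unsigned long base, size; } Module;
static Module g_mods[2];
static int g_mods_ready = 0;

/* Hypothetical GetPEInfo() replacement, called from every entry path so the table is never zeroed. */
static int ensure_module_info(void)
{
    if (!g_mods_ready) {
        /* constructed values; a real build would query the debugger here */
        g_mods[0].name = "trespass.exe"; g_mods[0].base = 0x00400000UL; g_mods[0].size = 0x000E2000UL;
        g_mods[1].name = "ddraw.dll";    g_mods[1].base = 0x728A0000UL; g_mods[1].size = 0x000B0000UL;
        g_mods_ready = 1;
    }
    return g_mods_ready;
}

/* Module containing adrs, or NULL if it lies in none. Upper bound is
 * exclusive; the original '>' test accepted base + size itself. */
const Module *module_for_address(unsigned long adrs)
{
    size_t i;
    if (!ensure_module_info()) return NULL;
    for (i = 0; i < sizeof g_mods / sizeof g_mods[0]; i++)
        if (adrs >= g_mods[i].base && adrs - g_mods[i].base < g_mods[i].size)
            return &g_mods[i];
    return NULL;
}

/* Hex-parses the dialog text; -1 on NULL/empty/non-hex instead of crashing in sscanf(NULL,...). */
int parse_label_address(const char *addr, unsigned long *out)
{
    char *end;
    if (addr == NULL || *addr == '\0') return -1;
    errno = 0;
    *out = strtoul(addr, &end, 16);
    return (errno != 0 || *end != '\0') ? -1 : 0;
}

/* Module name a label at this text address lands in, or NULL if invalid / outside all modules. */
const char *label_target_module(const char *addr)
{
    unsigned long adrs;
    const Module *m = parse_label_address(addr, &adrs) ? NULL : module_for_address(adrs);
    return m ? m->name : NULL;
}
```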

blabberer
April 3rd, 2004, 11:04
hi focht,
greetings ,

thanks a lot focht for clearing up the doubts
i lack programming knowledge so i couldn't confirm anything
i glanced over the source many times but couldn't come to a conclusion as to where his pm_main, pm_cpuregs, pm_disasm (all switches) are initialized, or whatever it is called
but debugging it through the TBD debug plugin i saw that GetPEInfo didn't break at all, so i single stepped through ODBG_Pluginaction
and wrote the above post

yep, i saw that dbgepath, that's why i asked him if he could implement system dlls if it's possible

thanks a lot once again

regards