Privileged Instruction
OnoSendai
June 24th, 2004, 05:28
hi all,
an application that i'm trying to debug loads a dll with opcodes OUTS and IN. When ollydbg reaches these opcodes a privileged instruction exception is fired.
is there a workaround for this problem?
many thanks in advance!
psyCK0
June 24th, 2004, 06:13
That exception means that the processor decoded a privileged instruction but was not executing in the privileged mode. Usually this kind of exception is fired due to some kind of executable file protection.
mimas
June 24th, 2004, 06:15
These instructions cannot be executed in ring3 (application level); the program should run in ring0 (kernel mode) to access I/O ports.
What's the DLL? It could be an anti-debugging trick. Try to pass the exception with Shift+(F7, F8 or F9).
OnoSendai
June 24th, 2004, 09:11
thank you for your additional info!
It is probably an anti-debugging trick.
upon mapping of this dll ollydbg shows the message: "...entry point outside code ..."
if i try shift + f7/f8/f9 the log window says:
"Debugged program was unable to process exception"
afterwards the threads are terminated
(i just tried the porttalk freeware but without success)
Ricardo Narvaja
June 24th, 2004, 13:36
Armadillo probably. Rename ollydbg to another name and try again, using the IsDebug plugin too, and see if it passes the exceptions.
Ricardo
OnoSendai
June 24th, 2004, 16:12
so far I tried this:
-shift f7,f8,f9
-renaming ollydbg
-IsDebug displayed <error>
-start via allowio from porttalk
-nopping the io opcodes -> same exception on later calls
programming can be very frustrating
by the way here is the snippet that causes the probs
005ED447 FF15 B8BDA300 CALL DWORD PTR DS:[…] ;
617441F0 > 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
617441F1 E5 6D IN EAX,6D ; I/O command
617441F3 AB STOS DWORD PTR ES:[EDI]
617441F4 227F 61 AND BH,BYTE PTR DS:[EDI+61]
617441F7 BB 53CCE5DA MOV EBX,DAE5CC53
617441FC 56 PUSH ESI
617441FD C9 LEAVE
and thank you for any further ideas
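The ring3 restriction described in the replies above, modelled for the IN EAX,6D line of this listing; this is an added example and not code from the thread. The function names and the bitmap contents are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One-byte x86 opcodes that access I/O ports and are therefore IOPL-sensitive. */
int is_io_opcode(uint8_t op)
{
    return (op >= 0x6C && op <= 0x6F)   /* INS / OUTS          */
        || (op >= 0xE4 && op <= 0xE7)   /* IN / OUT with imm8  */
        || (op >= 0xEC && op <= 0xEF);  /* IN / OUT through DX */
}

/* Protected-mode port check: 1 if the access runs, 0 if it faults (#GP, the
 * fault behind the privileged instruction exception reported in this thread).
 * iopm is the TSS I/O permission bitmap (bit set = denied); iopm_len is how
 * many bitmap bytes lie inside the TSS limit. */
int io_access_allowed(unsigned cpl, unsigned iopl,
                      const uint8_t *iopm, size_t iopm_len,
                      uint16_t port, unsigned width)
{
    if (cpl <= iopl)
        return 1;                        /* privileged enough: bitmap not consulted */
    for (unsigned i = 0; i < width; i++) {
        unsigned p = (unsigned)port + i; /* every byte of the access is checked */
        if (p / 8 >= iopm_len)
            return 0;                    /* bit lies outside the TSS: denied */
        if (iopm[p / 8] & (1u << (p % 8)))
            return 0;                    /* port explicitly denied */
    }
    return 1;
}

int main(void)
{
    uint8_t iopm[32];                    /* constructed bitmap: every port denied */
    memset(iopm, 0xFF, sizeof iopm);
    /* IN EAX,6D from the listing: opcode E5, port 0x6D, 4 bytes wide. */
    printf("E5 is an I/O opcode: %d\n", is_io_opcode(0xE5));
    printf("ring3, all denied:   %d\n", io_access_allowed(3, 0, iopm, sizeof iopm, 0x6D, 4));
    iopm[0x6D / 8] &= 0x1F;              /* open ports 0x6D..0x6F only */
    printf("0x6D..0x6F open:     %d\n", io_access_allowed(3, 0, iopm, sizeof iopm, 0x6D, 4));
    iopm[0x70 / 8] &= 0xFE;              /* open 0x70 too: whole dword covered */
    printf("0x6D..0x70 open:     %d\n", io_access_allowed(3, 0, iopm, sizeof iopm, 0x6D, 4));
    printf("ring0:               %d\n", io_access_allowed(0, 0, NULL, 0, 0x6D, 4));
    return 0;
}
```

A 32-bit access at port 0x6D spans ports 0x6D to 0x70, so it still faults until all four bits are clear.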
Ricardo Narvaja
June 25th, 2004, 01:56
Tell what packer it is (use PEiD) and it will be easier to help.
If you rename olly and have errors, keep a copy of the original ollydbg.exe in the same folder to avoid the errors, and use a renamed exe you put in the same folder.
And if you use IsDebug and it makes an error, I think you are on win98; in XP it works perfectly.
Ricardo
OnoSendai
June 25th, 2004, 17:04
hi ricardo,
peid shows the following message on the dll (while all other modules look normal):
safedisc 2.51.000 -> macrovision
unfortunately i'm not a hacker so i don't know what to do with this message. but i guess there is another tool that can remove this protection?!
looking forward to hearing from you
ps: my os is xp and i also tested it on a virtual w2000 (virtual pc)
Ricardo Narvaja
June 25th, 2004, 19:20
Aja, safedisc. I hear safedisc has a different kind of detection of ollydbg but I cannot check; safedisc programs are very large (game CDs) and are difficult to download.
Ricardo