hi all,

an application, that i'm trying to debug, loads a dll with opcodes OUTS and IN. When ollydbg reaches this opcodes a privileged instruction exception is fired.

is there a workaround for this problem?

many thanks in advance!

That exception means that the processor decoded a privileged instruction but was not executing in the privileged mode. Usually this kind of exceptions are fired due to some kind of executable file protection.

These instructions cannot be executed in ring3 (level application), the programme should run in ring0 (kernel mode) to access I/O port.

What's the DLL ? It could be an anti-debugging trick. Try ty pass the exception with Shift+(F7,F8 or F9).

thank you for your additional infos!

It is probably an anti debugging trick.

upon mapping of this dll ollydbg shows the message:"...entry point outside code ..."

if i try shift + f7/f8/f9 the log window says:
"Debbugged program was unable to process exception"
afterwards the threads are terminated

(i just trying the porttalk freeware but without success)

armadillo probably, rename ollydbg to other name and try again using the plugin Isdebug too and look if pass the exceptions.


Ricardo

so far I tried this:

-shift f7,f8,f9
-renaming ollydbg
-IsDebug displayed <error>
-start via allowio from porttalk
-noping the io opcodes -> same exception on later calls

programming can be very frustrating

by the way here is the snippet that causes the probs

005ED447 FF15 B8BDA300 CALL DWORD PTR DS:[…] ;
617441F0 > 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
617441F1 E5 6D IN EAX,6D ; I/O command
617441F3 AB STOS DWORD PTR ES:[EDI]
617441F4 227F 61 AND BH,BYTE PTR DS:[EDI+61]
617441F7 BB 53CCE5DA MOV EBX,DAE5CC53
617441FC 56 PUSH ESI
617441FD C9 LEAVE

and thank you for any further ideas

tell what packer is (use PEID) and will be more easy help.

If you rename olly and have errors, keep a copy of the original ollydbg.exe in the same folder for aviod the errors, and use a renamed exe you put in the same folder.

And if you use IsDEbug and make and error i think you are in win98, in XP work perfect.

Ricardo

hi ricardo,

peid shows the following message on the dll (while all other modules look normal):
safedisc 2.51.000 -> macrovision

unfortunately i'm not a hacker so i don't know what to do with this message. but i guess there is another tool that can remove this protection?!

looking forward hearing from you

ps: my os is xp and i also tested it on a virtual w2000 (virtual pc)

Aja safedisc i hear safedisc have a different kind of detection of ollydbg but i cannot check , safedisc programs are very large (games CDs and is difficult to download.

Ricardo