how does olly pass exceptions to debuggee?
pillii
July 22nd, 2005, 10:35
hello,
i wonder how exactly olly passes exceptions to the debuggee. in the exceptions option window, when i check every option and also ignore the exception range from 0 to ffffffff, olly sometimes tells me 'don't know how to bypass exception'.
this is not what i expected.
another thing is that i get evil bluescreens when debugging certain exes; every other debugger i tried didn't give me bluescreens when exceptions have been raised.
pillii
Ricardo Narvaja
July 22nd, 2005, 17:58
OLLY has a bug in ILLEGAL EXCEPTION: when you pass it, it tells you "don't know how to bypass exception". I repaired this bug by debugging OLLYDBG with another OLLY; search for the strings of the message and you can repair this bug easily, changing only one conditional JUMP.
Olly is a RING3 debugger and cannot produce any blue screen; the program you are debugging detects it is being debugged and intentionally produces this blue screen.
Ricardo Narvaja
gabri3l
July 22nd, 2005, 19:11
Ricardo, you just saved me a whole ton of Shift+F9's. I didn't know it was a bug that could be fixed. You are my hero.

pillii
July 23rd, 2005, 23:15
thank you for your answer.
i followed your instructions and now i don't get the annoying message box.
i also figured out why olly makes those certain exes give me a bluescreen.
it's because olly calls the ContinueDebugEvent API with dwContinueStatus=DBG_CONTINUE, which is not what i expect from olly when i tell olly in the options menu to not handle any exception. i changed the parameter dwContinueStatus to DBG_EXCEPTION_NOT_HANDLED and now everything works just fine.
i wonder if there is a plugin out there doing this automatically. if not, i will try to write such a plugin, because i think this feature is a must for a good debugger.
btw, why does olly call ContinueDebugEvent with dwContinueStatus=DBG_CONTINUE when i tell olly to pass every exception to the debuggee??
tia
pillii
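Added example, not part of any post in this thread and not OllyDbg's code: a minimal Win32 debug loop in C showing the dwContinueStatus choice described in the post above. The helper name continue_status and its ours/pass parameters are assumptions made for the illustration.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else   /* Windows SDK values, repeated so the decision logic builds anywhere */
#define DBG_CONTINUE              0x00010002u
#define DBG_EXCEPTION_NOT_HANDLED 0x80010001u
#define EXCEPTION_BREAKPOINT      0x80000003u
#define EXCEPTION_SINGLE_STEP     0x80000004u
#endif

/* Hypothetical helper: pick dwContinueStatus for one EXCEPTION_DEBUG_EVENT.
 * ours: the debugger caused the event (its own breakpoint or single step).
 * pass: the user asked for exceptions to go to the debuggee. */
uint32_t continue_status(uint32_t code, int ours, int pass)
{
    if (ours && (code == EXCEPTION_BREAKPOINT || code == EXCEPTION_SINGLE_STEP))
        return DBG_CONTINUE;              /* debugger's own event: swallow it */
    if (pass)
        return DBG_EXCEPTION_NOT_HANDLED; /* debuggee's SEH handlers get to run */
    return DBG_CONTINUE;                  /* marked handled: handlers never run */
}

#ifdef _WIN32
/* Event loop for a child created with DEBUG_ONLY_THIS_PROCESS. */
void debug_loop(void)
{
    DEBUG_EVENT ev;
    int seen_initial_bp = 0;
    while (WaitForDebugEvent(&ev, INFINITE)) {
        DWORD status = DBG_CONTINUE;      /* used for all non-exception events */
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            DWORD code = ev.u.Exception.ExceptionRecord.ExceptionCode;
            /* The loader raises one breakpoint at startup; treat it as ours. */
            int ours = (code == EXCEPTION_BREAKPOINT && !seen_initial_bp);
            if (ours)
                seen_initial_bp = 1;
            status = continue_status(code, ours, 1);
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
            break;
    }
}
#endif
```

With DBG_CONTINUE the exception is marked as handled and the thread simply resumes, so a handler the debuggee installed for that exception is skipped; with DBG_EXCEPTION_NOT_HANDLED normal exception dispatch continues inside the debuggee.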
omega_red
April 13th, 2007, 04:45
Jump to patch in Olly to prevent buggy pauses is
Code:
0043979D 68 203A4E00 PUSH OLLYDBG.004E3A20
004397A2 E8 A5160500 CALL OLLYDBG.0048AE4C
004397A7 59 POP ECX
004397A8 33D2 XOR EDX,EDX
004397AA 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50]
004397AD 8915 5C8D4D00 MOV DWORD PTR DS:[4D8D5C],EDX
004397B3 890D 5C5A4D00 MOV DWORD PTR DS:[4D5A5C],ECX
004397B9 833D 14574D00 01 CMP DWORD PTR DS:[4D5714],1
004397C0 75 42 JNZ SHORT OLLYDBG.00439804 ; <== change to JMP
004397C2 833D 70574D00 00 CMP DWORD PTR DS:[4D5770],0
004397C9 75 39 JNZ SHORT OLLYDBG.00439804
004397CB 833D D8364D00 02 CMP DWORD PTR DS:[4D36D8],2
004397D2 74 0C JE SHORT OLLYDBG.004397E0
004397D4 813D 2C574D00 00>CMP DWORD PTR DS:[4D572C],80000000
004397DE 73 24 JNB SHORT OLLYDBG.00439804
004397E0 833D 8C574D00 00 CMP DWORD PTR DS:[4D578C],0
004397E7 75 11 JNZ SHORT OLLYDBG.004397FA
004397E9 8D86 A5310000 LEA EAX,DWORD PTR DS:[ESI+31A5]
004397EF 50 PUSH EAX
004397F0 6A 00 PUSH 0
004397F2 E8 397EFFFF CALL OLLYDBG._Message
Change it to JMP and no more annoying breaks. I ran into this issue yesterday and thought I may as well post it for the lazy ones.

naides
April 13th, 2007, 05:20
Thank you, in the name of the lazy ones
