Exception handling
Tapani
January 8th, 2006, 14:50
Hi all,
I am debugging an old game and have problems that on some machines the program (presumably) receives an exception from kernel32 and dies.
However, running inside OllyDbg the game works on all machines, maybe since Olly by default intercepts exceptions from kernel32.
Is there any way I can mod/patch the game to have a similar exception behaviour as it has under Olly? I do not have access to a machine where a crash can be reproduced.
Any comments, advice, thoughts etc are welcome. :-)
//Tapani
comrade
January 8th, 2006, 16:04
Go to Debugging options and set it to pass all exceptions to the program, except int3 breaks (cause you still want to set breakpoints).
Tapani
January 8th, 2006, 18:41
Thanks mate, but I know how to receive the exceptions inside Olly. I want the other way around :-)
I would want the game to survive even if it receives an exception, just as if Olly had ignored the exception. Also, another of my pleasures is that the people having problems are non-techies and unwilling (unable) to do debugging for me, so I cannot really do proper debugging.
Yeah, I know, it sucks to be me :-)
//Tapani
comrade
January 9th, 2006, 02:03
Oh sorry, I haven't read your post completely before I replied.
Are you sure the game breaks only from exceptions inside kernel32? It must be doing something funny with exception handling, because usually kernel32/ntdll exceptions are handled by kernel32/ntdll itself, and the exception is never seen by the game.
Can you post the crash log that you get with Dr Watson?
Lord_Looser
January 9th, 2006, 03:59
First you should search for the calling function that leads to the exception. Perhaps sometimes there is a not allowed parameter (e.g. pointer NULL) handed over to the kernel32 function.
If not you can
1. write your own little loader/debugger or
2. insert a DLL and use SetUnhandledExceptionFilter or
3. insert a DLL and manipulate all threads' SEHs
...
I think if the game is not protected you should think about it from top to bottom.
Tapani
January 10th, 2006, 23:20
lord_looser:
thank you for your advice, unfortunately I do not have access to any machine where I can reproduce the crash. I am solely dependent on less computer literate users patient enough to do debug tests.
The capture all exceptions Olly-style was a fix-all solution without having to figure out why it crashed.
comrade:
I am not 100% sure it is from kernel32/ntdll. One user of mine has used purify on the exe, and for him it crashed in HeapFree.
Another of my users sent me the following drwatson log. I have never deciphered one of these before, but to me it seems like it crashes in ntdll (InitializeCriticalSection)
Any advice is very, very welcome,
//Tapani (I am sort of a windows newbie (been on linux way too long), so sorry if I have missed something obvious..)
Application exception occurred:
App: C:\Program Files\Championship Manager 01-02\cm0102.exe (pid=2204)
When: 10/01/2006 @ 20:21:00.756
Exception number: c0000005 (access violation)
*----> System Information <----*
Computer Name: CPQXXXXXXXXXXX
User Name:
Terminal Session Id: 0
Number of Processors: 1
Processor Type: x86 Family 6 Model 10 Stepping 0
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
Current Type: Uniprocessor Free
Registered Organization:
Registered Owner:
*----> Module List <----*
(0000000000400000 - 0000000000de7000: C:\Program Files\Championship Manager 01-02\cm0102.exe
(000000005ad70000 - 000000005ada8000: C:\WINDOWS\system32\uxtheme.dll
(000000005b0a0000 - 000000005b0a7000: C:\WINDOWS\system32\umdmxfrm.dll
(000000005cd70000 - 000000005cd77000: C:\WINDOWS\system32\serwvdrv.dll
(000000005d090000 - 000000005d127000: C:\WINDOWS\system32\COMCTL32.dll
(00000000629c0000 - 00000000629c9000: C:\WINDOWS\system32\LPK.DLL
(0000000063000000 - 0000000063014000: C:\WINDOWS\system32\SynTPFcs.dll
(0000000071aa0000 - 0000000071aa8000: C:\WINDOWS\system32\WS2HELP.dll
(0000000071ab0000 - 0000000071ac7000: C:\WINDOWS\system32\WS2_32.dll
(0000000071ad0000 - 0000000071ad9000: C:\WINDOWS\system32\WSOCK32.dll
(0000000073000000 - 0000000073026000: C:\WINDOWS\system32\WINSPOOL.DRV
(0000000073760000 - 00000000737a9000: C:\WINDOWS\system32\DDRAW.dll
(0000000073bc0000 - 0000000073bc6000: C:\WINDOWS\system32\DCIMAN32.dll
(0000000073f10000 - 0000000073f6c000: C:\WINDOWS\system32\DSOUND.dll
(0000000074d90000 - 0000000074dfb000: C:\WINDOWS\system32\USP10.dll
(00000000763b0000 - 00000000763f9000: C:\WINDOWS\system32\comdlg32.dll
(0000000076b40000 - 0000000076b6d000: C:\WINDOWS\system32\WINMM.dll
(00000000773d0000 - 00000000774d2000: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
(00000000774e0000 - 000000007761d000: C:\WINDOWS\system32\ole32.dll
(0000000077b40000 - 0000000077b62000: C:\WINDOWS\system32\Apphelp.dll
(0000000077c00000 - 0000000077c08000: C:\WINDOWS\system32\VERSION.dll
(0000000077c10000 - 0000000077c68000: C:\WINDOWS\system32\msvcrt.dll
(0000000077d40000 - 0000000077dd0000: C:\WINDOWS\system32\USER32.dll
(0000000077dd0000 - 0000000077e6b000: C:\WINDOWS\system32\ADVAPI32.dll
(0000000077e70000 - 0000000077f01000: C:\WINDOWS\system32\RPCRT4.dll
(0000000077f10000 - 0000000077f57000: C:\WINDOWS\system32\GDI32.dll
(0000000077f60000 - 0000000077fd6000: C:\WINDOWS\system32\SHLWAPI.dll
(000000007c800000 - 000000007c8f4000: C:\WINDOWS\system32\kernel32.dll
(000000007c900000 - 000000007c9b0000: C:\WINDOWS\system32\ntdll.dll
(000000007c9c0000 - 000000007d1d5000: C:\WINDOWS\system32\SHELL32.dll
*----> State Dump for Thread Id 0x4e4 <----*
eax=0be54ad0 ebx=01400000 ecx=00000048 edx=00000146 esi=0be54ac8 edi=0be54b20
eip=7c911e58 esp=0012fa08 ebp=0012fa14 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
function: ntdll!RtlInitializeCriticalSection
7c911e3c 000f add [edi],cl
7c911e3e 87ee xchg esi,ebp
7c911e40 ed in eax,dx
7c911e41 ffff ???
7c911e43 807d1400 cmp byte ptr [ebp+0x14],0x0
7c911e47 0f85977a0300 jne ntdll!RtlInitializeSListHead+0x108d4 (7c9498e4)
7c911e4d 8b4e0c mov ecx,[esi+0xc]
7c911e50 8d4608 lea eax,[esi+0x8]
7c911e53 8b10 mov edx,[eax]
7c911e55 894d08 mov [ebp+0x8],ecx
FAULT ->7c911e58 8b09 mov ecx,[ecx] ds:0023:00000048=????????
7c911e5a 3b4a04 cmp ecx,[edx+0x4]
7c911e5d 89550c mov [ebp+0xc],edx
7c911e60 0f859d000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911f03)
7c911e66 3bc8 cmp ecx,eax
7c911e68 0f8595000000 jne ntdll!RtlInitializeCriticalSection+0x3d6 (7c911f03)
7c911e6e 56 push esi
7c911e6f 53 push ebx
7c911e70 e81fedffff call ntdll!wcsncpy+0x105 (7c910b94)
7c911e75 8b450c mov eax,[ebp+0xc]
7c911e78 8b4d08 mov ecx,[ebp+0x8]
*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
*** WARNING: Unable to verify checksum for C:\Program Files\Championship Manager 01-02\cm0102.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Championship Manager 01-02\cm0102.exe
ChildEBP RetAddr Args to Child
0012fa14 7c910d5c 00000048 0be54b20 0012facc ntdll!RtlInitializeCriticalSection+0x32b
0012fae8 00945330 01400000 00000000 0be54b28 ntdll!wcsncpy+0x2cd
0012fb04 00777564 0be54b28 00000118 00ae2c90 cm0102+0x545330
0be8d02d 00000000 61117401 61206120 61206120 cm0102+0x377564
*----> Raw Stack Dump <----*
Lord_Looser
January 11th, 2006, 04:49
Your exception occurs at eip=7c911e58. It's a memory access violation within
(000000007c900000 - 000000007c9b0000: C:\WINDOWS\system32\ntdll.dll.
The most important stuff is the stack back trace entries:
ChildEBP RetAddr Args to Child
0012fa14 7c910d5c 00000048 0be54b20 0012facc ntdll!RtlInitializeCriticalSection+0x32b
0012fae8 00945330 01400000 00000000 0be54b28 ntdll!wcsncpy+0x2cd
0012fb04 00777564 0be54b28 00000118 00ae2c90 cm0102+0x545330
0be8d02d 00000000 61117401 61206120 61206120 cm0102+0x377564
http://msdn.microsoft.com/library/en-us/vccore98/HTML/_crt_strncpy.2c_.wcsncpy.2c_._mbsncpy.asp?frame=true
Check the parameters of this function within your program above eip=00945330 and others before calling these.
ChildEBP=0012fae8
RetAddr=00945330
*strDest=01400000
*strSource=00000000
count=0be54b28
ntdll!wcsncpy+0x2cd
Lord_Looser
January 11th, 2006, 05:26
hm, if I see it correctly it isn't involved in the function ntdll!wcsncpy.
Ollydbg calls it ntdll.RtlpDeCommitFreeBlock + 0x1A8 with my installed symbols.
https://www.xfocus.net/bbs/?act=ST&f=2&t=34352&page=2
RtlFreeHeap calls RtlpDeCommitFreeBlock( Heap, (PHEAP_FREE_ENTRY)BusyBlock, FreeSize );
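The two posts above read the Dr. Watson back trace by hand: each frame's RetAddr is where the caller resumes, so resolving it against the module list gives the caller as module+offset, and a name like ntdll!wcsncpy+0x2cd is only the nearest exported symbol when no symbol file is present. Added example (not from the thread's participants) that automates exactly that reading over a constructed excerpt of the log posted earlier; the module ranges, register line and frame lines are copied from that log.

```python
import re

# Constructed excerpt of the Dr. Watson log posted earlier in this thread
# (register line, module list, stack back trace); the real log lists more modules.
LOG = r"""
eax=0be54ad0 ebx=01400000 ecx=00000048 edx=00000146 esi=0be54ac8 edi=0be54b20
*----> Module List <----*
(0000000000400000 - 0000000000de7000: C:\Program Files\Championship Manager 01-02\cm0102.exe
(000000007c800000 - 000000007c8f4000: C:\WINDOWS\system32\kernel32.dll
(000000007c900000 - 000000007c9b0000: C:\WINDOWS\system32\ntdll.dll
*----> Stack Back Trace <----*
ChildEBP RetAddr Args to Child
0012fa14 7c910d5c 00000048 0be54b20 0012facc ntdll!RtlInitializeCriticalSection+0x32b
0012fae8 00945330 01400000 00000000 0be54b28 ntdll!wcsncpy+0x2cd
0012fb04 00777564 0be54b28 00000118 00ae2c90 cm0102+0x545330
0be8d02d 00000000 61117401 61206120 61206120 cm0102+0x377564
"""

HEX8 = r"([0-9a-f]{8})"
MODULE_RE = re.compile(r"^\(([0-9a-f]{16}) - ([0-9a-f]{16}): (.+)$", re.M)
FRAME_RE = re.compile(r"^" + r" ".join([HEX8] * 5) + r" (\S+)$", re.M)

def parse_modules(log):
    """Return [(base, end, name)], naming modules as Dr. Watson does (no extension)."""
    mods = []
    for lo, hi, path in MODULE_RE.findall(log):
        name = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        mods.append((int(lo, 16), int(hi, 16), name))
    return mods

def resolve(addr, mods):
    """Map an absolute address to module+offset, or None if no listed module contains it."""
    for lo, hi, name in mods:
        if lo <= addr < hi:
            return "%s+0x%x" % (name, addr - lo)
    return None

def parse_frames(log):
    """One dict per frame line: ChildEBP, RetAddr (where the caller resumes), 3 args, symbol."""
    return [dict(child_ebp=int(f[0], 16), ret=int(f[1], 16),
                 args=tuple(int(a, 16) for a in f[2:5]), symbol=f[5])
            for f in FRAME_RE.findall(log)]

def callers(log):
    """Pair each frame's symbol with its resolved return address, i.e. the caller
    (the next line's function). Export-only names such as ntdll!wcsncpy+0x2cd are
    just the nearest exported symbol and can mislead, as the thread notes."""
    mods = parse_modules(log)
    return [(f["symbol"], resolve(f["ret"], mods)) for f in parse_frames(log)]

def fault_arg_matches_ecx(log):
    """The faulting instruction was 'mov ecx,[ecx]': confirm the register dump's ecx
    is the first argument passed to the top frame (here 0x48, an invalid pointer)."""
    ecx = int(re.search(r"ecx=([0-9a-f]{8})", log).group(1), 16)
    return parse_frames(log)[0]["args"][0] == ecx
```

Running callers(LOG) shows the frame labelled ntdll!wcsncpy+0x2cd returning into cm0102+0x545330, which is why the game's own deallocation wrapper, not wcsncpy, is the place to look.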
Tapani
January 11th, 2006, 16:47
Thank you very much!
Things start falling into place:
0012fb04 00777564 0be54b28 00000118 00ae2c90 cm0102+0x545330
0be8d02d 00000000 61117401 61206120 61206120 cm0102+0x377564
The addresses there correspond to a call from the memory deallocation wrapper the game uses. (Using HeapFree). Unfortunately, this wrapper is used all the time by the game so I'll have to try to see what I find in the raw stack dump. It seems clear now that the game is freeing some memory it shouldn't free and that's the reason to all the evil.
Once more, thank you very much for your help.
//Tapani
Lord_Looser
January 12th, 2006, 17:59
Have you installed the last game updates? Version 3.968 (only german?)
http://www.champmaniacs.de/gdoffi.html
Tapani
January 13th, 2006, 13:45
Thanks for the patch link, but I already have the last official 3.9.68 update.
The problem seems more deep-going than I thought. It seems that after some point any call to HeapFree will crash, so it seems like something that has corrupted the memory allocator (maybe a bad free?).
Is anyone aware of a tool for Windows that can debug memory allocation errors similar to Valgrind on Linux? I have already tried purify (the free two-week trial) and purify crashes with an "internal error" saying the compiler used to create the .exe is not supported.
Lord_Looser, apparently you know the game - what I am up to is creating a mod that updates the start year, leagues and does other improvements/bugfixes. I would be happy to hand out the beta version of this mod to anyone interested... ;-)
//Tapani
Lord_Looser
January 14th, 2006, 12:53
Sorry, but I don't know this game. I only googled for this and found this too: http://www.sigames.com/downloads.php?type=game&id=9&filterBy=