blabberer
November 25th, 2006, 07:12
Quote:
that's the exact error that's being displayed?
some kind of buffer overflow.
assuming your program returns there and the eip isn't being modified by
SetThreadContext, you can ask ollydbg to stop before eip actually gets there
with a conditional trace:
use ctrl+t and type in
dword ptr ss:[esp] == 401027 && byte ptr ds:[eip] == 0xc2
substitute 401027 with 00310031. 0xc2 is the opcode for retn n bytes;
if it returned with no n bytes the opcode would be 0xc3.
then use ctrl+f11 (trace in).
there could be many false positives and it could be slow,
but this conditional trace should get you to the point live.
a sample pause tracing ollydbg itself is pasted below.
Code:
Log data, item 0
Address=7C80B549
Message=Conditional pause: dword ptr ss:[esp] == 401027 && byte ptr ds:[eip] == 0xc2
stack
0012FFB8 00401027 RETURN to OLLYDBG.00401027 from <JMP.&KERNEL32.GetModuleHandleA>
0012FFBC 00000000
0012FFC0 7C90EB94 ntdll.KiFastSystemCallRet
eip when ollydbg paused
7C80B549
code snippet where i ran the trace
00401000 <ModuleEntryP> $ EB 10 JMP SHORT OLLYDBG.00401012
00401002 66 DB 66 ; CHAR 'f'
00401003 62 DB 62 ; CHAR 'b'
00401004 3A DB 3A ; CHAR ':'
00401005 43 DB 43 ; CHAR 'C'
00401006 2B DB 2B ; CHAR '+'
00401007 2B DB 2B ; CHAR '+'
00401008 48 DB 48 ; CHAR 'H'
00401009 4F DB 4F ; CHAR 'O'
0040100A 4F DB 4F ; CHAR 'O'
0040100B 4B DB 4B ; CHAR 'K'
0040100C 90 NOP
0040100D E9 DB E9
0040100E . 28014B00 DD OFFSET OLLYDBG.___CPPdebugHook
00401012 > A1 1B014B00 MOV EAX,DWORD PTR DS:[4B011B]
00401017 . C1E0 02 SHL EAX,2
0040101A . A3 1F014B00 MOV DWORD PTR DS:[4B011F],EAX
0040101F . 52 PUSH EDX
00401020 . 6A 00 PUSH 0 ; /pModule = NULL
00401022 . E8 4BE00A00 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401027 . 8BD0 MOV EDX,EAX
runtrace details
Address Thread Command Registers and comments
Flushing gathered information
0040101F Main PUSH EDX
00401020 Main PUSH 0 pModule = NULL
00401022 Main CALL <JMP.&KERNEL32.GetModuleHandleA>
004AF072 Main JMP DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]
GetModuleHandleA Main MOV EDI,EDI
7C80B52B Main PUSH EBP
7C80B52C Main MOV EBP,ESP EBP=0012FFB4
7C80B52E Main CMP DWORD PTR SS:[EBP+8],0
7C80B532 Main JE SHORT kernel32.7C80B54C
7C80B54C Main MOV EAX,DWORD PTR FS:[18] EAX=7FFDF000
7C80B552 Main MOV EAX,DWORD PTR DS:[EAX+30] EAX=7FFDC000
7C80B555 Main MOV EAX,DWORD PTR DS:[EAX+8] EAX=00400000
7C80B558 Main JMP SHORT kernel32.7C80B548
7C80B548 Main POP EBP EBP=0012FFF0
End of gathered information, live log begins
alt+k will normally not yield any useful information because the stack trace won't be working without a valid eip.
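The conditional trace above fires only when both halves hold: the dword on top of the stack equals the suspect return address and the instruction about to execute is a return. The following is an added example, not OllyDbg code and not from the post: it parses the post's condition string and replays the predicate over a constructed trace modelled on the run-trace shown above (the addresses, opcode bytes and stack-top values are constructed for illustration, not captured from a debugger). It also shows why the opcode check is there: the return address sits on top of the stack from the CALL until PUSH EBP, so the stack-half alone would stop several times before the real RETN.

```python
"""Replay of an OllyDbg-style conditional pause over a constructed trace.

Added example; the trace records below are constructed to mirror the post's
run trace, not captured output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

RETN_IMM = 0xC2   # RETN imm16, "retn n bytes"
RETN = 0xC3       # plain RETN

# Regex for the shape of the post's expression. OllyDbg reads bare numbers as
# hex, so "401027" and "0xc2" are both hex here.
_COND_RE = re.compile(
    r"dword ptr ss:\[esp\]\s*==\s*(?:0x)?([0-9a-f]+)\s*&&\s*"
    r"byte ptr ds:\[eip\]\s*==\s*(?:0x)?([0-9a-f]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class TraceStep:
    eip: int          # address of the instruction about to execute
    opcode: int       # first byte at eip (byte ptr ds:[eip])
    stack_top: int    # dword ptr ss:[esp] at that moment
    mnemonic: str     # for readability only


def parse_condition(expr: str) -> Tuple[int, int]:
    """Return (target_return_address, opcode_byte) from the post's expression."""
    m = _COND_RE.search(expr)
    if not m:
        raise ValueError("condition does not match the expected shape")
    return int(m.group(1), 16), int(m.group(2), 16)


def pause_condition(step: TraceStep, target: int,
                    opcodes: Sequence[int] = (RETN_IMM,)) -> bool:
    """The conditional-pause predicate: [esp] == target and [eip] is a return."""
    return step.stack_top == target and step.opcode in opcodes


def first_pause(steps: Sequence[TraceStep], target: int,
                opcodes: Sequence[int] = (RETN_IMM,)) -> Optional[TraceStep]:
    """First step at which the trace would pause, or None if it never fires."""
    for s in steps:
        if pause_condition(s, target, opcodes):
            return s
    return None


def stack_only_hits(steps: Sequence[TraceStep], target: int) -> List[int]:
    """EIPs where [esp] == target regardless of opcode: the stops you would get
    without the opcode half of the condition."""
    return [s.eip for s in steps if s.stack_top == target]


# Constructed trace: the call to GetModuleHandleA from 00401022 and the path
# back to 00401027. Opcode bytes are the first byte of each instruction;
# stack-top values are plausible constructed numbers, not debugger output.
SAMPLE_TRACE = [
    TraceStep(0x0040101F, 0x52, 0x7C90EB94, "PUSH EDX"),
    TraceStep(0x00401020, 0x6A, 0x00000000, "PUSH 0"),
    TraceStep(0x00401022, 0xE8, 0x00000000, "CALL <JMP.&KERNEL32.GetModuleHandleA>"),
    TraceStep(0x004AF072, 0xFF, 0x00401027, "JMP DWORD PTR DS:[...]"),   # ret addr on top
    TraceStep(0x7C80B529, 0x8B, 0x00401027, "MOV EDI,EDI"),            # still on top
    TraceStep(0x7C80B52B, 0x55, 0x00401027, "PUSH EBP"),               # still on top
    TraceStep(0x7C80B52C, 0x8B, 0x0012FFF0, "MOV EBP,ESP"),            # saved EBP on top
    TraceStep(0x7C80B548, 0x5D, 0x0012FFF0, "POP EBP"),
    TraceStep(0x7C80B549, 0xC2, 0x00401027, "RETN 4"),                 # the real return
    TraceStep(0x00401027, 0x8B, 0x00000000, "MOV EDX,EAX"),
]

POST_CONDITION = "dword ptr ss:[esp] == 401027 && byte ptr ds:[eip] == 0xc2"


if __name__ == "__main__":
    target, opcode = parse_condition(POST_CONDITION)
    hit = first_pause(SAMPLE_TRACE, target, (opcode,))
    print(f"pause at {hit.eip:08X} {hit.mnemonic}" if hit else "no pause")
    print("stack-only stops:", [f"{a:08X}" for a in stack_only_hits(SAMPLE_TRACE, target)])
```

Passing `(RETN_IMM, RETN)` as `opcodes` widens the predicate to catch a plain `retn` as well, which is what the post means by substituting 0xc3. Substituting the suspect address 00310031 for the target gives no hit on this trace, which is the expected result when the corrupted return has not happened yet.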