gabri3l:
I have a question for you. I was not able to find a copy of v1.3 of the target because it's been replaced with v1.3a. Attempting to follow the code in OllyDBG, it seems strange because the code for the SEH and exceptions all occurs in what is listed as the main code section of the file. By this I mean that from the initial start at 0040100 all of the exception code takes place in the 00400000 range, while most ASPR files I've looked at in Olly have had these routines in a far distant address, well out of the 00400000 range of the target ".code" section. Although PEiD identifies this as ASPR, I'm wondering if that is really true, considering that your version still identified ASPR even after you removed it.
Using the F9 and SHIFT+F9 technique I am eventually raising the following messagebox:
"Don't know how to step because memory at address XXXXXXXX is not readable.Try to change EIP or pass exception to program"
and one can't set a "breakpoint on entry" to the ".code" section, because it is already IN THE CODE SECTION.
I have found discussion of such a message and possible workaround on the OllyDBG Forum here:
http://ollydbg.win32asmcommunity.net/index.php?action=vthread&forum=1&topic=612
But haven't had time to work through it yet. Still learning Olly's traits and settings.
Does your v1.3 have its exceptions within the 00400000 range, or does it leap off into a far address with the first or second F9/SHIFT+F9?
Regards,
__________________
JMI
Last edited by JMI; 04-29-2004 at 12:54.