Thread: Olly Question
View Single Post
  #1  
Old 02-17-2011, 10:54
blaklite
 
Posts: n/a
Question Olly Question
I have been playing around with assembling/debugging my own simple little programs and have noticed an oddity while using Olly Debug.

frinstance...

I have a call to "CreateWindowExA" with lots of PUSH'es beforehand to load up the details. The problem is, that it does not seem to want to display correctly.

For example, a region "without" analysis looks like
Code:
0040107D    6A 00           PUSH    0
0040107F    FF35 A0314000   PUSH    DWORD PTR [4031A0]
00401085    6A 00           PUSH    0
00401087    6A 00           PUSH    0
00401089    68 C8000000     PUSH    0C8
0040108E    68 2C010000     PUSH    12C
00401093    68 00000080     PUSH    80000000
00401098    68 00000080     PUSH    80000000
0040109D    68 0000CF00     PUSH    0CF0000
004010A2    68 12304000     PUSH    OFFSET OpenFile.AppName          ; ASCII "Win32 Asm Edit"
004010A7    68 00304000     PUSH    OFFSET OpenFile.ClassName        ; ASCII "Win32ASMEditClass"
004010AC    68 00020000     PUSH    200
004010B1    E8 54030000     CALL    <JMP.&user32.CreateWindowExA>
but when I hit "Analyse Code". it looks like:
Code:
0040107D   .  6A 00         PUSH    0
0040107F   .  FF35 A0314000 PUSH    DWORD PTR [4031A0]
00401085   .  6A 00         PUSH    0
00401087   .  6A 00         PUSH    0
00401089   .  68 C8000000   PUSH    0C8
0040108E   .  68 2C010000   PUSH    12C
00401093   .  68 00000080   PUSH    80000000
00401098      68            DB      68                               ;  CHAR 'h'
00401099      00            DB      00
0040109A      00            DB      00
0040109B >    00            DB      00
0040109C      80            DB      80
0040109D      68            DB      68                               ;  CHAR 'h'
0040109E      00            DB      00
0040109F      00            DB      00
004010A0      CF            DB      CF
004010A1      00            DB      00
004010A2      68            DB      68                               ;  CHAR 'h'
004010A3   .  12304000      DD      OFFSET OpenFile.AppName          ;  ASCII "Win32 Asm Edit"
004010A7      68            DB      68                               ;  CHAR 'h'
004010A8   .  00304000      DD      OFFSET OpenFile.ClassName        ;  ASCII "Win32ASMEditClass"
004010AC      68            DB      68                               ;  CHAR 'h'
004010AD      00            DB      00
004010AE      02            DB      02
004010AF      00            DB      00
004010B0   .  00E8          ADD     AL, CH
004010B2   .  54            PUSH    ESP
004010B3   .  0300          ADD     EAX, DWORD PTR [EAX]
004010B5   .  00A3 CC314000 ADD     BYTE PTR [EBX+4031CC], AH
Can anyone explain why this happens? I have tried fiddling with the settings, but the only difference I can seem to make is with;

Selection/Right-click Analysis ->During Next analysis, treat selection as->Commands

Which is ok, but it is bothering me that I don't know why it is happening.

Is this a "Feature" of Olly?
Is it something to do with the alignment of code/data within the sections?
Is there some other options I could change.

Any tips gratefully received.

B.