Exetools  
#1  02-17-2011, 10:54  blaklite

Olly Question

I have been playing around with assembling/debugging my own simple little programs and have noticed an oddity while using Olly Debug.

For instance...

I have a call to "CreateWindowExA" with lots of PUSH'es beforehand to load up the details. The problem is, that it does not seem to want to display correctly.

For example, a region "without" analysis looks like
Code:
0040107D    6A 00           PUSH    0
0040107F    FF35 A0314000   PUSH    DWORD PTR [4031A0]
00401085    6A 00           PUSH    0
00401087    6A 00           PUSH    0
00401089    68 C8000000     PUSH    0C8
0040108E    68 2C010000     PUSH    12C
00401093    68 00000080     PUSH    80000000
00401098    68 00000080     PUSH    80000000
0040109D    68 0000CF00     PUSH    0CF0000
004010A2    68 12304000     PUSH    OFFSET OpenFile.AppName          ; ASCII "Win32 Asm Edit"
004010A7    68 00304000     PUSH    OFFSET OpenFile.ClassName        ; ASCII "Win32ASMEditClass"
004010AC    68 00020000     PUSH    200
004010B1    E8 54030000     CALL    <JMP.&user32.CreateWindowExA>
but when I hit "Analyse Code", it looks like:
Code:
0040107D   .  6A 00         PUSH    0
0040107F   .  FF35 A0314000 PUSH    DWORD PTR [4031A0]
00401085   .  6A 00         PUSH    0
00401087   .  6A 00         PUSH    0
00401089   .  68 C8000000   PUSH    0C8
0040108E   .  68 2C010000   PUSH    12C
00401093   .  68 00000080   PUSH    80000000
00401098      68            DB      68                               ;  CHAR 'h'
00401099      00            DB      00
0040109A      00            DB      00
0040109B >    00            DB      00
0040109C      80            DB      80
0040109D      68            DB      68                               ;  CHAR 'h'
0040109E      00            DB      00
0040109F      00            DB      00
004010A0      CF            DB      CF
004010A1      00            DB      00
004010A2      68            DB      68                               ;  CHAR 'h'
004010A3   .  12304000      DD      OFFSET OpenFile.AppName          ;  ASCII "Win32 Asm Edit"
004010A7      68            DB      68                               ;  CHAR 'h'
004010A8   .  00304000      DD      OFFSET OpenFile.ClassName        ;  ASCII "Win32ASMEditClass"
004010AC      68            DB      68                               ;  CHAR 'h'
004010AD      00            DB      00
004010AE      02            DB      02
004010AF      00            DB      00
004010B0   .  00E8          ADD     AL, CH
004010B2   .  54            PUSH    ESP
004010B3   .  0300          ADD     EAX, DWORD PTR [EAX]
004010B5   .  00A3 CC314000 ADD     BYTE PTR [EBX+4031CC], AH
Can anyone explain why this happens? I have tried fiddling with the settings, but the only difference I can seem to make is with:

Selection/Right-click Analysis ->During Next analysis, treat selection as->Commands

Which is ok, but it is bothering me that I don't know why it is happening.

Is this a "feature" of Olly?
Is it something to do with the alignment of code/data within the sections?
Are there some other options I could change?

Any tips gratefully received.

B.
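Added example, not from any post in this thread: a small Python script that decodes the bytes of the first (unanalysed) listing by linear sweep, recovers the CreateWindowExA argument list from the twelve PUSHes before the CALL, and lists which PUSH immediates fall inside the image. The two immediates it flags (the OFFSET OpenFile.AppName and OpenFile.ClassName values) are exactly the ones the analysed listing turned into DD OFFSET entries, which is what a pointer-spotting analysis heuristic keys on. The bytes are copied from the two listings above (the trailing MOV comes from the second one); the image size bound 0x00410000 and the five-opcode subset the decoder understands are assumptions made for this example.

```python
"""Linear-sweep decode of the CreateWindowExA call from the post, plus the
"does this immediate look like a pointer into the image?" test that a
heuristic analyser applies.  Added example; not code from the thread."""
import struct

# Bytes copied from the first listing (0040107D..004010B5), followed by the
# MOV [4031CC],EAX (A3 CC314000) that the second listing shows after the CALL.
CODE_VA = 0x0040107D
CODE = bytes.fromhex(
    "6A00" "FF35A0314000" "6A00" "6A00"
    "68C8000000" "682C010000" "6800000080" "6800000080"
    "680000CF00" "6812304000" "6800304000" "6800020000"
    "E854030000"
    "A3CC314000"
)

# Image base is evident from the listing addresses; the end is an ASSUMPTION.
IMAGE_BASE = 0x00400000
IMAGE_END = 0x00410000

# CreateWindowExA parameters in declaration order (Win32 API, stdcall).
CREATEWINDOWEX_ARGS = [
    "dwExStyle", "lpClassName", "lpWindowName", "dwStyle", "x", "y",
    "nWidth", "nHeight", "hWndParent", "hMenu", "hInstance", "lpParam",
]


def decode(code, va):
    """Return [(address, mnemonic, operand)] for the opcode forms used in the
    listing only.  Any other byte raises: a stream either decodes cleanly as
    instructions from the chosen start or it does not."""
    out, i = [], 0
    while i < len(code):
        at, op = va + i, code[i]
        if op == 0x6A:                            # PUSH imm8, sign-extended
            imm = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
            out.append((at, "PUSH", imm)); i += 2
        elif op == 0x68:                          # PUSH imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append((at, "PUSH", imm)); i += 5
        elif op == 0xFF and code[i + 1] == 0x35:  # PUSH DWORD PTR [disp32]
            disp = struct.unpack_from("<I", code, i + 2)[0]
            out.append((at, "PUSH [mem]", f"[{disp:08X}]")); i += 6
        elif op == 0xE8:                          # CALL rel32 (relative to next IP)
            rel = struct.unpack_from("<i", code, i + 1)[0]
            out.append((at, "CALL", (at + 5 + rel) & 0xFFFFFFFF)); i += 5
        elif op == 0xA3:                          # MOV [disp32], EAX
            disp = struct.unpack_from("<I", code, i + 1)[0]
            out.append((at, "MOV [mem],EAX", disp)); i += 5
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {at:08X}")
    return out


def pointer_looking_immediates(insns):
    """PUSH imm32 values that land inside the image: the values a pointer-
    spotting heuristic is tempted to relabel as DD OFFSET data."""
    return [v for _, mn, v in insns if mn == "PUSH" and IMAGE_BASE <= v < IMAGE_END]


def stdcall_args(insns, call_index, names):
    """Map the pushes preceding a CALL onto parameter names.  stdcall pushes
    right-to-left, so the push nearest the CALL is the first parameter."""
    pushes = [ins for ins in insns[:call_index] if ins[1].startswith("PUSH")]
    pushes = pushes[-len(names):]
    return {name: ins[2] for name, ins in zip(names, reversed(pushes))}


def fmt(v):
    return v if isinstance(v, str) else f"{v:08X}"


if __name__ == "__main__":
    insns = decode(CODE, CODE_VA)
    for at, mn, opnd in insns:
        print(f"{at:08X}  {mn:<14} {fmt(opnd)}")
    print("pointer-looking immediates:",
          [fmt(v) for v in pointer_looking_immediates(insns)])
    call_index = next(i for i, ins in enumerate(insns) if ins[1] == "CALL")
    for name, val in stdcall_args(insns, call_index, CREATEWINDOWEX_ARGS).items():
        print(f"  {name:<13} = {fmt(val)}")
```

Run as-is; it prints the thirteen-instruction decode plus the trailing MOV, then the argument map: dwExStyle 0x200 (WS_EX_CLIENTEDGE), dwStyle 0xCF0000 (WS_OVERLAPPEDWINDOW), x and y 0x80000000 (CW_USEDEFAULT), a 300x200 window, and hInstance read from [004031A0]. The decoder deliberately knows nothing beyond these opcode forms; the point is that starting at 0040107D the bytes decode with no leftover, so the DB run in the analysed listing is the analyser's choice, not a property of the bytes.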
#2  02-17-2011, 12:01  D-Jester (VIP)
Olly may just be getting confused, as it's interpreting your code as data.

Make sure you have enabled, under Options:

Analysis 2 -> Show arguments of known functions
Analysis 2 -> Guess number of arguments of unknown functions
Analysis 1 -> Heuristical Procedure recognition

Let me know
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
#3  02-18-2011, 06:33  blaklite
Thanks for the reply, but no joy. I already had the settings you mentioned set (and unset, and pretty much all other combinations thereof).

Seems that it is an added "feature" of Olly, although I did notice that it doesn't seem to happen with OllyV2, so I will just have to live with the minor inconvenience of it for now,
or at least until V2 becomes as handy as the original (it's not as if I use half of the features of Olly, but V2 just doesn't seem complete somehow).
#4  02-18-2011, 07:28  D-Jester
would you mind uploading target executable so I might have a look?
#5  02-18-2011, 17:14  ricnar456 (Friend)
It is a problem of Olly.

If you work with packed executables, and a section is unpacked on the fly and is originally marked as a data section, then when the unpacking job ends and it jumps to execute code in this section, Olly maintains the initial analysis (thinking it is a data section) and displays it as data (DBs).
Only by removing the initial analysis is it possible to see the executable code created on the fly.

ricnar
#6  02-19-2011, 02:44  D-Jester
Quote:
Originally Posted by blaklite View Post
...assembling/debugging my own simple little programs and have noticed an oddity while using Olly Debug
Agreed, ricnar. I am assuming this is not a packed executable, based on his comment. I am guessing section flags are possibly to blame.
#7  02-19-2011, 04:40  blaklite

Doh.
I dunno how it happened but it seems to have fixed itself.

I was all set to upload the .asm as an attachment, when I noticed that I had used an .inc file to clean up some of the code, and it would no longer build.

As it happens, overnight I had managed to delete the file while fiddling with different versions of Masm to see if that was the culprit.

Trouble is, I cannot for the life of me remember what else was in the .inc file. All I can remember is that I had changed around the original example to be easier to read, by following the structure of another simple program I had found online (can I remember what it was called? Can I &%$# !!)

e.g. putting the "RegisterWindow" bit in its own procedure, and the same for the message loop, making the whole thing look a lot cleaner.

From what I can tell from what is in the .asm file now, I had put a lot of the includes and a procedure to Show/Update the window into the .inc.

So just now, when I quickly added the includes and put back the separate calls to Show/Update window, I built the executable and had a quick look in Olly to check that it was still doing the same thing... voila! It had magically fixed itself.

So I think it must have been something in the way that I had used the includes, or called the procedure that had caused Masm to somehow make Olly think portions of the code section were really data. (however the code that would have been in the .inc file was not the code that was displayed incorrectly in Olly)

I just wish I could remember what else I had put in the .inc file. I had thought to start adding useful routines that I might use across different programs into one place, and so put the file along side the other includes that come with Masm32, and then promptly forgot all about it.

So thanks for your answers, to my NON-question. I think perhaps I had better just shut up for now, and stop bothering you nice people.

B

PS Thought I might as well attach the source.
Attached: OpenFile.rar (3.3 KB)
#8  02-19-2011, 05:39  blaklite
Thanks for the help.

I have just spent the last hour trying to recreate the .exe to give the same problem.

Gonna have to put this one down to sunspot activity and get on with my life.

For sanity's sake I am going to close the thread and try to put it out of my mind, before I go completely loopy.

B.
Tags: analysis, debug, olly