gabri3l:
Thanks for reminding me that it is ALWAYS a good idea to go back and read from the start of the thread. Had I done that, I would have discovered that you had reported your "last exception" occurred with the routine between 00A60019-00A6005C. I had noticed then that your code was nearly identical to that shown in the R@dier tut I described, except for the fact that his exceptions, as well as the ones I've seen in the few other ASPR targets I've tried in OllyDBG, were clearly "outside" the range of the ".code" section shown in the Memory Map. R@dier's were in the range of 00D0XXXX, while, at least your last one, was in the range 00A60019-00A6005C.
Now you are confusing me by your statement that:
Exceptions:
00A10671 <-- First exception
...25 exceptions later...
00A10019 <--Last exception
There is an obvious difference between a last exception routine which starts at 00A60019 and one that starts at 00A10019 is there not?????
And my first exception was also at 00A10671. How did you lose 50000 bytes between what you first posted and today??????
In my version of the target, the Memory Map shows the .code section to begin at Address=00401000, with Size=00098000 (622592.) That suggests that any address within the range of 00401000 to 00499000 (which would include 00A60019-00A6005C and/or 00A10671 and 00A10019) where these exceptions are occurring is IN the code section shown in the Memory Map. I didn't hit any OUTSIDE that range and I have a file with the code addresses at each of the breaks on exception.
I am also running XP SP1 and I believe the same OllyDbg version R@dier just described reverting back to, although my "About" identifies it as OllyDbg v1.10(step 2), I believe that is version 1.10b.
I'm wondering if I have one of the settings wrong in Olly as I know I set several in attacking some of the other targets I finally had some time to play with, but I never got to the routine you posted in your first post, although I was watching for it.
I'm going to try your break point on 00A10053 and see if it breaks, because I'm not getting anywhere near. My last exception code is happening at:
00A111D3 58 POP EAX
00A111D4 33C0 XOR EAX,EAX
00A111D6 5A POP EDX
00A111D7 59 POP ECX
00A111D8 59 POP ECX
00A111D9 64:8910 MOV DWORD PTR FS:[EAX],EDX
00A111DC 68 0E12A100 PUSH 0A1120E
00A111E1 8D85 ACD7FFFF LEA EAX,DWORD PTR SS:[EBP-2854]
00A111E7 BA 02000000 MOV EDX,2
00A111EC E8 BF1FFFFF CALL 00A031B0
00A111F1 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
00A111F4 E8 971FFFFF CALL 00A03190
00A111F9 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00A111FC BA 02000000 MOV EDX,2
00A11201 E8 AA1FFFFF CALL 00A031B0
00A11206 C3 RETN
which sure doesn't look correct and leads to the error message I posted below.
R@dier:
Will be happy to see your notes and would appreciate if you would include your settings in the Debugger options--->exceptions because that may be the problem here. I will be especially interested if the phrase "well outside the 00400000 range" really means something "outside" what is listed for the .code section, such as something in the 00DXXXXX or 00CXXXXX perhaps. That would be very strange, and gabri3l confirms my findings that they appear to be within the .code section.
I've just retried the program in OllyDbg and after the first exception, I can scroll up and see the routine at 00A10019 and if I put a breakpoint there, or at 00A10053 I'm not reaching it and still get to the routine I posted, which starts at 00A111D3 and ends in the error message.
One small further interesting point. When I ran PEiD on the file it said the OEP was at 47CB16 (although I never got there in the code) while gabri3l found 0047ED5F. So I'm suspecting more and more it is something in my settings.
Regards,
__________________
JMI