#1
Hi, it crashes not because of CC, but there seems to be a problem with the stack. After some tracing, it crashes at 00402E1D because it is trying to return to 00000000.
For some reason at this address there are some leftover bytes, or maybe they come from an unneeded PUSH 0:

    0012FFC0  00 00 00 00  ....

Code:
    00402E14  E8 9F000000   CALL <JMP.&user32.EndDialog>
    00402E19  61            POPAD
    00402E1A  33C0          XOR EAX,EAX
    00402E1C  C9            LEAVE
    00402E1D  C2 1000       RETN 10
#2
You mean on exit or in all crashes?
Do you have any hints on how to solve it? NOPping the PUSH 0 does not change the situation. Last edited by TmC; 01-06-2005 at 00:05.
#3
I'm trying to handle nanomites, but I came across a question: when must I handle nanomites? Before or after handling CopyMem2?
After sounds silly, but before does not allow me to handle CopyMem. I should save... but how can I save the changes I made and reload the executable from the beginning?
#4
I have not seen any nanomites in the target. You fix nanomites last.
Here is where the problem happens. Try this:

1. Load the target in Olly.
2. In the command bar type BP MessageBoxA.
3. Press F9 so it runs.
4. Go to the target and press Exit.
5. It will break in Olly at 77D8050B > 8BFF MOV EDI,EDI.
6. Press CTRL-F9.
7. You will hear a beep. Go back to the target and press OK.
8. Olly will pause at 77D80551 C2 1000 RETN 10.
9. Press F8 and Olly returns here: 00402E0A 83F8 01 CMP EAX,1.
10. Scroll down 8 lines and place a breakpoint at 00402E1D C2 1000 RETN 10.
11. Press F9 8 times and it should break at 00402E1D.

This is where it will crash, because the return will take it to the invalid 00000000 address. This makes me believe there is a problem with the stack. If I manually popped the 8 zeros off the stack, it exited without errors.
#5
Using NT, so my errors may be different.
Open up TmC's dump and then press the Load button. This brings about a crash. Looking at the report, it crashes at 402bdd. So I load it in Olly, check 402bdd, and it's an INT3. Not too good with Arma, but I'm assuming that it's waiting for the father thread to overwrite the INT3. Last edited by gabri3l; 01-06-2005 at 05:16.
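An added example, not code from the thread or from gabri3l: a small scanner that walks a raw code dump and lists every run of 0xCC bytes, separating isolated INT3s (the ones worth checking in Olly, like the one at 402bdd above) from long runs, which are normally alignment padding between functions. The sample bytes, the base address 0x00401000 and the run-length threshold are constructed assumptions; on a real dump you would pass the .text section and its virtual address.

```python
"""Scan a raw code blob for INT3 (0xCC) bytes and flag isolated ones.

Added example; not from the thread. SAMPLE, SAMPLE_BASE and the
max_run threshold are constructed for illustration."""

import sys
from typing import List, Tuple

INT3 = 0xCC

# Constructed sample: two tiny functions separated by 0xCC padding; the
# second contains a lone 0xCC in the middle of the instruction stream.
SAMPLE = bytes.fromhex(
    "558BEC"              # push ebp / mov ebp,esp
    "33C0"                # xor eax,eax
    "5DC3"                # pop ebp / ret
    "CCCCCCCCCCCCCCCCCC"  # 9 x int3: alignment padding, not interesting
    "558BEC"              # push ebp / mov ebp,esp
    "85C0"                # test eax,eax
    "CC"                  # lone int3 where a real instruction should be
    "90"                  # nop
    "5DC3"                # pop ebp / ret
)
SAMPLE_BASE = 0x00401000  # assumed virtual address of SAMPLE[0]


def find_int3_runs(code: bytes, base: int) -> List[Tuple[int, int]]:
    """Return (virtual address, run length) for every maximal run of 0xCC."""
    runs = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != INT3:
            i += 1
            continue
        j = i
        while j < n and code[j] == INT3:
            j += 1
        runs.append((base + i, j - i))
        i = j
    return runs


def candidate_nanomites(code: bytes, base: int, max_run: int = 2) -> List[int]:
    """Addresses of short 0xCC runs (length <= max_run).

    Long runs are treated as padding. A 0xCC that is really an operand byte
    of a longer instruction will also show up here, so confirm each hit in
    a disassembler before treating it as a nanomite."""
    return [addr for addr, length in find_int3_runs(code, base)
            if length <= max_run]


def main(argv: List[str]) -> int:
    # Usage: python find_int3.py <raw code dump> <hex base address>
    # With no arguments the constructed SAMPLE is scanned instead.
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            code = f.read()
        base = int(argv[2], 16)
    else:
        code, base = SAMPLE, SAMPLE_BASE
    for addr, length in find_int3_runs(code, base):
        kind = "candidate" if length <= 2 else "padding"
        print(f"{addr:08X}  {length:3d} x CC  {kind}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample the 9-byte run at 00401007 is reported as padding and the single byte at 00401015 as a candidate; whether a candidate is a nanomite, a debugger breakpoint left in the dump, or an operand byte still has to be decided by looking at the surrounding instructions.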
#6
You are right. I didn't try anything but the Exit button. Was able to fix the stack problem with a CMP and a POP.
The way I fixed it, and now it closes without error:

Code:
    00402E19  ^E9 20FBFFFF  JMP Copy_of_.0040293E
    00402E1E  90            NOP
    00402E1F  90            NOP
    ...
    0040293E  61            POPAD
    0040293F  33C0          XOR EAX,EAX           ; the POPAD, XOR, LEAVE go here because I replaced them with a long jump at 00402E19
    00402941  C9            LEAVE
    00402942  3E:833C24 00  CMP DWORD PTR DS:[ESP],0   ; here I check so it won't return to 00000000
    00402947  75 01         JNZ SHORT Copy_of_.0040294A
    00402949  58            POP EAX
    0040294A  C2 1000       RETN 10

Last edited by Flagmax; 01-06-2005 at 05:49.
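An added example, not code from the thread or from Flagmax: a tiny x86-32 stack model that replays the epilogue discussed in posts #1, #4 and #6. It lays out the stack as it looks after LEAVE (the four stdcall arguments that RETN 10 discards, the caller's return address, and a configurable number of stray zero dwords on top), then runs both the original RETN 10 and the patched CMP/JNZ/POP EAX/RETN 10 sequence. The return address 0x77D3A1B0, the argument values and the initial ESP are constructed assumptions, not values from the target.

```python
"""Minimal x86-32 stack model of the dialog-procedure epilogue.

Added example; not from the thread. CALLER_RETURN, ARGS and the initial
ESP are constructed so that the stray zero lands at 0012FFC0 as in post #1."""

from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed values: where the caller would resume, and the 4 stdcall
# arguments that RETN 10 discards. Not taken from the real target.
CALLER_RETURN = 0x77D3A1B0
ARGS = [0x000A05C2, 0x00000010, 0x00000001, 0x00000000]


@dataclass
class Stack:
    """Little x86 stack: ESP plus a dword-addressed memory map."""
    esp: int
    mem: Dict[int, int] = field(default_factory=dict)

    def push(self, value: int) -> None:
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self) -> int:
        value = self.mem.get(self.esp, 0)
        self.esp += 4
        return value

    def top(self) -> int:
        return self.mem.get(self.esp, 0)


def build_frame(stray_zeros: int, esp0: int = 0x0012FFD8) -> Stack:
    """Stack as it looks right after LEAVE: caller-pushed args, the return
    address pushed by CALL, and `stray_zeros` leftover zero dwords on top."""
    st = Stack(esp0)
    for arg in reversed(ARGS):      # stdcall: args pushed right to left
        st.push(arg)
    st.push(CALLER_RETURN)          # what CALL pushed
    for _ in range(stray_zeros):    # the leftover 00 00 00 00 seen in Olly
        st.push(0)
    return st


def retn_10(st: Stack) -> int:
    """RETN 10: pop EIP, then drop 0x10 bytes of arguments."""
    eip = st.pop()
    st.esp += 0x10
    return eip


def original_epilogue(st: Stack) -> int:
    """Original path: POPAD / XOR EAX,EAX / LEAVE / RETN 10.
    POPAD, XOR and LEAVE do not change what RETN sees here, so only RETN
    is modelled."""
    return retn_10(st)


def patched_epilogue(st: Stack) -> int:
    """Flagmax's patch:
        CMP DWORD PTR [ESP],0   ; is the top of stack a zero?
        JNZ SHORT retn          ; no  -> return normally
        POP EAX                 ; yes -> discard it
        retn: RETN 10
    Note that it discards at most ONE stray dword."""
    if st.top() == 0:
        st.pop()
    return retn_10(st)


def run(stray_zeros: int) -> Dict[str, Tuple[int, int]]:
    """Where each epilogue jumps, and ESP afterwards, for a given frame."""
    out = {}
    for name, fn in (("original", original_epilogue),
                     ("patched", patched_epilogue)):
        st = build_frame(stray_zeros)
        out[name] = (fn(st), st.esp)
    return out


if __name__ == "__main__":
    for n in (0, 1, 2):
        res = {k: (f"{a:08X}", f"{e:08X}") for k, (a, e) in run(n).items()}
        print(f"stray zeros={n}: {res}")
```

With no stray zero both paths return to the caller with an identical ESP, so the patch is transparent in the good case. With one stray zero the original RETN 10 jumps to 00000000 (the crash in post #1) while the patched path pops it and returns correctly. With two or more, the patch still crashes, because the CMP is done once and not in a loop; that is the caveat to keep in mind if the leftover data on the stack is wider than one dword.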
#7
Hi, thanks for your help.
I'm now trying to handle nanomites, but have some troubles. I'm following the above tutorial for LabWeather. I'm trying to find the 4 tables. I found them here:

    first:  0040AEA3  .  8B0D 8C6A4200  MOV ECX,DWORD PTR DS:[426A8C]
    second: 0040AEDA  .  A1 986A4200    MOV EAX,DWORD PTR DS:[426A98]
    third:  0040AEFF  .  A1 886A4200    MOV EAX,DWORD PTR DS:[426A88]
    fourth: 0040AF15  >  8B15 9C6A4200  MOV EDX,DWORD PTR DS:[426A9C]

The problem is that the program never hits the 4th because of this jump:

    0040AF13  .  EB 1E  JMP SHORT vbowatch.0040AF33

Can someone tell me where I'm wrong? Attached are the original Armadilloed version and the fixed version.