Can anyone help with the following code? The code *seems* to work standalone (doesn't crash), but doesn't work under Ollydbg - it gives the result indicated in the comments, and therefore gives an Access Violation on the REP MOVS command. Since the ADD command I'm using (81) is supposed to be for immediate adding (i.e. not from memory), I'm completely at a loss as to why the calculation is wrong.

The entire code for the function is below, which was written using Ollydbg 1.09d's assembler.



00181040 > 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; mydll.J4 (get structure pointer)
00181044 57 PUSH EDI
00181045 56 PUSH ESI
00181046 E8 00000000 CALL mydll.0018104B ; get current EIP value
0018104B 5E POP ESI ; for self relocation [0x18104B]
0018104C 81C6 B5100000 ADD ESI,10B5 ; add 0x10B5 to 0x18104b gives 0xE42100 ?!
00181052 8BF8 MOV EDI,EAX
00181054 51 PUSH ECX
00181055 B9 00020000 MOV ECX,200
0018105A F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; Fill in structure
0018105C EB 17 JMP SHORT mydll.0018106D
0018105E 90 NOP
0018105F 90 NOP
00181060 > 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; mydll.J4CD
00181064 50 PUSH EAX
00181065 E8 D6FFFFFF CALL mydll.J4
0018106A C3 RETN
0018106B 90 NOP
0018106C 90 NOP
0018106D 33C0 XOR EAX,EAX
0018106F 59 POP ECX
00181070 5E POP ESI
00181071 5F POP EDI
00181072 C2 0400 RETN 4


I've checked the Intel command reference, and the add command I'm using is definitely the immediate version (at first I thought maybe it was adding values from memory, but this is not the case).

To try and get some more information, I've also set ESI to zero in Ollydbg directly before the add command, and got this:

ESI before ADD = 00000000
ESI after ADD = 00CC10B5

:confused:

The only other thing I can think of is bad relocation, but I don't use relocation in this dll (the code is completely relocatable in itself - no need for fixups).

Go on, tell me I'm doing something stupid, as it sure beats me.
Posted on 2003-11-02 05:02:31 by squidge
:grin: I think the CC comes from the breakpoint that ollydbg set, but not removed.
Posted on 2003-11-02 07:01:40 by roticv
Hmm, that would make sense, but why put the breakpoint in the middle of an instruction? Unless of course the instruction length was guessed wrong. That explains why it works without Ollydbg, though. :)

:alright:
Posted on 2003-11-02 14:59:54 by squidge
Not too sure though. Perhaps you can try writing an email to olly. I think he would give a better answer than I would.
Posted on 2003-11-02 21:26:45 by roticv