Hi!

I have the following simple code, and an unusual situation:
.386
.model flat, stdcall
option casemap:none

include piccam.inc      ; prototypes, resource IDs and the globals used below
                        ; (hInstance, CommandLine, hDlg, bIRRS, tExit, tDialog, tEnable, tDisable)

.code

Start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke GetCommandLine
mov CommandLine, eax
invoke InitCommonControls

; Creating the main dialog (modal: DialogBoxParam returns only after EndDialog)
invoke DialogBoxParam, hInstance, IDD_DIALOG, NULL, addr DlgProc, NULL

invoke ExitProcess, NULL

DlgProc proc hWin:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM

mov eax, uMsg
.if eax == WM_INITDIALOG
mov eax, hWin
mov hDlg, eax                               ; keep the dialog handle for IRRSEnable
invoke LoadIcon, hInstance, IDI_DIALOG
invoke SendMessage, hWin, WM_SETICON, ICON_BIG + ICON_SMALL, eax   ; ICON_SMALL is 0, so this is ICON_BIG
invoke CheckDlgButton, hWin, IDC_CHK1, BST_CHECKED
invoke IRRSItemsEnable, hWin
.elseif eax == WM_COMMAND
mov eax, wParam
mov edx, eax
shr edx, 16                                 ; edx = HIWORD(wParam) = notification code
and eax, 0FFFFh                             ; eax = LOWORD(wParam) = control ID
.if edx == BN_CLICKED
.if eax == IDC_BTN1
invoke IRRSItemsEnable, hWin
invoke IRRSEnable
.elseif eax == IDC_CHK1
invoke MessageBox, NULL, NULL, NULL, MB_OK
.elseif eax == IDCANCEL
invoke MessageBox, hWin, addr tExit, addr tDialog, MB_YESNO + MB_ICONQUESTION
.if eax == IDYES
invoke EndDialog, hWin, IDOK
.endif
.endif
.endif
.else
xor eax, eax                                ; message not handled: return FALSE
ret
.endif
xor eax, eax
inc eax                                     ; message handled: return TRUE
ret

DlgProc endp

; Toggle bIRRS and enable/disable the three edit boxes and the checkbox accordingly.
IRRSItemsEnable proc hWin:HWND

xor bIRRS, TRUE                             ; bIRRS = !bIRRS (TRUE is 1)
invoke GetDlgItem, hWin, IDC_EDT1
invoke EnableWindow, eax, bIRRS
invoke GetDlgItem, hWin, IDC_EDT2
invoke EnableWindow, eax, bIRRS
invoke GetDlgItem, hWin, IDC_EDT3
invoke EnableWindow, eax, bIRRS
invoke GetDlgItem, hWin, IDC_CHK1
invoke EnableWindow, eax, bIRRS
mov edx, offset tEnable                     ; button text names the next action
.if bIRRS
mov edx, offset tDisable
.endif
invoke SetDlgItemText, hWin, IDC_BTN1, edx
ret

IRRSItemsEnable endp

IRRSEnable proc

;invoke SerialOpen
; With SerialOpen commented out, EAX still holds the return value of the previous call
; (SetDlgItemText from IRRSItemsEnable), and that is the number written into IDC_EDT1.
invoke SetDlgItemInt,hDlg,IDC_EDT1,eax,FALSE
ret

IRRSEnable endp

end Start

My problem is that if I run the program, it works normally.
If I load it into OllyDbg, search for the IRRSEnable procedure and press F4 (run to cursor), it stops with an access violation. If I set a breakpoint at that location, it works fine again. I just don't get it. I don't even use the ECX register. Did I do something wrong?
I attached the screen capture of OllyDbg.
Posted on 2005-05-04 09:43:27 by bszente
OllyDbg's fault. Write an email to the author  ;)
Posted on 2005-05-04 10:10:19 by roticv
Ok, thanks for your reply. What a relief... :lol: I thought that I was the guilty one.

Besides this small fault I'm really satisfied with OllyDbg; I like it better than any other debugger. It's really a great program.
Posted on 2005-05-04 11:54:07 by bszente
Well, could you please upload the compiled binary so that I can try debugging it with my Olly? :)
I don't think Olly has bugs of that nature.
As I see it, it is having a violation in ntdll.dll, which is odd; that means you are passing something
which gets a wrong value somewhere.
Also, in the stack I see a lot of LDR: messages, which means it is probably in some initialization stage,
or you have some imagebase clash and are getting an access violation. Dunno :)

BTW, is it some trick question, or didn't I see the picture clearly?
How did Victor know it is a bug in Olly without even having a cursory glance? :)
Or am I not looking at something which he noticed?

Posted on 2005-05-05 02:25:48 by bluffer

Well, could you please upload the compiled binary so that I can try debugging it with my Olly? :)
I don't think Olly has bugs of that nature.
As I see it, it is having a violation in ntdll.dll, which is odd; that means you are passing something
which gets a wrong value somewhere.

I attached the whole RadASM project.

The steps to reproduce the error:
1. Open the project in RadASM. Ctrl+D to debug the exe with OllyDbg.
2. In OllyDbg go with the cursor to address 004010c6 (and eax, 0FFFFh, or some other neighbouring instruction).
3. Press F4 a few times (around 7 or 8 times).
4. Execution stops: Access violation when reading [7D371066]

It is really bizarre. At this moment I found another way to reproduce the error: if you set a normal breakpoint and press F9, the error will appear.

BUT: if you do the same and set that breakpoint, and you DO NOT USE the keyboard but the toolbar Run Program button, the error will NOT appear.
Also, if I run the program normally from Windows, there is no error.

I get the feeling that there is a problem with OllyDbg using the keyboard shortcuts. I just tried another project (a program that never crashed): the same stuff. If I debug the ReBar project, which comes with RadASM, it's enough to press F4 only twice to get the error.

There is a 3rd option: maybe my M$ Window$ very bad eXPerience is broken.  :mad: :mad:

Can someone please confirm this strange behaviour?
Posted on 2005-05-05 02:58:10 by bszente
Sorry to say that I cannot make it crash on w2k :) Neither your program crashes nor OllyDbg crashes.

I've F4'ed till my fingers ached, then F9'ed with the other hand till it ached, but nada, I can't establish that access violation.

Yes, you have three edit boxes, so the system will send six WM_COMMAND (notify) messages,

so after executing F4 six times, the seventh time the application pops up and runs normally.

I've captured the messages as they are sent to your DialogProc,
and they all look OK.

Log data
Address    Message
0040103E  COND: 00000030 WM_SETFONT  <--first message
0040103E  COND: 00000111 WM_COMMAND <- second message
004010BE  COND: 040003EB MSG(40003EB) <-- notice address , id and message
0040103E  COND: 00000111 WM_COMMAND
004010BE  COND: 030003EB MSG(30003EB)
0040103E  COND: 00000111 WM_COMMAND
004010BE  COND: 040003EC MSG(40003EC)
0040103E  COND: 00000111 WM_COMMAND
004010BE  COND: 030003EC MSG(30003EC)
0040103E  COND: 00000111 WM_COMMAND
004010BE  COND: 040003ED MSG(40003ED)
0040103E  COND: 00000111 WM_COMMAND
004010BE  COND: 030003ED MSG(30003ED)
0040103E  COND: 00000110 WM_INITDIALOG
0040103E  COND: 00000080 WM_SETICON
0040103E  COND: 00000046 WM_WINDOWPOSCHANGING
0040103E  COND: 0000001C WM_ACTIVATEAPP
0040103E  COND: 00000086 WM_NCACTIVATE
0040103E  COND: 00000006 WM_ACTIVATE
0040103E  COND: 00000400 WM_USER
0040103E  COND: 00000127 WM_CHANGEUISTATE
0040103E  COND: 00000018 WM_SHOWWINDOW
0040103E  COND: 00000046 WM_WINDOWPOSCHANGING
0040103E  COND: 0000000D WM_GETTEXT
0040103E  COND: 00000085 WM_NCPAINT
0040103E  COND: 0000000D WM_GETTEXT
0040103E  COND: 00000014 WM_ERASEBKGND
0040103E  COND: 00000136 WM_CTLCOLORDLG
0040103E  COND: 00000047 WM_WINDOWPOSCHANGED
0040103E  COND: 00000005 WM_SIZE
0040103E  COND: 00000003 WM_MOVE
0040103E  COND: 0000000F WM_PAINT
0040103E  COND: 00000135 WM_CTLCOLORBTN
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 00000138 WM_CTLCOLORSTATIC
0040103E  COND: 0000000D WM_GETTEXT
60000000  Module C:\WINNT\system32\MSCTF.dll
779B0000  Module C:\WINNT\system32\OLEAUT32.DLL
0040103E  COND: 00000086 WM_NCACTIVATE
0040103E  COND: 0000000D WM_GETTEXT
0040103E  COND: 00000006 WM_ACTIVATE
0040103E  COND: 0000001C WM_ACTIVATEAPP
0040103E  COND: 00000135 WM_CTLCOLORBTN
0040103E  COND: 00000135 WM_CTLCOLORBTN

===========================
here is the arguments decoded
0040103B  COND: <WinProc>
0040103B  CALL to Assumed WinProc from user32.77E3A3CD
            hWnd = 003D012C ('PicCam',class='#32770')
            Message = WM_SETFONT
            hFont = 800A0592
            Redraw = 0
0040103B  COND: <WinProc>
0040103B  CALL to Assumed WinProc from user32.77E3A3CD
            hWnd = 003D012C ('PicCam',class='#32770')
            Message = WM_COMMAND
            Notify = EN_UPDATE... ID = 1003.
            hControl = 002E0112 ('0',class='Edit',parent=003D012C)
0040103B  COND: <WinProc>
0040103B  CALL to Assumed WinProc from user32.77E3A3CD
            hWnd = 003D012C ('PicCam',class='#32770')
            Message = WM_COMMAND
            Notify = EN_CHANGE... ID = 1003.
            hControl = 002E0112 ('0',class='Edit',parent=003D012C)
0040103B  COND: <WinProc>
0040103B  CALL to Assumed WinProc from user32.77E3A3CD
            hWnd = 003D012C ('PicCam',class='#32770')
            Message = WM_COMMAND
            Notify = EN_UPDATE... ID = 1004.
            hControl = 002D00F8 ('0',class='Edit',parent=003D012C)
0040103B  COND: <WinProc>
0040103B  CALL to Assumed WinProc from user32.77E3A3CD
            hWnd = 003D012C ('PicCam',class='#32770')
            Message = WM_COMMAND
            Notify = EN_CHANGE... ID = 1004.
            hControl = 002D00F8 ('0',class='Edit',parent=003D012C)
0040103B  COND: <WinProc>
0040103B  CALL to Assumed WinProc from user32.77E3A3CD
            hWnd = 003D012C ('PicCam',class='#32770')
            Message = WM_COMMAND
            Notify = EN_UPDATE... ID = 1005.
            hControl = 002A00DE ('0',class='Edit',parent=003D012C)
0040103B  COND: <WinProc>
0040103B  CALL to Assumed WinProc from user32.77E3A3CD
            hWnd = 003D012C ('PicCam',class='#32770')
            Message = WM_COMMAND
            Notify = EN_CHANGE... ID = 1005.
            hControl = 002A00DE ('0',class='Edit',parent=003D012C)
0040103B  COND: <WinProc>
0040103B  CALL to Assumed WinProc from user32.77E3A3CD
            hWnd = 003D012C ('PicCam',class='#32770')
            Message = WM_INITDIALOG
            hFocus = 002A0138 ('En&able',class='Button',parent=003D012C)
            Parm = 0
0040103B  COND: <WinProc>


I don't have RadASM, so I can't do your Ctrl+D, and I also don't have XP to confirm whether it has some problems,
but on w2k it works fine in OllyDbg.

You can make Olly the JIT debugger, capture the exception and look at the stack back trace,

or maybe post the call stack of the main thread (don't forget to actualize, as there may be stale data in that window).

Look below for call stack details.


Call stack of main thread
Address    Stack      Procedure / arguments                                                    Called from                  Frame
0012FCB4  77E3A3D0  Maybe piccam.DlgProc                                                      user32.77E3A3CD              0012FCB0
0012FCB8  003F012C    hWnd = 003F012C ('PicCam',class='#32770')
0012FCBC  00000111    Message = WM_COMMAND
0012FCC0  000003EA    Notify = MENU/BN_CLICKED... ID = 1002.
0012FCC4  002B0138    hControl = 002B0138 ('Dis&able',class='Button',parent=003F012C)
0012FCD4  77E28C59  user32.77E3A3B8                                                          user32.77E28C54              0012FCD0
0012FCD8  0040103B    Arg1 = 0040103B
0012FCDC  003F012C    Arg2 = 003F012C
0012FCE0  00000111    Arg3 = 00000111
0012FCE4  000003EA    Arg4 = 000003EA
0012FCE8  002B0138    Arg5 = 002B0138
0012FD10  77E1622D  Maybe user32.77E28B9A                                                    user32.77E16226              0012FD0C
0012FD14  003F012C    Arg1 = 003F012C
0012FD18  00000111    Arg2 = 00000111
0012FD1C  000003EA    Arg3 = 000003EA
0012FD20  002B0138    Arg4 = 002B0138
0012FD24  00000000    Arg5 = 00000000
0012FD40  77E17361  user32.77E16063                                                          user32.SendMessageW+3F        0012FD3C
0012FD60  77E30963  user32.SendMessageW                                                      user32.77E3095E              0012FD5C
0012FD64  003F012C    hWnd = 3F012C
0012FD68  00000111    Message = WM_COMMAND
0012FD6C  000003EA    Notify = MENU/BN_CLICKED... ID = 1002.
0012FD70  002B0138    hControl = 002B0138 ('Dis&able',class='Button',parent=003F012C)
0012FD74  77E2C150  user32.77E3091F                                                          user32.77E2C14B              0012FDFC
0012FD8C  77E28676  user32.77E2C058                                                          user32.77E28671              0012FDFC
0012FE00  77E2E078  user32.77E27DB5                                                          user32.77E2E073              0012FDFC
0012FE04  002B0138    Arg1 = 002B0138
0012FE08  00000202    Arg2 = 00000202
0012FE0C  00000000    Arg3 = 00000000
0012FE10  000B002E    Arg4 = 000B002E
0012FE14  00000001    Arg5 = 00000001
0012FE24  77E3A3D0  user32.77E2E02F                                                          user32.77E3A3CD              0012FE20
0012FE28  002B0138    Arg1 = 002B0138
0012FE2C  00000202    Arg2 = 00000202
0012FE30  00000000    Arg3 = 00000000
0012FE34  000B002E    Arg4 = 000B002E
0012FE44  77E14605  user32.77E3A3B8                                                          user32.77E14600              0012FE40
0012FE48  77E2E02F    Arg1 = 77E2E02F
0012FE4C  002B0138    Arg2 = 002B0138
0012FE50  00000202    Arg3 = 00000202
0012FE54  00000000    Arg4 = 00000000
0012FE58  000B002E    Arg5 = 000B002E
0012FED0  77E1A7BA  user32.77E14321                                                          user32.DispatchMessageW+6    0012FECC
0012FEDC  77E2EC65  user32.DispatchMessageW                                                  user32.IsDialogMessageW+3CC  0012FEFC
0012FEE0  0012FF18    pMsg = WM_LBUTTONUP hw = 2B0138 ("Dis&able") Keys = 0 X = 46. Y = 11.
0012FF00  77E334DC  user32.IsDialogMessageW                                                  user32.77E334D7              0012FEFC
0012FF04  003F012C    hWnd = 003F012C ('PicCam',class='#32770')
0012FF08  004ABDA8    pMsg = WM_DESTROY hw = 2B0138 ("Dis&able")
0012FF3C  77E44184  user32.77E3338E                                                          user32.77E4417F              0012FF38
0012FF40  003F012C    Arg1 = 003F012C
0012FF44  00000000    Arg2 = 00000000
0012FF48  00000010    Arg3 = 00000010
0012FF4C  00000000    Arg4 = 00000000
0012FF60  77E38CB4  user32.77E440B3                                                          user32.DialogBoxIndirectPara  0012FF5C
0012FF64  00400000    Arg1 = 00400000
0012FF68  00404160    Arg2 = 00404160
0012FF6C  00000000    Arg3 = 00000000
0012FF70  0040103B    Arg4 = 0040103B
0012FF74  00000000    Arg5 = 00000000
0012FF78  00000003    Arg6 = 00000003
0012FF80  77E3ED19  user32.DialogBoxIndirectParamAorW                                        user32.DialogBoxParamA+45    0012FF7C
0012FF84  00400000    Arg1 = 00400000
0012FF88  00404160    Arg2 = 00404160
0012FF8C  00000000    Arg3 = 00000000
0012FF90  0040103B    Arg4 = 0040103B
0012FF94  00000000    Arg5 = 00000000
0012FF98  00000002    Arg6 = 00000002
0012FFAC  00401034  piccam.DialogBoxParamA                                                    piccam.<ModuleEntryPoint>+2F  0012FFA8
0012FFB0  00400000    hInst = 00400000
0012FFB4  000003E8    pTemplate = 3E8
0012FFB8  00000000    hOwner = NULL
0012FFBC  0040103B    DlgProc = piccam.DlgProc
0012FFC0  00000000    lParam = NULL
0012FFC4  7C59893D  Maybe piccam.<ModuleEntryPoint>                                          KERNEL32.7C59893A            0012FFF0


I still don't think Olly has a bug :)




Posted on 2005-05-05 07:33:04 by bluffer
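The COND: values in bluffer's log can be cracked by hand the same way DlgProc does it: HIWORD(wParam) is the notification code and LOWORD(wParam) is the control ID, so 040003EB is EN_UPDATE (0400h) from control 1003 (3EBh), and 030003EB is EN_CHANGE (0300h) from the same control. The values logged at 004010BE have the shape of wParam rather than of a message number, which is why Olly printed them as MSG(...); that a second log breakpoint inside the WM_COMMAND branch produced them is an inference from the log, not something the post states. The C program below is an added example, not code from the thread: it parses a constructed excerpt of the quoted log lines, decodes each wParam, and counts how many WM_COMMAND notifications reach the dialog procedure before WM_INITDIALOG arrives, which is bluffer's explanation of why six F4 presses stop at the breakpoint and the seventh runs the program. The message and notification constants are the public Win32 values; the two breakpoint addresses are taken from the log.

```c
/* Added example (not code from the thread): decode the COND: values from the
 * OllyDbg conditional-log breakpoints quoted above. Lines logged at 0040103E
 * carry uMsg; lines logged at 004010BE carry wParam inside the WM_COMMAND branch
 * (an inference from the log, see the lead-in). */
#include <stdio.h>
#include <string.h>

/* Public Win32 constants (winuser.h) */
#define WM_INITDIALOG 0x0110
#define WM_COMMAND    0x0111
#define BN_CLICKED    0x0000
#define EN_CHANGE     0x0300
#define EN_UPDATE     0x0400

/* Addresses of the two log breakpoints in bluffer's session */
#define UMSG_LOG_ADDR   0x0040103Eu
#define WPARAM_LOG_ADDR 0x004010BEu

typedef struct { unsigned addr; unsigned value; } LogEntry;
typedef struct { unsigned notify; unsigned id; const char *name; } Command;

/* Parse one "AAAAAAAA  COND: VVVVVVVV ..." log line. Returns 0 for the other
 * line kinds (module loads etc.) that the log window mixes in. */
int parse_cond_line(const char *line, LogEntry *out)
{
    unsigned addr, value;
    if (sscanf(line, "%8x COND: %8x", &addr, &value) != 2) return 0;
    out->addr = addr;
    out->value = value;
    return 1;
}

const char *notify_name(unsigned code)
{
    switch (code) {
    case BN_CLICKED: return "BN_CLICKED";
    case EN_CHANGE:  return "EN_CHANGE";
    case EN_UPDATE:  return "EN_UPDATE";
    default:         return "(unknown)";
    }
}

/* The same split DlgProc performs with shr edx,16 / and eax,0FFFFh */
Command decode_wparam(unsigned wparam)
{
    Command c;
    c.notify = wparam >> 16;        /* HIWORD: notification code */
    c.id     = wparam & 0xFFFF;     /* LOWORD: control identifier */
    c.name   = notify_name(c.notify);
    return c;
}

/* Constructed excerpt of the log lines quoted in the post */
static const char *sample_log[] = {
    "0040103E  COND: 00000030 WM_SETFONT",
    "0040103E  COND: 00000111 WM_COMMAND",
    "004010BE  COND: 040003EB MSG(40003EB)",
    "0040103E  COND: 00000111 WM_COMMAND",
    "004010BE  COND: 030003EB MSG(30003EB)",
    "0040103E  COND: 00000111 WM_COMMAND",
    "004010BE  COND: 040003EC MSG(40003EC)",
    "0040103E  COND: 00000111 WM_COMMAND",
    "004010BE  COND: 030003EC MSG(30003EC)",
    "0040103E  COND: 00000111 WM_COMMAND",
    "004010BE  COND: 040003ED MSG(40003ED)",
    "0040103E  COND: 00000111 WM_COMMAND",
    "004010BE  COND: 030003ED MSG(30003ED)",
    "0040103E  COND: 00000110 WM_INITDIALOG",
    "0040103E  COND: 00000080 WM_SETICON",
    "60000000  Module C:\\WINNT\\system32\\MSCTF.dll",
    NULL
};

/* Decode every wParam logged before WM_INITDIALOG arrives; returns how many. */
int decode_sample(Command *out, int max)
{
    int n = 0;
    for (const char **l = sample_log; *l; ++l) {
        LogEntry e;
        if (!parse_cond_line(*l, &e)) continue;
        if (e.addr == UMSG_LOG_ADDR && e.value == WM_INITDIALOG) break;
        if (e.addr == WPARAM_LOG_ADDR && n < max) out[n++] = decode_wparam(e.value);
    }
    return n;
}

int main(void)
{
    Command cmds[16];
    int n = decode_sample(cmds, 16);
    printf("%d WM_COMMAND notifications before WM_INITDIALOG:\n", n);
    for (int i = 0; i < n; i++)
        printf("  %-10s from control %u (%03Xh)\n", cmds[i].name, cmds[i].id, cmds[i].id);
    return 0;
}
```

The program reports six notifications (EN_UPDATE then EN_CHANGE for each of controls 1003, 1004 and 1005), all raised while the edit controls receive their initial text, before the dialog procedure ever sees WM_INITDIALOG. Decoding 000003EA, the wParam in the call stack further down, gives BN_CLICKED from control 1002, the Dis&able button.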
I get the feeling that something here is related to XP.

Can you please tell me how I can generate those logs? I don't know these logging features of OllyDbg; I looked through OllyDbg's help file, but I did not succeed in generating the same logs that you have posted. I succeeded in getting some brief logs, not as detailed as yours.
Please tell me how to do it, and I will post the logs.

Thanks for your time.
Posted on 2005-05-05 08:33:17 by bszente
I think you guys are looking at the topic from the wrong direction.

1) We see that the crash is located at 7C91E305h within ntdll.dll. But the problem is that bszente did not even call any ntdll.dll functions. So how did that happen? Most likely something is wrong with OllyDbg; but that is just my preliminary analysis.

2) I loaded ntdll.dll into IDA and downloaded the pdb file from msdn and take a look at the address where the crash occurs.

.text:7C91E305 loc_7C91E305:                          ; CODE XREF: LdrProcessRelocationBlockLongLong(x,x,x,x,x)+3Ej
.text:7C91E305                                        ; DATA XREF: .text:off_7C91E4AEo
.text:7C91E305                movzx  eax, word ptr ; case 0x1
.text:7C91E308                shl    eax, 10h
.text:7C91E30B                add    eax, edx
.text:7C91E30D                jmp    short loc_7C91E329


So what are Ldr-related functions? I had to look into "Inside Windows 2000" to find out some information on them.


Ntdll also contains many support functions, such as the image loader (functions that start with Ldr), the heap manager, and Win32 subsystem process communication functions (functions that start with Csr), as well as general run-time library routines (functions that start with Rtl). It also contains the user-mode asynchronous procedure call (APC) dispatcher and exception dispatcher.


So the Ldr-related functions are support functions that deal with the image loader. That means that the bug could not have originated from bszente's code, but must have come from OllyDbg (as such a crash does not occur when bszente runs the exe normally).

Posted on 2005-05-05 09:06:38 by roticv
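The "case 0x1" branch roticv disassembled is the loader handling the IMAGE_REL_BASED_HIGH relocation type: it reads the 16-bit field, shifts it into the high half of EAX, adds the load delta (in EDX) and, at the shared tail, stores the high word back, which amounts to field += HIWORD(delta). The C program below is an added example, not code from the thread or from ntdll: it processes one .reloc block for the ABSOLUTE, HIGH, LOW and HIGHLOW relocation types over a constructed image buffer, with the bounds checks a loader needs so that a malformed block cannot write outside the image. It does not explain bszente's crash; it only shows what the code at the faulting address does when an image cannot be mapped at its preferred base. The preferred base 00400000, the new base 00C50000 and the fixup offsets are assumptions chosen for the demonstration.

```c
/* Added example: apply one PE base-relocation block the way the loader does.
 * Not code from the thread or from ntdll; image layout and bases are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Relocation types from the PE specification (high 4 bits of each entry) */
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, no fixup */
#define IMAGE_REL_BASED_HIGH     1   /* 16-bit field += HIWORD(delta): the "case 0x1" above */
#define IMAGE_REL_BASED_LOW      2   /* 16-bit field += LOWORD(delta) */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit field += delta */

/* Byte-wise little-endian accessors (no unaligned or aliasing tricks) */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Apply one IMAGE_BASE_RELOCATION block (8-byte header: page RVA, SizeOfBlock,
 * then 16-bit entries) to a mapped image. delta = actual base - preferred base.
 * Returns the number of fixups applied, or -1 when the block is malformed or a
 * fixup would touch memory outside the image. */
int apply_reloc_block(uint8_t *image, size_t image_size,
                      const uint8_t *block, size_t block_size, uint32_t delta)
{
    if (block_size < 8) return -1;
    uint32_t page = rd32(block);
    uint32_t size = rd32(block + 4);
    if (page >= image_size) return -1;
    if (size < 8 || size > block_size || (size - 8) % 2 != 0) return -1;

    size_t entries = (size - 8) / 2;
    int applied = 0;
    for (size_t i = 0; i < entries; i++) {
        uint16_t e = rd16(block + 8 + 2 * i);
        unsigned type = e >> 12;
        size_t rva = (size_t)page + (e & 0xFFF);     /* 12-bit offset inside the 4 KiB page */
        switch (type) {
        case IMAGE_REL_BASED_ABSOLUTE:
            continue;                                 /* alignment padding, nothing to patch */
        case IMAGE_REL_BASED_HIGH:
            if (rva + 2 > image_size) return -1;
            wr16(image + rva, (uint16_t)(rd16(image + rva) + (delta >> 16)));
            break;
        case IMAGE_REL_BASED_LOW:
            if (rva + 2 > image_size) return -1;
            wr16(image + rva, (uint16_t)(rd16(image + rva) + (delta & 0xFFFF)));
            break;
        case IMAGE_REL_BASED_HIGHLOW:
            if (rva + 4 > image_size) return -1;
            wr32(image + rva, rd32(image + rva) + delta);
            break;
        default:
            return -1;                                /* type this example does not handle */
        }
        applied++;
    }
    return applied;
}

/* Constructed demonstration: an image linked for 00400000 is loaded at 00C50000. */
#define PREFERRED_BASE 0x00400000u
#define ACTUAL_BASE    0x00C50000u

int run_demo(uint32_t *ptr_after, uint16_t *hi_after)
{
    static uint8_t image[0x2000];
    memset(image, 0, sizeof image);
    wr32(image + 0x1010, PREFERRED_BASE + 0x1234);   /* absolute pointer into the image */
    wr16(image + 0x1020, (uint16_t)(PREFERRED_BASE >> 16)); /* high word of an address only */

    uint8_t block[12];
    wr32(block, 0x1000);                              /* page RVA */
    wr32(block + 4, (uint32_t)sizeof block);          /* SizeOfBlock, header included */
    wr16(block + 8,  (uint16_t)((IMAGE_REL_BASED_HIGHLOW << 12) | 0x010));
    wr16(block + 10, (uint16_t)((IMAGE_REL_BASED_HIGH    << 12) | 0x020));

    int n = apply_reloc_block(image, sizeof image, block, sizeof block,
                              ACTUAL_BASE - PREFERRED_BASE);
    *ptr_after = rd32(image + 0x1010);
    *hi_after  = rd16(image + 0x1020);
    return n;
}

/* A HIGHLOW entry at the last two bytes of the image: the 4-byte fixup would
 * overrun the mapping, so the block must be rejected instead of written. */
int run_malformed(void)
{
    static uint8_t image[0x2000];
    uint8_t block[12];
    wr32(block, 0x1000);
    wr32(block + 4, (uint32_t)sizeof block);
    wr16(block + 8,  (uint16_t)((IMAGE_REL_BASED_HIGHLOW << 12) | 0xFFE)); /* RVA 1FFE + 4 > 2000 */
    wr16(block + 10, (uint16_t)(IMAGE_REL_BASED_ABSOLUTE << 12));
    return apply_reloc_block(image, sizeof image, block, sizeof block, 0x10000u);
}

int main(void)
{
    uint32_t p; uint16_t h;
    int n = run_demo(&p, &h);
    printf("fixups applied: %d\n", n);
    printf("HIGHLOW pointer: %08X (expected %08X)\n", (unsigned)p, (unsigned)(ACTUAL_BASE + 0x1234));
    printf("HIGH word:       %04X (expected %04X)\n", (unsigned)h, (unsigned)(ACTUAL_BASE >> 16));
    printf("malformed block: %d (expected -1)\n", run_malformed());
    return 0;
}
```

Because Windows rebases images on 64 KiB boundaries, the low word of the delta is always zero in practice, which is why 16-bit fixups in real binaries are HIGH entries rather than LOW ones; the example still implements LOW for completeness.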
Thank you roticv for the investigation.
It's very strange, because, as I said before, the problem only occurs with keyboard shortcuts. If I put a breakpoint and use the toolbar buttons instead of F9, the execution goes normally and the error does not occur. I think normally it should not matter whether I use keyboard shortcuts or toolbar buttons.

bluffer, if you have time, please explain to me briefly how I can generate those logs. Thanks.

Regards,
bszente
Posted on 2005-05-05 09:36:01 by bszente
bszente,
the first log was done by using a conditional log breakpoint, aka Shift+F4.
To do it,
you select the line where you want to log;
in your example I selected your dialog proc's first instruction.
On its own Olly won't know it is a message loop or a WinProc() which has standard parameters,
so you will see only two radio buttons enabled, viz. pause and log expression.
In the expression box, if you enter ---> read up, always points to wParam
in a standard WinProc;
Olly will log them as 110, 111, 30, 202, etc. etc.
Now there is a list box below which has "assumed by expression" as default;
if you change it to wm_msg xxx,
Olly will crack those 111, 110 etc. as WM_COMMAND, WM_INITDIALOG etc. etc.
and will log them for you.
That is the result of the first part above the decoding.

Now you can help Olly assume something using Analysis --> Assume arguments.

So if you select WinProc and apply it,
Olly will from now onwards assume it to be a standard WinProc
and will display a comment like this:
0040103B    PUSH    EBP                              ;  Decoded as <WinProc>

Now if you press Shift+F4 on this line again you will see the third radio button has also been enabled;
you select to log always or set conditions, whatever you wish.
Olly will log all the function arguments,
viz.
hwnd, msg, wParam, lParam

===============
================
Now as far as the stack is concerned,
it is just pressing Ctrl+K whenever you have Olly in the paused condition
and right-click copy, pasting to Notepad. Before copying you should always remember to
right-click Actualize on all windows, because they may not reflect the actual status unless
you demand it (a smart worker concept: I am as smart as my boss is).

Hope I explained it in a manner you could understand.
Post if you have some question.
Have fun.
Regards




Breakpoints, item 0
Address=0040103B
Module=piccam
Active=Log
Disassembly=PUSH    EBP
Posted on 2005-05-05 10:36:38 by bluffer
Thank you bluffer for your post. You explained it well; it was very helpful.
From now on I can debug a lot more easily.

I think this thread can be considered solved.
Posted on 2005-05-05 11:18:23 by bszente
I don't know if it is solved or not :) As long as there isn't a clear-cut verdict, I won't consider it solved :)
But I was poking around catching debug strings, and I think it somehow must be related to ntvdm loading that gets mixed up in XP,
because you are opening the COM1 port; on another machine COM1 wasn't available, so your exe failed to run,
so I hexed your exe (COM1 to COM2) and caught this debug string:

Call stack of main thread
Address    Stack      Procedure / arguments                                                              Called from                  Frame
0012F4B0  77F99A45  ntdll.DbgPrint                                                                    ntdll.77F99A40                0012F72C
0012F730  77E87F6A  KERNEL32.LdrGetDllHandle                                                          KERNEL32.77E87F65            0012F72C
0012F784  77E8DBF3  KERNEL32.GetModuleHandleForUnicodeString                                          KERNEL32.77E8DBEE            0012F780
0012F7A4  77E1DA9D  KERNEL32.GetModuleHandleW                                                          user32.77E1DA97              0012F7A0
0012F7A8  0012F9F0    pModule = "C:\Documents and Settings\Administrator\Desktop\index\piccam1.exe"
0012F7AC  77E1DA33  user32.WowGetModuleHandle                                                          user32.77E1DA2E              0012F7C4
0012F7C8  77E1D839  user32.CopyImageFromRes                                                            user32.77E1D834              0012F7C4
0012FC98  77E1D74C  user32.CopyIcoCur                                                                  user32.77E1D747              0012FC94
0012FCB4  77E1CCD1  user32.InternalCopyImage                                                          user32.77E1CCCC              0012FCB0
0012FCDC  77F9FB83  Includes user32.77E1CCD1                                                          ntdll.KiUserApcDispatcher+20  0012FCD8



0012F4B0  77F99A45  RETURN to ntdll.77F99A45 from ntdll.DbgPrint
0012F4B4  77F999CE  ASCII "LDR: LdrGetDllHandle, searching for %ws from %ws\n"
0012F4B8  0012F4D8  UNICODE "C:\Documents and Settings\Administrator\Desktop\index\piccam1.exe"


Some old-school types could help here :)
Posted on 2005-05-05 12:52:05 by bluffer
Well, this problem is beyond me.  :sad:
That's true about the COM1 port, but as I said before, I tested this problem with the simple ReBar tutorial project included in the RadASM package, and also with another project of mine, and I could reproduce the error, so ntvdm should not be relevant... I don't know :|

As a conclusion: the error is not strictly related to my program. It can be reproduced with other programs too, and it happens ONLY with the keyboard shortcuts. Thus all these arguments lead me to the conclusion that roticv stated: that the problem lies in OllyDbg, or more exactly that the problem comes from an incompatibility between OllyDbg and XP (I have SP2).
That's why it would be important for other people to test this too, to see whether only my Windows is broken or not.
On what Windows did you test it, roticv?
Posted on 2005-05-05 14:24:32 by bszente