Hi, I'm new to the forums, and I am in need of some help. However, I'm unsure how to ask the question in a way you all would need it to be stated in order to help me. I'm not sure what information you need, so I'll give what I know and then see what you guys need.
I have some code that seems to keep crashing on a few different offsets. I've read the debug log and it seems that it keeps crashing on invalid pointers, but I'm unsure how to fix it.
The Code is as follows:
0040AC1B 0F88 DC000000 JS S.0040ACFD ; JMP 0040ACFD
0040AC21 0FB72E MOVZX EBP,WORD PTR DS:[ESI]
0040AC24 83C6 02 ADD ESI,2
0040AC27 032D C1CE5000 |ADD EBP,DWORD PTR DS:[50CEC1]
0040AC2D 8B0D C9CE5000 |MOV ECX,DWORD PTR DS:[50CEC9]
0040AC33 8B1D CDCE5000 |MOV EBX,DWORD PTR DS:[50CECD]
0040AC39 85C9 |TEST ECX,ECX
0040AC3B 74 3D |JE SHORT S.0040AC7A
0040AC3D 33D2 |/XOR EDX,EDX
0040AC3F 8A55 00 MOV DL,BYTE PTR SS:[EBP] ; 015EA475 <-Crash
0040AC42 45 INC EBP
0040AC43 84D2 TEST DL,DL
0040AC45 78 26 ||JS SHORT S.0040AC6D
0040AC47 F6C2 40 ||TEST DL,40
0040AC4A 75 10 ||JNZ SHORT S.0040AC5C
0040AC4C 03EA ||ADD EBP,EDX
0040AC4E 2BCA ||SUB ECX,EDX
0040AC50 74 28 ||JE SHORT S.0040AC7A
0040AC52 ^79 E9 ||JNS SHORT S.0040AC3D
0040AC54 F7D9 ||NEG ECX
0040AC56 2BE9 ||SUB EBP,ECX
0040AC58 8BD1 ||MOV EDX,ECX
0040AC5A EB 35 ||JMP SHORT S.0040AC91
0040AC5C 80E2 BF ||AND DL,0BF
0040AC5F 45 ||INC EBP
0040AC60 2BCA ||SUB ECX,EDX
0040AC62 74 16 ||JE SHORT S.0040AC7A
0040AC64 ^79 D7 ||JNS SHORT S.0040AC3D
0040AC66 F7D9 ||NEG ECX
0040AC68 4D ||DEC EBP
0040AC69 8BD1 ||MOV EDX,ECX
0040AC6B EB 48 ||JMP SHORT S.0040ACB5
0040AC6D 80E2 7F ||AND DL,7F
0040AC70 2BCA ||SUB ECX,EDX
0040AC72 74 06 ||JE SHORT S.0040AC7A
0040AC74 ^79 C7 |\JNS SHORT S.0040AC3D
0040AC76 2BF9 |SUB EDI,ECX
0040AC78 03D9 |ADD EBX,ECX
0040AC7A 85DB |TEST EBX,EBX
0040AC7C 7F 04 |JG SHORT S.0040AC82
0040AC7E 03FB |ADD EDI,EBX
0040AC80 EB 60 |JMP SHORT S.0040ACE2
0040AC82 33D2 |XOR EDX,EDX
0040AC84 8A55 00 MOV DL,BYTE PTR SS:[EBP] <-- Crash
0040AC87 45 INC EBP
0040AC88 84D2 TEST DL,DL
0040AC8A 78 47 JS SHORT S.0040ACD3
0040AC8C F6C2 40 |TEST DL,40
0040AC8F 75 21 |JNZ SHORT S.0040ACB2
0040AC91 2BDA |SUB EBX,EDX
0040AC93 79 02 |JNS SHORT S.0040AC97
0040AC95 03D3 |ADD EDX,EBX
0040AC97 33C0 |XOR EAX,EAX
0040AC99 53 |PUSH EBX
0040AC9A 8A45 00 MOV AL,BYTE PTR SS:[EBP] <--Crash
0040AC9D 45 ||INC EBP
0040AC9E 8A98 C1CD5000 ||MOV BL,BYTE PTR DS:[EAX+50CDC1]
0040ACA4 47 ||INC EDI
0040ACA5 4A ||DEC EDX
0040ACA6 885F FF MOV BYTE PTR DS:[EDI-1],BL
0040ACA9 ^75 EF JNZ SHORT S.0040AC9A
0040ACAB 5B POP EBX
0040ACAC 85DB |TEST EBX,EBX
0040ACAE ^7F D2 |JG SHORT S.0040AC82
0040ACB0 EB 30 |JMP SHORT S.0040ACE2
0040ACB2 80E2 BF |AND DL,0BF
0040ACB5 2BDA |SUB EBX,EDX
0040ACB7 79 02 |JNS SHORT S.0040ACBB
0040ACB9 03D3 |ADD EDX,EBX
0040ACBB 33C0 |XOR EAX,EAX
0040ACBD 8A45 00 |MOV AL,BYTE PTR SS:[EBP] <--Crash
0040ACC0 45 |INC EBP
0040ACC1 8A80 C1CD5000 |MOV AL,BYTE PTR DS:[EAX+50CDC1]
0040ACC7 8807 |/MOV BYTE PTR DS:[EDI],AL
0040ACC9 47 ||INC EDI
0040ACCA 4A ||DEC EDX
0040ACCB ^75 FA |\JNZ SHORT S.0040ACC7
0040ACCD 85DB |TEST EBX,EBX
0040ACCF ^7F B1 |JG SHORT S.0040AC82
0040ACD1 EB 0F |JMP SHORT S.0040ACE2
0040ACD3 80E2 7F |AND DL,7F
0040ACD6 2BDA |SUB EBX,EDX
0040ACD8 79 02 |JNS SHORT S.0040ACDC
0040ACDA 03D3 |ADD EDX,EBX
0040ACDC 03FA |ADD EDI,EDX
0040ACDE 85DB |TEST EBX,EBX
0040ACE0 ^7F A0 |JG SHORT S.0040AC82
0040ACE2 8B2D C5CE5000 |MOV EBP,DWORD PTR DS:[50CEC5]
0040ACE8 8B1D D1CE5000 |MOV EBX,DWORD PTR DS:[50CED1]
0040ACEE 03FD |ADD EDI,EBP
0040ACF0 4B |DEC EBX
0040ACF1 891D D1CE5000 |MOV DWORD PTR DS:[50CED1],EBX
0040ACF7 ^0F89 24FFFFFF \JNS S.0040AC21
As you can see, it crashes on the "MOV AL,BYTE PTR SS:[EBP]". I'm unsure why... I've tried changing the registers for EBP to different things, thinking I somehow messed up somewhere, but it's a no go. Like I previously stated, I'm unsure what information you need, so if this isn't enough please tell me what information you need so that I can better assist you.
I look forward to your responses.
What operating system?
Under Windows, your SS:[EBP] points somewhere within the first 64k of the 32-bit address space at the point of error .. it is very unlikely that the stack is actually located there and I suggest that there is an incorrect assumption somewhere along the way
You set the 32-bit EBP by zero extending from a 16-bit value at the top of your snippet .. perhaps you meant to use SS: or something so that the address is relative to the top of the stack rather than relative to 0
I'm under windows.
I tried changing the first "MOV DL,BYTE PTR SS:[EBP]" to "MOV DL,BYTE PTR SS:" but I still get the crash. So I tried changing all of them to ESP+EBP and still had the crashing result. Did I understand you correctly?
I don't think you did.. it was just a suggestion..
I really have no idea what your code is supposed to be doing .. you never took the time to try to explain what you expected of it
If this is for Windows then I am almost certain that something about your "movzx ebp, word ptr [esi]" is incorrect .. the value in ebp after this, when used as a pointer, points to within the first 64k of memory .. why would you want to do that?
You know, getting help is a two way street.
Am I the only person who thinks that this is a 16-bit application debugged with a 32-bit debugger, showing 32-bit opcodes?
I am fairly certain that..
0040AC21 0FB72E MOVZX EBP,WORD PTR DS:[ESI]
0040AC24 83C6 02 ADD ESI,2
..would not appear in 16-bit mode .. ie, if we are assuming that 'ebp' really is 'bp' then there is nothing to zero extend, right?
(I agree that this is output from a debugger or disassembler)
But then, wouldn't it be "movzx bp, BYTE PTR DS:" ? This code sure seems strange.
No, it wouldn't..
In 16-bit, dword regs require prefix bytes; in 32-bit, word regs require prefix bytes .. it isn't that everything gets "promoted" or whatever ..
also, look at the literal addresses...
0040AC27 032D C1CE5000 |ADD EBP,DWORD PTR DS:[50CEC1]
0040AC2D 8B0D C9CE5000 |MOV ECX,DWORD PTR DS:[50CEC9]
0040AC33 8B1D CDCE5000 |MOV EBX,DWORD PTR DS:[50CECD]
those are well above the 20-bit address range so it can't even be "fake mode" or whatever that hybrid was called .. there is about 8 megabytes of stuff between these instructions and his static data (if this is flat mode)
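As an added example (not code from the thread), a small Python ModRM decoder for the MOV (88/8A) and MOVZX (0F B7) forms in the listing: it reconstructs the bracketed memory operands from the opcode bytes quoted above, and it shows the 16-bit versus 32-bit point made in this reply, since the same bytes read as 16-bit code decode to a [disp16] operand that swallows the "83 C6" of the following ADD. SIB bytes and other opcodes are not handled.

```python
# Added example (not from the thread): minimal ModRM decoder for the MOV (88/8A)
# and MOVZX (0F B7) forms in the OllyDbg listing, in 32-bit or 16-bit mode.
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
BASE16 = ["BX+SI", "BX+DI", "BP+SI", "BP+DI", "SI", "DI", "BP", "BX"]
REGS = {8: REG8, 16: REG16, 32: REG32}
PTR = {8: "BYTE PTR", 16: "WORD PTR", 32: "DWORD PTR"}

def _imm(code, i, n, signed):
    return int.from_bytes(code[i:i + n], "little", signed=signed), i + n

def _mem(base, disp):
    if base is None:
        return f"{disp:X}"
    return base if disp == 0 else f"{base}+{disp:X}" if disp > 0 else f"{base}-{-disp:X}"

def decode(code, bits=32):
    """Decode one MOV r8,r/m8 / MOV r/m8,r8 / MOVZX r,r/m16 at code[0].
    Returns (OllyDbg-style text, bytes consumed). No SIB handling (rm=4 in 32-bit)."""
    if code[0] == 0x0F and code[1] == 0xB7:
        mnem, rsize, msize, reg_dst, i = "MOVZX", bits, 16, True, 2
    elif code[0] in (0x88, 0x8A):
        mnem, rsize, msize, reg_dst, i = "MOV", 8, 8, code[0] == 0x8A, 1
    else:
        raise ValueError("opcode not in this example's table")
    mod, reg, rm = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
    i += 1
    regname = REGS[rsize][reg]
    if mod == 3:                               # register form, no memory operand
        mem = REGS[msize][rm]
    else:
        dsize = 4 if bits == 32 else 2         # width of a full displacement
        if mod == 0 and rm == (5 if bits == 32 else 6):
            base, (disp, i) = None, _imm(code, i, dsize, False)   # [disp] absolute
        else:
            base, disp = (REG32 if bits == 32 else BASE16)[rm], 0
            if mod:                            # mod 1: disp8, mod 2: disp16/32
                disp, i = _imm(code, i, 1 if mod == 1 else dsize, True)
        # (E)BP/ESP-based addressing defaults to the stack segment, hence "SS:"
        seg = "SS" if base in ("EBP", "ESP") or str(base).startswith("BP") else "DS"
        mem = f"{PTR[msize]} {seg}:[{_mem(base, disp)}]"
    dst, src = (regname, mem) if reg_dst else (mem, regname)
    return f"{mnem} {dst},{src}", i

if __name__ == "__main__":
    for hx in ("0FB72E", "8A5500", "8A98C1CD5000", "885FFF", "8807"):
        print(hx, "->", decode(bytes.fromhex(hx))[0])
    # Same bytes as 16-bit code: ModRM 2E is [disp16], so "83 C6" becomes the displacement
    print(decode(bytes.fromhex("0FB72E83C602"), bits=16))
```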
Under Windows, your SS:[EBP] points somewhere within the first 64k of the 32-bit address space at the point of error ..
That can't be assured; look at the code:
0040AC21 0FB72E MOVZX EBP,WORD PTR DS:[ESI]
0040AC24 83C6 02 ADD ESI,2
0040AC27 032D C1CE5000 |ADD EBP,DWORD PTR DS:[50CEC1]
Initially EBP is below 64 KB and hence invalid since the [0KB..64KB) range is ALWAYS invalid. But the last instruction in the code fragment above adds a DWORD to EBP so the range gets extended. DWORD [50CEC1] possibly acts as a base pointer here.
In another part, ECX gets subtracted from EBP before reaching the faulting instruction; maybe that part and its dependencies must be checked with more attention.
The output looks like OllyDebug, and OllyDebug won't load 16-bit applications... so it probably is a 32-bit application.
What I don't understand is why you post the OllyDebug disassembly, instead of the corresponding piece of code from your source.asm file. Which assembler do you use?
It is a 32-bit application; the code is from OllyDebug. And it's a game: when I view a unit in the game, the game for some reason crashes. I didn't upload an asm source because I only have the code that I have debugged, and this is what is showing the cause of the crashes. I should have mentioned this before, but I thought the code would be more important.
The "JS S.0040ACFD" is a jump I think that starts the "unit draw" function and the rest is it in action.
I've found (if this helps any)
That on the code:
0040AC1B 0F88 DC000000 JS S.0040ACFD ; JMP 0040ACFD
0040AC21 0FB72E MOVZX EBP,WORD PTR DS:[ESI]
If I go ahead and just replace 0040AC21 with "JMP 0040ACFD" I no longer get the crash; however, there are a lot of graphical glitches on the screen (things missing, or "invisible" at certain angles, and the cursor disappears):
0040AC1B |. 0F88 DC000000 JS StarCraf.0040ACFD ; JMP 0040ACFD
0040AC21 E9 D7000000 JMP StarCraf.0040ACFD
0040AC26 90 NOP
I'm not sure what other code sections you would need. I could try and get the register information for certain offsets if that would help.
I appreciate all of you that have replied thus far.
While we've just recently set up a subforum for Low Level Discussion, please do review The Community Rules - we aren't keen on reverse engineering.
Now, your purpose might not be bad etc., but you're still poking specifically around in other people's code. We can't have that here; Woodmann's forums are a much better place for that kind of stuff.
I'm locking this thread, but do feel free to talk about programming on this forum :)