I have made a Win32 PE program which has the byte codes to several instructions stored in its .DATA section. At the end of the .CODE section are a bunch of NOPs serving as place holders. The program writes a valid sequence of instruction bytecodes (taking into account byte ordering) to the area filled by the NOPs and appends an instruction to jump back to a location in the program where the results are processed. The problem is that the jump instruction is never reached and when the execution is halted by an illegal operation, CS:IP is pointing at some random, terribly wrong memory location.

When i try to trace through the program with OllyDebug, the 1st dword of NOPs is listed as a dd (in otherwords, OllyDebug thinks that the instructions are data, not code). After the program has written instruction bytecodes to the free area, the first dword of those instructions appears as a dd. OllyDebug is unwilling to put a break point on the dd, and when i place a breakpoint on the 1st valid instruction after the dd, it is never reached.

I do not see why OllyDebug decides to call the prefectly valid bunch of instructions a piece of data instead of a piece of code, or how windows can fail to execute the instructions, even if it does think that they are data.

Please help! This has been a very frustrating problem for me.
Posted on 2002-02-09 17:40:24 by LOLTH

You may be using the debugger in a context that it was not written to handle. Usually a debugger loads the file when it starts so modified code may not be read once it loads.

One thing you need to get the swing of is how jumps are coded by an assembler, it is distance based so usually you do code modifications using relative addressing, not absolute addressing.

Have a look at the SMC example in MASM32 to see what it does. Its simple code that replaces one function with another but it uses more or less normal code to determine the starting offset of the function being replaced.


Posted on 2002-02-10 00:40:42 by hutch--
OK thanks!
I looked at the SMC example, and i realized that i should use normal byte offset jumps instead of the jmp dword ptr variety. It works fine now. Thanks alot!
Posted on 2002-02-10 15:12:37 by LOLTH