An Unusual Crash


Suteki
November 4th, 2007, 19:04
Hi I have a problem with the ASM code of a game. It is a 32 bit application. When I view a unit in the game, the application crashes. I have an OllyDBG debug log.

Code:
0040AC1B 0F88 DC000000 JS S.0040ACFD ; JMP 0040ACFD
0040AC21 0FB72E MOVZX EBP,WORD PTR DS:[ESI]
0040AC24 83C6 02 ADD ESI,2
0040AC27 032D C1CE5000 |ADD EBP,DWORD PTR DS:[50CEC1]
0040AC2D 8B0D C9CE5000 |MOV ECX,DWORD PTR DS:[50CEC9]
0040AC33 8B1D CDCE5000 |MOV EBX,DWORD PTR DS:[50CECD]
0040AC39 85C9 |TEST ECX,ECX
0040AC3B 74 3D |JE SHORT S.0040AC7A
0040AC3D 33D2 |/XOR EDX,EDX
0040AC3F 8A55 00 MOV DL,BYTE PTR SS:[EBP] ; 015EA475 <--Crash
0040AC42 45 INC EBP
0040AC43 84D2 TEST DL,DL
0040AC45 78 26 ||JS SHORT S.0040AC6D
0040AC47 F6C2 40 ||TEST DL,40
0040AC4A 75 10 ||JNZ SHORT S.0040AC5C
0040AC4C 03EA ||ADD EBP,EDX
0040AC4E 2BCA ||SUB ECX,EDX
0040AC50 74 28 ||JE SHORT S.0040AC7A
0040AC52 ^79 E9 ||JNS SHORT S.0040AC3D
0040AC54 F7D9 ||NEG ECX
0040AC56 2BE9 ||SUB EBP,ECX
0040AC58 8BD1 ||MOV EDX,ECX
0040AC5A EB 35 ||JMP SHORT S.0040AC91
0040AC5C 80E2 BF ||AND DL,0BF
0040AC5F 45 ||INC EBP
0040AC60 2BCA ||SUB ECX,EDX
0040AC62 74 16 ||JE SHORT S.0040AC7A
0040AC64 ^79 D7 ||JNS SHORT S.0040AC3D
0040AC66 F7D9 ||NEG ECX
0040AC68 4D ||DEC EBP
0040AC69 8BD1 ||MOV EDX,ECX
0040AC6B EB 48 ||JMP SHORT S.0040ACB5
0040AC6D 80E2 7F ||AND DL,7F
0040AC70 2BCA ||SUB ECX,EDX
0040AC72 74 06 ||JE SHORT S.0040AC7A
0040AC74 ^79 C7 |\JNS SHORT S.0040AC3D
0040AC76 2BF9 |SUB EDI,ECX
0040AC78 03D9 |ADD EBX,ECX
0040AC7A 85DB |TEST EBX,EBX
0040AC7C 7F 04 |JG SHORT S.0040AC82
0040AC7E 03FB |ADD EDI,EBX
0040AC80 EB 60 |JMP SHORT S.0040ACE2
0040AC82 33D2 |XOR EDX,EDX
0040AC84 8A55 00 MOV DL,BYTE PTR SS:[EBP] <-- Crash
0040AC87 45 INC EBP
0040AC88 84D2 TEST DL,DL
0040AC8A 78 47 JS SHORT S.0040ACD3
0040AC8C F6C2 40 |TEST DL,40
0040AC8F 75 21 |JNZ SHORT S.0040ACB2
0040AC91 2BDA |SUB EBX,EDX
0040AC93 79 02 |JNS SHORT S.0040AC97
0040AC95 03D3 |ADD EDX,EBX
0040AC97 33C0 |XOR EAX,EAX
0040AC99 53 |PUSH EBX
0040AC9A 8A45 00 MOV AL,BYTE PTR SS:[EBP] <--Crash
0040AC9D 45 ||INC EBP
0040AC9E 8A98 C1CD5000 ||MOV BL,BYTE PTR DS:[EAX+50CDC1]
0040ACA4 47 ||INC EDI
0040ACA5 4A ||DEC EDX
0040ACA6 885F FF MOV BYTE PTR DS:[EDI-1],BL
0040ACA9 ^75 EF JNZ SHORT S.0040AC9A
0040ACAB 5B POP EBX
0040ACAC 85DB |TEST EBX,EBX
0040ACAE ^7F D2 |JG SHORT S.0040AC82
0040ACB0 EB 30 |JMP SHORT S.0040ACE2
0040ACB2 80E2 BF |AND DL,0BF
0040ACB5 2BDA |SUB EBX,EDX
0040ACB7 79 02 |JNS SHORT S.0040ACBB
0040ACB9 03D3 |ADD EDX,EBX
0040ACBB 33C0 |XOR EAX,EAX
0040ACBD 8A45 00 |MOV AL,BYTE PTR SS:[EBP] <--Crash
0040ACC0 45 |INC EBP
0040ACC1 8A80 C1CD5000 |MOV AL,BYTE PTR DS:[EAX+50CDC1]
0040ACC7 8807 |/MOV BYTE PTR DS:[EDI],AL
0040ACC9 47 ||INC EDI
0040ACCA 4A ||DEC EDX
0040ACCB ^75 FA |\JNZ SHORT S.0040ACC7
0040ACCD 85DB |TEST EBX,EBX
0040ACCF ^7F B1 |JG SHORT S.0040AC82
0040ACD1 EB 0F |JMP SHORT S.0040ACE2
0040ACD3 80E2 7F |AND DL,7F
0040ACD6 2BDA |SUB EBX,EDX
0040ACD8 79 02 |JNS SHORT S.0040ACDC
0040ACDA 03D3 |ADD EDX,EBX
0040ACDC 03FA |ADD EDI,EDX
0040ACDE 85DB |TEST EBX,EBX
0040ACE0 ^7F A0 |JG SHORT S.0040AC82
0040ACE2 8B2D C5CE5000 |MOV EBP,DWORD PTR DS:[50CEC5]
0040ACE8 8B1D D1CE5000 |MOV EBX,DWORD PTR DS:[50CED1]
0040ACEE 03FD |ADD EDI,EBP
0040ACF0 4B |DEC EBX
0040ACF1 891D D1CE5000 |MOV DWORD PTR DS:[50CED1],EBX
0040ACF7 ^0F89 24FFFFFF \JNS S.0040AC21


The "JS S.0040ACFD" is a jump I think that starts the "unit draw" function and the rest is it in action.

I've found (if this helps any) that on the code:
Code:
0040AC1B 0F88 DC000000 JS S.0040ACFD ; JMP 0040ACFD
0040AC21 0FB72E MOVZX EBP,WORD PTR DS:[ESI]


If I go ahead and just replace 0040AC21 with "JMP 0040ACFD" I no longer get the crash, however there are a lot of graphical glitches on the screen (things are missing or "invisible" at certain angles, and the cursor disappears).
Code:
0040AC1B |. 0F88 DC000000 JS S.0040ACFD ; JMP 0040ACFD
0040AC21 E9 D7000000 JMP S.0040ACFD
0040AC26 90 NOP


Another forum attempted to help me, if you would like to see what has already been suggested/talked about. Here's the link: http://www.asmcommunity.net/board/index.php?topic=28794.msg203470#msg203470

I look forward to your responses.

Kayaker
November 5th, 2007, 02:35
Well, you might be seeing the effect of debugger detection.

So um, you commented this 4 times

MOV *,BYTE PTR SS:[EBP] ; <--Crash

If it crashed on the first instance, how do you know about the other crash points?


MOV DL,BYTE PTR SS:[EBP] ; 015EA475 <--Crash

So what's at 015EA475? I would guess it's an invalid address and you're getting a C0000005 memory read access violation. How does it crash, are you getting an error message? If the app crashes you can get a crash dump or maybe view the event log, not that it would really help you.

What is in DS:[50CEC1]? Maybe 015E0000? Might be a memory mapped address that was never mapped because of a debugger check, something like that.

You haven't shown anything or even asked a question that can be given much of an answer really.

Suteki
November 5th, 2007, 03:00
It crashes in different places, but most of the time it crashes on 40ac3f, but occasionally it crashes at the others. Mostly if I mess with the code.

015EA475 was already commented inside of the Debugger (OllyDBG) but that address ends up being ADD DWORD PTR DS:[ESI],ESI

All it says is that it encountered a problem and needs to close. The Event log shows this Exception:
Exception Information

Code: 0xc0000005 ACCESS_VIOLATION Flags: 0x0000000
Record: 0x0000000000000000 Address: 0x000000000040ac3f

It crashed on 40ac3f which is 0040AC3F MOV DL,BYTE PTR SS:[EBP] ; 015EA475

SS:[01DDFF6C]=???
DL=00

Is what is shown as well.

I think it's pointing to something being invalid, I've tried messing with the code for quite a while now, and I don't know how to patch the exception to make it valid.

Any other information I can give that would help I would be more than happy to give. I'm somewhat new to ASM/ASM forums and getting help about the code so I'm not exactly sure what information you need.

evlncrn8
November 5th, 2007, 05:41
looks like ebp is being trashed, trace and see where

blabberer
November 5th, 2007, 12:19
ebp is always valid with some address
so ebp can hold anything from stack top to stack bottom about a pagesize granularity i think to start with
assuming ebp is 12000 to 13000 [ebp] might hold 0000000 to 0xffffffff
so dl will get anything from 0 to 0xff

doesn't look like it should crash there from what i glanced

so something is changing the ebp to an invalid address
and it seems so in code above

0040AC27 032D C1CE5000 |ADD EBP,DWORD PTR DS:[50CEC1]

so one would need what is at 50cec1
but above it there is a movzx word ptr

so ebp is already truncated there by 4 bytes movzx == mov zero extended
so ebp will be anything from 00000000 to 0000ffff

so it could be possible that you are barking up the wrong tree
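The row-drawing loop in the listing, as an added Python model (not code from the thread or from the game): the read pointer is base + the MOVZX'd 16-bit offset, the run types follow the AND DL,7F / AND DL,0BF masks, and `first_fault` reports where the first read leaves the sprite buffer, which is the check that both Kayaker's question about DS:[50CEC1] and blabberer's point about the MOVZX range lead to. The run meanings (transparent / fill / literal), the remap table standing in for 50CDC1 and the sample sprite are my assumptions.

```python
# Added example, not the thread's code; the run semantics below are my reading of the listing.
TRANSPARENT = None
REMAP = list(range(256))            # stands in for the 256-byte table at 50CDC1
# Constructed sample sprite: 3 padding bytes, then one row made of four runs:
#   0x83 -> skip 3 | 0x42 0x07 -> 2 pixels of colour 7 | 0x03 11 22 33 -> 3 literals | 0x85 -> skip 5
SAMPLE = bytes([0, 0, 0, 0x83, 0x42, 0x07, 0x03, 0x11, 0x22, 0x33, 0x85])

class SpriteReadFault(IndexError):
    """Raised at the first read outside the sprite buffer (the MOV DL,[EBP] that faults)."""
    def __init__(self, addr):
        super().__init__("read outside sprite data at %#x" % addr)
        self.addr = addr

def decode_row(data, base, offset, clip, width, remap=REMAP):
    """Decode one row. base is the value at DS:[50CEC1], offset the 16-bit word MOVZX
    loads from [ESI], clip the left clip count (ECX) and width the pixel count (EBX)."""
    p = base + (offset & 0xFFFF)            # MOVZX zero-extends, so the offset is < 0x10000

    def fetch():
        nonlocal p
        if not 0 <= p < len(data):
            raise SpriteReadFault(p)
        p += 1
        return data[p - 1]

    out = []
    while len(out) < width:                 # TEST EBX,EBX / JG: pixels still to emit
        ctl = fetch()
        if ctl & 0x80:                      # JS: transparent run (AND DL,7F)
            n, pixels = ctl & 0x7F, None
        elif ctl & 0x40:                    # TEST DL,40: fill run, colour byte follows (AND DL,0BF)
            n = ctl & 0x3F
            pixels = [remap[fetch()]] * n
        else:                               # literal run, each byte through the remap table
            n = ctl
            pixels = [remap[fetch()] for _ in range(n)]
        if clip >= n:                       # clip loop (ECX): whole run lies left of the window
            clip -= n
            continue
        start, clip = clip, 0               # overshoot: only the tail of this run is drawn
        take = min(n - start, width - len(out))   # right clip: SUB EBX,EDX / JNS / ADD EDX,EBX
        out.extend([TRANSPARENT] * take if pixels is None else pixels[start:start + take])
    return out

def first_fault(data, base, offset, clip, width):
    """Return the address of the first out-of-range read, or None if the row decodes."""
    try:
        decode_row(data, base, offset, clip, width)
    except SpriteReadFault as e:
        return e.addr
    return None
```

With a sane base the sample row decodes; with a base like 015EA475 the very first fetch faults, and because the offset is masked to 16 bits no offset value alone can put the pointer there.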