Results 1 to 6 of 6

Thread: Olly 2.0 does not follow a jump properly

  1. #1
    deamon32
    Guest

    Olly 2.0 does not follow a jump properly

    Alright I have done plenty of tutorials and have successfully reversed a few applications that our programmers have written at work. I am currently working on a C++ application to try and build a keygen. I have run into a very weird issue which I do not know if I am simply missing something or if this is a bug or what is going on, I would still consider myself a noob at most of the more advanced techniques so sorry if this is something obvious, I have tried to google an answer to this issue with no success.

    I have attached two screen shots of the issue so hopefully this will provide enough information to help explain what I am talking about. The before JMP.gif shows olly right before executing the jump, the jump is supposed to be followed and the EIP register points at the correct instruction.

    Once I step over the instruction the EIP register goes to a completely different instruction as expected and I have absolutely no idea why, this can be seen in the after JMP.gif. I have stepped over plenty of instructions in this code already and have not found any other weird issues, as far as I know this is just straight c++ code with no self modifying code or any sort of debugging techniques or countermeasures.

    *edit* The URL's seem to only work sometimes so I have included the direct links *edit*
    Before
    http://picasaweb.google.com/lh/photo/YWSh9cnCGfbgUCZ1vnzHMw?feat=directlink

    After
    http://picasaweb.google.com/lh/photo/bdJ0xIZK6ksPySPQIkZdqQ?feat=directlink

    I am running Windows XP SP3 x86 with the latest version of Olly 2.0
    Last edited by deamon32; May 13th, 2010 at 16:27.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    GuangZor
    Guest
    After you execute the JE instruction, the program jumps to the correct place but EIP register doesn't contain the address of the destination of that jump, but another address...

    Have you tested the target in OllyDbg 1.10?

    I'm curious to know why this happens too, lets wait for someone
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    deamon32
    Guest
    I was downloading Olly 1.10 to see right before I saw your post .

    Everything works properly in Olly 1.10, so I will use that for now. I would still like to try and figure this out if at all possible.

    Thank you
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Quote Originally Posted by deamon32 View Post
    I was downloading Olly 1.10 to see right before I saw your post .

    Everything works properly in Olly 1.10, so I will use that for now. I would still like to try and figure this out if at all possible.

    Thank you
    Can you share your suspicious code?

  5. #5
    deamon32
    Guest
    Quote Originally Posted by prn View Post
    Can you share your suspicious code?
    I will have to check with the programmers to see if they can build a sample app that cuts out any of the important code which I can submit. I wont hold my breath but I will see what they think.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    Quote Originally Posted by deamon32 View Post
    I will have to check with the programmers to see if they can build a sample app that cuts out any of the important code which I can submit. I wont hold my breath but I will see what they think.
    Thank you. I wish you success when you will build this sample!

Similar Threads

  1. Malware creates new thread, how do I follow it?
    By Resource in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: July 18th, 2009, 23:11
  2. Malware refuses to run properly on VMWare
    By Cthulhu in forum Malware Analysis and Unpacking Forum
    Replies: 6
    Last Post: January 20th, 2009, 06:18
  3. Good guidelines to follow?
    By d3k in forum The Newbie Forum
    Replies: 8
    Last Post: July 31st, 2008, 18:42
  4. Not tracing properly
    By malikah in forum OllyDbg Support Forums
    Replies: 2
    Last Post: March 31st, 2008, 11:39

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •