Thread: Ollydbg not disassembling optimized executable correctly.

  1. #1
    Greatwolf
    Guest

    Ollydbg not disassembling optimized executable correctly.

    I'm checking the produced assembly of an optimized executable I compiled with gcc. However, one of the functions is just showing up as a bunch of 'db' bytes at a code address I know is a function (I had a printf printing out its function address).

    Any idea why this is happening? There's a 'nop' 1 byte above the start of the function and 1 byte below it, and I also have the base pointer omitted. Could these things cause ollydbg to not properly recognize a function? How can this problem be fixed? Are there any options I can use in olly to make it properly recognize the function?

    Thanks
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    dELTA
    Administrator
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    What happens if you "reanalyze" while selecting the start address of it?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by Greatwolf:
    Any idea why this is happening? There's a 'nop' 1 byte above the start of the function and 1 byte below it, and I also have the base pointer omitted. Could these things cause ollydbg to not properly recognize a function?

    Olly's disassembler is actually pretty good for its very compact size, but it was written and conceived for more or less classical assemblers. Once you go into optimized code with the "modern" function prolog (no EBP concept, directly referring to the slippery ESP pointer, so no one, except a fucking computer, can keep the fields in the stack straight), Olly and IDA get off base. The inserted nops may have to do with code alignment to optimize code feeding into the pipe and synchronization with other processors, virtual, real or coprocessors. In summary, legibility and elegance in the code is sacrificed to efficiency in the machine. . .

    Quote Originally Posted by Greatwolf:
    How can this problem be fixed? Are there any options I can use in olly to make it properly recognize the function?

    Thanks
    IDA, with emphasis on the I(nteractive), is the correct approach, and even IDA requires painful analysis. Imagine when you are going through unknown code, where you have NO idea where functions are or where they start. . .

  4. #4
    It's a game
    Join Date
    Apr 2011
    Location
    lost in translation
    Posts
    22
    I am pretty sure some comic by sapheads from the past solved this question..
    What I do is I select the area that is byte code in Olly and click binary edit and then just click OK.. This usually reanalyzes the code into asm instructions. If this doesn't work, I try locating that piece of memory in the dump and viewing it differently.. If this doesn't work as well, I set a break point on the code and just single step each instruction..

    http://hackerschool.org/DefconCTF/17/B300.html


    Hope that helps..
    So much is lost and I guess should never be found..

  5. #5
    Greatwolf
    Guest

    Thanks Ry4n. The link was helpful and the comic is rather cute. I tried the suggestions but no luck so far.

    @delta As far as trying to reanalyze it, it didn't seem to make any difference, the db bytes are still there.

    Is there no way to tell ollydbg to interpret a specified region of memory address as a bunch of instructions? It seems like something like this should be possible.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    Greatwolf
    Guest

    Ok, I just tried it again and I got it to decode correctly! The trick was I had to actually modify one of the bytes or olly won't re-decode the instructions. So I just changed the first push ebp instruction at the beginning, since that's pretty safe.

    Thanks for the tip everyone.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
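The behaviour the thread circles around (a reachable function shown as 'db' bytes until an analysis is forced from the address the poster already knows) is what a recursive-descent code sweep produces when a function is only referenced indirectly. The following toy disassembler is an added illustration written for this page, not OllyDbg's code or algorithm, and it does not claim to reproduce OllyDbg's analysis exactly: it decodes a handful of real x86 one-byte and rel32 encodings over a constructed 19-byte image (a `main` that loads a function pointer with `mov eax, imm32` and calls it with `call eax`, eight alignment nops, then the target function). The sweep from the entry point never reaches the target, so the listing shows it as `db`; supplying the known address as an extra entry point, which is what "analyze from here" or forcing a re-decode amounts to, makes it disassemble. The image, the base address 0x401000 and the helper at 0x401010 are all constructed values.

```python
"""Toy recursive-descent disassembler for a tiny x86 subset (added example, constructed data)."""
from dataclasses import dataclass

# Real x86 encodings for the few opcodes this toy understands.
ONE_BYTE = {0x90: "nop", 0x55: "push ebp", 0x5D: "pop ebp", 0xC3: "ret", 0xCC: "int3"}


@dataclass
class Insn:
    addr: int
    size: int
    text: str
    targets: tuple        # statically known addresses to continue decoding from
    falls_through: bool   # whether execution can continue at addr + size


def decode(code: bytes, base: int, addr: int) -> Insn:
    """Decode one instruction at addr; raises on an opcode the toy does not know."""
    off = addr - base
    op = code[off]
    if op in ONE_BYTE:
        return Insn(addr, 1, ONE_BYTE[op], (), op != 0xC3)
    if op == 0xE8:                                      # call rel32
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        tgt = addr + 5 + rel
        return Insn(addr, 5, f"call {tgt:#010x}", (tgt,), True)
    if op == 0xEB:                                      # jmp short rel8
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        tgt = addr + 2 + rel
        return Insn(addr, 2, f"jmp short {tgt:#010x}", (tgt,), False)
    if op == 0xB8:                                      # mov eax, imm32
        imm = int.from_bytes(code[off + 1:off + 5], "little")
        return Insn(addr, 5, f"mov eax, {imm:#010x}", (), True)
    if op == 0xFF and code[off + 1] == 0xD0:            # call eax: target unknown statically
        return Insn(addr, 2, "call eax", (), True)
    raise ValueError(f"unknown opcode {op:#x} at {addr:#x}")


def disassemble(code: bytes, base: int, entry_points) -> dict:
    """Recursive descent: return {addr: Insn} for everything reachable from entry_points."""
    insns = {}
    work = list(entry_points)
    while work:
        addr = work.pop()
        if addr in insns or not base <= addr < base + len(code):
            continue
        insn = decode(code, base, addr)
        insns[addr] = insn
        work.extend(insn.targets)
        if insn.falls_through:
            work.append(addr + insn.size)
    return insns


def listing(code: bytes, base: int, insns: dict) -> list:
    """Render debugger-style: decoded instructions, every other byte as 'db'."""
    out, addr, end = [], base, base + len(code)
    while addr < end:
        if addr in insns:
            out.append(f"{addr:08X}  {insns[addr].text}")
            addr += insns[addr].size
        else:
            out.append(f"{addr:08X}  db {code[addr - base]:02X}")
            addr += 1
    return out


# Constructed image (hypothetical addresses):
#   0x401000  mov eax, 0x401010   ; take the address of helper
#   0x401005  call eax            ; the only reference to helper is indirect
#   0x401007  ret
#   0x401008  nop x8              ; alignment padding before the function
#   0x401010  push ebp / pop ebp / ret   ; helper
BASE = 0x401000
HELPER = 0x401010
IMAGE = bytes([0xB8, 0x10, 0x10, 0x40, 0x00, 0xFF, 0xD0, 0xC3]) + b"\x90" * 8 + bytes([0x55, 0x5D, 0xC3])


def db_count(insns: dict) -> int:
    """Number of bytes the listing would still show as 'db'."""
    return sum(1 for line in listing(IMAGE, BASE, insns) if "  db " in line)


if __name__ == "__main__":
    print("-- automatic sweep from the entry point only --")
    print("\n".join(listing(IMAGE, BASE, disassemble(IMAGE, BASE, [BASE]))))
    print("-- after adding the known function address as an entry point --")
    print("\n".join(listing(IMAGE, BASE, disassemble(IMAGE, BASE, [BASE, HELPER]))))
```

Running it shows the helper's three bytes among the 'db' lines in the first listing and properly decoded in the second; only the eight padding nops remain undecoded once the extra entry point is supplied, which is the same outcome the thread reaches by forcing OllyDbg to re-decode from the address printed by printf.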
