Thread: Running a Trace in Olly

  1. #1


    I have a sample which makes use of some anti-debugging tricks. A brief overview: it jumps to a subroutine which installs an exception handler and then triggers a memory access violation. When you pass the exception to the installed exception handler, it brings you back to the instruction which triggered the exception, and this cycle continues until the value of one register becomes 0.

    In short,

    call <subroutine1>
    Exception Handler Code comes here
    xor eax, eax
    push dword ptr fs:[eax]
    mov dword ptr fs:[eax], esp
    add eax, 40
    sub dword ptr ds:[004xxxxx], eax

    Now, the memory address 004xxxxx lies inside the code section, which is not writable, and hence a memory access violation is triggered. I pass the exception to the program, which brings it to the exception handler code. However, this cycle repeats. It checks the value of a particular register, edx, which was set to a large value like 15000 at the start of the program.

    dec edx
    jnz <section>

    Now, I want it to skip that jump to section, which will happen only when edx = 0. If I do it manually, I need to pass the memory access violation exception to the program every time. That is not possible.

    How do I achieve something like this?

    What I did to resolve it:

    Instead of stepping through the code and passing the exception to the program, I set a breakpoint on the KiUserExceptionDispatcher routine. Now, I run the program and any time an exception is triggered, I hit my breakpoint. I can see the value of the edx register decrementing every time I do this, so I thought of running a trace.

    TOC edx == 0

    and then started the trace, but it runs only once. I need to press Enter in the Command Bar every time to make it run once, which does not serve the purpose.

    I hope my question is clear.


  2. #2
    Super Moderator (joined Dec 2004)
    you have a subroutine which installs a seh and then creates an access violation, and in the seh handler there are these two instructions

    dec edx (edx when you first hit the exception contains 15000)
    and then jnz some_where, and if you have to jump to somewhere you have to pass/hop around 150000 times?? is that what you are saying????

    why can't you just modify edx then and there when you are on the line (if edx is used further down)?
    why can't you flip the flags when you are on the line (if edx is not used further down)?
    why can't you set edx to 0 before you enter the seh?

    or is it something else you are talking about

  3. #3
    Thanks, that is correct. I can modify the value of edx register and also the Z flag to make it jump to the code I want it to.

    The thing is, after the exception handler completes its work, where should it jump to?

    Isn't it the value of the EIP Register as stored in the Context Record?

    So, what I did now is, I modify the register edx value to 0 and step over to the code which modifies the value of _Context.eip. After the exception handler completes its work, I set a breakpoint on the address pointed to by _CONTEXT.eip.

    Now, when I run the program it hits that point. The code shows up as data, and when I try to analyze the code (using OllyDbg's Analyze! function), it doesn't work.

    Let me know if I can PM you to send you the code/sample.
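    Added example (not code from this thread or from the sample being discussed): a POSIX analogue in C of the exception-driven loop described in posts #1 and #3, written so the cost of the loop and the effect of the shortcut suggested in post #2 can be measured rather than guessed at. It assumes Linux with glibc and substitutes SIGSEGV plus sigsetjmp/siglongjmp for the Windows SEH handler and its CONTEXT.Eip rewrite: a read-only mmap page stands in for the non-writable code section at 004xxxxx, the variable g_edx stands in for edx, and the names run_av_loop and av_handler, as well as reusing the 15000 starting value quoted in post #1, are the example's own choices.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Emulated state (hypothetical names): g_edx plays the role of the edx
 * counter from the thread, g_faults counts dispatched access violations,
 * g_patch_on_first enables the analyst's shortcut of zeroing edx once. */
static sigjmp_buf g_resume;
static volatile sig_atomic_t g_edx;
static volatile sig_atomic_t g_faults;
static volatile sig_atomic_t g_patch_on_first;

/* Stands in for the SEH handler: runs once per access violation, does
 * "dec edx", then resumes execution at a chosen point.  Windows resumes by
 * rewriting CONTEXT.Eip; here siglongjmp back to sigsetjmp plays that role. */
static void av_handler(int sig, siginfo_t *info, void *uctx)
{
    (void)sig; (void)info; (void)uctx;
    g_faults++;
    if (g_patch_on_first)
        g_edx = 0;      /* what the analyst does by hand: set edx to 0 once */
    else
        g_edx--;        /* dec edx */
    siglongjmp(g_resume, 1);
}

/* Runs the exception-driven loop and returns how many access violations had
 * to be dispatched before the "jnz" fell through.  start is the initial edx
 * value; patch_on_first != 0 zeroes edx at the first exception instead of
 * decrementing it.  Returns -1 if the read-only page could not be mapped. */
int run_av_loop(int start, int patch_on_first)
{
    long page = sysconf(_SC_PAGESIZE);
    /* A read-only anonymous page stands in for the non-writable code section
     * that the sample's "sub dword ptr ds:[004xxxxx], eax" writes into. */
    volatile int *ro = (volatile int *)mmap(NULL, (size_t)page, PROT_READ,
                                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if ((void *)ro == MAP_FAILED)
        return -1;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = av_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);   /* "push fs:[0] / mov fs:[0], esp" */

    g_edx = start;
    g_faults = 0;
    g_patch_on_first = patch_on_first;

    /* The handler lands here after every violation, right before the jnz;
     * the faulting write itself is never completed or re-executed. */
    sigsetjmp(g_resume, 1);
    while (g_edx != 0) {   /* jnz <section>: keep looping while edx != 0 */
        *ro = 0x40;        /* the faulting write: SIGSEGV, like the AV */
    }

    sigaction(SIGSEGV, &old, NULL);  /* uninstall the handler */
    munmap((void *)ro, (size_t)page);
    return g_faults;
}

int main(void)
{
    printf("unpatched, edx=15000: %d exceptions dispatched\n",
           run_av_loop(15000, 0));
    printf("edx zeroed at first exception: %d exception dispatched\n",
           run_av_loop(15000, 1));
    return 0;
}
```

    Run unpatched, the loop dispatches exactly one access violation per decrement, which is why passing the exception by hand, or a conditional trace that stops at every dispatch, is impractical at 15000; zeroing the counter at the first dispatch (the moderator's suggestion) ends it after a single exception. On Windows the resume address is whatever the handler leaves in the Eip field of the CONTEXT record it was given before it returns ExceptionContinueExecution, so a breakpoint on that address, as post #3 describes, is where execution reappears.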
