
Thread: bug in a game

  1. #1
    Dj Heiko
    Guest

    bug in a game

    Hi,

    I have a problem with a game.
    To begin with, I post the code where the bug comes up (ecx is 00000000):

    Code:
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00428A95(C)
    |
    :00428AC9 8B4E04                  mov ecx, dword ptr [esi+04]
    :00428ACC 8D7EF4                  lea edi, dword ptr [esi-0C]
    :00428ACF 57                      push edi
    :00428AD0 E84BEFFFFF              call 00427A20
    :00428AD5 8B46F8                  mov eax, dword ptr [esi-08]
    :00428AD8 8B0D60EF5200            mov ecx, dword ptr [0052EF60]
    :00428ADE 8B401C                  mov eax, dword ptr [eax+1C]
    :00428AE1 8B89F0190100            mov ecx, dword ptr [ecx+000119F0]
    It comes at EIP 00428AC9.

    I know this line is an indirect pointer, but I don't know where esi+04 looks to get the value for ecx.
    But I think esi+04 looks, in this case, at a place where there is no value for ecx.

    Can I look in a table, when esi+04 is a number, what number ecx will get?
    So I can edit esi before the bug comes.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Have you considered using OllyDbg instead? It would make your life a bit easier...

    In Olly, you can not only view the contents of ESI in the dump window, you can (on W2K or XP) set a hardware breakpoint on up to four locations and the program will stop when it toasts the value. It even has the ability to do single-step trace logging and debugger hiding. Way cool stuff.

    Anyway, check out the following:

    For OllyDbg
    http://home.t-online.de/home/Ollydbg

    Quick Start of commands
    http://home.t-online.de/home/Ollydbg/quickst.htm

    Plug-ins and links (definitely get OllyScript!!!)
    http://ollydbg.win32asmcommunity.net/stuph/

    For the Forums
    http://ollydbg.win32asmcommunity.net

  3. #3
    Naides is Nobody

    You can examine the value pointed to by [esi+04] by typing in SoftICE:

    d @ [esi + 04]

    But I suspect the origin of the bug is not the actual value pointed to by [esi + 04], but rather that [esi + 04] points to an unmapped or invalid area of memory, which will certainly generate an exception when you try to move it into ECX.

  4. #4
    Dj Heiko
    Guest
    The problem is that this call has been gone through many times and it works.
    I tested a lot (I work with SoftICE, but I have OllyDbg too).

    I found out that this call worked, but at some point the bug comes. I don't know why.
    The game doesn't crash at this instruction,
    but several instructions later.
    There ecx (which is 00000000) is copied to esi (it goes to 00000000 too).


    Code:
    * Referenced by a CALL at Addresses:
    |:00428535   , :00428A73   , :00428A9E   , :00428AD0   
    |
    :00427A20 83EC08                  sub esp, 00000008
    :00427A23 55                      push ebp
    :00427A24 56                      push esi
    :00427A25 8BF1                    mov esi, ecx
    :00427A27 8B5608                  mov edx, dword ptr [esi+08]
    :00427A2A 8B4E04                  mov ecx, dword ptr [esi+04]
    :00427A2D 3BCA                    cmp ecx, edx
    :00427A2F 57                      push edi
    :00427A30 8974240C                mov dword ptr [esp+0C], esi
    :00427A34 0F84D2000000            je 00427B0C
    :00427A3A 8B442418                mov eax, dword ptr [esp+18]

    The bug is then in line 00427A27 (I'm sure why).

    The pointer to ecx (00428AC9) has a different value nearly every time.
    So I have to look whether the pointer is next to a value or so on.

    Any tips?
    Last edited by Dj Heiko; February 21st, 2004 at 13:10.

  5. #5
    Administrator dELTA
    It seems to me like you either have to analyze and understand the surrounding code more (the real "bug" is often not located at the same line of code as the line that results in a crash because of the bug), or do an inline patch that checks if these pointer registers contain valid addresses (!= 0 ?) before referencing them.

  6. #6
    Dj Heiko
    Guest
    Yes, so I set several breakpoints with SoftICE and found out that at EIP 00428AC9 ecx=00000000, but it's clear that this line isn't the real bug.
    But I don't know what I can do now.

    I have the chance to write code before 00427A20 (where the game crashes) because there are several nop lines.

    There I write

    Code:
    cmp ecx, 00000000
    je EIP
    At EIP I jump to another, bigger nop place, and there I tried a lot.
    So when the indirect pointer is next to a correct value for ecx I can edit esi.

    But I don't know what to do.
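    The inline patch that dELTA suggests in #5 and that Dj Heiko starts in #6 (a NULL check on ecx placed in free nop space, with a jump back) is easy to get wrong by hand because every `E9`/`E8`/`0F 84` displacement is relative to the *next* instruction. The following C program is an added example, not code from the thread or from any poster: it builds the two byte strings for such a patch from the addresses in the listing above (00428AC9, 00428ACC, 00428ACF, and the `call 00427A20` at 00428AD0). The 6 bytes of `mov ecx,[esi+04]` and `lea edi,[esi-0C]` are overwritten with a 5-byte `jmp` to a cave plus a `nop`; the cave re-executes the displaced `mov`, tests ecx, jumps to a skip target when ecx is NULL, re-executes the displaced `lea`, and jumps back to `push edi`. The cave address `CAVE_ADDR` and the skip target `SKIP_ADDR` are hypothetical placeholders: as dELTA says, a sane skip target can only be chosen after the caller has been understood, and the program does not pick one for you. The `call 00427A20` encoding on the page (`E8 4B EF FF FF`) is used as a self-check of the displacement arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Addresses copied from the W32Dasm listing in the thread. */
#define ADDR_MOV_ECX  0x00428AC9u  /* 8B 4E 04        mov ecx, dword ptr [esi+04] */
#define ADDR_RESUME   0x00428ACFu  /* 57              push edi                     */
#define ADDR_CALL     0x00428AD0u  /* E8 4B EF FF FF  call 00427A20                */
#define ADDR_CALLEE   0x00427A20u

/* Assumptions, NOT from the thread: a free region to hold the cave, and
 * where execution should continue when [esi+04] turns out to be NULL.
 * The skip target must be chosen after understanding the caller. */
#define CAVE_ADDR     0x0052F000u
#define SKIP_ADDR     0x00428B00u

#define HOOK_LEN 6   /* mov ecx,[esi+04] (3 bytes) + lea edi,[esi-0C] (3 bytes) */
#define CAVE_LEN 19  /* 3 + 2 + 6 + 3 + 5, see build_cave() */

/* Displacement for any rel32 branch (E8, E9, 0F 8x): target minus the
 * address of the instruction that FOLLOWS the branch. Unsigned wrap-around
 * yields the two's-complement encoding for backward jumps. */
uint32_t rel32(uint32_t insn_addr, uint32_t insn_len, uint32_t target) {
    return target - (insn_addr + insn_len);
}

void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bytes to write at 00428AC9: jmp CAVE_ADDR ; nop */
size_t build_hook(uint8_t out[HOOK_LEN]) {
    out[0] = 0xE9;
    put_le32(out + 1, rel32(ADDR_MOV_ECX, 5, CAVE_ADDR));
    out[5] = 0x90;
    return HOOK_LEN;
}

/* Bytes to write at CAVE_ADDR. Note that test clobbers EFLAGS; that is safe
 * here only because nothing between push edi and the callee's own cmp at
 * 00427A2D reads them. Check this again if you hook a different spot. */
size_t build_cave(uint8_t out[CAVE_LEN]) {
    size_t i = 0;
    out[i++] = 0x8B; out[i++] = 0x4E; out[i++] = 0x04;          /* mov ecx,[esi+04] (displaced) */
    out[i++] = 0x85; out[i++] = 0xC9;                           /* test ecx,ecx                 */
    out[i++] = 0x0F; out[i++] = 0x84;                           /* jz rel32 -> SKIP_ADDR        */
    put_le32(out + i, rel32(CAVE_ADDR + 5, 6, SKIP_ADDR)); i += 4;
    out[i++] = 0x8D; out[i++] = 0x7E; out[i++] = 0xF4;          /* lea edi,[esi-0C] (displaced) */
    out[i++] = 0xE9;                                            /* jmp rel32 -> ADDR_RESUME     */
    put_le32(out + i, rel32(CAVE_ADDR + 14, 5, ADDR_RESUME)); i += 4;
    return i;
}

int main(void) {
    uint8_t hook[HOOK_LEN], cave[CAVE_LEN];
    size_t n = build_hook(hook), m = build_cave(cave);
    printf("write at %08X:", ADDR_MOV_ECX);
    for (size_t i = 0; i < n; i++) printf(" %02X", hook[i]);
    printf("\nwrite at %08X:", CAVE_ADDR);
    for (size_t i = 0; i < m; i++) printf(" %02X", cave[i]);
    printf("\n");
    return 0;
}
```

    The printed byte strings can be entered with OllyDbg's binary edit or a hex editor (remember the file offset differs from the virtual address). Before relying on the patch, single-step the cave once with ecx forced to 0 and once with a valid pointer to confirm both paths land where intended.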

  7. #7
    Dj Heiko
    Guest
    Can nobody help me?

    Or don't you understand what I want?

  8. #8
    Administrator dELTA
    Like I said in my last post, you must try to understand where the real bug is in the code, and then fix it, not just patch blindly. We cannot understand it for you (and certainly not without seeing the code).

  9. #9
    <script>alert(0)</script> disavowed
    Using Olly, set a conditional breakpoint on that line for when ecx == 0. Then trace back from there to see where and why ecx was set to 0 for that instance.

  10. #10

    As Above

    Hi,

    Wrong move to analyse the function before understanding where it's coming from. I can see that it's a conditional call. The first breakpoint I would put is where the comparison is being made (even before the call instruction that would subsequently be called).

    Then, take a look at all registers. You may need to work in IDA rather than ICE/OllyDbg before you come to a conclusion about the area where the wrong value is set.

    A good tip is to understand what's happening to the function BEFORE it's being called.

    Yeah! I know. It's painful. But then again, no one said RCE would be a joyride.

    Have Phun
    Blame Microsoft, get l337 !!

  11. #11
    Dj Heiko
    Guest
    Yes, you are right, but as I said, ecx becomes 00000000 at EIP 00428AC9.
    But I don't know why. I don't know what to do now.

  12. #12
    Administrator dELTA
    Oh for christ sakes...

  13. #13
    Dj Heiko
    Guest
    What kind of post is this?
    This doesn't help me at all; if you think what I write isn't very intelligent, then rather write nothing.

    The problem is that I looked for the bug where it can happen, but there isn't a call nearby.
    The call is made indirectly ^^ with a register or so on.

    And usually the game goes through the code without a crash, so what can I edit?
    I think I can only repair the bug before the game crashes.

    But I don't understand the indirect pointer (00428AC9).
    esi is often (5/6 times) a different value, but ecx is nevertheless identical.
    But at another time the value of ecx changes and stays the same for a while.

    From where does esi+04 get the value for ecx??

  14. #14
    <script>alert(0)</script> disavowed
    I answered your question above. Please re-read my post.

  15. #15
    He said:

    "trace back from there to see where and why ecx was set to 0 for that instance."

    Look ABOVE the point in the code where you found "ecx = 00000000." You have to find where the code changes or sets "esi+4" and/or ecx to "00000000", or where it checks it or changes it, or even DOES NOT CHANGE IT. You have to stop the code ABOVE your error and TRACE forward to the point of the error and observe what is happening to ecx.

    Regards,
    JMI
