
Thread: Can't "Step" after "Pause"

  1. #1

    Try to do the following:

    1. Open "calc.exe" (for example)
    2. Start it - "F9"
    3. Then "Pause" it - "F12"
    4. Press "Step" - "F8"

    Instead of a single step, "calc.exe" keeps running.
    What's the problem?

  2. #2

    Hello Lena

    Your operating system is Windows XP based, right?

    Well, the magic lies in the instruction displayed before the return in OllyDbg's CPU window.
    Sysenter (intel, PII or later) or Syscall (amd) are used for usermode/kernelmode transitions (not only on windows, newer linux kernels use it too).

    In NT-based systems (Windows 2000 and earlier), the kernel was entered using the int 2E system trap, called the Native Call Interface (NCI).

    With newer processor generations a few special instructions were added to make user/kernel mode transition less costly (faster).
    Normally one could spend about 1500-2000 cycles for "traditional style" call gates/interrupts.
    Sysenter/Sysexit are actually very fast - compared to call gates - they "only" use like 150 cycles (consult intel documents for details).

    What's the point... well
    Sysenter doesn't save the return address.
    It wipes out the user stack pointer too, that's why it gets saved away before sysenter.

    Before executing Sysexit itself (from kernel mode), EDX contains user mode return address and ECX the user mode stack pointer.
    (there is another important register while transitioning - the MSR - but that's another story...)

    So let's break it down for your case:

    If you pause calc.exe you see it's pumping messages using the traditional message loop:

    > user32.dll!_NtUserGetMessage@16() + 0xc
    calc.exe!_WinMain@16() + 0x25f
    calc.exe!_WinMainCRTStartup() + 0x174
    kernel32.dll!_BaseProcessStart@4() + 0x23

    Let's follow it (I commented each line before):

    ; eax contains the syscall number
    77D439FD B8 A5 11 00 00 mov eax,11A5h

    ; the shared system call address
    77D43A02 BA 00 03 FE 7F mov edx,7FFE0300h

    ; get to shared system call area
    77D43A07 FF D2 call edx

    ; pop 4 parameters (important: we land here after Sysexit)
    77D43A09 C2 10 00 ret 10h


    Ok ... what's at the shared system call address:

    ; save away the sysexit trampoline (user mode return address)
    7FFE0300 8B D4 mov edx,esp

    ; let's do it .. make transition to kernel mode
    7FFE0302 0F 34 sysenter

    ; never reached
    7FFE0304 C3 ret


    Saw my last comment?
    That's the important one, and the reason OllyDbg behaves like you reported.

    When returning from Sysenter using Sysexit (kernel -> usermode), the execution is not resumed at "7FFE0304 C3 ret".
    Instead the "ret 10h" at 0x77D43A09 is used, because it was saved as the return address in EDX.
    Put a breakpoint at 0x77D43A09, single step and you will see.

    I just guess the author of OllyDbg overlooked this ... you might call it a bug .. well

    Hope I could help...


    A. Focht
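As an added illustration of the point made in the post above (this is constructed example code, not code from the thread, from OllyDbg or from Windows), here is a small Python model of the stub: a debugger that "steps" by stopping at the next instruction in memory loses the process across sysenter, while one that stops at the saved user return address lands on the ret 10h. The addresses are the ones quoted in the listing; the CPU, the kernel side and the 0xDEAD0000 caller address are constructed simplifications.

```python
# Toy model of the XP sysenter stub quoted above (constructed example, not OllyDbg
# or Windows code). Addresses are from the listing; CPU and kernel are simplified.
SHARED_STUB = 0x7FFE0300   # shared system call area: mov edx,esp / sysenter / ret
CALLER_RET = 0x77D43A09    # "ret 10h" after "call edx" in user32
PROGRAM = {                # address -> (mnemonic, encoded length)
    0x77D439FD: ("mov eax,11A5h", 5),
    0x77D43A02: ("mov edx,7FFE0300h", 5),
    0x77D43A07: ("call edx", 2),
    CALLER_RET: ("ret 10h", 3),
    SHARED_STUB: ("mov edx,esp", 2),
    0x7FFE0302: ("sysenter", 2),
    0x7FFE0304: ("ret", 1),  # never reached: sysexit does not come back here
}

class Cpu:
    def __init__(self):
        self.eip, self.edx = 0x77D439FD, 0
        self.stack = [0xDEAD0000]  # constructed placeholder: NtUserGetMessage's caller
    def execute(self):
        mnem, length = PROGRAM[self.eip]
        if mnem == "mov edx,7FFE0300h":
            self.edx, self.eip = SHARED_STUB, self.eip + length
        elif mnem == "call edx":
            self.stack.append(self.eip + length)   # pushes CALLER_RET
            self.eip = self.edx
        elif mnem == "sysenter":
            # Kernel side omitted: before sysexit EDX holds the return address
            # read via the saved ESP, so we resume at CALLER_RET, not at 7FFE0304.
            self.eip = self.stack.pop()
        elif mnem.startswith("ret"):
            self.eip = self.stack.pop()
        else:
            self.eip += length                     # mov eax / mov edx,esp
def run_until(cpu, bp, budget=50):
    """Run to eip == bp; None means we left the listing (process 'keeps running')."""
    for _ in range(budget):
        if cpu.eip == bp:
            return bp
        if cpu.eip not in PROGRAM:
            return None
        cpu.execute()
    return None
def step_naive(cpu):
    """Stop at the next instruction in memory: fails across sysenter."""
    return run_until(cpu, cpu.eip + PROGRAM[cpu.eip][1])
def step_syscall_aware(cpu):
    """Across sysenter, stop where sysexit lands: the saved user return address."""
    mnem, length = PROGRAM[cpu.eip]
    return run_until(cpu, cpu.stack[-1] if mnem == "sysenter" else cpu.eip + length)
```

Run `run_until(cpu, 0x7FFE0302)` to park the model on sysenter, then compare `step_naive` (returns None, the process ran off) with `step_syscall_aware` (stops at 0x77D43A09).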

  3. #3

    Thanks a lot for your answer!