To jmi: I am purposely not editing the above post to add this. If you think I should have edited the post, then please reduce my post count by one but leave this post as it is. Thanks and regards.
Yes, I was still poking at this, so I modified the PE header back to its original.
With regards to the import table, I see it is crashing when accessing it.

Registers at the crash:
Quote:
EAX 00400000
ECX 777B3C93
EDX 00002010
EBX 00402010 <--- import table address that I modified back in the PE header
ESP 0012F93C
EBP 0012F978
ESI 00131EE0
EDI 87CBCF87
EIP 77F8F85E
Crash here:
Quote:
77F8F84B MOV ECX, DWORD PTR DS:[EBX+10]
77F8F84E TEST ECX, ECX
77F8F850 JE 77F88B40
77F8F856 MOV EAX, DWORD PTR DS:[ESI+18]
77F8F859 MOV EDI, DWORD PTR DS:[EBX+C]
77F8F85C ADD EDI, EAX
77F8F85E CMP DWORD PTR DS:[ECX+EAX], 0
The above code is still in the stack setup by ntoskrnl; not even ntdll has been mapped yet.
Call stack:
Quote:
Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012F97C 77F8651E 77F8F7B5 77F86519 0012F978
0012FC9C 77F96416 77F91B3B 77F96411 0012FC98
0012FD20 77F9FB67 Includes 77F96416 77F9FB65 0012FD1C
All these are mapped sections that are setting up the exe; no physical DLL calls have been made yet, not even Ldr blah blah.

Now if you notice, EBX == 402010, and look at the unmodified import table:
Quote:
00000610 54 20 00 00 00 00 00 00 T ......
00000618 00 00 00 00 6A 20 00 00 ....j ..
00000620 08 20 00 00 4C 20 00 00 . ..L ..
That is the first thunk and blah blah.
Now the modified one has:
Quote:
00000610 6B FF BB B7 B3 AF AB A7 k.......
00000618 A3 9F 9B 97 87 CF 8B 87 ........
00000620 93 3C 7B 77 EA 2C 6B 67 .<{w.,kg
Now the log details of the crash:
Log data, item 0
Address=77F8F85E
Message=Access violation when reading [77BB3C93]
So first thunk resolved + imagebase == 77BB3C93, which is invalid: this hasn't been mapped anywhere; this memory is neither allocated nor mapped, nothing.
Whereas in the original it will be 400000 + 2008 == 402008, which will be valid.
OK, so it is up to the author to rectify this situation.
bgrimm, do you have any other working exe that runs in W2K where you can reproduce what you were talking about, so that I can try reproducing it?
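As an added example (not code from this thread), the following script parses the 20-byte IMAGE_IMPORT_DESCRIPTOR from the two hex dumps above and performs the sanity check the loader skips: it resolves Name and FirstThunk to ImageBase + RVA and flags any RVA that falls outside the image, which is exactly why the modified descriptor faults at 77BB3C93. ImageBase 0x400000 comes from EAX in the post; SizeOfImage is not shown in the post, so 0x3000 is an assumed value.

```python
import struct

IMAGE_BASE = 0x00400000  # EAX at the crash in the post
SIZE_OF_IMAGE = 0x3000   # assumption: not shown in the post, picked for a tiny exe

FIELDS = ("OriginalFirstThunk", "TimeDateStamp", "ForwarderChain", "Name", "FirstThunk")

# The descriptor at file offset 0x610 (RVA 0x2010, EBX in the loader code),
# copied from the original and the modified dumps in the post.
ORIGINAL = bytes.fromhex("54200000" "00000000" "00000000" "6A200000" "08200000")
MODIFIED = bytes.fromhex("6BFFBBB7" "B3AFABA7" "A39F9B97" "87CF8B87" "933C7B77")


def parse_import_descriptor(blob: bytes, offset: int = 0) -> dict:
    """Unpack one IMAGE_IMPORT_DESCRIPTOR: five little-endian DWORDs."""
    return dict(zip(FIELDS, struct.unpack_from("<5I", blob, offset)))


def rva_to_va(rva: int, image_base: int = IMAGE_BASE) -> int:
    """The loader's ADD EDI, EAX step: VA = ImageBase + RVA, wrapped to 32 bits."""
    return (image_base + rva) & 0xFFFFFFFF


def check_import_descriptor(desc: dict, image_base: int = IMAGE_BASE,
                            size_of_image: int = SIZE_OF_IMAGE) -> list:
    """Return a list of problems; empty means every RVA the loader dereferences
    (Name, FirstThunk, and OriginalFirstThunk if present) lies inside the image."""
    if not any(desc.values()):
        return []  # all-zero descriptor terminates the import table
    problems = []
    for field in ("Name", "FirstThunk", "OriginalFirstThunk"):
        rva = desc[field]
        if field == "OriginalFirstThunk" and rva == 0:
            continue  # optional: older linkers leave it zero
        if not 0 < rva < size_of_image:
            problems.append(f"{field} RVA {rva:08X} -> VA {rva_to_va(rva, image_base):08X} "
                            f"is outside the image (SizeOfImage {size_of_image:X})")
    return problems


if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("modified", MODIFIED)):
        desc = parse_import_descriptor(blob)
        print(label, {k: f"{v:08X}" for k, v in desc.items()})
        print("  FirstThunk VA:", f"{rva_to_va(desc['FirstThunk']):08X}")
        print("  problems:", check_import_descriptor(desc) or "none")
```

The modified descriptor resolves Name to 87CBCF87 (the EDI value in the register dump) and FirstThunk to 77BB3C93 (the address in the access violation), so a checker like this would reject the file before the loader ever touches it.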