[Help] Running a program under OD (OllyDbg) causes runtime exceptions
Posted: 2010-3-18 03:31 3200
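I developed an OD plugin. After finishing debugging it, I found in actual use that it was not very stable. At first I suspected a bug in the plugin, but reviewing the code turned up nothing. Later, by chance, I found that even without the plugin, a program run under OD also hits execution exceptions when there are somewhat many breakpoints and they are hit somewhat often. Most of these are memory access violations. According to the program's code, however, the program does check this kind of data before accessing it; strangely, the jump that should be taken after the check is not taken, which leads to the subsequent access violation at address 0. Could an expert help explain where the problem lies: is it a problem in OD itself, or is there some execution trap I have not noticed? Many thanks.
The sequence of operations is as follows:
After OD loads the program and breaks, press F9 to run. Once the UI appears, search the program for all intermodular calls and set breakpoints on every call found. The program breaks immediately; then press F2 to clear the breakpoint and F9 to run again. After repeating this for roughly 30 breakpoints, the program runs normally.
A little later the game hits an access violation at address 0.
The disassembly is as follows (the small game 雷电, Raiden):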
004141E0 /$ 8B4424 04 MOV EAX, DWORD PTR [ESP+4]
004141E4 |. 83EC 08 SUB ESP, 8
004141E7 |. 85C0 TEST EAX, EAX
004141E9 |. 53 PUSH EBX
004141EA |. 56 PUSH ESI
004141EB |. 57 PUSH EDI
004141EC |. 0F84 5A010000 JE 0041434C
004141F2 |. 8B18 MOV EBX, DWORD PTR [EAX]
004141F4 |. 83C0 0C ADD EAX, 0C
004141F7 |. 895C24 0C MOV DWORD PTR [ESP+C], EBX
004141FB |. 8B48 F8 MOV ECX, DWORD PTR [EAX-8]
004141FE |. 894424 18 MOV DWORD PTR [ESP+18], EAX
00414202 |. 8D5424 10 LEA EDX, DWORD PTR [ESP+10]
00414206 |. 894C24 10 MOV DWORD PTR [ESP+10], ECX
0041420A |. 8D4424 0C LEA EAX, DWORD PTR [ESP+C]
0041420E |. 52 PUSH EDX
0041420F |. 8D4C24 24 LEA ECX, DWORD PTR [ESP+24]
00414213 |. 50 PUSH EAX
00414214 |. 8D5424 24 LEA EDX, DWORD PTR [ESP+24]
00414218 |. 51 PUSH ECX
00414219 |. 8D4424 24 LEA EAX, DWORD PTR [ESP+24]
0041421D |. 52 PUSH EDX
0041421E |. 50 PUSH EAX
0041421F |. E8 ACFEFFFF CALL 004140D0
00414224 |. 83C4 14 ADD ESP, 14
00414227 |. 85C0 TEST EAX, EAX
00414229 |. 0F84 1D010000 JE 0041434C
0041422F |. A1 C89A9D00 MOV EAX, DWORD PTR [9D9AC8]
00414234 |. 8B5424 20 MOV EDX, DWORD PTR [ESP+20]
00414238 |. 8B3D 6C869D00 MOV EDI, DWORD PTR [9D866C]
0041423E |. 8B7424 1C MOV ESI, DWORD PTR [ESP+1C]
00414242 |. 2BC2 SUB EAX, EDX
00414244 |. 8B4C24 10 MOV ECX, DWORD PTR [ESP+10]
00414248 |. 48 DEC EAX
00414249 |. 894424 20 MOV DWORD PTR [ESP+20], EAX
0041424D |. 8B0485 C0869D>MOV EAX, DWORD PTR [EAX*4+9D86C0]
00414254 |. 03C7 ADD EAX, EDI
00414256 |. 03C6 ADD EAX, ESI
00414258 |. 83F9 04 CMP ECX, 4
0041425B |. 0F8C B0000000 JL 00414311
00414261 |> 8B4C24 0C /MOV ECX, DWORD PTR [ESP+C]
00414265 |. 8B7424 18 |MOV ESI, DWORD PTR [ESP+18]
00414269 |. 8BD1 |MOV EDX, ECX
0041426B |. 8BF8 |MOV EDI, EAX
0041426D |. C1E9 02 |SHR ECX, 2
00414270 |. F3:A5 |REP MOVS DWORD PTR ES:[EDI], DWORD PTR [ESI]
00414272 |. 8BCA |MOV ECX, EDX
00414274 |. 83E1 03 |AND ECX, 3
00414277 |. F3:A4 |REP MOVS BYTE PTR ES:[EDI], BYTE PTR [ESI]
00414279 |. 8B15 64869D00 |MOV EDX, DWORD PTR [9D8664]
0041427F |. 8B4C24 0C |MOV ECX, DWORD PTR [ESP+C]
00414283 |. 8B7424 18 |MOV ESI, DWORD PTR [ESP+18]
00414287 |. 2BC2 |SUB EAX, EDX
00414289 |. 8BD1 |MOV EDX, ECX
0041428B |. 03F3 |ADD ESI, EBX ; 00000190
0041428D |. 8BF8 |MOV EDI, EAX
0041428F |. 897424 18 |MOV DWORD PTR [ESP+18], ESI
00414293 |. C1E9 02 |SHR ECX, 2
00414296 |. F3:A5 |REP MOVS DWORD PTR ES:[EDI], DWORD PTR [ESI] ; at this point [EDI = 021BFF80] = ???
00414298 |. 8BCA |MOV ECX, EDX
0041429A |. 83E1 03 |AND ECX, 3
0041429D |. F3:A4 |REP MOVS BYTE PTR ES:[EDI], BYTE PTR [ESI]
0041429F |. 8B15 64869D00 |MOV EDX, DWORD PTR [9D8664]
004142A5 |. 8B4C24 0C |MOV ECX, DWORD PTR [ESP+C]
004142A9 |. 8B7424 18 |MOV ESI, DWORD PTR [ESP+18]
004142AD |. 2BC2 |SUB EAX, EDX
004142AF |. 8BD1 |MOV EDX, ECX
004142B1 |. 03F3 |ADD ESI, EBX
004142B3 |. 8BF8 |MOV EDI, EAX
004142B5 |. 897424 18 |MOV DWORD PTR [ESP+18], ESI
004142B9 |. C1E9 02 |SHR ECX, 2
004142BC |. F3:A5 |REP MOVS DWORD PTR ES:[EDI], DWORD PTR [ESI]
004142BE |. 8BCA |MOV ECX, EDX
004142C0 |. 83E1 03 |AND ECX, 3
004142C3 |. F3:A4 |REP MOVS BYTE PTR ES:[EDI], BYTE PTR [ESI]
004142C5 |. 8B15 64869D00 |MOV EDX, DWORD PTR [9D8664]
004142CB |. 8B4C24 0C |MOV ECX, DWORD PTR [ESP+C]
004142CF |. 8B7424 18 |MOV ESI, DWORD PTR [ESP+18]
004142D3 |. 2BC2 |SUB EAX, EDX
004142D5 |. 8BD1 |MOV EDX, ECX
004142D7 |. 03F3 |ADD ESI, EBX
004142D9 |. 8BF8 |MOV EDI, EAX
004142DB |. 897424 18 |MOV DWORD PTR [ESP+18], ESI
004142DF |. C1E9 02 |SHR ECX, 2
004142E2 |. F3:A5 |REP MOVS DWORD PTR ES:[EDI], DWORD PTR [ESI]
004142E4 |. 8BCA |MOV ECX, EDX
004142E6 |. 83E1 03 |AND ECX, 3
004142E9 |. F3:A4 |REP MOVS BYTE PTR ES:[EDI], BYTE PTR [ESI]
004142EB |. 8B0D 64869D00 |MOV ECX, DWORD PTR [9D8664]
004142F1 |. 8B7C24 18 |MOV EDI, DWORD PTR [ESP+18]
004142F5 |. 2BC1 |SUB EAX, ECX
004142F7 |. 8B4C24 10 |MOV ECX, DWORD PTR [ESP+10]
004142FB |. 83E9 04 |SUB ECX, 4
004142FE |. 03FB |ADD EDI, EBX
00414300 |. 83F9 04 |CMP ECX, 4
00414303 |. 897C24 18 |MOV DWORD PTR [ESP+18], EDI
00414307 |. 894C24 10 |MOV DWORD PTR [ESP+10], ECX
0041430B |.^ 0F8D 50FFFFFF \JGE 00414261
00414311 |> 85C9 TEST ECX, ECX
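After the error occurs the game exits.
Because at startup the program has a similar access exception triggered by address 0, after which it executes its own protection code, I suspect that the first time the game reaches this location it deliberately raises an exception and then calls VirtualAllocEx to allocate memory. The complete memory allocation code of the custom protection is as follows: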
00BF7BCF B8 5A69BFF0 MOV EAX, F0BF695A
00BF7BD4 64:8F05 0000000>POP DWORD PTR FS:[0]
00BF7BDB 83C4 04 ADD ESP, 4
00BF7BDE 55 PUSH EBP
00BF7BDF 53 PUSH EBX
00BF7BE0 51 PUSH ECX
00BF7BE1 57 PUSH EDI
00BF7BE2 56 PUSH ESI
00BF7BE3 52 PUSH EDX
00BF7BE4 8D98 2E120010 LEA EBX, DWORD PTR [EAX+1000122E]
00BF7BEA 8B53 18 MOV EDX, DWORD PTR [EBX+18]
00BF7BED 52 PUSH EDX
00BF7BEE 8BE8 MOV EBP, EAX
00BF7BF0 6A 40 PUSH 40
00BF7BF2 68 00100000 PUSH 1000
00BF7BF7 FF73 04 PUSH DWORD PTR [EBX+4]
00BF7BFA 6A 00 PUSH 0
00BF7BFC 8B4B 10 MOV ECX, DWORD PTR [EBX+10]
00BF7BFF 03CA ADD ECX, EDX
00BF7C01 8B01 MOV EAX, DWORD PTR [ECX]
00BF7C03 FFD0 CALL EAX ;VirtualAllocEx
00BF7C05 5A POP EDX ; DemonSta.00400000
00BF7C06 8BF8 MOV EDI, EAX
00BF7C08 50 PUSH EAX
--------------------------------------------------------------------------------------------------
I really do not understand why the above happens. I would appreciate any advice from the experts. Thank you.