I was testing a snippet for a frameless proc when I got deeply stuck with our friend Olly.
Instead of helping me to understand my own code, the three lines
mov edi, arg1 ; e.g. lpDest
mov esi, arg2 ; e.g. lpSrc
mov ebx, arg3 ; e.g. count
displayed as e.g.
mov edi, arg.2
mov esi, arg.3
mov ebx, arg.1
Reversed and confused order of arguments etc.
But the code worked as expected. It seems to depend on what code comes immediately before. And when Options/Analysis/Show recognized ARGs and LOCALs in disassembly is disabled, the correct [esp+n] code shows up.
Sorry for this rant, Olly (http://www.ollydbg.de/version2.html) is really my best friend in assembly, but it cost me an hour of testing until I realised that Olly gave me misleading messages. Maybe it cannot be fixed easily, so just take this post as a little warning to Olly noobs like me... don't trust the arg.n in frameless procedures ;-)
include \masm32\include\masm32rt.inc
.code
str1 db "Arg1", 0
str2 db "Arg2", 0
str3 db "Arg3", 0
; --------- paste this code just before start: , otherwise you need a PROTO ---------
OPTION PROLOGUE:NONE
OPTION EPILOGUE:NONE
; align 16 ; has no effect on modern CPUs
MyProc proc arg1_:DWORD, arg2_:DWORD, arg3_:DWORD
args= 3
savedregs= 4
EspOff equ esp+4*savedregs
arg1 equ [EspOff+1*4]
arg2 equ [EspOff+2*4]
arg3 equ [EspOff+3*4]
push edi ; all registers preserved, except eax ecx edx
push esi
push ebx
push ebp ; change savedregs if you do not need ebp
; int 3 ; check with Olly what you get here; do not trust Olly's arg.x
mov edi, arg1 ; e.g. lpDest
mov esi, arg2 ; e.g. lpSrc
mov ebx, arg3 ; e.g. count
mov ebp, 12345h
pop ebp
pop ebx
pop esi ; all registers preserved, except eax ecx edx
pop edi
ret 4*args
MyProc endp
MyProc_END: ; label for csize macro
; invoke MyProc, chr$("Arg1"), chr$("Arg2"), chr$("Arg3") ; cut & paste after start:
OPTION PROLOGUE:PrologueDef
OPTION EPILOGUE:EpilogueDef
; ---------------------------- this line just before start: ------------------------------------
start:
invoke MyProc, offset str1, offset str2, offset str3
getkey
exit ; short form of invoke ExitProcess, 0
end start
What do you mean -
Quote
displayed as e.g.
Code:
mov edi, arg.2
mov esi, arg.3
mov ebx, arg.1
How do you get that type of display?
All I get in Olly is
0040100F > 57 PUSH EDI
00401010 56 PUSH ESI
00401011 53 PUSH EBX
00401012 55 PUSH EBP
00401013 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14]
00401017 8B7424 18 MOV ESI,DWORD PTR SS:[ESP+18]
0040101B 8B5C24 1C MOV EBX,DWORD PTR SS:[ESP+1C]
0040101F BD 45230100 MOV EBP,12345
00401024 5D POP EBP
00401025 5B POP EBX
00401026 5E POP ESI
00401027 5F POP EDI
00401028 C2 0C00 RETN 0C
0040102B > 68 0A104000 PUSH tst.str3 ; ASCII "Arg3"
00401030 68 05104000 PUSH tst.str2 ; ASCII "Arg2"
00401035 68 00104000 PUSH tst.str1 ; ASCII "Arg1"
0040103A E8 D0FFFFFF CALL tst.MyProc
0040103F E8 0C000000 CALL tst.ret_key
00401044 6A 00 PUSH 0
00401046 E8 31000000 CALL tst.ExitProcess ; JMP to kernel32.ExitProcess
0040104B CC INT3
You cannot expect Olly to guess your arguments for a non-standard procedure frame.
This is one advantage of EBP-based (i.e. standard) procedure frames.
And of course, when you disable analysis, Olly will show plain/simple disassembly with no "arg.1" and such stuff.
I guess that with non standard procedure frames the Call Stack display might also be misleading.
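As an added illustration (not code from any post in this thread) of how a debugger's analyser derives those arg.n labels, and why the numbering shifts when its idea of the procedure entry is off: a small Python pass over the listing quoted above that tracks ESP through the PUSH/POP sequence and renames each [ESP+xx] operand relative to the entry point. The listing excerpt is constructed from the one quoted earlier; the regexes and the start_delta parameter are my own assumptions, not OllyDbg's actual algorithm.

```python
import re

# Constructed excerpt of the OllyDbg listing quoted in the thread (MyProc body).
LISTING = """\
0040100F > 57 PUSH EDI
00401010 56 PUSH ESI
00401011 53 PUSH EBX
00401012 55 PUSH EBP
00401013 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14]
00401017 8B7424 18 MOV ESI,DWORD PTR SS:[ESP+18]
0040101B 8B5C24 1C MOV EBX,DWORD PTR SS:[ESP+1C]
0040101F BD 45230100 MOV EBP,12345
00401024 5D POP EBP
00401025 5B POP EBX
00401026 5E POP ESI
00401027 5F POP EDI
00401028 C2 0C00 RETN 0C
"""

# address, optional '>' marker, opcode byte tokens, then the instruction text.
# (Assumes the mnemonic is not itself a pure hex word such as ADD or DEC.)
LINE_RE = re.compile(r"^[0-9A-F]{8}\s+>?\s*(?:[0-9A-F]+\s+)*(?P<ins>[A-Z]\S*.*)$")
ESP_RE = re.compile(r"\[ESP\+([0-9A-F]+)\]")

def resolve_args(listing, start_delta=0):
    """Return the entry-relative name of every [ESP+xx] operand in order.
    start_delta is the number of bytes the analyser believes have already
    been pushed when tracking starts; 0 is right for the true entry point,
    a wrong value models an analyser that mislocated the entry."""
    delta = start_delta
    names = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ins = m.group("ins")
        mnem = ins.split()[0]
        for hexoff in ESP_RE.findall(ins):
            off = int(hexoff, 16) - delta        # offset from ESP as it was at entry
            if off == 0:
                names.append("return address")
            elif off > 0 and off % 4 == 0:
                names.append("arg.%d" % (off // 4))   # [ESP+4] at entry is arg.1
            else:
                names.append("local/unknown(%+d)" % off)
        if mnem == "PUSH":
            delta += 4
        elif mnem == "POP":
            delta -= 4
    return names

if __name__ == "__main__":
    print(resolve_args(LISTING))                 # ['arg.1', 'arg.2', 'arg.3']
    print(resolve_args(LISTING, start_delta=-4)) # analyser missed one push
```

With start_delta=0 the three loads resolve to arg.1, arg.2, arg.3, matching the arg1/arg2/arg3 equates in the first post; if the analyser's starting stack depth is off by one push, the same operands come out as arg.2, arg.3, arg.4.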
Quote from: Jimg on May 16, 2009, 09:54:42 PM
How do you get that type of display?
Options/Analysis/Show recognized ARGs and LOCALs in disassembly :thumbu
Quote from: jj2007 on May 16, 2009, 10:59:38 PM
Quote from: Jimg on May 16, 2009, 09:54:42 PM
How do you get that type of display?
Options/Analysis/Show recognized ARGs and LOCALs in disassembly :thumbu
That didn't make any difference for me. That's in Options/Debugging Options/Analysis1 right? Must be some other option also required.
Quote from: Jimg on May 16, 2009, 11:07:55 PM
That didn't make any difference for me. That's in Options/Debugging Options/Analysis1 right? Must be some other option also required.
You have Olly 1.x - no such service. Try Olly2, link see top post. It is otherwise very stable. Although I still have not found out how to get any of these beasts to display my variable and procedure names... ::)
Well, gee. It's still a beta. Now's your chance to give him some feedback.
Quote from: jj2007 on May 16, 2009, 11:17:14 PM
...Although I still have not found out how to get any of these beasts to display my variable and procedure names... ::)
Use MS Link and produce a .pdb file.
Edit: Also check the log window to see if it shows the debugging data being recognized and loaded.
Quote
That didn't make any difference for me. That's in Options/Debugging Options/Analysis1 right? Must be some other option also required.
Quote
You have Olly 1.x - no such service.
Version 1.10 has this option also.
1) Activate this option in Analysis1
2) Go to code window and press Ctrl+A.
3) Olly will analyze your program and show you arguments and locals (sometimes it makes mistakes).