Olly woes: misleading arg.n

[jj2007]

I was testing a snippet for a frameless proc when I got deeply stuck with our friend Olly.
Instead of helping me to understand my own code, the three lines

Code Select Expand

mov edi, arg1 ; e.g. lpDest
mov esi, arg2 ; e.g. lpSrc
mov ebx, arg3 ; e.g. count


displayed as e.g.

Code Select Expand

mov edi, arg.2
mov esi, arg.3
mov ebx, arg.1

Reversed and confused order of arguments etc.
But the code worked as expected. It seems to depend on what comes immediately code before. And when Options/Analysis/Show recognized ARGs and LOCALs in disassembly is disabled, the correct [esp+n] code shows up.

Sorry for this rant, Olly is really my best friend in assembly, but it cost me an hour of testing until I realised that Olly gave me misleading messages. Maybe it cannot be fixed easily, so just take this post as a little warning to Olly noobs like me... don't trust the arg.n in frameless procedures ;-)

Code Select Expand

include \masm32\include\masm32rt.inc

.code
str1 db "Arg1", 0
str2 db "Arg2", 0
str3 db "Arg3", 0

; --------- paste this code just before start: , otherwise you need a PROTO ---------
OPTION PROLOGUE:NONE
OPTION EPILOGUE:NONE
; align 16 ; has no effect on modern CPUs
MyProc proc arg1_:DWORD, arg2_:DWORD, arg3_:DWORD
args= 3
savedregs= 4
EspOff equ esp+4*savedregs
arg1 equ [EspOff+1*4]
arg2 equ [EspOff+2*4]
arg3 equ [EspOff+3*4]
push edi ; all registers preserved, except eax ecx edx
push esi
push ebx
push ebp ; change savedregs if you do not need ebp

; int 3 ; check with Olly what you get here; do not trust Olly's arg.x
mov edi, arg1 ; e.g. lpDest
mov esi, arg2 ; e.g. lpSrc
mov ebx, arg3 ; e.g. count
mov ebp, 12345h

pop ebp
pop ebx
pop esi ; all registers preserved, except eax ecx edx
pop edi
  ret 4*args
MyProc endp
MyProc_END: ; label for csize macro
; invoke MyProc, chr$("Arg1"), chr$("Arg2"), chr$("Arg3") ; cut & paste after start:
OPTION PROLOGUE:PrologueDef
OPTION EPILOGUE:EpilogueDef
; ---------------------------- this line just before start: ------------------------------------
start:
invoke MyProc, offset str1, offset str2, offset str3
getkey
exit ; short form of invoke ExitProcess, 0

end start


[Jimg]

What do you mean-

displayed as e.g.
Code:
mov edi, arg.2
mov esi, arg.3
mov ebx, arg.1

How you you get that type of display?

All I get in Olly is

Code Select Expand

0040100F > 57               PUSH EDI
00401010   56               PUSH ESI
00401011   53               PUSH EBX
00401012   55               PUSH EBP
00401013   8B7C24 14        MOV EDI,DWORD PTR SS:[ESP+14]
00401017   8B7424 18        MOV ESI,DWORD PTR SS:[ESP+18]
0040101B   8B5C24 1C        MOV EBX,DWORD PTR SS:[ESP+1C]
0040101F   BD 45230100      MOV EBP,12345
00401024   5D               POP EBP
00401025   5B               POP EBX
00401026   5E               POP ESI
00401027   5F               POP EDI
00401028   C2 0C00          RETN 0C
0040102B > 68 0A104000      PUSH tst.str3                          ; ASCII "Arg3"
00401030   68 05104000      PUSH tst.str2                          ; ASCII "Arg2"
00401035   68 00104000      PUSH tst.str1                          ; ASCII "Arg1"
0040103A   E8 D0FFFFFF      CALL tst.MyProc
0040103F   E8 0C000000      CALL tst.ret_key
00401044   6A 00            PUSH 0
00401046   E8 31000000      CALL tst.ExitProcess                   ; JMP to kernel32.ExitProcess
0040104B   CC               INT3



[BogdanOntanu]

You can not expect from Olly to guess your arguments for a non standard procedure frame.

This is one advantage of EBP based (ie. standard) procedure frames.

And of course that when you disable analysis then Olly will show plain /simple disassembly with no "arg.1" and such stuff.

I guess that with non standard procedure frames the Call Stack display might also be misleading.

[jj2007]

How you you get that type of display?

Options/Analysis/Show recognized ARGs and LOCALs in disassembly :thumbu

[Jimg]

How you you get that type of display?

Options/Analysis/Show recognized ARGs and LOCALs in disassembly :thumbu

That didn't make any difference for me.  That's in Options/Debugging Options/Analysis1 right?  Must be some other option also required.

[jj2007]

That didn't make any difference for me.  That's in Options/Debugging Options/Analysis1 right?  Must be some other option also required.

You have Olly 1.x - no such service. Try Olly2, link see top post. It is otherwise very stable. Although I still have not found out how to get any of these beasts to display my variable and procedure names... ::)

[Jimg]

Well, gee.  It still a beta.  Now's your chance to give him some feedback.

[Mark Jones]

...Although I still have not found out how to get any of these beasts to display my variable and procedure names... ::)

Use MS Link and produce a .pdb file.

Edit: Also check the log window to see if it shows the debugging data being recognized and loaded.

[BogdanOntanu]

That didn't make any difference for me.  That's in Options/Debugging Options/Analysis1 right?  Must be some other option also required.

You have Olly 1.x - no such service.

Version 1.10 has this option also.

1) Activate this option in Analysis1
2) Go to code window and press Ctrl+A.
3) Olly will analyze your program and show you arguments and locals (sometimes it makes mistakes).