Symbolic debugging with Olly

jj2007 · January 05, 2010, 02:11:11 PM

The testbed below may be helpful in convincing OllyDbg to show symbolic names - a real advantage for debugging your code.

This works fine under the following conditions:
A. Assembler is ml.exe, version 6.15
Notes:
- commandline options are /c /coff /Zi (/Zd does not make a difference)
- 6.15 knows SSE2, in contrast to 6.14, but is not included in the Masm32 package; try the GeneSys version
- 6.14 introduces a few extra jmps on top of file but works fine if you have no SSE code
- Jwasm works fine but not always, and has minor problems with local variables ¹⁾

B. Linker is link.exe, version 6.14
Notes:
- command line options are /debug /Subsystem:xxx and nothing else.
- polink seems not to work, but maybe somebody knows a trick...?
- link version 9.0 produces "fatal error LNK1101: incorrect MSPDB80.DLL version; recheck installation of this product" (I did reinstall Visual C++ Express from here)

C. Debugger is OllyDbg version 1.1 (Odbg110.zip)
Notes:
- Olly 2.0 is sometimes more powerful but no symbols, sorry...!
- In Olly 1.0, choose the following debugging options:
DisAsm: Show symbolic addresses
Stack: Show names of local variables (this affects the stack window in the lower right corner, very handy!)
Analysis 1: Show ARGs and LOCALs in procedures
Analysis 2: Show arguments of known functions

Code Select

include \masm32\include\masm32rt.inc

MyProc	PROTO: DWORD, :DWORD

Externdef	MyLabel:NEAR
Externdef	MyLabelInProc:NEAR

.data
MyDword	dd 123
MyString	db "Ciao", 0
hw	db "Hello World at 1024 bytes", 0

.data?
AnyVar	dd ?

.code
start:	jmp MyLabel
	m2m AnyVar, MyDword
MyLabel:
	mov AnyVar, 12345678h
	invoke MyProc, offset MyString, MyDword
	print offset hw, 13, 10, 10
	getkey
	invoke ExitProcess, 0

MyProc proc ptrMyString, MyDwordArg
LOCAL MyLocVarA:DWORD, MyRect:RECT
LOCAL Loc4Bytes[4]:BYTE
  lea edx, Loc4Bytes
  mov MyLocVarA, 12345678h
  mov MyRect.left, 123h
  mov MyRect.top, 456h
  mov MyRect.right, 321h
  mov MyRect.bottom, 654h
  je MyLabelInProc
  inc eax
  jmp MyLabelInProc
  mov eax, ptrMyString
  sub eax, ecx
  mov ecx, MyDwordArg
MyLabelInProc::
  ret
MyProc endp

end start

If everything works fine, you will see the testbed code as below.

Code Select

<ModuleEntryPoint>    $/EB 0C              jmp short MyLabel
00401012              .|FF35 00404000      push dword ptr [MyDword]
00401018              .|8F05 40414000      pop dword ptr [AnyVar]
MyLabel               >\C705 40414000 7856>mov dword ptr [AnyVar], 123456>
00401028              . FF35 00404000      push dword ptr [MyDword]
0040102E              . 68 04404000        push offset MyString           ;  ASCII "Ciao"
00401033              . E8 20000000        call MyProc
00401038              . 68 09404000        push offset hw                 ; /Arg1 = 00404009 ASCII "Hello World at 1024 bytes"
0040103D              . E8 76000000        call StdOut                    ; \StdOut
00401042              . 68 23404000        push offset ??001A             ; /Arg1 = 00404023 ASCII CR,LF,LF,""
00401047              . E8 6C000000        call StdOut                    ; \StdOut
0040104C              . E8 9F000000        call ret_key
00401051              . 6A 00              push 0                         ; /ExitCode = 0
00401053              . E8 3A010000        call ExitProcess               ; \ExitProcess
MyProc                $ 55                 push ebp
00401059              . 8BEC               mov ebp, esp
0040105B              . 83C4 E8            add esp, -18
0040105E              . 8D55 E8            lea edx, [local.Loc4Bytes]
00401061              . C745 FC 78563412   mov [local.MyLocVarA], 1234567>
00401068              . C745 EC 23010000   mov [local.MyRect], 123
0040106F              . C745 F0 56040000   mov [local.MyRect+4], 456
00401076              . C745 F4 21030000   mov [local.MyRect+8], 321
0040107D              . C745 F8 54060000   mov [local.MyRect+C], 654
00401084              . 74 0B              je short MyLabelInProc
00401086              . 40                 inc eax
00401087              . EB 08              jmp short MyLabelInProc
00401089              . 8B45 08            mov eax, [arg.ptrMyString]
0040108C              . 2BC1               sub eax, ecx
0040108E              . 8B4D 0C            mov ecx, [arg.MyDwordArg]
MyLabelInProc         > C9                 leave
00401092              . C2 0800            retn 8

1) JWasm misinterprets Local variables in the lower right corner:

redskull · January 05, 2010, 09:09:39 PM

Additionally, you can open the 'source' window to view your original source code, and observe the highlighted line as your step through. I would guess, however, that you would need the /Zd option for this.

-r

Vortex · January 05, 2010, 09:16:24 PM

Hi Jochen,

Nice work. Why not to create a HTML or a pdf document?

jj2007 · January 05, 2010, 11:04:33 PM

Quote from: Vortex on January 05, 2010, 09:16:24 PM
Hi Jochen,

Nice work. Why not to create a HTML or a pdf document?

Hi Erol,
Thanks, but why create one? This is an HTML document :bg
But jokes apart: There should be a Campus subforum "Welcome to noobs" explaining the top ten useful tools and the top ten pitfalls when coding in Masm. Strictly limited in size, and moderated. For example, the .if eax<0 thing pops up regularly, and how many times have the older members here typed the links to the Iczelion tutes, or the path to the Masm32 help files that apparently are unreachable for the ordinary unguided noob...?

jj2007 · January 05, 2010, 11:16:10 PM

Quote from: redskull on January 05, 2010, 09:09:39 PM
Additionally, you can open the 'source' window to view your original source code, and observe the highlighted line as your step through. I would guess, however, that you would need the /Zd option for this.

-r

Red,
I only see an empty window when I click on View, Source. /Zd is on. What's the trick?

redskull · January 06, 2010, 12:30:59 AM

The "trick" (read: bug) is to double-click the source line in the CPU window to open it the first time; subsequent times will open normal.

To eludicate: When you initially load the file, you should see the current source line appear in the CPU window, in the 4-line box inbetween the dissassembly and the memory dump. Something like:

test.asm:25. invoke ExitProcess,NULL

Double click on THAT line, exactly, and it will open up the 'source' window, displaying your source, with the current line highlighted. Stepping through it will change the line, as appropriate. If you close the Source window, you can open it normally (via the 'S' box on the far right of the menu bar), provided you opened it via the double-click method earlier at least once.

my build commands:

ml /c /coff /Zi /Zd test.asm
link /subsystem:windows /debug /release test.obj

-r

jj2007 · January 06, 2010, 12:44:34 AM

Quote from: redskull on January 06, 2010, 12:30:59 AM
in the 4-line box inbetween the dissassembly and the memory dump. Something like:

test.asm:25. invoke ExitProcess,NULL

Double click on THAT line, exactly, and it will open up the 'source' window

Great, very helpful :U

But apparently, /Zd is not needed...

herge · January 07, 2010, 01:55:15 PM

hi JJ2007:

Try imstalling the Redistribute 2008 from Microsoft!
Always run VCvars32 before you use ML or CL.
You only need to do this if you don t start VC Express.
This is also explained in Assembler and C sub forum.

Regards: herge

jj2007 · January 07, 2010, 02:34:35 PM

Quote from: herge on January 07, 2010, 01:55:15 PM
Always run VCvars32 before you use ML or CL.

Hi Herge,
I wish it would be that simple...

Code Select

C:\Program Files\Microsoft Visual Studio 9.0\VC\bin>"C:\Program Files\Microsoft
Visual Studio 9.0\Common7\Tools\vsvars32.bat"
Setting environment for using Microsoft Visual Studio 2008 x86 tools.

So far, so good. But when I build the file, the linker yells an "application failed because it could not find mspdb80.dll" box at me. If I copy the file to \masm32\bin\mspdb80.dll, I get the other error: fatal error LNK1101: incorrect MSPDB80.DLL version ...

Anyway, ml 6.15 or JWasm work fine.

Regards,
Jochen

WryBugz · January 07, 2010, 11:13:27 PM

Quoteunreachable for the ordinary unguided noob...?

but jj = you guys are my guide. :U

qWord · January 07, 2010, 11:32:21 PM

Quote from: jj2007 on January 07, 2010, 02:34:35 PM... If I copy the file to \masm32\bin\mspdb80.dll, I get the other error: fatal error LNK1101: incorrect MSPDB80.DLL version ...

I've the same problem with ml/link v9.0 ... but with version 10 it works (include in Visual Studio 2010 beta).

qWord

redskull · January 08, 2010, 12:16:56 AM

I have no trouble with version 9, specifically 9.00.21022.08. Here is my 'minimum install'

ml.exe
link.exe
mspdb80.dll
msobj80.dll
mspdbcore.dll
mspdbserv.exe

As an interesting side note, mspdbserv.exe is launched whenever you link with the /DEBUG switch, and stays active pretty much forever. I'm not sure if this is by design or not (to make subsequent linking go faster), but it can only be killed via task manager.

-r

qWord · January 08, 2010, 12:45:00 AM

mspdbserv.exe ... that was the missing link :bg

GregL · January 08, 2010, 03:50:37 AM

Quote from: jj... If I copy the file to \masm32\bin\mspdb80.dll, I get the other error: fatal error LNK1101: incorrect MSPDB80.DLL version ...

Don't copy the file to \masm32\bin, but do put the original location of mspdb80.dll (%VSINSTALLDIR%Common7\IDE) in your PATH so link.exe can find it. That has always worked for me.

herge · January 08, 2010, 09:58:36 AM

Hi JJ2007:

Start VC2008 c++, Tools 2008 Command Prompt
Do your thing here. Does it work now.

Add the directory where ML or CL is to your path.
This has to be done manually.
Also set INCLUDE environmental variable.

I think you can run ML and CL with out starting VC2008 but I
will agree it s a pain in the butt to do.

Regards: herge

News:

Symbolic debugging with Olly

WryBugz