Good day!

When examining one software, I encountered the following code fragment, after which the application under study crashes with an error accessing an inaccessible memory area ( Access Violation ):

alt text

Good image quality.

Here you can see what we usually used to observe in the data section. But this is, obviously, a section of code. I would really like you to enlighten: what is it? Anti debugging method? Incorrect interpretation of code in OllyDBG? Or JIT code?

Thank.

    1 answer 1

    These are unsupported OllyDbg instructions. Manually drove the incorrectly recognized bytes into the hex editor, saved it to a file, and opened it in the HT Editor in disassembly mode, the following happened:

    660fd6442430 movq [esp+00000030], xmm0 660fd6442438 movq [esp+00000038], xmm0

    We see that Olka not only did not recognize 5 bytes marked as data, but also incorrectly recognized the next 7 bytes (i.e., all up to AND AL,38 inclusive).

    • Thanks, helped. The only interesting thing is why Olly did not deign to "sew" the recognition of the miserable 57 MMX / SSE instructions. All modern Intel processors support SIMD SSE technology, but there is no support in the most popular debugger ... - AseN
    • 2
      @ 0xFFh, on www.ollydbg.de support for MMX / SSE is declared, although version 1.10 is possible (if you use it) just the same does not support them. - insolor