<p>FileParser reads binary data from <code>inline1.exe</code> and expects to see valid offsets and structure layout, but instead an access violation occurs. The binary has no valid header layout, etc. Maybe the binary is compressed or encrypted.</p>
<p>Manual stack reconstruction:</p>
<pre><code>0:000&gt; kn =0012f674 0012f674 004071f1
 # ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012f674 73dd1eb6 FileParser+0x71f1
01 0012f6ec 73dd1b9b mfc42!CWnd::OnWndMsg+0x2f4
02 0012f70c 73dd1b05 mfc42!CWnd::WindowProc+0x24
03 0012f76c 73dd2c9c mfc42!AfxCallWndProc+0x91
04 0012f790 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x36
05 0012f7b8 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x6a
06 0012f7e0 73ddca6f mfc42!CWnd::SendMessageToDescendants+0x6a
07 0012f808 73ddca0a mfc42!CFrameWnd::InitialUpdateFrame+0x5d
08 0012f814 73de3bd2 mfc42!CDocTemplate::InitialUpdateFrame+0x11
09 0012f844 73de13cf mfc42!CMultiDocTemplate::OpenDocumentFile+0x101
0a 0012fb78 73e3929c mfc42!CDocManager::OpenDocumentFile+0x14c
0b 0012fca0 73dd1fd3 mfc42!CFrameWnd::OnDropFiles+0x76
0c 0012fd1c 73dd1b9b mfc42!CWnd::OnWndMsg+0x411
0d 0012fd3c 73dd1b05 mfc42!CWnd::WindowProc+0x24
0e 0012fd9c 73dd1a58 mfc42!AfxCallWndProc+0x91
0f 0012fdbc 73e6847d mfc42!AfxWndProc+0x36
10 0012fde8 77d48709 mfc42!AfxWndProcBase+0x39
11 0012fe14 77d487eb user32!InternalCallWinProc+0x28
12 0012fe7c 77d489a5 user32!UserCallWinProcCheckWow+0x150
13 0012fedc 77d4bccc user32!DispatchMessageWorker+0x306
14 0012feec 73dd125a user32!DispatchMessageA+0xf
15 0012fefc 73ddb55f mfc42!CWinThread::PumpMessage+0x3c
16 0012ff14 73ddcf95 mfc42!CWinThread::Run+0x48
17 0012ff24 00409472 mfc42!AfxWinMain+0x6a
18 0012ffc0 7c816d4f FileParser+0x9472
19 0012fff0 00000000 kernel32!BaseProcessStart+0x23
</code></pre>
<p>Unassemble from <code>FileParser+0x71f1</code> until <code>FileParser+0x7212</code>, where the access violation occurs.</p>
<pre><code>004071ec e8e71b0000   call FileParser+0x8dd8 (00408dd8)
004071f1 84db         test bl,bl
004071f3 0f846f050000 je FileParser+0x7768 (00407768)
004071f9 8b442414     mov eax,dword ptr [esp+14h]     *Base address of inline1.exe binary
004071fd 8b483c       mov ecx,dword ptr [eax+3Ch]     *must be offset at _IMAGE_NT_HEADERS
00407200 8b5c0178     mov ebx,dword ptr [ecx+eax+78h] *must be _IMAGE_DATA_DIRECTORY
00407204 8d4c0118     lea ecx,[ecx+eax+18h]           *must be _IMAGE_OPTIONAL_HEADER
00407208 03d8         add ebx,eax                     *must be VA _IMAGE_DATA_DIRECTORY
0040720a 8d4c2418     lea ecx,[esp+18h]               *
0040720e 895c2434     mov dword ptr [esp+34h],ebx     *
00407212 8b530c       mov edx,dword ptr [ebx+0Ch]     *Access violation here
</code></pre>
<p>The access violation occurs because <code>ebx</code> points to <code>3fb80000</code> instead of inside the binary file, from <code>b80000</code> until <code>ImageSize: 00006000</code>.</p>
<p>The base address of inline1.exe is loaded into the <code>eax</code> register: <code>mov eax,dword ptr [esp+14h]</code></p>
<pre><code>0:000&gt; dps esp+14 L1
0012f510 00b80000 inline1
0:000&gt; lmvm inline1
start end module name
00b80000 00b86000 inline1 T (no symbols)
Loaded symbol image file: inline1.exe
Image path: C:\Documents and Settings\debasish mandal\Desktop\inline1.exe
Image name: inline1.exe
Timestamp: Sat Sep 28 21:27:18 2013 (52471176)
CheckSum: 00011C84
ImageSize: 00006000
File version: 0.0.0.0
Product version: 0.0.0.0
File flags: 0 (Mask 0)
File OS: 0 Unknown Base
File type: 0.0 Unknown
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
</code></pre>
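The disassembly above shows no range check between loading the data-directory value into ebx and dereferencing it. The following is an added example, not part of the original post and not FileParser's code: a bounds-checked version of the same three reads in C. The function and enum names, the e_lfanew value 0x80 and the marker value are assumptions; the failing RVA 0x3f000000 is 3fb80000 minus the base b80000 from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (names are hypothetical). Offsets 0x3C, 0x78 and 0x0C are
   the ones used by the instructions at 004071fd, 00407200 and 00407212. */
enum pe_status { PE_OK, PE_BAD_LFANEW, PE_NO_EXPORTS, PE_BAD_EXPORT_RVA };

/* Read a dword at img+off only if [off, off+4) lies inside the image. */
static int rd32(const uint8_t *img, size_t size, uint64_t off, uint32_t *out) {
    if (off > size || size - off < 4) return 0;
    memcpy(out, img + off, 4);  /* assumes a little-endian host, like x86 */
    return 1;
}

/* Checked equivalent of: ecx=[eax+3Ch]; ebx=[ecx+eax+78h]; ebx+=eax; edx=[ebx+0Ch] */
enum pe_status export_name_rva(const uint8_t *img, size_t size, uint32_t *name_rva) {
    uint32_t lfanew, export_rva;
    if (!rd32(img, size, 0x3C, &lfanew)) return PE_BAD_LFANEW;
    if (!rd32(img, size, (uint64_t)lfanew + 0x78, &export_rva)) return PE_BAD_LFANEW;
    if (export_rva == 0) return PE_NO_EXPORTS;
    /* Unchecked, base+export_rva is where ebx ended up outside the image. */
    if (!rd32(img, size, (uint64_t)export_rva + 0x0C, name_rva)) return PE_BAD_EXPORT_RVA;
    return PE_OK;
}

/* Constructed sample: zeroed 0x6000-byte image (the ImageSize in lmvm),
   e_lfanew = 0x80 (assumed), caller-chosen export directory RVA. */
enum pe_status check_sample(uint32_t export_rva, uint32_t *name_rva) {
    static uint8_t img[0x6000];
    uint32_t lfanew = 0x80, marker = 0x11223344;
    memset(img, 0, sizeof img);
    memcpy(img + 0x3C, &lfanew, 4);
    memcpy(img + lfanew + 0x78, &export_rva, 4);
    if (export_rva <= sizeof img - 0x10)
        memcpy(img + export_rva + 0x0C, &marker, 4);
    return export_name_rva(img, sizeof img, name_rva);
}

int main(void) {
    uint32_t v = 0;
    /* 0x3fb80000 - 0x00b80000 = 0x3f000000: the RVA implied by the crash */
    int bad = check_sample(0x3f000000u, &v) == PE_BAD_EXPORT_RVA;
    int ok  = check_sample(0x2000u, &v) == PE_OK && v == 0x11223344;
    return (bad && ok) ? 0 : 1;
}
```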