Hi guys below is my problem
Hi if you run the TLS programm in olly with Windows7 as OS,i can only see the call by ntdll.dll where the address ranges are from 7****** and not able to find tls callback address.
I already choose the system entry point as a debugger option in olly
i found the address in CFF and IDA as 0X400010.but why there is a difference in olly.can anyone help here
below is some snippet of CODE
77AB0542 . 8975 FC MOV DWORD PTR [EBP-4],ESI
77AB0545 . EB 0E JMP SHORT ntdll.77AB0555
77AB0547 . 33C0 XOR EAX,EAX
77AB0549 . 40 INC EAX
77AB054A . C3 RET
77AB054B . 8B65 E8 MOV ESP,DWORD PTR [EBP-18]
77AB054E . C745 FC FEFFF>MOV DWORD PTR [EBP-4],-2
77AB0555 > E8 DF22FBFF CALL ntdll.77A62839
77AB055A . C3 RET
77AB055B 90 NOP
77AB055C 90 NOP
77AB055D 90 NOP
77AB055E 90 NOP
77AB055F 90 NOP
77AB0560 /$ 8BFF MOV EDI,EDI
77AB0562 |. 55 PUSH EBP
77AB0563 |. 8BEC MOV EBP,ESP
77AB0565 |. 83EC 10 SUB ESP,10
77AB0568 |. 803D EC02FE7F>CMP BYTE PTR [7FFE02EC],0
77AB056F |. 74 11 JE SHORT ntdll.77AB0582
77AB0571 |. 8B45 0C MOV EAX,DWORD PTR [EBP+C]
77AB0574 |. 8160 68 FFFEF>AND DWORD PTR [EAX+68],FDFFFEFF
below is a screenshot
Hi if you run the TLS programm in olly with Windows7 as OS,i can only see the call by ntdll.dll where the address ranges are from 7****** and not able to find tls callback address.
I already choose the system entry point as a debugger option in olly
i found the address in CFF and IDA as 0X400010.but why there is a difference in olly.can anyone help here
below is some snippet of CODE
77AB0542 . 8975 FC MOV DWORD PTR [EBP-4],ESI
77AB0545 . EB 0E JMP SHORT ntdll.77AB0555
77AB0547 . 33C0 XOR EAX,EAX
77AB0549 . 40 INC EAX
77AB054A . C3 RET
77AB054B . 8B65 E8 MOV ESP,DWORD PTR [EBP-18]
77AB054E . C745 FC FEFFF>MOV DWORD PTR [EBP-4],-2
77AB0555 > E8 DF22FBFF CALL ntdll.77A62839
77AB055A . C3 RET
77AB055B 90 NOP
77AB055C 90 NOP
77AB055D 90 NOP
77AB055E 90 NOP
77AB055F 90 NOP
77AB0560 /$ 8BFF MOV EDI,EDI
77AB0562 |. 55 PUSH EBP
77AB0563 |. 8BEC MOV EBP,ESP
77AB0565 |. 83EC 10 SUB ESP,10
77AB0568 |. 803D EC02FE7F>CMP BYTE PTR [7FFE02EC],0
77AB056F |. 74 11 JE SHORT ntdll.77AB0582
77AB0571 |. 8B45 0C MOV EAX,DWORD PTR [EBP+C]
77AB0574 |. 8160 68 FFFEF>AND DWORD PTR [EAX+68],FDFFFEFF
below is a screenshot
Attachments
tls.jpg (729.47 KiB) Viewed 226 times