2

alt text

What does this mean in the 2nd column?

==
|
|
|
|
==
wamp
  • Did you change any code in runtime? Try pressing `Control-A` to force OllyDbg to reanalyze the code and identify the arguments correctly to the API calls. – jyz Oct 09 '10 at 16:38
  • Also I copied some of the hexcode from your program into a hex editor, and it seems that this is not **code**... seems to be data. Are you sure this is part of an executable file? – jyz Oct 09 '10 at 22:54

2 Answers

1

If you mean the bracket from 0x00401038 to 0x00401042, then it's most probably some wrongly analyzed code. Normally, those brackets specify where individual functions start (at the $ sign) and end (where the bracket ends); however, this is not 100% reliable, as your screenshot proves.

Etan
1

The bracket denotes a subroutine (a.k.a. function or procedure). The dollar sign indicates that OllyDbg has actually found a call reference to the address 0x401038.

The weird thing in that subroutine is that the MessageBoxA function is expecting four arguments but only one seems to be being passed in it. It's possible that the code has been obfuscated in some way. At least the code above the subroutine doesn't seem to be compiler-generated, as it contains some senseless instructions.

Smi
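The argument-count check mentioned in the second answer can be scripted; the following is an added example, not part of the original question or answers. It assumes 32-bit x86 code that pushes each stdcall argument on the stack directly before the call, decodes only a handful of opcodes, and uses constructed byte strings and hypothetical function names.

```python
# Added example: the sample bytes are constructed, not taken from the screenshot.
MESSAGEBOXA_ARGS = 4  # hWnd, lpText, lpCaption, uType

# push 0 / push 0x403000 / push 0x403010 / push 0 / call dword ptr [0x402000]
WELL_FORMED = bytes.fromhex("6a00" "6800304000" "6810304000" "6a00" "ff1500204000")
# push 0 / call dword ptr [0x402000]
ONE_PUSH = bytes.fromhex("6a00" "ff1500204000")
# Plain data: the ASCII string "Hello" with its terminator
DATA = b"Hello\x00"


def pushes_before_call(code):
    """Count consecutive PUSH instructions directly before the first CALL.

    Decodes only push imm8/imm32/reg and call rel32 / call [abs32].
    Any other byte resets the count and is skipped, so the result is a
    hint for the analyst, not a full disassembly.
    Returns None when no CALL is decoded.
    """
    i = 0
    pushes = 0
    while i < len(code):
        op = code[i]
        if op == 0x6A:                      # push imm8
            pushes, i = pushes + 1, i + 2
        elif op == 0x68:                    # push imm32
            pushes, i = pushes + 1, i + 5
        elif 0x50 <= op <= 0x57:            # push eax..edi
            pushes, i = pushes + 1, i + 1
        elif op == 0xE8:                    # call rel32
            return pushes
        elif op == 0xFF and code[i + 1:i + 2] == b"\x15":  # call [abs32]
            return pushes
        else:                               # not part of the argument setup
            pushes, i = 0, i + 1
    return None


def assess(code, expected=MESSAGEBOXA_ARGS):
    """Compare the pushes found with the argument count the API expects."""
    found = pushes_before_call(code)
    if found is None:
        return "no call decoded (bytes may be data)"
    if found == expected:
        return "argument count matches"
    return f"{found} of {expected} arguments pushed (check the analysis)"


if __name__ == "__main__":
    for name, blob in (("well-formed", WELL_FORMED), ("one push", ONE_PUSH), ("data", DATA)):
        print(f"{name}: {assess(blob)}")
```

A mismatch only flags the call site for a closer look, since a compiler may also place arguments with `mov` into stack slots instead of `push`.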