
I have the typical AV error message from a customer, and the map file from the same build as the customer is using. I must be doing something wrong, because I just cannot find that address. The error message is:

Access violation at address 5053B2B2 in module 'ZZZZ.exe'. Read of address FFFFFFC4.

The image base used (in FinalBuilder) is $5053FFEF. The UPX exe compressor is also used, but that should not matter, I guess.

The top of the map file looks like this (start, length, name, class):

0001:50531000 05413280H .text                   CODE
0002:55945000 0002EADCH .itext                  ICODE
0003:55974000 0011A744H .data                   DATA
0004:55A8F000 000B41A0H .bss                    BSS
0005:00000000 00000154H .tls                    TLS
0006:50530000 00000000H .pdata                  PDATA

I have read that I should take into account a code offset that is usually $1000. Is 50531000 from the map file above the calculated address then?

Then the calculation would be 5053B2B2 minus 50531000 = A2B2. I cannot find anything relevant in the map file for that. Any tips?

AmigoJack
LandShark
  • Recompile your application with MadExcept or Eurekalog (to name but 2). They will tell you which line of source code (procedure name) caused the AV. – Freddie Bell Apr 25 '23 at 05:46
  • Thanks, I have tried both of them on other occasions, but would really like to learn how to use separate map-files like this. – LandShark Apr 25 '23 at 07:01
  • You can also use JEDI to work with mapfiles: https://blog.dummzeuch.de/2014/03/08/using-jcldebug/ – Delphi Coder Apr 25 '23 at 08:52
  • Yes, on your link it says "Once you put a map file into the same directory as the executable, your call stack will contain the names of the methods rather than just the addresses." Uploading the map-file only when needed... That is something I might look into in the future. Suits me, thanks. Would still really like to use what I have now. The address of an AV and a map-file. – LandShark Apr 25 '23 at 13:05
  • @LandShark the AV gives you an absolute memory address within the running process. You can iterate the process's loaded modules looking for the closest module whose base address does not exceed the AV's address, then subtract that base address from the AV address to get a relative offset within that module. If the module is the EXE then look in the map file for the function whose offset is closest to but doesn't exceed the calculated offset. You likely won't find an *exact* match since the code likely crashed *in the middle* of a function, but you will know the function and the offset inside it – Remy Lebeau Apr 25 '23 at 22:16
  • @LandShark but, you are using an EXE compressor, so that may throw off the offsets when compared to the map file, which is generated before the EXE is compressed. – Remy Lebeau Apr 25 '23 at 22:19
  • You are right, Remy, the UPX exe compressor is a problem. I made a sample application using JclDebug with an external map-file. It worked fine until I compressed the exe. One would think that if the information in the map-file is inserted into the exe before compression, then it would work? – LandShark Apr 27 '23 at 14:08
  • I just checked. When the map-file info is embedded in the exe using MakeJclDbg, the UPX compressor still makes it unusable. JclDebug is not recognising the info, and will not start tracking. – LandShark Apr 28 '23 at 09:08
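
The lookup described in the comments above (subtract the base, then take the closest symbol that does not exceed the offset), as an added Python example that is not part of the original thread. The `.text` and `.itext` lines are the ones from the question; the public symbols, their offsets and the `load_delta` parameter are constructed for illustration, and the code assumes that "Publics by Value" offsets are relative to the start of their segment.

```python
import bisect
import re

# Constructed sample map: the two segment lines come from the question,
# the public symbols and their offsets are invented for the demonstration.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:50531000 05413280H .text                   CODE
 0002:55945000 0002EADCH .itext                  ICODE

  Address             Publics by Value

 0001:00009F40       System.@HandleFinally
 0001:0000A1F0       Unit1.TForm1.Button1Click
 0001:0000A300       Unit1.TForm1.FormCreate
 0002:00000010       Unit1.Unit1
"""

SEG_RE = re.compile(r"^\s*([0-9A-F]{4}):([0-9A-F]{8})\s+([0-9A-F]{8})H\s+(\S+)\s+\S+\s*$")
PUB_RE = re.compile(r"^\s*([0-9A-F]{4}):([0-9A-F]{8})\s+(\S.*?)\s*$")

def parse_map(text):
    """Return ({seg: (start, length, name)}, {seg: [(offset, symbol)]})."""
    segments, publics, in_value = {}, {}, False
    for line in text.splitlines():
        if "Publics by" in line or line.startswith("Line numbers"):
            in_value = "Publics by Value" in line  # only this section is used
            continue
        seg = SEG_RE.match(line)
        pub = PUB_RE.match(line)
        if seg and not in_value:
            segments[seg[1]] = (int(seg[2], 16), int(seg[3], 16), seg[4])
        elif pub and in_value:
            # Assumption: the offset is relative to the segment's start address.
            publics.setdefault(pub[1], []).append((int(pub[2], 16), pub[3]))
    return segments, publics

def resolve(av_addr, segments, publics, load_delta=0):
    """Map a crash address to (segment, offset, symbol, bytes into symbol)."""
    addr = av_addr - load_delta  # actual load base minus the base in the map
    for seg, (start, length, name) in segments.items():
        if start <= addr < start + length:
            off = addr - start
            entries = sorted(publics.get(seg, []))
            # Last symbol whose offset does not exceed the crash offset.
            i = bisect.bisect_right(entries, (off, "\uffff")) - 1
            if i < 0:
                return name, off, None, None
            return name, off, entries[i][1], off - entries[i][0]
    return None  # address is outside every segment listed in this map
```

With the question's address, `resolve(0x5053B2B2, *parse_map(SAMPLE_MAP))` lands at offset A2B2 in `.text`; which symbol that is in the real build depends on the real map file's publics, not on the constructed ones here.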

0 Answers