Returning from a function call???


homunculus
February 4th, 2003, 06:21
Hello,

Is there a way, once I have mistakenly followed the code inside a library call, to jump to the line of code just after the return from such a function call?

H.

TBD
February 4th, 2003, 06:30
homunculus: ALT+F9 if you enter Win32 API calls, or you can use -/+ to navigate through OD history.

homunculus
February 4th, 2003, 06:40
I remember a menu item somewhere ...

H.

blabberer
February 5th, 2003, 03:18
If I understand you correctly, you press F7 on any API call, like GetModuleHandleA, and you end up in the library and have to trace through it to return to the next line of code in the app.

If that is the case, once you mistakenly go inside, press - (minus sign) to return to the original instruction, then navigate to the next line with the down arrow, set a breakpoint there and press F9. You return to the next line without tracing through the library call.

By the way, you can also play with Set condition on run trace (the EIP option) and use Ctrl+F12 to achieve the same result.

homunculus
February 5th, 2003, 05:17
oh me anon, would you say something more on playing with set conditions on run trace? How would you obtain the same result?

H.

blabberer
February 5th, 2003, 05:50
homunculus: well, when you are using a debugger you have to try something for yourself too.

Anyway, here is how you can do it:

00401000 > $ 6A 00          PUSH 0                          ; /pModule = NULL
00401002 . E8 DF010000      CALL 004011E6                   ; \GetModuleHandleA   <- F7 here
00401007 . A3 A0314000      MOV DWORD PTR DS:[4031A0], EAX  ;                      <- come here

and you end up here:

004011E6   FF25 14204000    JMP NEAR DWORD PTR DS:[402014]  ; KERNEL32.GetModuleHandleA

Now click Debug or use CTRL+T:
- check the "EIP is in range" checkbox
- enter 401005 in the "from" edit box
- enter 401010 in the "to" edit box (don't ask me where the "from" or "to" edit boxes are; I have named them so)
- press OK
- press CTRL+F12

The debugger stops at 401007 with the message:
conditional pause: EIP in range 401005...401010

This debugger is a great tool; devote some time and learn the intricacies of it.
It will be very, very useful. Just shooting out questions won't help (don't misunderstand me, I say this as a matter of fact).

blabberer
February 5th, 2003, 06:23
Sorry, I hate to post consecutive mails, but I had to do this.
All the above described jugglery I did in OllyDbg 1.06, which did not have the Alt+F9 hotkey. As TBD rightly pointed out, pressing Alt+F9 in 1.08 does the job of returning you to user code when you are in a library call.

For TBD:

If you have SEH in the application and you pass the exception with Shift+F7 and then press Alt+F9, it should stop at the user code at the SEH handler, shouldn't it? It doesn't seem to; it returns to the result of the SEH. Any ideas why?

TBD
February 5th, 2003, 06:54
oh me anon: I didn't fully understand how SEH works. Usually I ALT+F9 to bypass the exception if the SEH handler treats the exception.

Mental note: study SEH.

homunculus
February 5th, 2003, 07:43
oh me anon, you are right, but apart from learning to use the debugger's features, what I sometimes feel is missing is a general knowledge of how things work behind the curtain ... and I'm talking of things such as the PE format, the IAT, and so on.
But I do dedicate time to it ... and a lot, in fact :-)

H.

homunculus
February 5th, 2003, 07:48
Sorry guys, but does someone know if Alt+F7, Alt+F8 and Alt+F9 are equivalent in passing the exception on?

H.

Anonymous
February 6th, 2003, 07:18
Normally I just use "pass on exception to program" and see what happens. However, if the exception seems to do something interesting (e.g. carrying on execution of the main flow of the program), I then search the stack for the last SEH handler (which OllyDbg nicely marks for us), put a breakpoint there and then execute the "pass on exception to program" function, which lands nicely on the first opcode of the exception handler.
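
The two manual tricks in this thread (blabberer's "break on the instruction after the CALL" and Norm's "find the SEH handler on the stack and break there") both come down to reading one dword off the stack. The script below is an added example, not code from the original posts or from OllyDbg: it uses the three instructions blabberer quoted (the CALL at 00401002 to the IAT thunk at 004011E6, returning to 00401007) and otherwise works on a constructed, hypothetical 32-bit memory snapshot (the ESP value, the FS:[0] value and both handler addresses are made up for the example). It shows that on the first instruction of the callee [ESP] already holds the address you want to breakpoint, and that the SEH chain is a linked list of {next, handler} records from FS:[0] terminated by 0xFFFFFFFF, so the handler addresses to breakpoint before passing the exception can be read straight from it.

```python
import struct

# Addresses quoted in the thread (OllyDbg listing of the target's entry point).
CALL_ADDR = 0x00401002       # E8 DF 01 00 00  CALL 004011E6
CALL_REL32 = 0x000001DF
THUNK_ADDR = 0x004011E6      # FF25 14204000   JMP DWORD PTR DS:[402014] (GetModuleHandleA)

# Hypothetical values, constructed for this example only.
ESP_AT_THUNK = 0x0012FF80    # ESP right after F7 on the CALL
SEH_HEAD = 0x0012FF70        # what FS:[0] points at for this thread
APP_HANDLER = 0x00401130     # handler inside the program (hypothetical)
DEFAULT_HANDLER = 0x77E77E18 # end-of-chain system handler (hypothetical)
END_OF_CHAIN = 0xFFFFFFFF


def build_snapshot():
    """Byte image (little-endian) of the few stack dwords this example needs."""
    mem = {}

    def put_u32(addr, val):
        for i, b in enumerate(struct.pack("<I", val)):
            mem[addr + i] = b

    put_u32(ESP_AT_THUNK, CALL_ADDR + 5)      # return address pushed by CALL
    put_u32(SEH_HEAD, 0x0012FFE0)            # record.next
    put_u32(SEH_HEAD + 4, APP_HANDLER)       # record.handler
    put_u32(0x0012FFE0, END_OF_CHAIN)        # last record: next = -1
    put_u32(0x0012FFE0 + 4, DEFAULT_HANDLER)
    return mem


def read_u32(mem, addr):
    try:
        return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]
    except KeyError:
        raise ValueError(f"unreadable address {addr:#010x}")


def next_instruction_after_call(call_addr, rel32):
    """E8 rel32 is 5 bytes: the return address is call_addr + 5 and the target
    is that address plus the sign-extended displacement."""
    ret = call_addr + 5
    if rel32 & 0x80000000:
        rel32 -= 1 << 32
    return ret, (ret + rel32) & 0xFFFFFFFF


def return_address(mem, esp):
    """On the callee's first instruction (the IAT thunk after F7), [ESP] is the
    caller's next instruction: set a breakpoint there and F9 (what Alt+F9 does)."""
    return read_u32(mem, esp)


def walk_seh_chain(mem, head, max_records=64):
    """Follow EXCEPTION_REGISTRATION records from FS:[0]. Each is {next, handler};
    next == 0xFFFFFFFF ends the chain. Returns [(record_addr, handler)] in
    dispatch order (the head record's handler runs first)."""
    chain, seen, rec = [], set(), head
    while rec != END_OF_CHAIN:
        if rec in seen or len(chain) >= max_records:
            raise ValueError(f"SEH chain loops or is too long at {rec:#010x}")
        seen.add(rec)
        nxt, handler = read_u32(mem, rec), read_u32(mem, rec + 4)
        chain.append((rec, handler))
        rec = nxt
    return chain


def handler_breakpoints(mem, head):
    """Addresses to breakpoint before passing the exception on (Shift+F7/F8/F9)."""
    return [handler for _, handler in walk_seh_chain(mem, head)]


if __name__ == "__main__":
    mem = build_snapshot()
    ret, target = next_instruction_after_call(CALL_ADDR, CALL_REL32)
    print(f"CALL at {CALL_ADDR:#010x} -> {target:#010x}, returns to {ret:#010x}")
    print(f"[ESP] inside the thunk = {return_address(mem, ESP_AT_THUNK):#010x}")
    for rec, handler in walk_seh_chain(mem, SEH_HEAD):
        print(f"SEH record {rec:#010x}: handler {handler:#010x}")
```

The loop guard in walk_seh_chain matters in practice: a corrupted or deliberately looped chain is exactly the kind of thing packers leave behind, and a walker without it never terminates.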

Norm
February 6th, 2003, 07:19
Forgot to sign the above post. Sorry.

TBD: Can you please disable anonymous posts so I stop doing this? It's too easy to click "Post message" and forget to type in the login name. Sometimes the login name is there, sometimes it's not.

TBD
February 7th, 2003, 07:19
Norm: I also sometimes post as anonymous.

I always loved message boards that have anonymous posts: if I have a question, I post, wait for an answer and disappear into web darkness.

So the solution is to look every time, before "Post a message", whether you have a "Logged as:" or you have your name in the login box. So don't be lazy.