http://bugs.winehq.org/show_bug.cgi?id=7635
------- Additional Comments From focht@gmx.net 2007-25-04 11:58 -------
Hello,
this is due to the technical nature of Wine.
Basically the debugger can't read/disassemble the memory location of the current EIP. Remember: Wine is a different beast, not a "pure" Windows PE user process environment. The suspended thread's EIP is very likely in ELF/thunk/syscall area - this address space is usually not seen by a Windows usermode debugger (using process APIs, mapped views/virtual queries).
Single step/over (F7/F8), look at EIP and you will notice it changes. The 0x8000004 exceptions in console each time you step are the debugger's single step event/exception.
Open "memory" window and compare EIP range. If you see EIP pointing to an area not being mapped as memory range, it's probably executing in ELF/thunk/syscall area.
It happens in various situations, for instance if you instruct the debugger to "break on new modules" event. It will always stop in ELF code.
Resolution:
1) single /step/over/run until return/ to get the EIP into mapped range. The disassembly will appear again and all is fine.
2) open the "executable modules" window and click any PE module - it will show disassembly again (though EIP remains in ELF code).
3) put breakpoints on imports that will be executed first (after debuggee was paused due to dll loader event)
It's nasty, I know ...
Though I retired from the ollydbg/win32asm/RCE community a long time ago, I will of course help/explain any issues regarding this fine piece of software :)
Regards
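
Added example, not part of the original comment: the "compare EIP against the memory ranges" check described above, done from the Linux side by looking up an EIP value in text in `/proc/<pid>/maps` format. The sample map, its paths and addresses are constructed, and classifying a mapping by its backing file name is an assumption of this sketch.

```python
import re

# Constructed sample in /proc/<pid>/maps format (not taken from a real process).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1311 /home/user/.wine/drive_c/app/target.exe
60000000-6001c000 r-xp 00000000 08:01 2201 /usr/lib/wine/kernel32.dll.so
7bc00000-7bc9e000 r-xp 00000000 08:01 2207 /usr/lib/wine/ntdll.dll.so
b7d00000-b7e2a000 r-xp 00000000 08:01 901 /lib/libc-2.5.so
b7f00000-b7f01000 rw-p 00000000 00:00 0
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
"""

# start-end perms offset dev inode [pathname]
LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text):
    """Return a list of (start, end, perms, path) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16),
                        m.group(3), m.group(4).strip()))
    return out

def classify(path):
    """Heuristic (assumption): judge a mapping by its backing file name."""
    name = path.lower()
    if name in ("[vdso]", "[vsyscall]"):
        return "kernel syscall page"
    if name.endswith(".so") or ".so." in name:
        return "ELF shared object"
    if name.endswith((".exe", ".dll")):
        return "PE image file"
    return "anonymous/other"

def locate(eip, mappings):
    """Return (kind, path, perms) for the mapping holding eip, or 'unmapped'."""
    for start, end, perms, path in mappings:
        if start <= eip < end:  # the end address is exclusive
            return classify(path), path, perms
    return "unmapped", "", ""

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for eip in (0x00401000, 0x7BC12345, 0xFFFFE400, 0x10000000):
        print(hex(eip), locate(eip, maps))
```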