Thread: comments (once again)

  1. #1
    JSch
    Guest

    comments (once again)

    Hello folks,

    at the moment I'm a little bit disappointed about ollydbg since for the third time I lost almost all comments.

    I'm working on a self-extracting application which needs to be started (F9) within Ollydbg to extract all the interesting routines into memory. I then interrupt the program execution (F12) to do my analyses.

    All comments I made to the extracting routines (directly loaded by Ollydbg) are present. All comments regarding the extracted routines (which appear during run-time) are gone.
    Trying to attach the udd-file manually (executable modules -> update .udd-file now) failed, since the extracted code isn't listed as an executable module.

    I then tried a plugin named Labelmaster which, unfortunately, saves 0-Byte files now and then. No backup-files being generated, my comments are gone once again.

    Is somebody familiar with this problem and can give some hint?

    Thank you all for your help,

    JSch
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Super Moderator (Join Date: Dec 2004, Posts: 1,481, Blog Entries: 15)

    if the routines are in runtime memory allocations (memory allocated by VirtualAlloc and its friends)
    ollydbg does not save those comments (for ollydbg to save labels and comments it needs an analysed module)

    also there is a possibility that the runtime memory is different every time
    so the address doesn't match so ollydbg may be unable to name them back

    if this memory is the same every time then you can try the AnalyzeThis plugin by Joe Stewart and ask it to analyze the memory space

    and then try commenting (ollydbg saves udd files for unknown memory maps as mainmodule_1.udd etc)

    and then reload

    if that application is shareable (non commercial or your own or malware or crackme) get me a link so that i can see if i can do something about saving the comments

  3. #3
    JSch
    Guest
    Hallo blabberer,

    thank you for your quick reply. In the meantime I tried the AnalyzeThis plugin as you suggested. Unfortunately it doesn't work even though the program code resides at the same memory address every time.

    By chance I came across a plugin called LCB which is supposed to be outranging Labelmaster. As was to be expected, it doesn't work so well: when trying to save some comments an error popped up:

    Die Anweisung in "0x02d2831e" verweist auf Speicher in "0x00000000" ...
    "unknown software exception" (0xc0000027) ist an der Stelle 0x7c80e0b9 aufgetreten...
    (sorry just german; I don't know what the english version would say...)

    Anybody familiar with this?

    Thank you very much,

    JSch

  4. #4
    Super Moderator
    oops i missed your reply it seems

    anyway LCB still uses Plugingetvalue(VAL_CPUDASM)
    and Findmodule();

    which won't reliably get the comments of places that aren't in the module

    analysethis didn't work means it erred with a message box saying the address is not in any known module ??

    or it analysed properly but the udd didn't contain your comments ??

    can you make ollydbg display a list of comments you added by doing

    right click -> search for user defined comment ?

    if yes then you can right click and save those comments to some txt file and
    run a simple restorer

    Insertname(address, NM_COMMENT, comment);

  5. #5
    JSch
    Guest
    Quote: "LCB still uses Plugingetvalue(VAL_CPUDASM) and Findmodule()"
    Are there better functions to extract comments? Maybe on a rainy Sunday I'll try to add a backup function to the plugin...

    Quote: "analysethis didnt work means it erred with a message box saying ..."
    "Adress 0x...... does not have any modul associated with it".

    Quote: "if yes then you can right click and save that comments to some txt file"
    Nice hint. I've already seen the 'search comment' command but didn't catch the 'save to clipboard' option. Thank you.

  6. #6
    Super Moderator
    well ollydbg api agnostic ways can get proper results

    in your case use VirtualQuery() and _MEMORY_BASIC_INFORMATION
    use the page's limits to walk the NAMES with ollydbg's Findname() Findnextname() (you would need to provide a wrapper to limit the search's address space) this ollydbg api searches the global address space

    kinda tedious if you have say more than 10 20 pages of non module address space

    also if you search the board you can find a post by me which enumerates how to leech off comment in non module space and make a map
    and use MAPconvertor plugin to replace labels
    to read about the linker map file format look for Matt Pietrek's article on msdn under the hood

    or look for pistis debug something helper
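
An added example, not part of the thread and not code from any of the plugins named in it: the "simple restorer" from post #4, combined with the address-range wrapper from post #6 and the moving-allocation problem from post #2. It reads a saved comment list, keeps only the lines that fall inside one allocation, and re-applies them at the same offset from the allocation's current base. Assumptions: the saved list has been reduced to `ADDRESS comment` lines, the callback has the shape of OllyDbg 1.x `Insertname` (a plugin would pass `Insertname` and `NM_COMMENT`), and the sample addresses and comments are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as Insertname(addr, type, name); assumed to return 0 on success. */
typedef int (*insert_fn)(unsigned long addr, int type, char *text);
/* Parse "AAAAAAAA<ws>comment" (8 hex digits, assumed layout); 1 on success. */
static int parse_line(const char *line, unsigned long *addr, char *text, size_t cap) {
    char *end;
    *addr = strtoul(line, &end, 16);
    if (end - line != 8) return 0;            /* header or malformed line */
    end += strspn(end, " \t");
    size_t n = strcspn(end, "\r\n");
    if (n == 0 || n >= cap) return 0;         /* empty or oversized comment */
    snprintf(text, cap, "%.*s", (int)n, end);
    return 1;
}

/* Re-apply comments from [old_base, old_base + size) at the same offset from new_base. */
int restore_comments(const char *dump, unsigned long old_base, unsigned long size,
                     unsigned long new_base, int type, insert_fn insert) {
    char text[256];
    unsigned long addr;
    int restored = 0;
    for (; *dump; dump += (*dump == '\n')) {  /* step past each newline */
        if (parse_line(dump, &addr, text, sizeof text) &&
            addr >= old_base && addr - old_base < size &&
            insert(new_base + (addr - old_base), type, text) == 0)
            restored++;
        dump += strcspn(dump, "\n");
    }
    return restored;
}

/* Constructed sample: header, two comments in the region, one outside it. */
static const char SAMPLE[] =
    "Address  Comment\n"
    "003A0010 decrypt loop start\n"
    "003A0FFC jump to OEP\n"
    "00401000 loader stub\n";
static unsigned long last_addr;               /* set by the demo callback */
static int record_insert(unsigned long addr, int type, char *text) {
    last_addr = addr;
    return 0;
}

int main(void) {
    int n = restore_comments(SAMPLE, 0x3A0000UL, 0x1000UL, 0x520000UL, 0, record_insert);
    return printf("restored %d, last at %08lX\n", n, last_addr) < 0;
}
```

Inside a plugin, `old_base` and `size` would come from the region recorded when the comments were saved, and `new_base` from the `VirtualQuery()` result for the current run.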
