
Thread: Tracing Over System Calls In OllyDbg

  1. #16, Super Moderator (joined Dec 2004; 1,487 posts; 15 blog entries)
    OK, I tested this a bit and it seems to comply for me. Anyone else who wants to test and complain is welcome to do so here.

    Here is the source for the plugin. I compiled and linked it with BCC 5.5.

    Code:
    #include <windows.h>
    #include <string.h>      /* strcpy() */
    #include "plugin.h"      /* OllyDbg 1.10 plugin SDK: t_dump, t_table, t_ref, Findallsequences(), ... */

    /* The four addresses below point into the OllyDbg.exe image itself (a non-exported
       routine, two buffers and an existing string).  They are not part of the plugin API
       and are only valid for the exact OllyDbg 1.10 build this plugin was written against;
       any other build will crash or misbehave. */
    typedef VOID (__cdecl *SOMEROUTINE)(int bufferone, int buffertwo, int a, int b, int c);
    #define BufferOne   0x4DED08
    #define BufferTwo   0x4DFD08     /* handed to Findallsequences() as the sequence model */
    #define FoundSeq    0x4b486a     /* string inside OllyDbg.exe, used as the results window title */
    #define XPOS        0x200
    #define YPOS        0x200

    HINSTANCE   hinst;
    HWND        hwmain;
    SOMEROUTINE someroutine = (SOMEROUTINE)0x443e64;   /* undocumented internal routine */

    /* Borland (BCC 5.5) DLL entry point. */
    #pragma argsused
    BOOL WINAPI DllEntryPoint(HINSTANCE hi, DWORD reason, LPVOID reserved) {
        if (reason == DLL_PROCESS_ATTACH)
            hinst = hi;
        return 1;
    }

    /* Mandatory export: plugin name and the SDK version it was built against. */
    extc int _export cdecl ODBG_Plugindata(char shortname[32]) {
        strcpy(shortname, "SkipSequencesInRunTrace");
        return PLUGIN_VERSION;
    }

    /* Called once at startup; refuse to load into an OllyDbg older than the SDK. */
    #pragma argsused
    extc int _export cdecl ODBG_Plugininit(int ollydbgversion, HWND hw, ulong *features) {
        if (ollydbgversion < PLUGIN_VERSION)
            return -1;
        hwmain = hw;
        Addtolist(0, 0, "SkipSequencesInRunTrace Plugin");
        Addtolist(0, -1, "  As Usual Dedicated To Oleh Yuschuk");
        return 0;
    }

    /* Adds two entries to the Plugins menu: action 0 = run, action 1 = About. */
    #pragma argsused
    extc int _export cdecl ODBG_Pluginmenu(int origin, char data[4096], void *item) {
        switch (origin) {
            case PM_MAIN:
                strcpy(data, "0 &SkipSequencesInRunTrace|1 &About");
                return 1;
            default:
                break;
        }
        return 0;
    }

    #pragma argsused
    extc void _export cdecl ODBG_Pluginaction(int origin, int action, void *item) {
        t_dump  *foo;
        t_table *valref;
        t_ref   *data;
        int      noofitems, i;

        if (origin == PM_MAIN) {
            switch (action) {
                case 0:
                    /* CPU disassembler window; foo->sel0 is the start of the current selection. */
                    foo = (t_dump *)Plugingetvalue(VAL_CPUDASM);
                    if (foo == NULL)
                        break;
                    /* Undocumented call: BufferTwo is used as the sequence model right after it. */
                    someroutine(BufferOne, BufferTwo, 1, XPOS, YPOS);
                    /* Search for the sequence starting at the selection; every hit is
                       listed in the References window. */
                    Findallsequences(foo, (t_extmodel (*)[8])BufferTwo, foo->sel0, (char *)FoundSeq);
                    /* Walk the References table and mark each hit [addr, addr+size) as
                       "skip in run trace". */
                    valref = (t_table *)Plugingetvalue(VAL_REFERENCES);
                    if (valref == NULL)
                        break;
                    noofitems = valref->data.n;
                    data = (t_ref *)valref->data.data;
                    for (i = 0; i < noofitems; i++) {
                        if (data->type == TY_REFERENCE)
                            Modifyhittrace(data->addr, data->addr + data->size, ATR_RTSKIP);
                        data++;
                    }
                    break;

                case 1:
                    MessageBox(hwmain,
                        "SkipSequencesInRunTrace\n"
                        "Copyright (C) From Genesis to Eternity Blabberer",
                        "SkipSequencesInRunTrace", MB_OK | MB_ICONINFORMATION);
                    break;

                default:
                    break;
            }
        }
    }
    Also attaching the project here.

  2. #17, Kayaker, Teach, Not Flame (joined Oct 2000; 4,085 posts; 5 blog entries)
    Thanks, I understand the behaviour now. Though I don't really understand why the first instruction in the sequence is skipped, er, not skipped, er, skipped from being skipped. You know what I mean...

    If I try to skip the first 3 instructions, entering the sequence as written:

    01006440 PUSH EBX
    01006441 PUSH ESI
    01006442 PUSH EDI
    01006443 MOV DWORD PTR SS:[EBP-18],ESP

    The runtrace skips the 2nd and 3rd instructions but not the 1st:

    01006440 PUSH EBX
    01006443 MOV DWORD PTR SS:[EBP-18],ESP


    Oh well, maybe that's a useful behaviour since it "marks" where the skipped sequence begins. Fair enough.

    Nice plugin magic as usual btw. Copyright (C) From Genesis to Eternity
