Page 2 of 3 (results 16 to 30 of 31)

Thread: Opaque arguments

  1. #16
    ant
    Guest
    Code:
    try to debug your program at the source code level in which you can see the
    Assembly instructions in parallel with the C/C++ instructions...
    Right now I am using OllyDbg.
    So, please let me know how to do it with OllyDbg, where one can "see the Assembly instructions in parallel with the C/C++". I mean the configuration part of Olly?

    OR
    ...I can begin with IDA Free 4.9 freeware... or
    ...maybe start with the IDA Pro 5.2 evaluation version.

    Seeking your advice!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #17
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    naides …comments..
    Code:
    Jackall is looking for the code he wrote, and he is
    not finding it because he is looking in the wrong place.
    I had to open the executable in IDA Pro and, as you have pointed out, it's all right there. And you have clearly commented all the proceedings here.

    Code:
                    mov      [ebp+var_8], 3       ; i = 3
    .text:004012E2  mov eax, [ebp+var_8]          ; now i gets moved to eax
    .text:004012E5  mov [esp+18h+var_18], eax     ; now eax gets loaded into
                                        ; the stack, there is no push of a parameter
    
    .text:004012E8  call sub_401290      ; call test (i) 
    .text:004012ED  mov [ebp+var_4], eax ; the answer returned in eax is stored in j
    .text:004012F0  cmp [ebp+var_4], 1   ; is j== true?
    
    .text:004012FD  mov [esp+18h+var_18], offset aValueOfJD    ; "value of j=%d"
    .text:00401304  call   printf
    It took me a little time to distinguish it... though I haven't yet been able to understand it fully.
    What does the comment "there is no push of a parameter" mean?

    however...
    Thank you for taking the time to comment all relevant lines of code, without which those codes would have remained intimidating to me as usual.

    Allow me also to thank... Admiral, Kayaker, Polaris, tHE mUTABLE... and of course Woodmann for their contributions and encouragement.

    Regards…

  3. #18
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Here is a little rant I had about The stack dynamics
    http://71.6.196.237/forum/showthread.php?t=5849&highlight=good+mood

    Also look at the calling conventions blog by Nynaeve
    http://71.6.196.237/forum/search.php?searchid=451507

    What I meant with my comment "there is no push of a parameter" is that usually, before a function is called, test(i), the value of i is pushed onto the stack.
    In your code, this is not happening. That is why I suggest you use a more conventional C++ compiler, without optimizations and with more typical function calling conventions.
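Naides's point (a conventional build pushes i right before `call test`, while this build stores it with `mov [esp+...]` into a stack slot the prologue reserved in advance) can be checked mechanically over a listing. The script below is an added example, not code from this thread or from IDA or OllyDbg: it parses IDA- and OllyDbg-style listing lines and reports, for each `call`, whether the arguments were pushed or stored into `[esp+...]` slots, and how many. Both sample listings are constructed; the first copies the instruction lines quoted above, the second is a made-up push-style version of the same two calls with invented addresses. The classification is a heuristic: a register save such as `push ebx` counts as a push too, so the push count is an upper bound on the argument count, and a real tool would resolve it by tracking esp.

```python
import re
from dataclasses import dataclass, field

# One instruction line in IDA or OllyDbg listing format, e.g.
#   .text:004012E5  mov [esp+18h+var_18], eax   ; comment
#   00401167 myFisrtC.main  PUSH EBP
# Lines carrying OllyDbg's analysis/byte columns ("> $ /EB 10 ...") are skipped.
LINE_RE = re.compile(
    r"""^
        (?:[.\w]+:)?                 # optional IDA segment prefix such as '.text:'
        (?:[0-9A-Fa-f]{8}\s+)?       # optional 8-hex-digit address
        (?:\w+\.\w+\s+)?             # optional OllyDbg label such as 'myFisrtC.main'
        ([A-Za-z]+)                  # mnemonic
        \s*(.*?)                     # operands, possibly empty
        \s*(?:;.*)?$                 # optional trailing comment
    """,
    re.VERBOSE,
)


@dataclass
class CallSite:
    target: str
    style: str                 # "push", "stack-slot" or "none"
    arg_count: int
    pushed: list = field(default_factory=list)   # operands of the pushes seen


def parse_listing(text):
    """Return (mnemonic, operands) for every instruction line; other lines are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group(1).lower(), m.group(2).strip()))
    return out


def classify_calls(text):
    """For each call, report how its arguments reached the stack.

    Heuristic: count pushes and distinct [esp+...] stores since the previous
    call (or since the frame setup 'mov ebp, esp').  Prologue register saves
    are pushes too, so the push count is only an upper bound on the arguments.
    """
    calls, pushed, slots = [], [], set()
    for mnem, ops in parse_listing(text):
        if mnem == "push":
            pushed.append(ops)
        elif mnem == "mov" and re.fullmatch(r"ebp\s*,\s*esp", ops, re.I):
            pushed, slots = [], set()            # new frame: forget prologue pushes
        elif mnem == "mov" and ops.lower().startswith("[esp"):
            slots.add(ops.split(",")[0].strip().lower())   # store into a reserved slot
        elif mnem == "call":
            if pushed:
                site = CallSite(ops, "push", len(pushed), list(pushed))
            elif slots:
                site = CallSite(ops, "stack-slot", len(slots))
            else:
                site = CallSite(ops, "none", 0)
            calls.append(site)
            pushed, slots = [], set()
    return calls


def describe(calls):
    """Human-readable one-liner per call site."""
    return [f"{c.target}: {c.arg_count} argument(s) via {c.style}" for c in calls]


# Constructed sample 1: the instruction lines quoted in the thread, where i is
# written into a pre-reserved slot instead of being pushed.
OPTIMIZED = """
.text:004012E2  mov eax, [ebp+var_8]          ; i
.text:004012E5  mov [esp+18h+var_18], eax     ; argument written to the reserved slot
.text:004012E8  call sub_401290               ; test(i)
.text:004012ED  mov [ebp+var_4], eax          ; j = return value
.text:004012FD  mov [esp+18h+var_18], offset aValueOfJD
.text:00401304  call   printf
"""

# Constructed sample 2 (addresses made up): the same two calls as a conventional
# cdecl compiler emits them: arguments pushed, caller cleans the stack afterwards.
CONVENTIONAL = """
00401000 mov eax, [ebp+var_8]
00401003 push eax                ; push i
00401004 call sub_401290         ; test(i)
00401009 add esp, 4
0040100C mov [ebp+var_4], eax
0040100F push [ebp+var_4]        ; push j
00401012 push offset aValueOfJD  ; push format string
00401017 call printf
0040101C add esp, 8
"""

if __name__ == "__main__":
    for name, listing in (("optimized", OPTIMIZED), ("conventional", CONVENTIONAL)):
        print(name)
        for line in describe(classify_calls(listing)):
            print("  " + line)
```

Running it reports `sub_401290: 1 argument(s) via stack-slot` for the quoted listing and `sub_401290: 1 argument(s) via push` for the conventional one, which is exactly the difference the comment "there is no push of a parameter" points at.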

  4. #19
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,508
    Blog Entries
    15
    Reference to bcc and ollydbg: that's my playground.

    Get the bcc 5.5 free command-line tools from Borland (register with maybe penguin, penguin@antartica.com); it's just a sleek 9 MB package, it should be on your desktop in under a minute with today's inet speeds.
    Execute the installer and point it to some root directory, say f:\
    It will put all the contents into f:\borland\bcc55
    Add f:\borland\bcc55\bin to your environment variable: Start -> My Computer -> Properties -> Advanced -> Environment Variables -> Path -> Edit -> append without quotes ";f:\borland\bcc55\bin"

    Go to f:\borland\bcc55\bin and create these two text files:
    bcc32.cfg containing
    Code:
    F:\>type f:\Borland\BCC55\Bin\bcc32.cfg
    -I"F:\borland\bcc55\include"
    -L"F:\borland\bcc55\lib"
    F:\>
    and ilink32.cfg containing
    Code:
    F:\>type f:\Borland\BCC55\Bin\ilink32.cfg
    -L"F:\borland\bcc55\lib"
    F:\>
    You are all set now for compiling your first hello world from any directory.

    Code:
    start -> run -> cmd -> cd /d f:\borland/bcc55
    md MyCrapExps
    edit MyFirstCrapExp.c
    
    Type out your code:
    Code:
    F:\Borland\BCC55\MYCRAP~1>type myFisrtCrapExp.c
    #include <stdio.h>
    
    int test (int h)
    {
            if (h == 3)
            {
                    return 0xDEAD1E55;
            }
            else
            {
                    return 0xDEAD;
            }
    }
    
    
    void main (void)
    
    {
            int j, i = 3;
    
            printf("My First Crap Experiment with bcc 5.5 and ollydbg for Source level Debugging\n");
            j = test(i);
            if(j != 0xDEAD)
            {
                    printf("%0x\n" ,j);
    
            }
    }
    
    F:\Borland\BCC55\MYCRAP~1>
    Compile it with bcc32 -v:

    Code:
    F:\Borland\BCC55\MYCRAP~1>bcc32 -v myFisrtCrapExp.c
    Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
    myFisrtCrapExp.c:
    Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland
    
    F:\Borland\BCC55\MYCRAP~1>
    and fire up ollydbg with
    Code:
    F:\Borland\BCC55\MYCRAP~1> f:\odbg110\OLLYDBG.EXE f:\Borland\BCC55\mycrapexps\myFisrtCrapExp.exe
    If you have the right settings in ollydbg, viz.
    Code:
    options -> debugging options -> events --> make first pause at radio button selection at WinMain (if location is known )
    
    Question:
    what are the other two, and where do they stop?
    ollydbg will automatically go to your main,
    like

    Code:
    00401167 myFisrtC.main            PUSH    EBP
    00401168                          MOV     EBP, ESP
    0040116A                          PUSH    EBX
    0040116B                          MOV     EBX, 3
    00401170                          PUSH    myFisrtC.0040A128                           ; /format = "My First Crap Experiment with bcc 5.5 and ollydbg for Source level Debugging"
    00401175                          CALL    myFisrtC.___org_printf                      ; \___org_printf
    You want source side by side? Toggle the comment bar at the top.
    If your bar isn't visible:

    right click -> appearance -> showbar
    Now toggle the comment to cycle through source, profile, and comments.

    Here is a pic to make you believe.
    [Attached image]
    Last edited by blabberer; June 25th, 2008 at 07:28. Reason: deleted two pics and added a combined pic (why two pics dont display ?)

  5. #20
    ant
    Guest
    With Borland C++ I tried the same code you've used.

    C:\mysource>bcc32 myc.c
    Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
    myc.c:
    Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland
    C:\mysource>myc
    My Experiment with bcc 5.5 and OllyDbg for Source level Debugging
    dead1e55

    Opened myc.exe in OllyDbg -> Options -> Debugging options -> Events, and I selected the *WinMain radio button.
    The other two buttons seen here are *System breakpoint and *Entry point of main module.

    Code:
    " OllyDbg will automatically go to your main like "
    00401167 myFisrtC.main PUSH EBP
    00401168 MOV EBP, ESP
    0040116A PUSH EBX
    0040116B MOV EBX, 3

    In my case it goes to:
    00401000 > $ /EB 10 JMP SHORT myc.00401012
    00401002 |66 DB 66 ; CHAR 'f'
    00401003 |62 DB 62 ; CHAR 'b'
    00401004 |3A DB 3A ; CHAR ':'

    Code:
    " Toggle the comment to cycle through source , profile , and comments "
    Source and profile information are just blank for me; only comments are available.

    How do I get the source info shown in your screenshot of OllyDbg?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #21
    son of Bungo & Belladonna bilbo's Avatar
    Join Date
    Mar 2004
    Location
    Rivendell
    Posts
    310
    jackall,
    have a look at http://www.ethicalhacker.net/content/view/165/2/
    It shows the same runtime of your program at the same address, and how to proceed with Olly.

    Quote Originally Posted by Polaris
    That code is rather typical output for MinGW
    You're right, it is Dev-C++, based on MinGW.

    By the way, the runtime shows us an interesting function found in Microsoft MSVCRT.DLL which is not documented at all:

    Code:
    void __getmainargs(int *p_argc, char ***p_argv, char ***p_environ, int globbing, STARTUPINFO *p_startup);
    Regards, bilbo
    Non quia difficilia sunt, non audemus, sed quia non audemus, difficilia sunt.[Seneca, Epistulae Morales 104, 26]

  7. #22
    bilbo:

    Good to see you back. Don't stay away so long.

    Regards,
    JMI

  8. #23
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Damn, bilbo is back! Had a long and successful journey through Middle-earth? Any nice tales to tell about it?

    Welcome back indeed anyway! Will you be hanging around here some more again now?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  9. #24
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,508
    Blog Entries
    15
    Quote Originally Posted by ant View Post
    With Borland C++ i tried the same code you've used.

    C:\mysource>bcc32 myc.c
    Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
    myc.c:

    How do i get that info of source as shown by you in the screen shot of Ollydebugger?????

    By reading my post a bit more carefully and by not missing some important things in my post.

  10. #25
    ant
    Guest
    Code:
    by reading my post a bit more carefully and by not missing some important things in my post
    I am sorry for not concentrating enough; I missed the (-v) earlier. It looks just great now with the appearance of source.

    Many thanks.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #26
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    That is what fucking enrages me with programming. Just like my wife, computers are very picky about little details: a -v.

  12. #27
    son of Bungo & Belladonna bilbo's Avatar
    Join Date
    Mar 2004
    Location
    Rivendell
    Posts
    310

    Off Topic

    JMI, dELTA,
    Happy to meet you again.
    Quote Originally Posted by dELTA
    Will you be hanging around here some more again now?
    as long as my friend, Wizard Gandalf the Grey, will not call me away for more adventures...
    My best regards, bilbo
    Non quia difficilia sunt, non audemus, sed quia non audemus, difficilia sunt.[Seneca, Epistulae Morales 104, 26]

  13. #28
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Nice to hear that bilbo. Again, welcome back.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  14. #29
    Quote Originally Posted by ant View Post
    Is it advisable to use IDA Pro disassembler by a beginner ?????
    If with the Hex-Rays plugin.

  15. #30
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    Well, I'll be damned; I've been wondering where the Frodo clan was. Welcome back Mr. Biggins (or Belladonna), and tell Gandalf to bug off!

    Now to the subject: I used w32dasm for about a year until someone pointed out that it's easier to reverse with a REAL tool. I would suggest keeping both around; occasionally the associated resource string in W32 is handy and correct. IDA is indispensable for .NET, ARM and all the other odd stuff.

    SiGiNT
    Last edited by SiGiNT; July 8th, 2008 at 14:25.
