
Thread: Value Process

  1. #1

    Value Process

    Is there any process to pause Olly when the registers EAX, EDX, ECX, etc. contain a string?

    Like,

    EAX 0012346 "Tiger"


    So basically I want to pause my Olly when the EAX value contains the string "Tiger". Is there any plugin or any other way to do this?

  2. #2
    I don't think that is possible so easily without massive processor utilisation.

    Best thing is to find text in memory and set BP on first byte.

  3. #3
    The problem is this: the string is generated while the application is running. The application allocates a specific part of memory to write that string. I can see that string in EAX, but the value is like

    EAX 00112345 UNICODE "TIGER"

    So when I load the target in Olly and try to get to the VA 00112345, I am not able to do so. Only while it is running do I have access to that section.

    I tried to put a BP on writing the first byte, but again it's not breaking, and the memory value changed to

    EAX 00112536 UNICODE "TIGER"

    I also tried to search in memory and in ASCII strings, but the string is not appearing because it is generated only while the application is running.

    So the way I found is to just break when EAX gets that value and make the patches there. But how to break at that point? If anyone knows, please let me know.

  4. #4
    What is your overall aim? I.e., what are you trying to do with this?

    Why is that value written to that location?

    Maybe someone can suggest an alternative means.

  5. #5
    Basically I want to patch the verification URL of an application and redirect it to my custom URL.

    But there is continuous switching going on in the memory address, so it's becoming a headache. So the only way I have found is to make the right patch when the register value shows that URL. I just want to get the location where the value first shows up in EAX, because after that the value just goes ahead and becomes complex. I'm just trying to get the first location of URL generation.
    Last edited by Jo_ti; August 21st, 2009 at 04:25.

  6. #6
    If the app is connecting to a server itself to do the verification (rather than spawning a web browser process) then wouldn't setting a breakpoint on something like gethostbyname be easier? You can then divert program flow away from the function, change the name, or even just return a result pointing to your own PC.

    Or, if the name is static and you want it for personal use only, just change the hosts file to point that name to your own PC and let the OS do it.

    If you want the full URL rather than just the address, you'll probably find it much easier after the return from gethostbyname or similar.

  7. #7

    The main problem is that the program is not breaking at this API; this is the only API which is very common in this process. Apart from that, if there is any other API which is related to this, please do post it. I will try all of them; I hope it will break at some API, so that I can add my custom URL.

  8. #8
    SiGiNT (reknihT esreveR)
    While the process is running, set a hardware BP on that memory section on access. This can be very simple or long and tortuous: reload, and each time it breaks do a search of that section for "Tiger"; if found, either BP on memory access or HW BP on access.

    SiGiNT

  9. #9
    dELTA (Administrator)
    Here is exactly what you are looking for:

    http://www.woodmann.com/collaborative/tools/index.php/OllyStepNSearch


  10. #10
    SiGiNT (reknihT esreveR)
    dELTA,

    The older version of S&S which I use frequently, because it seems to work better than the newer versions, much to my consternation, does NOT log strings in EAX (but most times the string passes through at least 2 registers). It's been a while since I've tried a newer version, so maybe this has been fixed; I'm still using 0.5.0, plugin 1.10. I tried the latest 6 months to a year ago and the log was almost empty, and I'm not usually looking for a specific string. If our friend believes that your name appearing in EAX is the beginning of the encryption/decryption process, he's got some learning to do; usually your serial shows up many, many passes later.

    It's also possible on slower machines to watch EAX and click in the register window to pause it.

    SiGiNT
    Last edited by SiGiNT; September 3rd, 2009 at 19:10.

  11. #11
    I tried this one; I spent all my day but did not get anything useful with this plugin. I hope it works for someone.

  12. #12
    I have a very small question, so I don't think opening a new topic would be good for this; I am just asking here.

    Today while editing I noted a small thing which I think I need to learn. While editing strings in OllyDbg, I found that if I am writing

    "My name is jo_ti"

    I used the Space bar after each word, and that writes 20 in the hex window.

    That means the hex value of Space is 20?

    What if I want it to write 00? Which key should I press?

  13. #13
    Naides
    The ASCII value of "space" is indeed 0x20. To write a true 00 byte, the best option is to edit in hexadecimal, where you write each byte with digits from 0 to F.

  14. #14
    Yes, you are right, Naides; I know about that, but I want to know any quick key like the Spacebar which just does my job, because if the string is long, or if there are lots of strings to patch, then it will take time.

  15. #15
    Naides
    Things are a little more complicated than that. If you write a true 00 byte in a string, it will be interpreted as "end of the string" by most text handling functions, effectively discarding the rest of the string.
    If the string is written in Unicode, the Olly editor automagically inserts the 00 in the right places, so you need not worry about placing the 00 yourself.
    You can insert any ASCII char using the keypad of the keyboard like this: push [Alt], rapidly key in the three decimal digits of the ASCII char you want, in this case 000. Hardly a quick solution. Last resort: install a macro generator in your system and program some key combination, such as [Alt]0, to generate the 00 byte.
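An added example, not part of this thread and not from any poster, in Python. It lays out the byte-level points from the posts above: why a string that OllyDbg shows as UNICODE "TIGER" is missed by an ASCII-only memory search (posts #3 and #8), and why a single 00 byte terminates a plain string while the 0x20 space byte does not, whereas the interleaved 00 bytes of a Unicode string are part of its characters (posts #13 and #15). The memory region, its base address 0x00112000, the offsets and every helper name are constructed for this example, not taken from any real process.

```python
# Added example (not from the thread). Constructed memory region: the base
# address 0x00112000 and every byte below are made up for illustration.

def encodings_of(text):
    """Byte patterns a debugger would match for the two string flavours:
    plain ASCII, and what OllyDbg labels UNICODE (UTF-16LE, each char followed by 00)."""
    return {
        "ascii": text.encode("ascii"),
        "unicode": text.encode("utf-16-le"),
    }


def find_string(region, text, base_address=0):
    """Scan a memory region for every ASCII and UTF-16LE occurrence of text.
    Returns a sorted list of (virtual_address, encoding_name) tuples."""
    hits = []
    for name, pattern in encodings_of(text).items():
        start = 0
        while True:
            idx = region.find(pattern, start)
            if idx == -1:
                break
            hits.append((base_address + idx, name))
            start = idx + 1
    return sorted(hits)


def c_string_at(region, offset):
    """What an ASCII (NUL-terminated) string API reads from offset: it stops at the first 00."""
    end = region.find(b"\x00", offset)
    return region[offset:end] if end != -1 else region[offset:]


def unicode_string_at(region, offset):
    """What a UTF-16LE string API reads from offset: single 00 bytes are part of
    the characters, and only a 00 00 code unit terminates the string."""
    units = []
    for i in range(offset, len(region) - 1, 2):
        unit = region[i:i + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


def with_nul(region, offset):
    """Return a copy of the region with the byte at offset overwritten by 00,
    i.e. what happens when a 00 is typed into the editor instead of a space."""
    patched = bytearray(region)
    patched[offset] = 0x00
    return bytes(patched)


# Constructed region (assumed base 0x00112000): filler, an ASCII string whose
# word separators are 0x20 space bytes, more filler, then the UNICODE copy of "TIGER".
BASE = 0x00112000
ASCII_OFFSET = 16           # "My name is jo_ti" starts here, terminated by one 00
UNICODE_OFFSET = 41         # UTF-16LE "TIGER" starts here, terminated by 00 00
REGION = (
    b"\x90" * 16
    + b"My name is jo_ti\x00"
    + b"\xcc" * 8
    + "TIGER".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
)


def demo():
    """Collect the observations the thread is about; returns a dict for inspection."""
    return {
        # An ASCII search for TIGER finds nothing; only the UTF-16LE pattern hits, at 0x00112029.
        "tiger_hits": find_string(REGION, "TIGER", BASE),
        # The space key wrote 0x20 between the words.
        "space_byte": REGION[ASCII_OFFSET + 2],
        # A plain string read runs up to the single 00 terminator.
        "ascii_read": c_string_at(REGION, ASCII_OFFSET),
        # Overwriting the first space with 00 cuts the string down to "My".
        "ascii_read_after_nul": c_string_at(with_nul(REGION, ASCII_OFFSET + 2), ASCII_OFFSET),
        # The interleaved 00 bytes of the UNICODE string do not terminate it.
        "unicode_read": unicode_string_at(REGION, UNICODE_OFFSET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The scan searches for both byte patterns at once, which is the check that was missing in post #3: a search for the ASCII bytes of "TIGER" cannot match the UTF-16LE layout `T 00 I 00 G 00 E 00 R 00`, so the string only shows up when the wide pattern is included.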
