Thread: Plugin, Trick, Tool, Or something to let you search OllyDbg Analysis comments?

  1. #1

    I have to be using the wrong words, phrase or have settings messed up or not set correctly in OllyDbg. I am trying to search for a string that the analysis put in the CPU window. It seems that MOST of the analysis do appear in the find all string references but the one I am looking for is not! I am trying to find the analysis that says ASCII "ABCDEFGHJKLMNPRST..." Besides paging down through the entire code (in this case fairly long), is there some plugin, or setting or trick to finding those comments that do not list in the Text Strings Referenced?

    p.s.
    I honestly did read the FAQ, I have googled, I have listened to lots of tutorials...

  2. #2
    Well, you can try to search it directly in the dump-window via Ctrl-B (search for binary string) either ASCII or UNICODE.
    It might be that the string you are searching isn't there at all, but is concatenated at runtime. In this case the chars can be apportioned around the code. Furthermore it's possible that the string is encrypted and will only become decrypted in a certain state of the program.
    My advice is to set a BP at the place where you've found it in the CPU-window and look from there, where this string comes from (when you see it there it must somehow be referenced).

    Hope that helps

    Regards
    darkelf
    I flout Chuck Norris, Spongebob barbecues underwater!

  3. #3
    Quote: Originally Posted by Darkelf
    Well, you can try to search it directly in the dump-window via Ctrl-B (search for binary string) either ASCII or UNICODE.
    It might be that the string you are searching isn't there at all, but is concatenated at runtime.
    I can find it by slowly page-downing through the document till I see it...but that is really slow.

    To me pictures are worth a thousand words....
    [Attached image: SearchForASCII_String.jpg]

    What I want to search for is the highlighted string ASCII "ABCDE..." I'm frustrated that it's an analysis comment AND appears on the screen yet you can't search for it? I mean from an application point of view that STRING is somewhere in OLLYDEBUG's memory and should be able to be searched for? Right?

    p.s. I tried to redact anything revealing what I was working on as I did read that's against the policy of the site.

  4. #4
    What you see on the right of the mnemonics window is not really a comment (well it is, because comments are shown there), but something Olly finds on the related memory address at runtime. When you change what's at this address, Olly will change the string you see on the right in an instant. Unfortunately, the pic you've posted is pretty small, thus I'm unable to actually identify the memory address. Would you mind uploading this pic somewhere with a bigger resolution? Or even better upload the .exe somewhere. I will help you to get used to Olly a bit more.

    Regards
    darkelf

    P.S. Have you already done the lena-series of tuts?

  5. #5
    Quote: Originally Posted by Darkelf
    P.S. Have you already done the lena-series of tuts?
    No, I've watched a few dozen youtube ones and read some, but I'm going to take the hint and download that series now. I'd really like to get better at this and it's sorta like a bucket list thing...I've done minor stuff on my own but I really want to be able to figure out some of the bigger stuff. I will go through this tutorial.

    Quote: Originally Posted by Darkelf
    What you see on the right of the mnemonics window is not really a comment (well it is, because comments are shown there), but something Olly finds on the related memory address at runtime. When you change what's at this address, Olly will change the string you see on the right in an instant.
    YEP, I did figure out about your comments overriding the Ollydbg comments. (I was kinda frustrated with that as well. IN MY THOUGHTS it should OFFER up to you the Olly "comment", even better bring that up selected so as soon as you type a letter it goes away or you can hit say end and add your 2 cents.)

    Quote: Originally Posted by Darkelf
    Unfortunately, the pic you've posted is pretty small, thus I'm unable to actually identify the memory address. Would you mind uploading this pic somewhere with a bigger resolution?
    Here is a larger picture of the piece in question...
    [Attached image: SearchForASCII_big.jpg]

    Quote: Originally Posted by Darkelf
    Or even better upload the .exe somewhere. I will help you to get used to Olly a bit more.
    I will PM you about this.

  6. #6
    that is decoded on the fly

    ie instantaneous and it is dependent on eax

    so eax can take 0 to 0xffffffff so you are looking at a range of 2^32 PLACES

    NOW since this is user mode you can chop off 50% or 25% of that range based on Maxuserspace global

    and normally somewhere up or down the place you can get the real range for eax
    if you are lucky and if it resolves to 0 based index

    then ctrl+g and entering the constant 5******* and hitting yes should get you the ABCD******
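
Post #2's suggestion to search the dump for the string as ASCII or UNICODE can also be done offline on a saved memory block, which recovers the full text hidden behind the "..." and the address to enter with Ctrl+G. This is an added example, not code from the thread; the function name, base address and table contents are constructed, and it assumes the string is stored contiguously rather than built or decrypted at runtime.

```python
# Added example: not code from the thread. Names and sample data are constructed.

def find_truncated_string(region: bytes, base: int, prefix: str):
    """Return sorted [(virtual_address, encoding, full_string), ...].

    region: raw bytes of a memory block saved from the debugger (assumption)
    base:   virtual address the block was mapped at
    prefix: the characters visible before the "..." in the disassembly column
    """
    hits = []
    for encoding, width in (("ascii", 1), ("utf-16-le", 2)):
        needle = prefix.encode(encoding)
        terminator = b"\x00" * width
        start = 0
        while (off := region.find(needle, start)) != -1:
            # Walk one code unit at a time to the NUL terminator so the whole
            # string is recovered, not just the truncated prefix.
            end = off
            while end + width <= len(region) and region[end:end + width] != terminator:
                end += width
            hits.append((base + off, encoding,
                         region[off:end].decode(encoding, errors="replace")))
            start = off + 1
    return sorted(hits)


# Constructed sample: only the "ABCDEFGHJKLMNPRST" prefix comes from the thread.
TABLE = "ABCDEFGHJKLMNPRSTUVWXYZ"
SAMPLE_BASE = 0x00500000  # placeholder; the thread redacts the real constant
SAMPLE_REGION = (
    b"\x90" * 0x40
    + TABLE.encode("ascii") + b"\x00"
    + b"\xcc" * 8
    + TABLE.encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for va, enc, text in find_truncated_string(SAMPLE_REGION, SAMPLE_BASE,
                                               "ABCDEFGHJKLMNPRST"):
        print(f"{va:08X}  {enc:<9}  {text!r}")
```

An empty result on a real dump is itself informative: it points to the runtime-concatenated or encrypted case described in post #2.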
