
Thread: patching code directly with ollydbg

  1. #1
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647

    patching code directly with ollydbg

    This post stems from a question that Ksbrace asked me in a different thread. I did not know the answer but I think it is an interesting proposition.

    While tracing with Olly (or SoftICE), we can change code instructions using the -assemble- feature, or data contents, at will.

    These changes are made in memory, not on disk.
    Is it possible to have OllyDbg permanently record those changes to the file on disk?

    At face value it should not be possible: the file in question is open and loaded by the OS because its code is being run, so file access should be denied, but the intended changes could be written to a copy of the file on disk.

    I vaguely remember seeing something like that in an Olly plugin, but alas, I do not remember its name and I cannot find it now.
    Is there such a utility?
    Last edited by naides; January 23rd, 2006 at 12:36.

  2. #2
    Sure it's possible.

    Highlight the changes you want to save (in the disassembly or data window) and right-click, 'Copy to executable', 'Selection'. Of course, this only works if the VA you're at maps back to a part of the disk image via the PE Header (so modifying the section table in the virtual image will cause trouble with this feature).

    Regards
    Admiral

  3. #3
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Oh well.
    That was sweet and simple admiral.
    I am still learning my way around Ollydbg.

  4. #4
    SiGiNT (reknihT esreveR)
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    You also have to be careful if you are dealing with self-modifying code. I've worked on one that was written in RealBasic and it looped through the code several times; on every pass the call and jump addresses would change. Modifying and writing to the executable can be disastrous, but in its infinite wisdom (and Oleg's), it will save a .bak of the original.

    SiGiNT
    Last edited by SiGiNT; January 24th, 2006 at 19:21.
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  5. #5
    ksbrace
    Guest
    Thanks for the info!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6

    The complete method is:

    Highlight the changed code,
    right click - COPY TO EXECUTABLE,
    in the new window that appears,
    right click - SAVE FILE.

    Ricardo Narvaja

  7. #7
    Hello:

    That is right, Ricardo, but I cannot save with OllyDbg the code in a 'cave' made at the end of another section, that is, not in the .code section. Do you know why?

    Thanks

    Nacho_dj

  8. #8
    ZaiRoN (Red wine, not vodka!)
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    Hi Nacho_dj.
    Seems like OllyDbg saves modifications made in the CPU window only. If you want to save modifications made in other sections, you have to dump (with a simple Go-to command, Ctrl-G) the code in the CPU window and then save.

  9. #9
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    Why can't you copy modifications done in another section right from there itself?

    Right click, Copy to executable, that's all.

    The only problem is that if you have done modifications in many sections and then you use this right-click thingy, it will save only those that are in the section you have selected and not the ones in other sections.

    You should either save them separately

    or

    use Alt+E (view executable --> right click --> view executable file --> right click --> save file).

    See the attached pic.

    Oops, the board doesn't accept big pictures (800*600 screenshot), it seems, and my Paint doesn't know how to resize the pic without fscking it up.

    I attached it as a zip.

  10. #10
    ZaiRoN (Red wine, not vodka!)
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    You can see I'm definitely a non-Olly user...

    Thx Blabberer

  11. #11

    You cannot save.

    Olly shows you the sections and you can write in a virtual part of a section in Olly, but you can only save to the exe if this part is not virtual only.

    When a section is loaded, if VIRTUAL SIZE is bigger than RAW SIZE, the program fills the virtual part with zeros, and Olly shows you this part; if you write in this virtual-only part, you can't save to the exe, because this part doesn't exist in the exe, it is only virtual.

    If you need to write there, open the program in a hex editor and increase the size of the section until RAW SIZE is equal to VIRTUAL SIZE; in this case you can write in any part of the section without problem, as all you see in Olly is part of the exe.

    Sorry for my bad English, I hope you understand.

    Ricardo

  12. #12

    The extreme case

    The extreme case is a section with RAW SIZE = 0 and, for example, VIRTUAL SIZE = 1000.

    You see 1000 bytes in OllyDbg, but they are all virtual; the size of the section in the exe is 0 LONG. If you write in the 1000 virtual bytes in Olly, where will they be stored when you save, if in the exe the section is 0 LONG? It is impossible; you need to open the exe in a HEX EDITOR and add 1000 bytes to the size of the section.

    RAW SIZE will be 1000 and VIRTUAL SIZE = 1000,

    and then whatever you write in any part of the section can be stored in the exe.

    Ricardo
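
Added example, not code from the thread or from OllyDbg: the Python below does the VA-to-file-offset lookup through the PE section table that Admiral's post #2 says 'Copy to executable' depends on, and it shows the virtual-only tail of a section (VirtualSize larger than SizeOfRawData) that Ricardo's posts #11 and #12 describe. It builds a constructed, hypothetical two-section PE32 image in memory (no real program is involved), patches a copy of it the way 'Copy to executable' would, refuses a patch that lands in the virtual-only part, and then performs the hex-editor fix from the thread (grow the section's raw size to its virtual size, zero padded) so the same patch can be stored. All function names and the sample layout are my own; only PE32 (32-bit) headers are handled, and sections are assumed to be stored in the file in ascending order.

```python
"""Map a VA back to a PE file offset (the lookup behind 'Copy to executable'),
patch a file copy, and grow a section's raw size so a virtual-only region
becomes file-backed. Added example with a constructed sample PE32 image."""
import struct

FILE_ALIGN = 0x200   # FileAlignment of the constructed sample
SECT_ALIGN = 0x1000  # SectionAlignment of the constructed sample


def _align_up(n, a):
    return (n + a - 1) // a * a


def build_sample_pe():
    """Construct a minimal PE32 image (hypothetical sample, not a real program).

    .text: VirtualSize 0x200,  SizeOfRawData 0x200 (fully backed by the file)
    .data: VirtualSize 0x1000, SizeOfRawData 0x200 (0xE00-byte tail is virtual only)
    """
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)                 # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14c, 2, 0, 0, 0, 224, 0x102)       # i386, 2 sections, EXE
    opt = struct.pack('<HBBIIIIIIIIIHHHHHHIII',
                      0x10b, 0, 0,                # PE32 magic, linker version
                      0x200, 0x200, 0,            # SizeOfCode / InitializedData / UninitializedData
                      0x1000, 0x1000, 0x2000,     # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, SECT_ALIGN, FILE_ALIGN,
                      0, 0, 0, 0, 4, 0,           # OS / image / subsystem versions
                      0, 0x3000, 0x200)           # Win32VersionValue, SizeOfImage, SizeOfHeaders
    opt += b'\0' * (224 - len(opt))               # remaining fields and data directories
    text = struct.pack('<8sIIIIIIHHI', b'.text', 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack('<8sIIIIIIHHI', b'.data', 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    hdr = (dos + b'PE\0\0' + coff + opt + text + data).ljust(0x200, b'\0')
    code = b'\xb8\x01\x00\x00\x00\xc3'.ljust(0x200, b'\xcc')             # mov eax,1 ; ret ; int3 pad
    rdata = b'blah blah\0'.ljust(0x200, b'\0')
    return hdr + code + rdata


def parse_pe(img):
    """Return (image_base, file_alignment, size_of_headers, sections) of a PE32 image."""
    e_lfanew, = struct.unpack_from('<I', img, 0x3c)
    if img[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    nsec, = struct.unpack_from('<H', img, e_lfanew + 6)
    opt_size, = struct.unpack_from('<H', img, e_lfanew + 20)
    opt = e_lfanew + 24
    image_base, = struct.unpack_from('<I', img, opt + 28)      # PE32 layout (PE32+ differs)
    file_align, = struct.unpack_from('<I', img, opt + 36)
    size_of_headers, = struct.unpack_from('<I', img, opt + 60)
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', img, off)
        secs.append({'name': name.rstrip(b'\0').decode(), 'vsize': vsize, 'va': va,
                     'rawsize': rawsize, 'rawptr': rawptr, 'hdr': off})
    return image_base, file_align, size_of_headers, secs


def va_to_file_offset(img, va):
    """Map a VA to a file offset; None if the byte is virtual only (inside
    VirtualSize but past SizeOfRawData) or outside every section."""
    image_base, _, _, secs = parse_pe(img)
    rva = va - image_base
    for s in secs:
        delta = rva - s['va']
        if 0 <= delta < max(s['vsize'], s['rawsize']):
            return s['rawptr'] + delta if delta < s['rawsize'] else None
    return None


def apply_patch(img, va, patch):
    """Write patch bytes at va into a copy of the file image, as 'Copy to
    executable' does; refuse if any byte has no backing file offset."""
    out = bytearray(img)
    for i, b in enumerate(patch):
        off = va_to_file_offset(img, va + i)
        if off is None:
            raise ValueError(f'VA {va + i:#x} is not backed by the file; grow the section first')
        out[off] = b
    return bytes(out)


def grow_section_raw(img, name):
    """Rebuild the file so the named section's SizeOfRawData covers its whole
    VirtualSize (rounded up to FileAlignment), zero-padding it and shifting the
    raw data of later sections. Assumes sections are stored in ascending order."""
    _, file_align, size_of_headers, secs = parse_pe(img)
    out = bytearray(img[:size_of_headers])
    for s in sorted(secs, key=lambda s: s['rawptr']):
        raw = img[s['rawptr']:s['rawptr'] + s['rawsize']]
        if s['name'] == name:
            raw = raw.ljust(_align_up(s['vsize'], file_align), b'\0')
        new_ptr = _align_up(len(out), file_align)
        out += b'\0' * (new_ptr - len(out)) + raw
        struct.pack_into('<II', out, s['hdr'] + 16, len(raw), new_ptr)  # SizeOfRawData, PointerToRawData
    return bytes(out)
```

With the sample, VA 0x4021FF is the last file-backed byte of .data and maps to file offset 0x5FF, while VA 0x402200 has no file offset at all, which is exactly the situation where OllyDbg cannot store the patch. After grow_section_raw(img, '.data') the section's raw size is 0x1000, the file grows from 0x600 to 0x1400 bytes, and a patch at VA 0x402400 lands at file offset 0x800. The same rebuild also handles Ricardo's extreme case of a section with SizeOfRawData 0.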

  13. #13
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    Well, I answered believing he is talking about an existing real cave in another section,
    not some virtual-only, non-existing cave.

    @ricardo
    If he was not talking about real caves then what you are saying is absolutely correct, but in that case OllyDbg will warn, saying "unable to locate data".


    But making a virtual-only part physical is no big deal, I think, at least.
    The old ProcDump used to do it in a jiffy, giving you
    1400 zero-padded bytes in Iczelion's tute-02 code section when you asked it to rebuild the PE,
    and it used to hide a "this exe was built by lorraine" etc. string
    which wasn't visible in the loaded image but was available only in the PE header
    physically.

    I think playing around with OllyDump should easily yield a real image with file alignment = section alignment, with all those invisible 0000 physically present in the exe.

  14. #14
    Many thanks for your answers mates!

    But when I was trying to do the patch in other sections, as I told you before, I opened the file in a hex editor simultaneously with Olly.

    I did the test of patching the zeroes of a section other than .code, just behind an existing string in the file followed by zeroes, as the hex editor showed me. So in this case no virtual allocation was involved. And OllyDbg didn't show the option "Copy to executable" enabled when right-clicked.

    Anyway, I will try your work-arounds when getting home...

    Cheers

    Nacho_dj

    BTW: Ricardo, don't worry, you are perfectly understood, regards!

    blabberer: very funny the picture, hehe
    Last edited by Nacho_dj; January 27th, 2006 at 07:03.

  15. #15
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    Funny? I thought I had attached a wrong pron pic and downloaded it to confirm if it was really funny.

    Well, it has two windows: one is the regular one where you see the disasm and dump,
    and you could see the blah blah string as well as the push referring to that address, one in
    the dump and another in the code section.

    The window which has the save is done via Alt+E save, and to show the complete contents of the file the mode has been changed to text 64.
    If you notice, some 4 bytes are highlighted in the right window, which would show you an h == 0x68 == push opcode, and you can see the string down below in English.

    Well, they say pictures talk a thousand words, but it seems this pic is talking more confusion than words.

    Anyway, I just dumped Iczelion's tut with OllyDump and I see it turns the
    2.5 kb exe into a 16 kb exe (4 sections, each a page size), so it's easy to add zeroes without a hex editor.
