Thread: can i change EIP when debug?

  1. #1
    lg888
    Guest

    Can I change EIP when debugging?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Teerayoot
    Guest

    Yes, you can, just right click on the target line then select "New origin here"!

  3. #3
    jimeeg
    Guest
    Never mind, I got it.
    Last edited by jimeeg; November 7th, 2006 at 16:45. Reason: found solution

  4. #4
    dELTA (Administrator)
    Aw crap, I was just about to reply to that three year old post!

    (and yes, I do understand what really happened here, but this was funnier)
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  5. #5
    You can. Thanks to all.

  6. #6
    Well, but how do you do it from Olly/OdbgScript?

    As far as I understand, the "go" command is supposed to do it?
    And yes, it works, but only once. The next "go" command in the script releases
    program execution, and the 2nd "New origin here" location is never reached.

    //go script example
    #log

    var ptIAT
    mov ptIAT, 401010
    go [ptIAT]
    log eip

    mov ptIAT, 401014
    go [ptIAT]
    log eip

    ret
    Log data
    Address Message

    --> var ptIAT
    --> mov ptIAT, 401010
    --> go [ptIAT]
    --> log eip
    eip: 0040102C | Entry address
    --> mov ptIAT, 401014
    --> go [ptIAT]
    00401025 INT3 command at gototest.00401025
    Debugged program was unable to process exception
    --> log eip
    eip: 00401025
    --> ret

  7. #7
    blabberer (Super Moderator)
    Changing light bulbs after six months.
    Anyway, you have got a syntax problem.
    Are you sure you require the square brackets? This means you are asking the script to go to the pointer pointed to by your var ptIAT.

    Let me show a log from what I tried superficially.

    Code:
    my script
    go 401e67
    log eip
    go 401e6c
    log eip
    go 401e71 
    log eip
    var ptIAT
    mov ptIAT, 401e76
    log [ptIAT]
    go [ptIAT]
    
    log eip
    Code:
    my log from above script
    Log data
    Address    Message
               eip = 00401E67
               eip = 00401E6C
               eip = 00401E71
               [ptIAT] = 8B006A53
               Process terminated, exit code 0
    Code:
     
    the code that was executed
    
    00401E65 >/$  6A 18            PUSH    18
    00401E67  |.  68 30114000      PUSH    00401130
    00401E6C  |.  E8 FF0C0000      CALL    __SEH_prolog
    00401E71  |.  BB 94000000      MOV     EBX, 94
    00401E76  |.  53               PUSH    EBX                                              ; /HeapSize = 0
    00401E77  |.  6A 00            PUSH    0                                                ; |Flags = 0
    00401E79  |.  8B3D 34104000    MOV     EDI, DWORD PTR DS:[<&KERNEL32.GetProcessHeap>]   ; |kernel32.GetProcessHeap
    So the script is waiting for EIP to become 8B006A53 in my case, which can never happen, and it happily finishes and gets terminated.

    OK, here is a solution.

    Code:
    script 
    var count
    mov count ,0 
    log count
    go 401e67
    log eip
    go 401e6c
    log eip
    go 401e71 
    log eip
    
    mov eip,401e65
    inc count 
    log count
    
    go 401e67
    log eip
    go 401e6c
    log eip
    go 401e71 
    log eip
    
    mov eip,401e65
    inc count 
    log count
    
    go 401e67
    log eip
    go 401e6c
    log eip
    go 401e71 
    log eip
    
    mov eip,401e65
    inc count 
    log count
    
    go 401e67
    log eip
    go 401e6c
    log eip
    go 401e71 
    log eip
    
    mov eip,401e65
    inc count 
    log count
    log
    Code:
    Log data
    Address    Message
               count = 00000000
               eip = 00401E67
               eip = 00401E6C
               eip = 00401E71
               count = 00000001
               eip = 00401E67
               eip = 00401E6C
               eip = 00401E71
               count = 00000002
               eip = 00401E67
               eip = 00401E6C
               eip = 00401E71
               count = 00000003
               eip = 00401E67
               eip = 00401E6C
               eip = 00401E71
               count = 00000004
    Last edited by blabberer; August 22nd, 2007 at 12:02.

  8. #8
    Naides is Nobody
    Hey Blabberer,

    That is way too complicated!

    Can you make it any easier?

  9. #9
    Quote Originally Posted by blabberer:
    Changing light bulbs after six months.
    Anyway, you have got a syntax problem.
    Are you sure you require the square brackets? This means you are asking the script to go to the pointer pointed to by your var ptIAT.
    ...
    Yes, it's a pointer in "bare bones" code for problem isolation.
    I reduced the code further; it doesn't work anyway.


    Script:
    Code:
    #log
    
    var ptIAT
    mov ptIAT, 401010
    go ptIAT
    log eip
    
    mov ptIAT, 401018
    go ptIAT
    log eip
    
    ret
    Log:
    Code:
               --> var ptIAT
               --> mov ptIAT, 401010
               --> go ptIAT
    00401023   INT3 command at gototest.00401023
               --> log eip
               eip: 00401024
               --> mov ptIAT, 401018
               --> go ptIAT
               Debugged program was unable to process exception
               --> log eip
               eip: 00401023
               --> ret
    Code under test:
    Code:
    00401010   . EB 00          JMP SHORT gototest.00401012
    00401012   > B8 01000000    MOV EAX,1
    00401017   . CC             INT3
    00401018   . EB 00          JMP SHORT gototest.0040101A
    0040101A   > B8 02000000    MOV EAX,2
    0040101F   . CC             INT3
    00401020 >/$ 90             NOP                                      ;<<<Entry point
    00401021  |. 90             NOP
    00401022  |. 90             NOP
    00401023  |. CC             INT3
    00401024  |. 50             PUSH EAX                                 ; /ExitCode
    00401025  \. E8 00000000    CALL <JMP.&kernel32.ExitProcess>         ; \ExitProcess
    What am I doing wrong? Why doesn't the "go" command change the code
    execution flow to addresses 401010, 401018?
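
    As an added example (not posted by anyone in this thread), here is the "bare bones" test from post #9 rewritten with the technique from post #7: mov eip redirects execution (the scripted equivalent of "New origin here"), and go is used only to run to an address that is actually reachable from the new EIP. It assumes the gototest layout listed above and the go behaviour shown in post #7 (temporary breakpoint at the given address, then run).

```odbgscript
// Added example, not from the thread. Assumes the gototest layout from post #9.
#log

var ptIAT

// First target: 401010 is a JMP SHORT to 401012. "go 401010" alone can never
// reach it from the entry point at 401020, so redirect EIP first and then
// run until the jump target is hit.
mov ptIAT, 401010
mov eip, ptIAT        // change the execution flow (what "New origin here" does)
go 401012             // temporary breakpoint at the JMP target, then run
log eip

// Second target: 401018 is a JMP SHORT to 40101A. Same pattern: redirect,
// then run to the reachable address.
mov ptIAT, 401018
mov eip, ptIAT
go 40101A
log eip

// go never changes the flow by itself; it only runs until its address is hit.
// From 40101A the next instruction reached would be the INT3 at 40101F, so put
// EIP back on the entry point before handing control back to OllyDbg.
mov eip, 401020
ret
```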

  10. #10
    blabberer (Super Moderator)
    Quote Originally Posted by naides:
    Hey Blabberer,

    That is way too complicated!

    Can you make it any easier?

    naides

    I am really sorry to put out these over-convoluted and extremely complicated
    ways as examples.

    If a guru like you can't decipher them, then mere mortals can never even understand the examples. I'm really sorry.

  11. #11
    Naides is Nobody
    Maannn!
    I was pointing, tongue in cheek, at the extra 10 miles you always take to make your posts clear and understandable, taking the time to compose an illustrated example of the right and the wrong way to solve the problem(s).
    Even I could understand the details of your post!

    I am no guru like you, indeed, are.
    The smiley means tongue in cheek.

  12. #12
    blabberer (Super Moderator)
    The reply was not pointing directly at you, naides.
    It's called convoluted sarcasm: appreciating your reply and deriding someone else's at the same time.

    The OP didn't even try to understand the implications, didn't try to read the script, didn't try out the sample script, didn't try to build upon the sample and didn't think; he glanced at my post, trashed it as BS and replied back wanting an answer for his "go" not going anywhere, nothing else.
