Thread: Dumping function arguments

  1. #1
    xml
    Guest

    Dumping function arguments

    I'm reverse engineering a relatively small program so that I can reimplement it in java for my phone. I'm pretty sure that it's a fairly simple exercise, but I need to dump the function arguments for a set of key internal functions within the program. I took a look at dumbug which does exactly what I want, i.e. allow me to specify function prototypes and print them out as they are called. Unfortunately, it only works with exported symbols, which isn't sufficient.

    I can use ollydbg's conditional log breakpoints to dump (it appears) a maximum of one argument per function call, and even then I can't get it to dump, say, an array of 32 bytes in hex.

    Can someone tell me what's the best way to do this, or point me at an example? Do I need to write a plugin, is there one already, or could I do it with ollyScript?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15

    Dumping function arguments

    One argument per function? If OllyDbg can recognize the function (take MessageBoxA as an example) and you set a conditional breakpoint (Shift+F4) with:

    condition == nothing
    explanation == nothing
    pause program == never
    log value of expression == never
    log function arguments == always

    then it would log all the function arguments to that call, not one argument per call:


    Log data
    Address Message
    7F920000 Module C:\WINDOWS\SYSTEM\MSSHRUI.DLL
    7FBF0000 Module C:\WINDOWS\SYSTEM\MPR.DLL
    7F950000 Module C:\WINDOWS\SYSTEM\SVRAPI.DLL
    7FB00000 Module C:\WINDOWS\SYSTEM\MSNET32.DLL
    00477660 CALL to MessageBoxA
    hOwner = 00000744 ('OllyDbg',class='OLLYDBG',wndproc=004323D4)
    Text = "File 'C:\WINDOWS\Desktop\odbg110\register.txt' is probably not a 32-bit Portable Executable. Try to load it anyway?"
    Title = "Not a valid PE file"
    Style = MB_YESNO|MB_ICONQUESTION|MB_DEFBUTTON2|MB_TASKMODAL
    004AF516 CALL to MessageBoxA from OLLYDBG.00477660
    hOwner = 00000744 ('OllyDbg',class='OLLYDBG',wndproc=004323D4)
    Text = "File 'C:\WINDOWS\Desktop\odbg110\register.txt' is probably not a 32-bit Portable Executable. Try to load it anyway?"
    Title = "Not a valid PE file"
    Style = MB_YESNO|MB_ICONQUESTION|MB_DEFBUTTON2|MB_TASKMODAL


    like above

    Now if the call is not recognized by OllyDbg as a standard call but is some user-coded proc, you would need to do some spelunking to find out how many params are passed to that call,

    and then use Analyze -> Assume arguments -> stdcall.

    For example, if you try Shift+F4 on this call you will see "log function arguments" is grayed out.

    If you go back you will see that it pops 1C off the stack == 7 arguments:


    0040BA38 |. E8 0BA50000 CALL OLLYDBG._Disasm ; \_Disasm
    0040BA3D |. 83C4 1C ADD ESP,1C



    So right click --> Analysis --> Assume arguments --> StdFunc7 --> Apply:


    00415F48>/$ 55 PUSH EBP ; Decoded as <StdFunc7>



    Now if you try Shift+F4 you can see "log function arguments" enabled.
    If you ask OllyDbg to log now, it will log all the arguments to that call:


    00415F48 CALL to Assumed StdFunc7 from OLLYDBG.00447302
    Arg1 = 0078E775
    Arg2 = 00000007
    Arg3 = BFF76899
    Arg4 = 00000000
    Arg5 = 0078DE0C
    Arg6 = 00000004
    Arg7 = 00000000
    00415F48 CALL to Assumed StdFunc7 from OLLYDBG.00447302
    Arg1 = 0078E774
    Arg2 = 00000008
    Arg3 = BFF76898
    Arg4 = 00000000
    Arg5 = 0078DE0C
    Arg6 = 00000004
    Arg7 = 00000000
    00415F48 CALL to Assumed StdFunc7 from OLLYDBG.00428D53
    Arg1 = 0078ED68
    Arg2 = 00000010
    Arg3 = 00401000
    Arg4 = 01998D5C
    Arg5 = 004CE45C
    Arg6 = 00000005
    Arg7 = FFFC5AA7


    Hope that's what you were looking for.
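    The arithmetic in the reply above (ADD ESP,1C right after the CALL means 1C/4 = 7 dword arguments) generalises to a small script. This is an added example, not code from the thread or from OllyDbg: it reads OllyDbg 1.10 listing lines, takes a caller-side ADD ESP,imm as the cdecl argument count and, failing that, looks for RETN imm inside the callee (stdcall). The _Disasm lines are the two quoted above; the MD5.00401000 caller/callee listing is constructed here to show the stdcall case.

```python
"""Infer the dword-argument count of a non-exported x86 function from the
stack cleanup visible in an OllyDbg 1.10 listing (added example, not from
the thread): caller 'ADD ESP,imm' => cdecl, callee 'RETN imm' => stdcall."""
import re

# One listing line: address, optional flow markers (|. /$ >/$), opcode bytes,
# mnemonic, operands, optional ';' comment.  We key on the mnemonic only, so
# the lazy '.*?' skips markers and bytes.  Opcode bytes come in pairs of hex
# digits, so a bare "ADD"/"SUB" there cannot be mistaken for a mnemonic.
LINE_RE = re.compile(
    r"^\s*([0-9A-F]{8})\b.*?\b(CALL|ADD|SUB|RETN|PUSH|POP|MOV|LEA)\b\s*([^;]*)",
    re.IGNORECASE,
)


def parse_listing(text):
    """Return [(address, MNEMONIC, operands)] for every recognised line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1).upper(), m.group(2).upper(), m.group(3).strip()))
    return out


def olly_imm(token):
    """OllyDbg prints immediates as bare hex ("1C", "0800"); parse one."""
    return int(token.strip().rstrip("hH"), 16)


def cdecl_arg_count(listing, call_index):
    """Dwords the caller removes right after a CALL, or None if it does not.
    A compiler may batch the cleanup of several calls into one ADD, so treat
    the number as an upper bound for the nearest call."""
    if call_index + 1 >= len(listing):
        return None
    _, mnem, ops = listing[call_index + 1]
    m = re.fullmatch(r"ESP\s*,\s*([0-9A-F]+)", ops, re.IGNORECASE)
    if mnem == "ADD" and m:
        return olly_imm(m.group(1)) // 4
    return None


def stdcall_arg_count(callee_listing):
    """Dwords popped by 'RETN imm' in the callee; 0 for a plain RETN, which is
    ambiguous (no stack args, or cdecl); None if no RETN was seen."""
    for _, mnem, ops in callee_listing:
        if mnem == "RETN":
            return olly_imm(ops) // 4 if ops else 0
    return None


def infer_calls(caller_text, callees=None):
    """For each CALL in caller_text: (call_address, target, nargs, convention).
    callees maps a target name to that function's own listing text."""
    callees = callees or {}
    listing = parse_listing(caller_text)
    results = []
    for i, (addr, mnem, ops) in enumerate(listing):
        if mnem != "CALL":
            continue
        n = cdecl_arg_count(listing, i)
        if n is not None:
            results.append((addr, ops, n, "cdecl"))
            continue
        n = stdcall_arg_count(parse_listing(callees.get(ops, "")))
        results.append((addr, ops, n, "stdcall" if n else "unknown"))
    return results


# The two lines quoted in the reply above (caller adds 1C = 28 bytes = 7 dwords).
DISASM_CALL = """
0040BA38 |. E8 0BA50000 CALL OLLYDBG._Disasm ; \\_Disasm
0040BA3D |. 83C4 1C ADD ESP,1C
"""

# Constructed stdcall example: no caller cleanup, the callee does RETN 8.
STDCALL_CALLER = """
00401100 |. 6A 00 PUSH 0
00401102 |. 6A 01 PUSH 1
00401104 |. E8 F7FEFFFF CALL MD5.00401000
00401109 |. 8BF0 MOV ESI,EAX
"""
STDCALL_CALLEE = """
00401000 /$ 55 PUSH EBP
00401001 |. 8BEC MOV EBP,ESP
00401003 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401006 |. 5D POP EBP
00401007 \\. C2 0800 RETN 8
"""

if __name__ == "__main__":
    for rec in infer_calls(DISASM_CALL):
        print("%s -> %s: %s dword args (%s)" % rec)
    for rec in infer_calls(STDCALL_CALLER, {"MD5.00401000": STDCALL_CALLEE}):
        print("%s -> %s: %s dword args (%s)" % rec)
```

    The count only covers stack-passed dwords: fastcall/thiscall register arguments, a plain RETN, or an ADD ESP that batches several calls' cleanup all need a look at the callee body (or a step over the call with the assumed StdFuncN, checking that the logged Arg values make sense) before trusting the number.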

  3. #3
    xml
    Guest

    Dumping function arguments

    Excellent, that's a lot closer, thanks. That seems to allow me to log any integer function arguments, but if the argument is a pointer to a string, or a pointer to an array of bytes, there isn't a standard way of logging them? If it's a string, I suppose I could put a conditional log breakpoint at the call entry point to log [esp+4] as a string, and then one instruction later I could log [esp+8]?

    Basically the program I'm looking at does some hashing and encryption and I want to log all the data being passed to the encryption and hashing functions.

  4. #4
    Super Moderator

    Dumping function arguments

    Well, answering something generic is easy; a specific question needs some examples or some snippet of code and some exact requirement.

    Can you post the call, the function, the actual passed string or whatever, so that I can answer?

    A generic answer to log a lot of bytes would be to set breaks on consecutive addresses and ask Olly to log
    [esp+4] on the first line,
    [esp+0c] on the second line (0c because PUSH EBP would alter ESP and the next 4 bytes would be located 4 bytes down), etc.


    But if you want to log a lot of data it would be best to modify the commandline plugin to add a logging function and use it with the "pass the following commands to plugin when paused" option.

    I think someone added a logging plugin here in this forum. I did not test it but I think it's named clb something; check it out. I remember because I answered one of the author's queries. Use Google site search; the forum's search function is kinda screwed up.

    OK, check this thread out (I fetched it from Google); take a look at my additional code to the commandline plugin example, that should give you some insights:
    http://ollydbg.win32asmcommunity.net/index.php?action=vthread&topic=1493&forum=2&page=-1


    Also this is the plugin that the guy released after that question; try it out:
    http://ollydbg.win32asmcommunity.net/index.php?action=vthread&forum=2&topic=1501

  5. #5
    xml
    Guest

    Dumping function arguments

    Thanks, cblp seems to be something like what I need, but it doesn't seem to be doing anything. I'll investigate.

    To be more specific, there are functions such as:
    md5_update(md5_ctx *c, void *data, int len)
    des_set_key(des_cblock *key, des_key_schedule *sched)

    If the first function is called, I want to log len, data[0..len] (but a sufficient fixed number will do), and in the second I want to log the appropriate sizes of the data as hex in the two arguments. If a function takes a char *, then I'd probably want to log the argument as a string.

    dumbug: http://www.phenoelit.de/dumbug/ allows you to specify function arguments like this:
    int CreateProcessA(
    [in] char * lpApplicationName,
    [in] char * lpCommandLine,
    [in] void * lpProcAttr,
    [in] void * lpThreadAttr,
    [in] int bInherit,
    [in] int dwFlags,
    [in] void * lpEnv,
    [in] char * lpCurrentDir,
    [in] void * lpStartup,
    [out] void * lpProcInfo
    );

    but as I said earlier, it only works on exported functions.

  6. #6
    Super Moderator

    Dumping function arguments

    Well, I found some md5.exe from the net:

    http://www.msoworld.com/programming/md5.zip

    The code in C is as follows:

    /* MDString from the RFC 1321 mddriver.c shipped in md5.zip, with the K&R
       parameter list written as an ANSI prototype. MD_CTX, MDInit, MDUpdate,
       MDFinal and MDPrint are mddriver.c macros that map to MD5_CTX, MD5Init,
       MD5Update, MD5Final and the digest printer when MD is defined as 5. */
    static void MDString (char *string)
    {
    MD_CTX context;
    unsigned char digest[16];
    unsigned int len = strlen (string);

    MDInit (&context);                    /* context starts at the MD5 IV */
    MDUpdate (&context, string, len);     /* the call the breakpoints below sit on */
    MDFinal (digest, &context);

    printf ("MD%d (\"%s\") = ", MD, string);
    MDPrint (digest);
    printf ("\n");
    }


    Now I added assume arguments to that MD5Update:

    004010F1 |. 57 PUSH EDI ; /Arg3
    004010F2 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20] ; |
    004010F6 |. 56 PUSH ESI ; |Arg2
    004010F7 |. 51 PUSH ECX ; |Arg1
    004010F8 |. E8 53030000 CALL MD5.00401450 ; \Assumed StdFunc3

    00401450 /$ 53 PUSH EBX ; Decoded as <StdFunc3>



    Set these breaks:

    Breakpoints
    Address   Module  Active             Disassembly                     Comment
    00401135  MD5     Always             RETN
    00401450  MD5     Log "md5$string"   PUSH EBX
    00401451  MD5     Log "md5&context"  PUSH EBP                        log [[esp+8]]
    00401452  MD5     Log "md5&context"  PUSH ESI                        log [[esp+0ch]+4]
    00401453  MD5     Log "md5&context"  MOV ESI,DWORD PTR SS:[ESP+10]   log [[esp+10h]+8]
    00401457  MD5     Log "md5&context"  PUSH EDI                        log [[esp+10h]]+10h

    and received these dumped bytes of the context:


    Log data
    Address Message
    OllyDbg v1.10
    Command line plugin v1.10
    Written by Oleh Yuschuk
    Bookmarks sample plugin v1.06 (plugin demo)
    Copyright (C) 2001, 2002 Oleh Yuschuk

    Console file 'C:\WINDOWS\Desktop\md5\md5.exe'
    Arguments '-s"hello you xml this is how i would say you dump"'
    New process with ID FFFCB789 created
    004022FE Main thread with ID FFFAC035 created
    00400000 Module C:\WINDOWS\DESKTOP\MD5\MD5.EXE
    BFF70000 Module C:\WINDOWS\SYSTEM\KERNEL32.DLL
    004022FE Program entry point
    00401450 COND: md5$string = ???
    00401450 CALL to Assumed StdFunc3 from MD5.004010F8
    Arg1 = 0063FD8C
    Arg2 = 00760DFD ASCII "hello you xml this is how i would say you dump"
    Arg3 = 0000002E
    00401451 COND: md5&context = 67452301
    00401452 COND: md5&context = EFCDAB89
    00401453 COND: md5&context = 98BADCFE
    00401457 COND: md5&context = 67452311
    00401450 COND: md5$string = €
    00401450 CALL to Assumed StdFunc3 from MD5.0040153C
    Arg1 = 0063FD8C
    Arg2 = 0040A200
    Arg3 = 0000000A
    00401451 COND: md5&context = 67452301
    00401452 COND: md5&context = EFCDAB89
    00401453 COND: md5&context = 98BADCFE
    00401457 COND: md5&context = 67452311
    00401450 COND: md5$string = p
    00401450 CALL to Assumed StdFunc3 from MD5.00401549
    Arg1 = 0063FD8C
    Arg2 = 0063FD50
    Arg3 = 00000008
    00401451 COND: md5&context = 67452301
    00401452 COND: md5&context = EFCDAB89
    00401453 COND: md5&context = 98BADCFE
    00401457 COND: md5&context = 67452311
    00401135 Breakpoint at MD5.00401135


    Now if you recompile the commandline plugin to Addtolist() on the Int Expression function, like I said in the link, you can use
    .? log [[esp+8]] etc. to get it logged.

  7. #7
    xml
    Guest

    Dumping function arguments

    Thanks for all your help. I think you've given me enough info to be able to get what I want. Will give it a go for the next couple of days and see what I come up with. Incidentally cblp output the data in a log file (didn't read the documentation) and it looks like I could make a small mod to that to give me the data in the format I want too. Cheers.
