Thread: Ollydbg reverse searching


    Hi guys,

    Let us assume my newly programmed tool breaks through with the following
    error: EIP: 00310031 (output from OllyDbg)!

    Now I want to know which function call invokes this error. Is there a possibility, e.g., to log
    every function call and the belonging registers (or, better, to execute backward from this flaw to see which function invokes it)? My problem is that this error happens
    deep in the code, which means I must execute my code step by step for quite a long time to find the error.

    What do you do when you have an error similar to this and you want to know what was executed before this error?

    Thanks Stevo
    That's the exact error that's being displayed?
    Some kind of buffer overflow.

    Assuming your program returns there and the EIP isn't being modified by

    you can ask OllyDbg to stop before EIP actually gets there

    with a conditional trace.

    Use Ctrl+T

    and type in
    dword ptr ss:[esp] == 401027 && byte ptr ds:[eip] == 0xc2

    Substitute 401027 with 00310031. 0xc2 is the opcode for retn n bytes;
    if it returned with no n bytes, the opcode would be 0xc3.

    Then use Ctrl+F11 (trace in).

    There could be many false positives and it could be slow,
    but this conditional trace should get you to the point live.

    A sample pause tracing OllyDbg itself is pasted below.

    Log data, item 0
     Message=Conditional pause: dword ptr ss:[esp] == 401027 && byte ptr ds:[eip] == 0xc2
    0012FFB8   00401027  RETURN to OLLYDBG.00401027 from <JMP.&KERNEL32.GetModuleHandleA>
    0012FFBC   00000000
    0012FFC0   7C90EB94  ntdll.KiFastSystemCallRet
    EIP when OllyDbg paused
    Code snippet where I ran the trace
    00401000 <ModuleEntryP> $ EB 10          JMP SHORT OLLYDBG.00401012
    00401002                  66             DB 66                                    ;  CHAR 'f'
    00401003                  62             DB 62                                    ;  CHAR 'b'
    00401004                  3A             DB 3A                                    ;  CHAR ':'
    00401005                  43             DB 43                                    ;  CHAR 'C'
    00401006                  2B             DB 2B                                    ;  CHAR '+'
    00401007                  2B             DB 2B                                    ;  CHAR '+'
    00401008                  48             DB 48                                    ;  CHAR 'H'
    00401009                  4F             DB 4F                                    ;  CHAR 'O'
    0040100A                  4F             DB 4F                                    ;  CHAR 'O'
    0040100B                  4B             DB 4B                                    ;  CHAR 'K'
    0040100C                  90             NOP
    0040100D                  E9             DB E9
    0040100E                . 28014B00       DD OFFSET OLLYDBG.___CPPdebugHook
    00401012                > A1 1B014B00    MOV EAX,DWORD PTR DS:[4B011B]
    00401017                . C1E0 02        SHL EAX,2
    0040101A                . A3 1F014B00    MOV DWORD PTR DS:[4B011F],EAX
    0040101F                . 52             PUSH EDX
    00401020                . 6A 00          PUSH 0                                   ; /pModule = NULL
    00401022                . E8 4BE00A00    CALL <JMP.&KERNEL32.GetModuleHandleA>    ; \GetModuleHandleA
    00401027                . 8BD0           MOV EDX,EAX
    Run trace details
    Address	Thread	Command	Registers and comments
        Flushing gathered information
    0040101F	Main	PUSH EDX
    00401020	Main	PUSH 0	pModule = NULL
    00401022	Main	CALL <JMP.&KERNEL32.GetModuleHandleA>
    004AF072	Main	JMP DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]
    GetModuleHandleA	Main	MOV EDI,EDI
    7C80B52B	Main	PUSH EBP
    7C80B52C	Main	MOV EBP,ESP	EBP=0012FFB4
    7C80B52E	Main	CMP DWORD PTR SS:[EBP+8],0
    7C80B532	Main	JE SHORT kernel32.7C80B54C
    7C80B54C	Main	MOV EAX,DWORD PTR FS:[18]	EAX=7FFDF000
    7C80B552	Main	MOV EAX,DWORD PTR DS:[EAX+30]	EAX=7FFDC000
    7C80B555	Main	MOV EAX,DWORD PTR DS:[EAX+8]	EAX=00400000
    7C80B558	Main	JMP SHORT kernel32.7C80B548
    7C80B548	Main	POP EBP	EBP=0012FFF0
        End of gathered information, live log begins
    Alt+K will normally not yield any useful information, because the stack trace won't be working without a valid EIP.
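As an added example (not from the thread or from OllyDbg itself), a small Python script that replays a run trace in the tab-separated "Address / Thread / Command / Registers and comments" layout pasted above and pairs each CALL with its RETN, so the return that lands on a bogus address such as 00310031 can be traced back to the call site. The sample trace, its addresses, and the "2..7 bytes past the CALL" distance heuristic are my assumptions, not data from the post.

```python
import re

# Constructed sample in OllyDbg "Run trace" layout (Address TAB Thread TAB Command
# TAB Registers and comments). Addresses and commands are made up for the demo.
SAMPLE_TRACE = "\n".join([
    "Address\tThread\tCommand\tRegisters and comments",
    "    Flushing gathered information",
    "00401020\tMain\tPUSH 0\tpModule = NULL",
    "00401022\tMain\tCALL OLLYDBG.00401100",
    "00401100\tMain\tPUSH EBP",
    "00401103\tMain\tCALL OLLYDBG.00401200",
    "00401200\tMain\tMOV EDI,EDI",
    "00401202\tMain\tRETN",
    "00401108\tMain\tCALL OLLYDBG.00401300",
    "00401300\tMain\tSUB ESP,40",
    "00401303\tMain\tRETN 8",  # returns into garbage: [esp] was clobbered
    "00310031\tMain\t???\tAccess violation when executing [00310031]",
])

CALL_RE = re.compile(r"^CALL\b")
RET_RE = re.compile(r"^RETN?\b")   # matches RETN, RETN 8, RET

def parse_trace(text):
    """(address, thread, command, comment) tuples; header and status lines dropped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split("\t")
        if len(parts) < 3:
            continue  # e.g. "Flushing gathered information"
        rows.append((parts[0], parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
    return rows

def find_bad_return(rows):
    """Replay CALL/RETN pairs. A genuine return lands 2..7 bytes past its CALL
    (length range of x86 CALL encodings; a heuristic). The first RETN landing
    elsewhere is returned as (call_addr, call_cmd, ret_addr, landed_addr)."""
    stack = []
    for i, (addr, _thread, cmd, _comment) in enumerate(rows):
        if CALL_RE.match(cmd):
            stack.append((addr, cmd))
        elif RET_RE.match(cmd) and stack and i + 1 < len(rows):
            call_addr, call_cmd = stack.pop()
            landed = rows[i + 1][0]
            try:
                delta = int(landed, 16) - int(call_addr, 16)
            except ValueError:
                continue  # symbolic address (e.g. an API name): cannot judge
            if not 2 <= delta <= 7:
                return (call_addr, call_cmd, addr, landed)
    return None
```

On the sample the script reports the RETN 8 at 00401303 landing on 00310031, matched to the CALL at 00401108, which is the call site the original question is asking for.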

