
Thread: Logging conditional jumps plug in or script?

  1. #1

    Logging conditional jumps plug in or script?

    I had an idea for a script or plugin to log all conditional jumps while animating in conjunction with Ctrl-F8. Forgive me if one already exists.

    While animating, when a conditional jump is encountered, I'd like to log the address, the command and whether or not the jump was taken.

    First, is this possible?
    Second, if so, could anyone help me script it?

    I promise that I have read the FAQ and tried to use the Search to answer my question.
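The record the poster describes (address, command, taken or not) can be derived offline from an OllyDbg "Search for all commands" listing plus an EFLAGS snapshot, which is exactly what a log breakpoint on each Jcc would have to evaluate. The following is an added example, not code from the thread or from OllyDbg: it parses the listing format that appears later in this thread (address, Jcc mnemonic, optional SHORT, module.target) and decides taken/not-taken from the EFLAGS bits each condition code tests (Intel SDM semantics; OllyDbg's aliases such as JNB/JAE and JNZ/JNE map to the same predicate). The sample listing rows and the EFLAGS values in the demo are constructed inputs, and the fall-through address assumes an unprefixed 2-byte (rel8) or 6-byte (0F 8x rel32) encoding.

```python
"""Added example, not from the thread: predict Jcc outcome from EFLAGS and log it."""
from __future__ import annotations

import re
from dataclasses import dataclass

# EFLAGS bit masks (Intel SDM vol. 1, section 3.4.3)
CF = 1 << 0
PF = 1 << 2
ZF = 1 << 6
SF = 1 << 7
OF = 1 << 11

# One predicate per condition code; every alias OllyDbg may print shares it.
_JCC_FAMILIES = [
    (("JO",),               lambda e: bool(e & OF)),
    (("JNO",),              lambda e: not e & OF),
    (("JB", "JC", "JNAE"),  lambda e: bool(e & CF)),
    (("JNB", "JAE", "JNC"), lambda e: not e & CF),
    (("JE", "JZ"),          lambda e: bool(e & ZF)),
    (("JNE", "JNZ"),        lambda e: not e & ZF),
    (("JBE", "JNA"),        lambda e: bool(e & (CF | ZF))),
    (("JA", "JNBE"),        lambda e: not e & (CF | ZF)),
    (("JS",),               lambda e: bool(e & SF)),
    (("JNS",),              lambda e: not e & SF),
    (("JP", "JPE"),         lambda e: bool(e & PF)),
    (("JNP", "JPO"),        lambda e: not e & PF),
    (("JL", "JNGE"),        lambda e: bool(e & SF) != bool(e & OF)),
    (("JGE", "JNL"),        lambda e: bool(e & SF) == bool(e & OF)),
    (("JLE", "JNG"),        lambda e: bool(e & ZF) or bool(e & SF) != bool(e & OF)),
    (("JG", "JNLE"),        lambda e: not e & ZF and bool(e & SF) == bool(e & OF)),
]
JCC_TAKEN = {name: pred for names, pred in _JCC_FAMILIES for name in names}

# One row of OllyDbg's "Found commands" window, as pasted in the thread.
_LINE_RE = re.compile(
    r"^\s*(?P<addr>[0-9A-Fa-f]{8})\s+"          # instruction address
    r"(?P<mnem>J[A-Z]+)\s+"                     # mnemonic (JMP is filtered below)
    r"(?:(?P<short>SHORT)\s+)?"                 # present for the rel8 encoding
    r"(?:(?P<module>[^\s.]+)\.)?(?P<target>[0-9A-Fa-f]{8})"
    r"\s*(?P<comment>.*)$"
)

# Constructed sample: a few rows copied from the calc.exe listing in the thread.
SAMPLE_LISTING = """\
Found commands
Address                             Disassembly                               Comment
0100163D                            JA SHORT calc.0100165B
01001659                            JNB SHORT calc.01001639
01001679                            JE SHORT calc.01001681
01001694                            JE calc.010017C2
0100175E                            JLE SHORT calc.0100176C
0100176E                            JGE SHORT calc.010017B3
"""


@dataclass(frozen=True)
class Jcc:
    addr: int
    mnem: str
    short: bool
    target: int

    @property
    def length(self) -> int:
        # Assumption: no prefixes. rel8 form is 2 bytes, 0F 8x rel32 form is 6.
        return 2 if self.short else 6


def parse_listing(text: str) -> list[Jcc]:
    """Extract conditional jumps from a 'Found commands' dump; skip headers and JMP."""
    jumps = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m or m["mnem"] not in JCC_TAKEN:
            continue
        jumps.append(Jcc(int(m["addr"], 16), m["mnem"],
                         m["short"] is not None, int(m["target"], 16)))
    return jumps


def is_taken(mnem: str, eflags: int) -> bool:
    """Would this Jcc be taken with the given EFLAGS value?"""
    return JCC_TAKEN[mnem.upper()](eflags)


def log_jump(j: Jcc, eflags: int) -> dict:
    """The record the poster asked for: address, command, taken, and resulting EIP."""
    taken = is_taken(j.mnem, eflags)
    return {
        "addr": j.addr,
        "command": f"{j.mnem}{' SHORT' if j.short else ''} {j.target:08X}",
        "taken": taken,
        "next_eip": j.target if taken else j.addr + j.length,
    }


def format_record(rec: dict) -> str:
    state = "taken" if rec["taken"] else "not taken"
    return f"{rec['addr']:08X}  {rec['command']:<22} {state:<9} -> {rec['next_eip']:08X}"


if __name__ == "__main__":
    # Constructed EFLAGS snapshots, one per sampled jump (not captured from calc.exe).
    snapshots = [0, CF, ZF, 0, SF, SF | OF]
    for j, eflags in zip(parse_listing(SAMPLE_LISTING), snapshots):
        print(format_record(log_jump(j, eflags)))
```

In a live session the EFLAGS value would come from the debugger at the breakpoint instead of the constructed list; the predicate table is the part worth keeping, since it is what turns "the breakpoint fired" into "the jump was taken".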

  2. #2
    disavowed
    Join Date
    Apr 2002
    You'd probably be better off just using Process Stalker (Google it).

  3. #3
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    right click --> search for all commands --> JCC const --> right click --> set conditional log breakpoint on all commands

    A sample output from calc.exe for the above search:

    Found commands
    Address                             Disassembly                               Comment
    0100163D                            JA SHORT calc.0100165B
    01001659                            JNB SHORT calc.01001639
    01001679                            JE SHORT calc.01001681
    0100167F                            JNZ SHORT calc.0100168C
    0100168A                            JNZ SHORT calc.01001675
    01001694                            JE calc.010017C2
    0100169C                            JNZ SHORT calc.010016AA
    010016A2                            JE SHORT calc.010016C4
    010016A8                            JE SHORT calc.010016C4
    010016AE                            JNZ SHORT calc.010016B9
    010016C2                            JNZ SHORT calc.0100169A
    010016CA                            JE calc.010017C2
    010016D9                            JE calc.0100178A
    010016E1                            JE SHORT calc.0100173F
    010016E6                            JE SHORT calc.01001712
    010016EB                            JE calc.0100178A
    010016F3                            JE SHORT calc.0100173F
    010016F8                            JNZ calc.010017B3
    01001704                            JE SHORT calc.01001712
    0100170A                            JE SHORT calc.01001712
    01001710                            JNZ SHORT calc.0100171D
    0100171B                            JNZ SHORT calc.01001700
    01001731                            JE SHORT calc.0100173F
    01001737                            JE SHORT calc.0100173F
    0100173D                            JNZ SHORT calc.0100174A
    01001748                            JNZ SHORT calc.0100172D
    0100175E                            JLE SHORT calc.0100176C
    0100176E                            JGE SHORT calc.010017B3
    0100177C                            JE SHORT calc.0100178A
    01001782                            JE SHORT calc.0100178A
    01001788                            JNZ SHORT calc.01001795
    01001793                            JNZ SHORT calc.01001778
    010017A7                            JLE SHORT calc.010017B3
    010017BC                            JNZ calc.010016D3
    010017D3                            JNZ SHORT calc.01001845
    0100183F                            JNZ SHORT calc.01001845
    01001A08                            JE SHORT calc.01001A16
    01001ABB                            JE SHORT calc.01001AC0
    01001ACB                            JE SHORT calc.01001AD0
    01001AD9                            JE SHORT calc.01001AF3
    01001B0B                            JE SHORT calc.01001B22
    01001B18                            JE SHORT calc.01001B22
    01001B25                            JE calc.01001E2D
    01001B3B                            JE SHORT calc.01001B77
    01001B86                            JE SHORT calc.01001BDA
    01001BAD                            JE calc.01001CF0
    01001C12                            JE SHORT calc.01001C36
    01001C57                            JLE SHORT calc.01001C3D
    01001C73                            JLE SHORT calc.01001CF0
    01001D01                            JE SHORT calc.01001D23
    01001D13                            JE SHORT calc.01001D23
    01001D26                            JE SHORT calc.01001D3F
    01001D8C                            JE SHORT calc.01001DC4
    01001DE4                            JNZ SHORT calc.01001DEB
    01001E30                            JE SHORT calc.01001E40
    01001F8B                            JE SHORT calc.01001FA8
    01001F92                            JE SHORT calc.01001FA8
    01001FC2                            JE calc.010020A8
    01001FDD                            JNZ SHORT calc.01001FE3
    01001FF6                            JG SHORT calc.01002049
    01002018                            JNZ SHORT calc.01002038
    0100202D                            JNZ SHORT calc.01002033
    0100205D                            JNZ SHORT calc.010020AF
    0100206B                            JE SHORT calc.01002076
    0100208F                            JE SHORT calc.010020A2
    010020B4                            JG SHORT calc.010020C7
    01002150                            JE SHORT calc.01002161
    0100215F                            JNZ SHORT calc.010021A7
    01002169                            JE SHORT calc.01002179
    01002177                            JE SHORT calc.01002193
    01002191                            JNZ SHORT calc.010021A7
    010021B2                            JNZ SHORT calc.01002149
    0100223B                            JE SHORT calc.0100224D
    01002314                            JE SHORT calc.01002324
    01002327                            JE SHORT calc.01002335
    01002350                            JNZ SHORT calc.01002361
    01002364                            JE SHORT calc.010023B6
    01002386                            JE SHORT calc.01002394
    010023D8                            JE SHORT calc.010023EF
    010023DE                            JE SHORT calc.010023EA
    010023F3                            JE SHORT calc.01002407
    01002404                            JNZ SHORT calc.01002407
    0100242F                            JL SHORT calc.01002434
    0100243C                            JE SHORT calc.01002449
    01002455                            JE SHORT calc.0100245B
    01002459                            JE SHORT calc.010024B7
    01002460                            JGE SHORT calc.01002477
    01002464                            JE SHORT calc.0100246D
    0100247E                            JNZ SHORT calc.010024A0
    01002482                            JNZ SHORT calc.010024A0
    01002486                            JNZ SHORT calc.010024A0
    01002494                            JE SHORT calc.010024A8
    01002497                            JNZ SHORT calc.010024A0
    0100249E                            JBE SHORT calc.010024AF
    010024AD                            JNZ SHORT calc.010024A0
    010024C5                            JE SHORT calc.010024D2
    010024D6                            JE SHORT calc.010024E6
    010024FA                            JNZ SHORT calc.01002501
    010024FF                            JE SHORT calc.01002505
    01002537                            JNZ SHORT calc.0100253C
    01002547                            JE SHORT calc.01002564
    01002552                            JNZ SHORT calc.0100255F
    0100255A                            JNZ SHORT calc.01002591
    0100256A                            JNZ SHORT calc.0100256F
    01002575                            JG SHORT calc.0100257B
    0100257D                            JE SHORT calc.0100258B
    01002582                            JNZ SHORT calc.01002591
    01002589                            JNZ SHORT calc.01002591
    010025A1                            JE SHORT calc.010025AF
    010025B7                            JE SHORT calc.010025D8
    010025C0                            JNZ SHORT calc.010025FA
    010025DF                            JE SHORT calc.010025FF
    010025F4                            JE SHORT calc.010025FF
    010025F8                            JE SHORT calc.010025FF
    0100266B                            JB SHORT calc.01002675
    01002673                            JBE SHORT calc.010026D0
    0100267B                            JB SHORT calc.01002685
    01002683                            JBE SHORT calc.010026D0
    0100268B                            JB SHORT calc.01002695
    01002693                            JBE SHORT calc.010026D0
    0100269B                            JB SHORT calc.010026A5
    010026A3                            JBE SHORT calc.010026D0
    010026A8                            JE SHORT calc.010026D0
    010026AD                            JE SHORT calc.010026D0
    010026B2                            JE SHORT calc.010026D0
    010026B7                            JE SHORT calc.010026D0
    010026BC                            JE SHORT calc.010026D0
    010026D8                            JE SHORT calc.010026F0
    010026DD                            JE SHORT calc.010026F0
    010026E2                            JE SHORT calc.010026F0
    010026EA                            JNZ calc.010027CF
    010026F6                            JE calc.0100277E
    010026FF                            JB SHORT calc.01002706
    01002704                            JBE SHORT calc.01002754
    01002709                            JB SHORT calc.01002710
    0100270E                            JBE SHORT calc.01002754
    01002712                            JB SHORT calc.0100271C
    0100271A                            JBE SHORT calc.01002754
    01002722                            JB SHORT calc.0100272C
    0100272A                            JBE SHORT calc.01002754
    01002732                            JB SHORT calc.0100273C
    0100273A                            JBE SHORT calc.01002754
    01002742                            JB SHORT calc.0100274C
    0100274A                            JBE SHORT calc.01002754
    01002752                            JNZ SHORT calc.010027A7
    01002781                            JB SHORT calc.0100278B
    01002789                            JBE SHORT calc.01002790
    0100278E                            JNZ SHORT calc.010027A7
    010027AF                            JB SHORT calc.010027E5
    010027B7                            JA SHORT calc.010027E5
    010027C2                            JGE SHORT calc.010027CF
    010027CD                            JNZ SHORT calc.010027DB
    010027E8                            JB SHORT calc.0100283F
    010027ED                            JA SHORT calc.0100283F
    010027F5                            JE SHORT calc.01002822
    01002819                            JNZ SHORT calc.01002829
    01002842                            JB calc.01002DAB
    0100284B                            JA calc.01002DAB
    01002857                            JE SHORT calc.01002875
    0100285C                            JNZ SHORT calc.01002875
    0100287D                            JL SHORT calc.0100288F
    01002882                            JG SHORT calc.0100288F
    01002895                            JE calc.01002C19
    010028A6                            JE SHORT calc.010028BA
    010028AB                            JGE SHORT calc.010028BA
    010028B8                            JNZ SHORT calc.010028A8
    010028C6                            JGE SHORT calc.010028D5
    010028D3                            JNZ SHORT calc.010028C3
    010028D8                            JNZ SHORT calc.010028DC
    010028DF                            JNZ SHORT calc.010028E3
    010028F1                            JBE SHORT calc.010028FF
    010028F9                            JE calc.01002AD5
    01002929                            JE calc.01002C0C
    01002936                            JE calc.01002C0C
    0100295D                            JE calc.01002A3D
    01002ADD                            JGE calc.01002BF3
    01002C12                            JNZ SHORT calc.01002C19
    01002DAE                            JB calc.01002F37
    01002DB7                            JA calc.01002F37
    01002DC5                            JL calc.01002E93
    01002DCE                            JG calc.01002E93
    01002EB3                            JNZ calc.010042EB
    01002EC4                            JE SHORT calc.01002F04
    01002EC9                            JE SHORT calc.01002EF3
    01002ECE                            JE SHORT calc.01002EF3
    01002ED3                            JE SHORT calc.01002EF3
    01002ED8                            JE SHORT calc.01002EF3
    01002EDD                            JE SHORT calc.01002EF3
    01002EE2                            JE SHORT calc.01002EF3
    01002EE7                            JE SHORT calc.01002EF3
    01002EEC                            JE SHORT calc.01002EF3
    01002EF1                            JNZ SHORT calc.01002F04
    01002F0A                            JE SHORT calc.01002F2C
    01002F0F                            JE SHORT calc.01002F1B
    01002F14                            JE SHORT calc.01002F1B
    01002F19                            JNZ SHORT calc.01002F2C
    01002F3D                            JB SHORT calc.01002F60
    01002F45                            JA SHORT calc.01002F60
    01002F4E                            JNZ SHORT calc.01002F55
    01002F6A                            JA calc.01003A98
    01002F70                            JE calc.010039D7
    01002F79                            JA calc.0100323E
    01002F7F                            JE calc.01003216
    01002F88                            JE calc.010031F5
    01002F8F                            JE SHORT calc.01002FEA
    01002F92                            JE calc.010030F0
    01002F99                            JE SHORT calc.01002FC3
    01002F9C                            JNZ calc.010042E5
    01002FA9                            JE SHORT calc.01002FB7
    01002FC9                            JE calc.01003232
    01002FD7                            JNZ SHORT calc.01002FE0
    010031B2                            JNZ SHORT calc.010031D6
    010031FB                            JE SHORT calc.01003208
    0100321C                            JE SHORT calc.01003232
    01003225                            JNZ SHORT calc.01003232
    01003241                            JE calc.010039C2
    01003248                            JE calc.01003844
    0100324F                            JE calc.01003348
    01003256                            JNZ calc.010042E5
    0100332A                            JE SHORT calc.01003331
    01003350                            JL calc.0100341B
    01003359                            JG calc.0100341B
    01003421                            JE calc.01003671
    0100342D                            JE calc.010034CE
    01003662                            JNZ SHORT calc.01003669
    01003677                            JNZ SHORT calc.0100367E
    01003685                            JE calc.01004061
    01003692                            JE calc.01004061
    010036B9                            JE calc.01003773
    01003839                            JGE calc.01003348
    0100384B                            JNZ calc.01003232
    0100385D                            JE calc.010038FB
    01003A9F                            JA calc.01004166
    01003AA5                            JE calc.0100414B
    01003AAE                            JE calc.010040AD
    01003AB7                            JE calc.01004098
    01003AC0                            JE calc.0100406C
    01003AC9                            JBE calc.010042E5
    01003AD2                            JA calc.010042E5
    01003ADE                            JNZ SHORT calc.01003AE7
    01003AEF                            JL SHORT calc.01003AFA
    01003AF4                            JNZ calc.01003232
    01003AFC                            JNZ SHORT calc.01003B07
    01003B01                            JE calc.01003232
    01003B10                            JL SHORT calc.01003B1F
    01003B19                            JNZ calc.01003232
    01003B22                            JE calc.01003E95
    01003D25                            JE calc.01003DDF
    01003ECD                            JNZ calc.01003D1F
    01003FFE                            JNZ SHORT calc.01004005
    0100401D                            JNZ calc.010042E5
    01004026                            JE calc.01002FE0
    01004036                            JLE SHORT calc.0100404D
    01004072                            JE calc.01003232
    0100407F                            JNZ calc.01003232
    0100408D                            JE calc.01003232
    0100416C                            JE calc.010042CA
    01004178                            JBE calc.010042E5
    01004184                            JBE SHORT calc.010041A6
    0100418C                            JBE calc.010042E5
    01004198                            JBE SHORT calc.010041B1
    010041A0                            JNZ calc.010042E5
    010041B8                            JNZ SHORT calc.0100420C
    010041C0                            JB calc.01002FE0
    01004212                            JB SHORT calc.01004217
    0100421D                            JE SHORT calc.01004230
    0100423D                            JE SHORT calc.0100426C
    01004240                            JE SHORT calc.01004260
    01004243                            JE SHORT calc.01004254
    01004246                            JNZ SHORT calc.01004276
    01004314                            JE SHORT calc.0100431D
    01004334                            JE SHORT calc.0100433D
    010043CC                            JE SHORT calc.010043E5
    010043CF                            JE SHORT calc.010043D5
    01004464                            JNZ SHORT calc.0100446A
    01004473                            JE SHORT calc.010044AB
    01004487                            JBE SHORT calc.01004497
    0100448C                            JNB SHORT calc.01004497
    0100449C                            JE SHORT calc.010044A3
    010044A9                            JNZ SHORT calc.01004475
    010044C0                            JE calc.010045B3
    010044CB                            JE calc.010045B3
    010044E8                            JE SHORT calc.010044F4
    010044F2                            JNZ SHORT calc.010044E5
    01004517                            JBE SHORT calc.01004528
    0100451F                            JE SHORT calc.0100452A
    0100452C                            JG SHORT calc.01004515
    01004551                            JLE SHORT calc.01004595
    01004569                            JNZ SHORT calc.0100458B
    0100456E                            JLE SHORT calc.0100458B
    01004580                            JE SHORT calc.0100458B
    01004593                            JG SHORT calc.01004553
    01004599                            JE SHORT calc.010045A7
    010045DD                            JNZ calc.01004673
    010045EA                            JE calc.01004673
    010045FE                            JE SHORT calc.01004673
    0100460B                            JNZ SHORT calc.01004673
    01004618                            JNZ SHORT calc.01004673
    01004626                            JNZ SHORT calc.01004673
    01004634                            JNZ SHORT calc.01004673
    01004642                            JNZ SHORT calc.01004673
    01004650                            JNZ SHORT calc.01004673
    01004660                            JNZ SHORT calc.01004673
    0100466D                            JE calc.0100490D
    0100467A                            JE calc.0100473E
    0100479E                            JE SHORT calc.010047B5
    010047B8                            JNZ SHORT calc.010047D1
    010047EF                            JE SHORT calc.0100480C
    01004842                            JS SHORT calc.0100485C
    01004857                            JNZ SHORT calc.01004862
    01004869                            JNZ SHORT calc.01004880
    01004887                            JE SHORT calc.010048D7
    0100488C                            JE SHORT calc.010048CA
    01004890                            JE SHORT calc.010048A7
    01004895                            JE SHORT calc.010048D7
    0100491D                            JNZ SHORT calc.0100499A
    0100493E                            JNZ SHORT calc.01004997
    0100495C                            JNZ SHORT calc.01004984
    01004961                            JE SHORT calc.01004984
    01004966                            JE SHORT calc.01004984
    01004971                            JBE SHORT calc.01004975
    01004980                            JE SHORT calc.01004948
    01004995                            JE SHORT calc.0100492D
    010049B4                            JNZ SHORT calc.010049C1
    010049C7                            JNZ SHORT calc.010049D5
    010049DB                            JNZ SHORT calc.010049F5
    010049FE                            JE SHORT calc.01004A1A
    01004A27                            JE SHORT calc.01004A38
    01004A3E                            JE SHORT calc.01004A47
    01004A99                            JA SHORT calc.01004AB2
    01004AAB                            JE SHORT calc.01004AC3
    01004BB7                            JE SHORT calc.01004BC4
    01004BC7                            JE SHORT calc.01004BD4
    01004BEE                            JNZ calc.01004E95
    01004BFA                            JE SHORT calc.01004C24
    01004C02                            JE SHORT calc.01004C11
    01004C2D                            JE SHORT calc.01004C39
    01004C4A                            JNZ calc.01004E95
    01004C56                            JE SHORT calc.01004C80
    01004C5E                            JE SHORT calc.01004C6D
    01004C89                            JE SHORT calc.01004C95
    01004CA6                            JNZ calc.01004E95
    01004CB2                            JE SHORT calc.01004CDC
    01004CBA                            JE SHORT calc.01004CC9
    01004CE5                            JE SHORT calc.01004CF1
    01004D0E                            JNZ SHORT calc.01004D27
    01004D16                            JNZ SHORT calc.01004D27
    01004D40                            JE calc.01004E3B
    01004E1A                            JE SHORT calc.01004E28
    01004E4B                            JE SHORT calc.01004E66
    01004E50                            JNZ SHORT calc.01004E5C
    01004E69                            JNZ SHORT calc.01004E75
    01004E93                            JE SHORT calc.01004EA1
    010050AB                            JE SHORT calc.010050B8
    010050BB                            JE SHORT calc.010050C8
    010050CB                            JE SHORT calc.010050D8
    01005137                            JL SHORT calc.01005148
    01005141                            JG SHORT calc.01005148
    01005154                            JNZ SHORT calc.01005182
    01005162                            JE SHORT calc.01005182
    0100516B                            JE SHORT calc.01005179
    01005170                            JNZ SHORT calc.01005179
    01005199                            JE SHORT calc.010051A7
    010051AE                            JG SHORT calc.01005203
    010051B0                            JE SHORT calc.010051FF
    010051B7                            JG SHORT calc.010051E5
    010051B9                            JE SHORT calc.010051E1
    010051C1                            JE SHORT calc.010051DD
    010051C4                            JE SHORT calc.010051D9
    010051CC                            JE SHORT calc.010051D5
    010051CF                            JNZ SHORT calc.0100521F
    010051EB                            JE SHORT calc.010051FB
    010051EE                            JE SHORT calc.010051F7
    010051F1                            JNZ SHORT calc.0100521F
    01005209                            JE SHORT calc.01005247
    0100520C                            JE SHORT calc.01005243
    0100520F                            JE SHORT calc.0100523C
    01005212                            JE SHORT calc.01005235
    01005217                            JE SHORT calc.0100522E
    0100521A                            JE SHORT calc.01005227
    0100521D                            JE SHORT calc.01005223
    0100525B                            JE SHORT calc.01005255
    0100525F                            JE SHORT calc.01005267
    01005264                            JNZ SHORT calc.01005261
    01005272                            JNZ SHORT calc.0100527B
    0100529E                            JNZ SHORT calc.010052A9
    0100541F                            JNZ SHORT calc.01005441
    01005557                            JE SHORT calc.01005571
    01005562                            JE SHORT calc.0100556E
    0100566F                            JE calc.010059D5
    0100567A                            JE calc.010057CB
    01005685                            JE calc.01005792
    01005692                            JE calc.01005726
    01005698                            JBE calc.01005A73
    010056A3                            JBE SHORT calc.010056CB
    010056AA                            JNZ calc.01005A73
    010056D7                            JE calc.01005A73
    01005704                            JE SHORT calc.01005714
    0100570C                            JNZ SHORT calc.01005714
    01005756                            JE SHORT calc.0100576A
    01005775                            JNZ SHORT calc.0100577C
    010057BB                            JNZ calc.01005A73
    010057DE                            JNZ SHORT calc.010057FF
    0100580E                            JE calc.010059CA
    0100581F                            JE calc.010059CA
    0100583A                            JNZ calc.010059C1
    0100584A                            JNB calc.010059C1
    01005862                            JE calc.010059B5
    0100586E                            JE calc.010059B5
    01005878                            JE calc.010059B5
    01005885                            JE calc.010059B5
    0100588E                            JE calc.010059C1
    0100589B                            JNZ SHORT calc.010058A8
    010058AC                            JNZ SHORT calc.010058C0
    010058B2                            JNZ SHORT calc.010058C0
    010058CB                            JE SHORT calc.010058D3
    010058D1                            JNZ SHORT calc.010058DE
    010058D5                            JNZ SHORT calc.010058DE
    010058E2                            JNZ SHORT calc.01005905
    010058E8                            JNZ SHORT calc.010058F2
    010058EC                            JE calc.010059B5
    010058F8                            JNZ SHORT calc.01005913
    010058FC                            JNZ SHORT calc.01005913
    0100590A                            JNZ SHORT calc.01005913
    0100591C                            JE calc.010059B5
    01005937                            JE SHORT calc.0100594D
    0100593C                            JGE SHORT calc.0100594B
    01005946                            JNZ SHORT calc.01005939
    0100594B                            JE SHORT calc.010059C1
    0100595E                            JE SHORT calc.01005977
    01005968                            JL SHORT calc.01005977
    0100596F                            JG SHORT calc.01005977
    01005997                            JE SHORT calc.010059B5
    0100599D                            JE SHORT calc.010059B5
    010059BB                            JE calc.01005842
    010059DD                            JE SHORT calc.010059F4
    01005A0D                            JE SHORT calc.01005A18
    01005A16                            JNZ SHORT calc.01005A3B
    01005A36                            JNZ SHORT calc.01005A3B
    01005A9B                            JG calc.01005D7C
    01005AA1                            JE calc.01005F05
    01005AAA                            JE calc.01005C40
    01005AB3                            JE calc.01005C33
    01005ABA                            JE calc.01005C26
    01005AC1                            JE calc.01005C0A
    01005AC8                            JNZ calc.01006049
    01005D7F                            JE calc.0100608E
    01005D86                            JE calc.0100607E
    01005D8D                            JE calc.01006067
    01005D94                            JE calc.01005F05
    01005D9B                            JNZ calc.01006049
    01005ED7                            JE SHORT calc.01005EF7
    0100603B                            JNZ SHORT calc.01006044
    0100604D                            JE calc.01005C15
    010060A2                            JE SHORT calc.010060B3
    010060D2                            JE SHORT calc.01006112
    01006127                            JA calc.010063CD
    0100612D                            JE calc.01006336
    01006136                            JE calc.0100628D
    0100613F                            JE calc.0100623F
    01006148                            JE calc.01006207
    01006151                            JE SHORT calc.01006177
    01006156                            JNZ calc.010063EB
    01006181                            JNZ calc.01006521
    0100618F                            JE calc.01006521
    0100619B                            JNZ SHORT calc.010061A1
    010061A4                            JNZ calc.01006521
    010061C7                            JE SHORT calc.010061D3
    0100620C                            JE SHORT calc.01006234
    01006220                            JE SHORT calc.01006234
    0100622E                            JNZ calc.01006521
    01006248                            JE SHORT calc.0100625B
    01006296                            JNZ SHORT calc.0100629A
    010062A1                            JE SHORT calc.010062B6
    010062A7                            JE SHORT calc.010062AE
    010062AC                            JNZ SHORT calc.010062B6
    010062CB                            JE calc.010063EB
    010062FA                            JE calc.010063EB
    01006346                            JNZ SHORT calc.0100638B
    01006377                            JE SHORT calc.010063C5
    0100637F                            JE SHORT calc.010063C5
    01006387                            JE SHORT calc.010063C5
    010063A1                            JE calc.01006521
    010063D4                            JE calc.010064A4
    010063DB                            JE calc.0100647D
    010063E4                            JE SHORT calc.01006450
    010063E9                            JE SHORT calc.01006400
    0100640E                            JNZ SHORT calc.01006443
    0100648A                            JNZ SHORT calc.01006494
    010064B3                            JNZ SHORT calc.010064C5
    010064BC                            JNZ SHORT calc.010064C5
    010064C9                            JNZ SHORT calc.01006503
    0100650A                            JE SHORT calc.01006521
    01006510                            JE SHORT calc.01006521
    01006516                            JE SHORT calc.01006521
    01006534                            JB SHORT calc.01006543
    0100653D                            JA SHORT calc.01006543
    01006575                            JE calc.01006602
    01006598                            JE SHORT calc.0100659E
    0100659C                            JE SHORT calc.010065BA
    010065B8                            JBE SHORT calc.010065A0
    010065C3                            JLE SHORT calc.010065E4
    010065DD                            JL SHORT calc.010065C5
    010065E2                            JGE SHORT calc.010065FE
    010065FC                            JL SHORT calc.010065E7
    01006639                            JNZ SHORT calc.01006682
    01006650                            JE SHORT calc.0100665F
    01006693                            JE SHORT calc.010066A2
    0100670A                            JLE SHORT calc.010066E2
    01006731                            JE SHORT calc.01006737
    01006752                            JLE SHORT calc.0100671B
    01006775                            JE SHORT calc.010067AF
    0100677A                            JE SHORT calc.010067A8
    0100677F                            JE SHORT calc.010067B1
    01006784                            JE SHORT calc.010067A4
    0100678C                            JBE SHORT calc.010067B1
    01006790                            JA SHORT calc.010067B1
    01006815                            JNZ SHORT calc.0100683D
    0100689B                            JE SHORT calc.01006904
    010068D1                            JNZ SHORT calc.010068F4
    0100690B                            JE SHORT calc.01006971
    0100692D                            JLE SHORT calc.0100694D
    0100694B                            JL SHORT calc.0100692F
    01006996                            JB SHORT calc.01006973
    010069A8                            JE calc.01006E5F
    010069B1                            JE calc.01006E58
    010069BA                            JE calc.01006E33
    010069C3                            JE calc.01006E21
    010069CE                            JE calc.01006E0C
    010069D5                            JNZ calc.01006E08
    010069E5                            JE calc.01006CBE
    010069F1                            JE calc.01006CBE
    01006A06                            JE SHORT calc.01006A29
    01006A09                            JE calc.01006BC3
    01006A12                            JNZ calc.01006E08
    01006A42                            JE calc.01006CB2
    01006A53                            JG calc.01006CB2
    01006A5B                            JE calc.01006CB2
    01006A79                            JE calc.01006BC5
    01006A87                            JL SHORT calc.01006A8D
    01006A8B                            JNZ SHORT calc.01006A90
    01006AC2                            JGE calc.01006C46
    01006BFD                            JLE SHORT calc.01006C1D
    01006C1B                            JL SHORT calc.01006BFF
    01006C83                            JNZ calc.01006E66
    01006CA2                            JE calc.01006E66
    01006CEF                            JLE calc.01006DE0
    01006CF8                            JE calc.01006DE0
    01006E7F                            JB calc.01007A57
    01006E88                            JBE calc.010077AD
    01006E91                            JE calc.010070A7
    01006E9A                            JNZ calc.01007A57
    01006EB7                            JNZ SHORT calc.01006EF0
    01006ED1                            JE SHORT calc.01006EE6
    01006EE0                            JNZ calc.0100709D
    01006F12                            JE SHORT calc.01006F19
    01006F17                            JNZ SHORT calc.01006F35
    01006F26                            JE calc.0100709D
    01006F2F                            JE calc.0100709D
    010070B9                            JG calc.01007180
    010072FD                            JLE calc.0100748D
    01007487                            JL calc.01007305
    01007605                            JE calc.010076A9
    010076AF                            JNZ SHORT calc.010076C0
    0100788B                            JLE calc.01007A1B
    0100793D                            JE calc.010079FD
    01007A15                            JL calc.01007893
    01007A1F                            JNZ SHORT calc.01007A4F
    01007A26                            JNZ SHORT calc.01007A30
    01007A8B                            JNZ SHORT calc.01007A74
    01007AA2                            JNB SHORT calc.01007A93
    01007AD3                            JNZ SHORT calc.01007B07
    01007AF5                            JNZ SHORT calc.01007AFA
    01007B20                            JNZ SHORT calc.01007B6B
    01007B28                            JNZ SHORT calc.01007B6B
    01007B3E                            JE SHORT calc.01007B4E
    01007B56                            JNZ SHORT calc.01007B6B
    01007B69                            JE SHORT calc.01007B86
    01007B72                            JNZ SHORT calc.01007B94
    01007B84                            JNZ SHORT calc.01007B94
    01007BC6                            JE SHORT calc.01007BCE
    01007BD8                            JE SHORT calc.01007BF7
    01007C14                            JNZ SHORT calc.01007C20
    01007C35                            JNZ SHORT calc.01007C41
    01007C67                            JGE SHORT calc.01007C70
    01007C86                            JNZ SHORT calc.01007C76
    01007CA2                            JLE SHORT calc.01007CBD
    01007CAA                            JLE SHORT calc.01007CBC
    01007CBA                            JG SHORT calc.01007CA8
    01007CBF                            JLE SHORT calc.01007CC9
    01007CC7                            JNZ SHORT calc.01007CC1
    01007CE8                            JLE SHORT calc.01007CF5
    01007CF7                            JLE SHORT calc.01007D1C
    01007CFC                            JNZ SHORT calc.01007D09
    01007D07                            JG SHORT calc.01007CF9
    01007D0B                            JE SHORT calc.01007D1C
    01007D41                            JLE SHORT calc.01007DAC
    01007D47                            JE SHORT calc.01007D57
    01007D69                            JNZ SHORT calc.01007DA5
    01007D81                            JLE SHORT calc.01007DA5
    01007DA9                            JG SHORT calc.01007D44
    01007DF9                            JBE SHORT calc.01007DFD
    01007E1A                            JBE SHORT calc.01007E54
    01007E23                            JNZ SHORT calc.01007E54
    01007E40                            JE SHORT calc.01007E49
    01007E4C                            JNZ SHORT calc.01007E2C
    01007E52                            JNZ SHORT calc.01007E1C
    01007EAC                            JLE SHORT calc.01007EEA
    01007EE8                            JL SHORT calc.01007EAE
    01007FA1                            JE calc.010080FB
    01007FAF                            JE calc.010080E5
    01007FBE                            JE SHORT calc.01007FFF
    01007FC9                            JNZ SHORT calc.01007FDB
    01007FD9                            JNZ SHORT calc.01007FC6
    01007FDD                            JE SHORT calc.01007FFF
    01007FEA                            JNZ SHORT calc.01007FF3
    01008004                            JE SHORT calc.01008051
    01008008                            JE SHORT calc.01008051
    0100800B                            JE SHORT calc.01008047
    0100800F                            JE SHORT calc.0100803D
    01008014                            JE SHORT calc.0100801B
    01008019                            JNZ SHORT calc.01008029
    0100801E                            JE SHORT calc.01008033
    01008027                            JE SHORT calc.01008033
    0100805C                            JG calc.01008133
    01008062                            JE calc.01008185
    0100806B                            JE calc.01008123
    01008074                            JE SHORT calc.01008083
    01008077                            JE SHORT calc.0100807E
    0100807A                            JE SHORT calc.01008086
    0100808F                            JG SHORT calc.0100809E
    01008094                            JLE SHORT calc.0100809E
    010080AA                            JE SHORT calc.010080CB
    010080B6                            JGE SHORT calc.010080CB
    010080DF                            JNZ calc.01007FAC
    010080E8                            JE calc.0100819A
    010080F1                            JE calc.0100819A
    010080FE                            JGE SHORT calc.01008112
    0100810A                            JL SHORT calc.01008106
    01008138                            JE SHORT calc.01008141
    0100813C                            JE SHORT calc.01008185
    0100813F                            JNZ SHORT calc.010080D8
    0100814A                            JG SHORT calc.01008159
    0100814F                            JLE SHORT calc.01008159
    01008165                            JE calc.010080D5
    010081AA                            JNZ SHORT calc.010081B4
    01008215                            JNZ calc.01008340
    01008229                            JNZ calc.01008340
    01008396                            JLE SHORT calc.010083A3
    0100839A                            JNZ SHORT calc.010083A3
    010083A5                            JLE SHORT calc.010083AA
    010083C4                            JNZ SHORT calc.010083D0
    010083E0                            JNZ SHORT calc.01008436
    010083E8                            JL SHORT calc.01008436
    0100843A                            JNZ SHORT calc.01008476
    01008446                            JG SHORT calc.0100846F
    0100844D                            JG SHORT calc.0100846F
    0100845B                            JGE SHORT calc.01008476
    01008462                            JE SHORT calc.010084C9
    0100847A                            JE SHORT calc.010084C9
    010084B6                            JE SHORT calc.010084D2
    010084E8                            JE SHORT calc.010084F9
    010084ED                            JE SHORT calc.010084F9
    01008500                            JE SHORT calc.01008523
    01008505                            JNZ SHORT calc.01008521
    01008516                            JNS SHORT calc.01008523
    01008526                            JNZ SHORT calc.01008539
    0100852C                            JLE SHORT calc.01008539
    0100853B                            JG SHORT calc.01008577
    01008541                            JNZ SHORT calc.01008555
    01008557                            JGE SHORT calc.01008577
    0100857C                            JLE SHORT calc.010085BE
    01008596                            JNZ SHORT calc.010085A4
    010085A5                            JNZ SHORT calc.01008581
    010085B1                            JNZ SHORT calc.010085BE
    010085C0                            JG SHORT calc.010085A9
    010085C6                            JE SHORT calc.01008634
    010085CF                            JNZ SHORT calc.010085D8
    0100861F                            JG SHORT calc.010085FB
    0100865E                            JGE SHORT calc.01008662
    01008664                            JGE SHORT calc.01008668
    010086D2                            JGE SHORT calc.010086F0
    01008706                            JE SHORT calc.01008725
    01008740                            JG SHORT calc.01008703
    01008798                            JGE SHORT calc.010087A1
    010087F6                            JE SHORT calc.01008827
    010087FB                            JE SHORT calc.01008827
    01008807                            JE calc.0100897E
    0100882C                            JE calc.010088C1
    01008835                            JE calc.010088C1
    01008968                            JE SHORT calc.0100899F
    0100896D                            JE SHORT calc.0100899F
    0100897C                            JNZ SHORT calc.01008985
    01008A21                            JE SHORT calc.01008A2F
    01008A32                            JLE SHORT calc.01008A3E
    01008A41                            JE SHORT calc.01008A4A
    01008A6D                            JNZ calc.01008B86
    01008A85                            JNZ calc.01008B86
    01008D23                            JNZ SHORT calc.01008D35
    01008D31                            JE SHORT calc.01008D35
    01008E08                            JNZ SHORT calc.01008E1B
    01008E19                            JE SHORT calc.01008E1D
    01008EF0                            JNZ SHORT calc.01008F05
    01008EFF                            JE SHORT calc.01008F05
    01008FDB                            JNZ SHORT calc.01008FF1
    01008FEA                            JNZ SHORT calc.01008FF1
    0100919A                            JLE SHORT calc.010091A4
    010092B8                            JLE calc.01009392
    0100949F                            JE calc.01009536
    01009544                            JE calc.010095D9
    0100AB10                            JNZ calc.0100ABDA
    0100AB37                            JGE SHORT calc.0100AB3B
    0100AB4D                            JLE SHORT calc.0100ABC2
    0100AB56                            JG SHORT calc.0100AB5F
    0100AB8C                            JG SHORT calc.0100AB95
    0100ABCA                            JGE SHORT calc.0100ABCE
    0100AC09                            JBE SHORT calc.0100AC13
    0100AC11                            JB SHORT calc.0100AC0B
    0100AC6C                            JGE calc.0100B9EA
    0100BBA6                            JGE SHORT calc.0100BBB6
    0100BBC0                            JGE SHORT calc.0100BBD0
    0100BBE5                            JNZ SHORT calc.0100BC0A
    0100BC73                            JE SHORT calc.0100BCB1
    0100BD82                            JNZ SHORT calc.0100BDBD
    0100BDAA                            JE SHORT calc.0100BDB5
    0100BDC7                            JE SHORT calc.0100BDDE
    0100BF35                            JNZ calc.0100C035
    0100BF4B                            JE SHORT calc.0100BF62
    0100C057                            JNZ calc.0100C157
    0100C06D                            JE SHORT calc.0100C084
    0100C17F                            JG SHORT calc.0100C183
    0100C185                            JL SHORT calc.0100C189
    0100C19E                            JL SHORT calc.0100C1A2
    0100C1BF                            JLE SHORT calc.0100C23C
    0100C1C7                            JL SHORT calc.0100C1E7
    0100C1D7                            JLE SHORT calc.0100C1E7
    0100C1F1                            JL SHORT calc.0100C20E
    0100C201                            JLE SHORT calc.0100C20E
    0100C216                            JE SHORT calc.0100C228
    0100C219                            JE SHORT calc.0100C223
    0100C21C                            JNZ SHORT calc.0100C230
    0100C23A                            JG SHORT calc.0100C1C1
    0100C248                            JNZ SHORT calc.0100C253
    0100C251                            JG SHORT calc.0100C242
    0100C277                            JE SHORT calc.0100C28E
    0100C345                            JGE SHORT calc.0100C355
    0100C35F                            JGE SHORT calc.0100C36F
    0100CE25                            JE calc.0100D1B1
    0100CE31                            JNZ calc.0100D1B1
    0100CE53                            JNB SHORT calc.0100CE5B
    0100CE82                            JNB SHORT calc.0100CE8A
    0100D1AB                            JE calc.0100CE18
    0100D4CB                            JNZ SHORT calc.0100D4F3
    0100D4F1                            JG SHORT calc.0100D55F
    0100D502                            JNZ SHORT calc.0100D55F
    0100D520                            JNZ SHORT calc.0100D570
    0100D547                            JLE SHORT calc.0100D575
    0100D56E                            JNZ SHORT calc.0100D519
    0100D593                            JG calc.0100D660
    0100D647                            JNZ SHORT calc.0100D66E
    0100D66C                            JNZ SHORT calc.0100D640
    0100D67D                            JE SHORT calc.0100D69F
    0100D903                            JNB SHORT calc.0100D90B
    0100D942                            JNZ SHORT calc.0100D977
    0100D969                            JG SHORT calc.0100D977
    0100D971                            JE calc.0100D8EA
    0100D9D8                            JNZ calc.0100DC42
    0100D9ED                            JNZ calc.0100DC42
    0100DB66                            JE calc.0100DC18
    0100DB7B                            JE calc.0100DC18
    0100DEC8                            JNB SHORT calc.0100DED0
    0100DF06                            JNZ SHORT calc.0100DF6C
    0100DF24                            JLE SHORT calc.0100DF4C
    0100DF5B                            JGE SHORT calc.0100DF5F
    0100DF78                            JNZ SHORT calc.0100DFAE
    0100DF9F                            JG SHORT calc.0100DFAE
    0100DFA8                            JE calc.0100DEA7
    0100E010                            JE SHORT calc.0100E027
    0100E039                            JE SHORT calc.0100E049
    0100E062                            JLE calc.0100E0FF
    0100E090                            JNZ calc.0100E1A4
    0100E0B2                            JLE SHORT calc.0100E0DA
    0100E0E9                            JGE SHORT calc.0100E0ED
    0100E262                            JNZ SHORT calc.0100E290
    0100E28E                            JNZ SHORT calc.0100E25B
    0100E2C4                            JE SHORT calc.0100E2CC
    0100E32D                            JE calc.0100E400
    0100E343                            JNZ calc.0100E973
    0100E353                            JE calc.0100E9BB
    0100E4B9                            JE calc.0100E588
    0100E4CF                            JE calc.0100E588
    0100E4D9                            JNZ calc.0100E588
    0100E63A                            JE calc.0100E827
    0100E650                            JE calc.0100E827
    0100E7C7                            JNZ SHORT calc.0100E80A
    0100E7D9                            JNZ SHORT calc.0100E80A
    0100E7F4                            JNZ SHORT calc.0100E7FD
    0100E82B                            JNZ calc.0100E988
    0100E841                            JE calc.0100E967
    0100E857                            JE calc.0100E967
    0100E965                            JE SHORT calc.0100E98F
    0100EC3E                            JNB SHORT calc.0100EC46
    I had to edit the post because the board wasn't accepting my long garbage.

    The text that you have entered is too long (61194 characters). Please shorten it to 50000 characters long.

  4. #4
    Any way to log whether or not the jump was taken?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    P4-class processors can single-step every flow-control instruction (Jcc, ints etc.), thus achieving what you asked. Integrating with Olly should not be problematic, for the simple fact that it flows the same way as single-step (thus enabling tracing should do the job).

    Writing the r0 driver with a single service that does the job is not all that difficult:
    * Load IDT
    * save & change the int1 address to your stub (oh, tell Windows the memory isn't swappable...)
    Int1 stub:
    * if (EFLAGS.TF=1) MSR_DEBUGCTLA ($1D9) or $1 (tell it to step only on branch!)
    * jump to the prior INT1 code
    * don't try to remove your driver from memory, and add a service that disables the stub actions (just check a flag for simply skipping to the old code)

    but be careful:
    1) it affects *all* of your machine, so you should enable/disable it as needed. Background applications that use TF tricks might not behave correctly (AKA BOOM!)
    2) the processor resets the flag every time it triggers; that's why you need to set the MSR BTF bit again each time. The simplest way is to check if TF is set. If it's set, and your driver is set to step on jumps, just set the MSR and go on.

    Take the old DDK or the new, monster WDK (2.5 GB, the hell?! what DID they put in there????)

    Maybe after I have ...installed... the WDK I can code it, but I'm kind of a lazy boy, and my times are behemoth-ly slow... but I'll do it sooner or later; maybe I can even write a nice article on it. Boh!

    Last edited by Maximus; January 11th, 2007 at 09:13.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    ..."a shellcode is a command you do at the linux shell"...

  6. #6
    Thanks Maximus, but you lost me at "Writing the r0 driver". Looks like this is way too advanced for me at this time, but I'm working on getting smarter.

    For now I will have to hand step the code and comment the jumps.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    When you are paused on a conditional jump, to find out whether the jump is taken or not
    you have to check the flags.

    There are about 60 variations of conditional jumps.

    Many of those conditional jumps do not depend on only one flag but diverge with reference to the condition of one or more flags.

    So checking 60 variations for opcode and for flags (ODITSPC)
    is a kind of tedious job.

    OllyDbg provides one API to check this: Checkcondition(int code, int flags)

    but in its plugincmd it does not provide a way of accessing the t_reg structure

    also, in its enum register struct it does not list the flags

    I tried taking the modified cmdline plugin and tried adding logging of flags, but since it turned out to be more of a reversing job than a straightforward coding
    job, I left the project in limbo.

    If you are adventurous enough you may check out the plugin (available here for download).

    I can provide pseudo code:

    int checkjump(1,2)
    find the first byte of the opcode at the present EIP
    find the EFLAGS register from t_reg (you have to hack your way into _plugincommad somehow)
    then send them both to Checkcondition();
    check the return
    and print out the result, like "jump taken" or "not taken", from Checkcondition's result

    If you are going to code it, I can provide further help if necessary.
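
    As an added example (not code from the thread, from the cmdline plugin, or from the OllyDbg API), the C program below does the flag check described in the post above by hand: it decodes a conditional branch from its raw bytes, evaluates the 16 Jcc condition codes against an EFLAGS value the way OllyDbg's Checkcondition() does internally, and also handles JECXZ and the LOOP family, which test ECX rather than flags and which a "JCC CONST" search does not list. The sample bytes are reconstructed from two lines of the calc.exe listing earlier in the thread (displacements computed from the addresses shown), so they are constructed test data; the function and type names (eval_branch, cond_true, jcc_result) are mine.

```c
/* jcc_eval.c: decide whether a conditional branch is taken from its raw
 * bytes and the EFLAGS/ECX values at that moment (32-bit x86).
 * Added example; not part of the thread, the cmdline plugin or OllyDbg.
 * The names eval_branch, cond_true and jcc_result are made up here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FL_CF (1u << 0)
#define FL_PF (1u << 2)
#define FL_ZF (1u << 6)
#define FL_SF (1u << 7)
#define FL_OF (1u << 11)

/* OllyDbg-style mnemonics for the 16 condition codes (cc = low nibble of the
 * opcode).  Each odd code is the negation of the even code before it. */
static const char *cc_name[16] = {
    "JO", "JNO", "JB", "JNB", "JE", "JNZ", "JBE", "JA",
    "JS", "JNS", "JPE", "JPO", "JL", "JGE", "JLE", "JG"
};

/* Evaluate condition code cc (0..15) against EFLAGS.  This is the tedious
 * part: JBE/JA combine CF and ZF, JL/JGE/JLE/JG combine SF, OF and ZF. */
int cond_true(unsigned cc, uint32_t ef)
{
    int cf = !!(ef & FL_CF), pf = !!(ef & FL_PF), zf = !!(ef & FL_ZF);
    int sf = !!(ef & FL_SF), of = !!(ef & FL_OF), r;

    switch (cc >> 1) {
    case 0:  r = of;              break;  /* JO  / JNO */
    case 1:  r = cf;              break;  /* JB  / JNB */
    case 2:  r = zf;              break;  /* JE  / JNZ */
    case 3:  r = cf | zf;         break;  /* JBE / JA  */
    case 4:  r = sf;              break;  /* JS  / JNS */
    case 5:  r = pf;              break;  /* JPE / JPO */
    case 6:  r = sf ^ of;         break;  /* JL  / JGE */
    default: r = zf | (sf ^ of);  break;  /* JLE / JG  */
    }
    return (cc & 1) ? !r : r;
}

typedef struct {
    int valid;          /* 0 if the bytes are not a conditional branch */
    int len;            /* instruction length in bytes */
    const char *mnem;   /* mnemonic */
    int taken;          /* 1 if control goes to the branch target */
    uint32_t next;      /* address executed next: target or fall-through */
} jcc_result;

/* Decode the branch at eip from up to n bytes and decide where it goes. */
jcc_result eval_branch(uint32_t eip, const uint8_t *b, size_t n,
                       uint32_t eflags, uint32_t ecx)
{
    jcc_result r = { 0, 0, NULL, 0, 0 };
    int32_t disp = 0;
    unsigned cc = 0;

    if (n >= 2 && b[0] >= 0x70 && b[0] <= 0x7F) {            /* Jcc rel8 */
        cc = b[0] - 0x70;  r.len = 2;  disp = (int8_t)b[1];
        r.mnem = cc_name[cc];  r.taken = cond_true(cc, eflags);
    } else if (n >= 6 && b[0] == 0x0F && b[1] >= 0x80 && b[1] <= 0x8F) { /* Jcc rel32 */
        cc = b[1] - 0x80;  r.len = 6;
        disp = (int32_t)((uint32_t)b[2] | (uint32_t)b[3] << 8 |
                         (uint32_t)b[4] << 16 | (uint32_t)b[5] << 24);
        r.mnem = cc_name[cc];  r.taken = cond_true(cc, eflags);
    } else if (n >= 2 && b[0] >= 0xE0 && b[0] <= 0xE3) {     /* LOOPNE/LOOPE/LOOP/JECXZ rel8 */
        static const char *ln[4] = { "LOOPNE", "LOOPE", "LOOP", "JECXZ" };
        r.len = 2;  disp = (int8_t)b[1];  r.mnem = ln[b[0] - 0xE0];
        if (b[0] == 0xE3) {
            r.taken = (ecx == 0);                  /* JECXZ tests ECX, not flags */
        } else {
            int zf = !!(eflags & FL_ZF);           /* LOOPcc: ECX-1 != 0 (and ZF for LOOPE/LOOPNE) */
            r.taken = (ecx - 1) != 0 &&
                      (b[0] == 0xE2 || (b[0] == 0xE1 ? zf : !zf));
        }
    } else {
        return r;                                  /* not a conditional branch */
    }
    r.valid = 1;
    r.next = eip + (uint32_t)r.len + (r.taken ? (uint32_t)disp : 0);
    return r;
}

/* Constructed sample bytes, reconstructed from the listing above:
 *   0100163D  JA SHORT calc.0100165B  -> 77 1C             (rel8  = 0x165B - 0x163F)
 *   01001694  JE calc.010017C2        -> 0F 84 28 01 00 00 (rel32 = 0x17C2 - 0x169A)
 * plus two made-up ECX-based branches. */
const uint8_t SAMPLE_JA[2]    = { 0x77, 0x1C };
const uint8_t SAMPLE_JE[6]    = { 0x0F, 0x84, 0x28, 0x01, 0x00, 0x00 };
const uint8_t SAMPLE_JECXZ[2] = { 0xE3, 0x05 };   /* JECXZ +5 */
const uint8_t SAMPLE_LOOP[2]  = { 0xE2, 0xFE };   /* LOOP to itself (rel8 = -2) */

/* Print one decision in the format the thread's log uses. */
void log_decision(uint32_t eip, const jcc_result *r)
{
    printf("%08X   %s\n           Jump %s -> %08X\n", (unsigned)eip, r->mnem,
           r->taken ? "Taken" : "Not Taken", (unsigned)r->next);
}

int main(void)
{
    jcc_result r;
    r = eval_branch(0x0100163D, SAMPLE_JA, 2, 0, 0);       /* CF=0, ZF=0: JA taken */
    log_decision(0x0100163D, &r);
    r = eval_branch(0x0100163D, SAMPLE_JA, 2, FL_ZF, 0);   /* ZF=1: JA not taken */
    log_decision(0x0100163D, &r);
    r = eval_branch(0x01001694, SAMPLE_JE, 6, FL_ZF, 0);   /* ZF=1: JE taken (rel32 form) */
    log_decision(0x01001694, &r);
    return 0;
}
```

    Feeding it the first opcode byte(s) at EIP plus the EFLAGS value is exactly what the pseudo code above wants from Checkcondition(); the difference is that here the condition table is visible, so a reader can see why JA needs both CF and ZF clear while JG needs ZF clear and SF equal to OF.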

  8. #8
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    OK, I hacked the plugin source (hacked the complete source to add a t_reg param right from the typedef to every other function that accesses it). I have attached a precompiled binary to this thread; if you are still reading this thread, try it out and tell me if this is what you were looking for (I mean the functionality and format). Beware, this is a pre-pre-pre alpha (I have tested this
    binary only once, and only on one computer, and with only one application, viz. calc.exe).

    Do not abuse it trying to do something different and come back saying it crashed. Use it like I enumerate below and I hope it should work (can't give any guarantee or warranty whatsoever that it will work).

    1) Copy/paste this binary in place of the original cmdline plugin (do not rename it; save the original to some place and replace it with this binary)
    2) Open your application
    3) Right click --> Search for all commands --> type in JCC CONST or JNZ CONST or JZ CONST or JB CONST (or your favourite conditional jump)
    4) In the new window that pops up with all references, right click --> Set log breakpoint on all commands
    5) In the dialog box that pops up select Pause == Always
    6) In the "if plugin pauses, pass to plugin" edit box type
    .dt (NOTE DOT)
    .run (NOTE dot)

    Click OK.

    Now in the disassembler window set an F2 breakpoint on some known function that you know should break (like WinMain). This is to ensure that you break somewhere, to check if all worked well. If you don't have an F2 breakpoint
    it will not stop while the application is running, and the log window may overflow and lose the logs.

    And then run the application with F9 (note: no animation, no Ctrl+F8 etc.; use F9 only and run the application).

    When OllyDbg breaks on your F2 breakpoint you can check the log window and see the results.

    I'm pasting below the output of all conditional breaks that happen between
    MainCRTStartup() and WinMain in calc.exe on WinXP SP2.

    If you find this is working then post back. I may then try to contact the original author and forward my modification along with my modified source to him, and if he finds it is worth implementing and doesn't break anything else
    in the process I'll try to coax him to implement it.

    If you find it is not working I'd like feedback as well, along with a possibly reproducible bug report if you can.

    Log data
    Address    Message
    01012491   Breakpoint at calc.01012491
               Jump Not Taken
    0101249E   Breakpoint at calc.0101249E
               Jump Not Taken
    010124A9   Breakpoint at calc.010124A9
               Jump Taken
    010124CE   Breakpoint at calc.010124CE
               Jump Not Taken
    0101252B   Breakpoint at calc.0101252B
               Jump Taken
    01012539   Breakpoint at calc.01012539
    01012593   Breakpoint at calc.01012593
               Jump Not Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Taken
    0101259D   Breakpoint at calc.0101259D
               Jump Not Taken
    010125A1   Breakpoint at calc.010125A1
               Jump Not Taken
    010125A6   Breakpoint at calc.010125A6
               Jump Not Taken
    010125B0   Breakpoint at calc.010125B0
               Jump Taken
    010125C7   Breakpoint at calc.010125C7
               Jump Not Taken
    010125E4   Breakpoint at calc.010125E4
    Attached Files

  9. #9
    Naides is Nobody
    Join Date
    Jan 2002
    Planet Earth
    Blab, YOU THA MAN!!!

  10. #10
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries

    Do I take it that it's working perfectly all right?
    What possible usage do you envisage with this implementation?
    Is there anything else that could be added to make it more valuable than a dumb crap brute-force logger? (Logging loop compares that are going to loop for as many as 2^32 iterations would just make the output crap; who's going to parse "jump not taken" strings that are spat out innumerable times?)

    Apart from helping in some lame-duck sessions, do you see any real value addition in implementing this? (I did this for altogether other reasons: I wanted access to the t_reg structure, which could help me add .print flags, .print Zf, .print Tf etc. commands, which could be more generic, like checking for certain flags in compares and bit tests.)

    Any comments are welcome.

    Anyone else who has any views is also welcome to add their opinions in this thread.

  11. #11
    Naides is Nobody
    Join Date
    Jan 2002
    Planet Earth

    Yes, it is working on my system and I have done some -limited- testing in real-life RCE.

    If you search back in the board, Kayaker was implementing a similar but different tool a long time ago, at that time attached to Sice.

    So if you have the ability to log the app running in:

    Demo vs. full

    Dongle attached vs. dongle not there

    Before time is up vs. time is up,

    Or any two instances in which the app behaves good boy vs. bad girl

    One could, very quickly, pinpoint critical program decisions (conditional jumps) by comparing/looking at the output of your script under each instance.

  12. #12
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    thanks for your insights and the link

    yeah it can pinpoint a specific diversion in an application that behaves differently under certain circumstances

    but then is the way its logged like now usefull if you want to script through possibly say a gigabyte of output ?

    i have to implement some additional commands like .continue that would do exactly what it was doing before it hit the break at present i just prototyped with .run

    Now if you were single-stepping with F7 and you stepped on this command, the application would start running (it's blind: it saw run and it will run),
    and you don't want such scenarios in malware tracing.

    I specifically tend to avoid brute-force tracing as much as possible.

    That's why I asked those questions.

    If you think the implementation is fine as it is, I'll try polishing it a few notches and try to test it a little more (the source as it is is a big monkeyed-around hack; I don't know how many bugs/exploitable holes I introduced in the process).

    Any other opinions are welcome too.

  13. #13
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Ring -1
    Blog Entries
    Very nice, blabberer! You asked for suggestions, and I have a suggestion that would probably be very useful and appreciated, especially for purposes like the ones mentioned by naides (analyzing the difference between unregistered/registered mode of a program, i.e. for pinpointing critical jumps etc.), and here it goes:

    During the first run (let's say in the unregistered mode of the program), log everything just like you do now, but to a file you can specify (also possibly in a format much more compact than the current human-readable form).

    During the second run (let's say in the registered mode of the program), first let the Olly user select a "reference log file", i.e. the log file created in the first step, and then run the program from the exact same point again. On the first difference in a taken/non-taken jump, break Olly and give the user back control, and/or log it.

    (Some more feature suggestions after this would be to limit this functionality to certain memory ranges of code, and possibly selection of special jumps to ignore.)

    This would actually be quite useful; I'd love to have such a plugin, especially if done in a relatively quick/efficient way! (And of course, best of all, in a separate plugin in the plugin menu, instead of a patched cmdline plugin.)

    What do you think, any thoughts?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
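
The two-run comparison proposed in the post above, as an added example that is not part of the thread and not the cmdline plugin's code, written as an offline Python script over two log files rather than inside Olly. It walks the reference run and the second run in lockstep, stops at the first jump whose taken/not-taken outcome differs, and supports the two extras suggested (a code address range to restrict to, and a set of jump addresses to ignore). The log line format, the function names, the bit-packed "compact" form and the two sample runs are assumptions; the addresses and outcomes in the samples are constructed.

```python
# Added example (not from the thread, and not the cmdline plugin's code):
# the two-run comparison proposed above, done offline over two branch logs.
# Log format is hypothetical: "<hex addr> <disassembly...> taken|not_taken".


def parse_trace(text):
    """Parse a branch log into (address, disassembly, taken) records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        records.append((int(parts[0], 16), " ".join(parts[1:-1]), parts[-1] == "taken"))
    return records


def pack_outcomes(records):
    """Compact form of a run: one bit per executed jump (1 = taken)."""
    buf = bytearray((len(records) + 7) // 8)
    for i, rec in enumerate(records):
        if rec[2]:
            buf[i >> 3] |= 1 << (i & 7)
    return bytes(buf)


def unpack_outcomes(data, count):
    return [bool((data[i >> 3] >> (i & 7)) & 1) for i in range(count)]


def first_divergence(reference, candidate, code_range=None, ignore=frozenset()):
    """Walk both runs in lockstep and return the first point where they differ.

    code_range=(lo, hi) keeps only jumps with lo <= addr < hi; ignore is a set
    of jump addresses to drop (e.g. a loop whose count legitimately varies).
    Result kinds: "outcome" (same jump, different taken/not-taken: the
    critical decision), "path" (a different jump was reached without a prior
    outcome change, so something other than a Jcc diverged), "length" (one
    run ended early), or None when the filtered runs are identical."""
    def keep(rec):
        addr = rec[0]
        if addr in ignore:
            return False
        return code_range is None or code_range[0] <= addr < code_range[1]

    ref = [r for r in reference if keep(r)]
    cand = [r for r in candidate if keep(r)]
    for i, (a, b) in enumerate(zip(ref, cand)):
        if a[0] != b[0]:
            return {"index": i, "kind": "path", "reference": a, "candidate": b}
        if a[2] != b[2]:
            return {"index": i, "kind": "outcome", "reference": a, "candidate": b}
    if len(ref) != len(cand):
        n = min(len(ref), len(cand))
        return {"index": n, "kind": "length",
                "reference": ref[n] if n < len(ref) else None,
                "candidate": cand[n] if n < len(cand) else None}
    return None


# Constructed sample runs (addresses, disassembly and outcomes are made up):
# "unregistered" mode as the reference, "registered" mode as the second run.
REFERENCE_TRACE = """\
# run 1: unregistered
0100163D JA SHORT calc.0100165B not_taken
01001679 JE SHORT calc.01001681 taken
01001694 JE calc.010017C2 not_taken
0100169C JNZ SHORT calc.010016AA taken
"""
CANDIDATE_TRACE = """\
# run 2: registered
0100163D JA SHORT calc.0100165B not_taken
01001679 JE SHORT calc.01001681 taken
01001694 JE calc.010017C2 taken
010016CA JE calc.010017C2 not_taken
"""


def demo():
    """Compare the two sample runs with no filtering."""
    return first_divergence(parse_trace(REFERENCE_TRACE), parse_trace(CANDIDATE_TRACE))


if __name__ == "__main__":
    d = demo()
    print("first divergence: %s at %08X (%s)" % (d["kind"], d["reference"][0], d["reference"][1]))
```

Checking the address before the outcome matters: once one outcome differs the two runs execute different code, so every later record is noise, and a "path" result before any "outcome" result tells you the divergence came from something the Jcc logger cannot see (an indirect call, an exception handler, a timing-dependent message loop).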

  14. #14
    Here is some interesting info on very efficient branch tracing.

    Make sure to read Darawk's comment also on that page.

  15. #15
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries

    Thanks for the suggestions.
    I don't know at the moment if I can get out of cmdline and create something out of it (many of the functions and structures are undocumented, like FindAllJumps etc.).

    Actually, if you notice the name of the function, dt, I was actually trying to implement a structure identifier akin to WinDbg's dt nt!_nt_peb; I short-circuited the function to create this as it had some of the spade work done.

    I too don't like to have this kind of special logger-type function inside a performance-hitting loop.

    Break, then parse; break, then parse and do the action, then return: this will take too much time.

    Actually I'm asking these questions to clear up some nagging doubts.

    Suppose we have asked a GUI application to log all conditional jumps (dumb brute force, no prior knowledge, no elimination of jumps etc.).

    Have any of the testers checked it on a full-blown GUI?
    Does the app show up, and can you click the register/unregister/whatever button that you are likely to hit?

    Doesn't it keep on breaking in the wndclass/DispatchMessage routines and prevent the application from getting focus?

    As to logging it to Notepad etc., those are all possible and maybe wouldn't take much work.

    I am doubtful about the performance of this implementation.
