Findreferences OllyDbg plugin API documentation

    Findreferences OllyDbg plugin API documentation


    I'm using OllyDbg 1.1 and am writing a plugin. I'd like to get all references (calls in particular) of a specified function. I can do this in the Olly GUI, but there is no documentation for the corresponding API function:

    extc int cdecl Findreferences(ulong base,ulong size,ulong addr0,ulong addr1, ulong origin,int recurseonjump,char *title);

    Could anyone please shed some light on what the correct values are if I want to retrieve alls calls to a function entry point?


    004010B8   33C0             XOR EAX,EAX
    004010BA   90               NOP
    004010BB   83C0 01          ADD EAX,1
    004010BE   40               INC EAX
    004010BF   0000             ADD BYTE PTR DS:[EAX],AL
    004010C1   E8 F2FFFFFF      CALL Copia_di.004010B8
    004010C6   90               NOP
    004010C7   68 B8104000      PUSH Copia_di.004010B8
    004010CC   0000             ADD BYTE PTR DS:[EAX],AL
    004010CE   E8 E7FFFFFF      CALL Copia_di.004010BA
    004010D3   90               NOP
    If you want to find all the references to 0x4010B8 you have to call FindReferences using this form:
    Findreferences(0x401000, 0x2000, 0x4010B8,0x4010B9,0x4010B8,0,"Test references");
    Ollydbg looks for references inside range 401000/401000+2000. It's pretty easy to understand how Findreferences works, you have only to play with the parameters.
    The function returns two entries: 4010C1 and 4010C7 and Ollydbg shows the result on a new window. If you want to use the entries in your plugin (i.e. filtering call instructions only...) you have to retrieve them using the function PlugingetValue:
    t_table *tTable;
    tTable = (t_table *)Plugingetvalue(VAL_REFERENCES);
    Message(NULL, "Address: %X",((t_sortheader*)tTable->>addr);
    Plugingetvalue in combination with VAL_REFERENCES is used to get the table with found references. Once you have it you can start with your own operation. I simply print the first reference.

    I'm not an Olly guru but that's a way...
    Thank you very much for the quick reply - this looks exactly like the info I was looking. Will try it out.


