Results 1 to 3 of 3

Thread: Findreferences OllyDbg plugin API documentation

  1. #1
    BuschnicK
    Guest

    Findreferences OllyDbg plugin API documentation

    Hey,

    I'm using OllyDbg 1.1 and am writing a plugin. I'd like to get all references (calls in particular) of a specified function. I can do this in the Olly GUI, but there is no documentation for the corresponding API function:

    extc int cdecl Findreferences(ulong base,ulong size,ulong addr0,ulong addr1, ulong origin,int recurseonjump,char *title);

    Could anyone please shed some light on what the correct values are if I want to retrieve alls calls to a function entry point?

    Thanks,

    BuschnicK
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    Example:
    Code:
    004010B8   33C0             XOR EAX,EAX
    004010BA   90               NOP
    004010BB   83C0 01          ADD EAX,1
    004010BE   40               INC EAX
    004010BF   0000             ADD BYTE PTR DS:[EAX],AL
    004010C1   E8 F2FFFFFF      CALL Copia_di.004010B8
    004010C6   90               NOP
    004010C7   68 B8104000      PUSH Copia_di.004010B8
    004010CC   0000             ADD BYTE PTR DS:[EAX],AL
    004010CE   E8 E7FFFFFF      CALL Copia_di.004010BA
    004010D3   90               NOP
    If you want to find all the references to 0x4010B8 you have to call FindReferences using this form:
    Code:
    Findreferences(0x401000, 0x2000, 0x4010B8,0x4010B9,0x4010B8,0,"Test references");
    Ollydbg looks for references inside range 401000/401000+2000. It's pretty easy to understand how Findreferences works, you have only to play with the parameters.
    The function returns two entries: 4010C1 and 4010C7 and Ollydbg shows the result on a new window. If you want to use the entries in your plugin (i.e. filtering call instructions only...) you have to retrieve them using the function PlugingetValue:
    Code:
    t_table *tTable;
    ...
    tTable = (t_table *)Plugingetvalue(VAL_REFERENCES);
    Message(NULL, "Address: %X",((t_sortheader*)tTable->data.data)->addr);
    Plugingetvalue in combination with VAL_REFERENCES is used to get the table with found references. Once you have it you can start with your own operation. I simply print the first reference.

    I'm not an Olly guru but that's a way...
    Last edited by ZaiRoN; February 1st, 2007 at 10:50.

  3. #3
    BuschnicK
    Guest
    Thank you very much for the quick reply - this looks exactly like the info I was looking. Will try it out.

    regards,

    BuschnicK
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. New plugin for OllyDbg
    By Aster!x in forum Plugins (General)
    Replies: 32
    Last Post: August 2nd, 2011, 04:14
  2. OllyDbg 1.03b released - plugin support
    By TBD in forum Tools of Our Trade (TOT) Messageboard
    Replies: 1
    Last Post: September 9th, 2010, 06:55
  3. How to add new plugin in OllyDbg
    By nidostyle in forum OllyDbg Support Forums
    Replies: 2
    Last Post: September 27th, 2007, 03:27
  4. sentinel sdk documentation
    By Shub-nigurrath in forum Advanced Reversing and Programming
    Replies: 1
    Last Post: June 21st, 2006, 05:07
  5. OllyDbg scripting plugin
    By crassy in forum OllyScript Plugin
    Replies: 42
    Last Post: May 7th, 2004, 09:11

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •