Thread: Olly

  1. #1
    PedraSimon
    Guest

    Olly

    Hi, I am new to Olly... and also to this forum. Please help if you can.

    1. I saw in the Olly help file (the last line under content/search/binary string) that there is:
    Another option (binary copy with masked fixups) replaces fixups with question marks, creating search patterns that are insensitive to the load address.
    I can't seem to find it in Olly. How do I use it?

    2. Let's say a particular line in my EXE is "mov eax,ebx". Is there a function in Olly that would allow me to find out "backwards" the last instruction that accessed/modified ebx? (I can't trace/run the program; it is protected by GameGuard.)

    Thanks in advance.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    I don't know if this would work for your problem, because most of the time I have used it for nags. Try pausing OllyDbg, then press Alt+F9, which usually takes you to the line of code where the object has been invoked, and you can do a backward trace from there.

  3. #3
    Super Moderator
    can't seem to find it in Olly. How do I use it?
    This has got nothing to do with tracing backwards.

    To use it you simply hit Ctrl+B,

    type in a sequence, let's say 66 ?? 3A,

    and hit OK.

    OllyDbg will stop on the first such sequence found.

    Use Ctrl+L to get the next occurrence of the same sequence.

    A sample search on OllyDbg itself for the above sequence with the masked ??:

    Code:
    00401002      66            DB      66                               ;  CHAR 'f'
    00401003      62            DB      62                               ;  CHAR 'b'
    00401004      3A            DB      3A                               ;  CHAR ':'
    
    00446CF2  |.  66:833A 20    ||CMP     WORD PTR DS:[EDX], 20
    
    0040C18C  |.  66:833A 00    |CMP     WORD PTR DS:[EDX], 0
    
    00463001  |. /5F344600      DD      OLLYDBG.0046345F  <--- case insensitive: see the three consecutive bytes 46 00 3A
    00463005  |. |3A344600      DD      OLLYDBG.0046343A
    (83 in the top sequence: the ?? is a mask and it will list all and any such combinations)
    
    00468DB5  |.  66:813A 4C01  CMP     WORD PTR DS:[EDX], 14C
    As to finding who initialised ebx from an arbitrary position: you have to analyse the disassembly and find out manually if you cannot use trace and log.

    Use the call stack, find who is in the first frame and analyse the disassembly.
    You should spot some mov ebx,R32 or mov ebx,[CONST], or pop ebx, or one of the many other infinite variations of getting a value into a register.

  4. #4
    PedraSimon
    Guest
    Thanks for the reply.

    1.
    I interpreted the help file sentence to mean there is an option within Olly that will do the binary masking automatically, e.g. I binary copy a block of instructions, press some shortcut key or click some option, and when I paste into binary search (Ctrl-B) the fixups (i.e. the ???s) are already substituted for me. That would be a useful function for locating a "block of code" between different versions of a program.

    2.
    Is there any way for me to search for "EBX" in the disassembler (like a text search on the disassembler)?
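The masked Ctrl+B search from post #3 and the automatic fixup masking the original poster asks about in post #4, as an added Python example; this is not OllyDbg's own code. The 17-byte code block, its RVA and its two fixup offsets are constructed for illustration (in a real PE the fixup RVAs would be read from the .reloc section); `mask_fixups`, `find_all` and `find_next` are names chosen here, not Olly commands.

```python
"""Masked byte-pattern search (OllyDbg Ctrl+B style) plus automatic fixup masking.

Added example, not OllyDbg's own code. The sample bytes, RVAs and fixup
offsets below are constructed for illustration.
"""
from typing import Iterable, List, Optional

MaskedPattern = List[Optional[int]]  # None stands for a '??' wildcard byte


def parse_pattern(text: str) -> MaskedPattern:
    """Turn '66 ?? 3A' into [0x66, None, 0x3A]; '?' or '??' means any byte."""
    out: MaskedPattern = []
    for tok in text.split():
        if tok in ("?", "??"):
            out.append(None)
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    if not out:
        raise ValueError("empty pattern")
    return out


def format_pattern(pat: MaskedPattern) -> str:
    """Render a pattern back into the hex form Ctrl+B accepts."""
    return " ".join("??" if b is None else f"{b:02X}" for b in pat)


def find_all(buf: bytes, pat: MaskedPattern) -> List[int]:
    """Every offset in buf where pat matches; a wildcard matches any byte value."""
    n = len(pat)
    hits = []
    for off in range(len(buf) - n + 1):
        if all(p is None or buf[off + i] == p for i, p in enumerate(pat)):
            hits.append(off)
    return hits


def find_next(buf: bytes, pat: MaskedPattern, after: int) -> Optional[int]:
    """Ctrl+L equivalent: first match strictly after offset `after`, or None."""
    for off in find_all(buf, pat):
        if off > after:
            return off
    return None


def mask_fixups(code: bytes, code_rva: int, fixup_rvas: Iterable[int],
                width: int = 4) -> MaskedPattern:
    """Copy `code` (which starts at RVA code_rva) and blank out every absolute
    address the loader would patch. Each fixup RVA names the first byte of a
    `width`-byte address (4 for a 32-bit HIGHLOW relocation)."""
    pat: MaskedPattern = list(code)
    for rva in fixup_rvas:
        first = rva - code_rva
        for i in range(first, first + width):
            if 0 <= i < len(pat):
                pat[i] = None
    return pat


# Constructed 32-bit code block as it would look at image base 0x00400000:
#   A1 00304000   mov eax, [0x00403000]   <- absolute address, has a fixup
#   68 10304000   push 0x00403010         <- absolute address, has a fixup
#   E8 F1FFFFFF   call <start of block>   <- relative displacement, no fixup
#   8B C3         mov eax, ebx
CODE_RVA = 0x1000
CODE = bytes.fromhex("A1 00 30 40 00 68 10 30 40 00 E8 F1 FF FF FF 8B C3")
FIXUPS = [CODE_RVA + 1, CODE_RVA + 6]  # constructed; normally read from .reloc

# The same code rebased by +0x10000 (addresses 0x00413000 / 0x00413010):
# only the bytes covered by fixups differ.
REBASED = bytes.fromhex("A1 00 30 41 00 68 10 30 41 00 E8 F1 FF FF FF 8B C3")

# Constructed "memory image": the rebased copy at offset 3, the original at 22.
IMAGE = b"\x90" * 3 + REBASED + b"\xCC" * 2 + CODE


def demo() -> dict:
    """Masked pattern finds both copies; the exact bytes find only one."""
    masked = mask_fixups(CODE, CODE_RVA, FIXUPS)
    exact: MaskedPattern = list(CODE)
    return {
        "masked_pattern": format_pattern(masked),
        "masked_hits": find_all(IMAGE, masked),
        "exact_hits": find_all(IMAGE, exact),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The masked pattern `demo()` produces can be pasted straight into Ctrl+B; the relative `call` is deliberately left unmasked, since a rel32 displacement does not change when the module is rebased, only the absolute operands covered by relocation entries do.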

  5. #5
    Super Moderator
    That would be a useful function for locating a "block of code" between different versions of a program.
    Well, if you can use mnemonics instead of raw opcodes you can try "Find all sequences".

    It accepts a pseudo-instruction "ANY #" in its search sequence.

    For example, you want to search for a pushad/popad block that has 6 instructions in between.

    You can ask OllyDbg to search for
    pushad
    any 6
    popad

    The 6 instructions in between can be any junk.
    If the first and seventh instructions are pushad and popad respectively, OllyDbg will list those blocks for you in a separate window.

    A text search for the string "ebx": no, I'm not aware of any such capability.
    Maybe you could look at the code highlighting dialogs and modify them to suit your needs; they have highlighting options for general purpose registers. Maybe you could make a branch in there asking it to highlight a user-specified register.

    The raw functionality for highlighting a specific register exists in the trace log.
    Maybe you could reverse, analyse, study and combine both of these options
    and make a plugin that does it.

  6. #6
    PedraSimon
    Guest
    Thanks for your response. I think I'll stick to manually masking the binary string. It's much more precise. I only posted the question here because I thought Olly could do the masking automatically (a misinterpretation of the help text).
