
Thread: OllyDbg API finding address of symbols

  1. #1
    BuschnicK (Guest)

    OllyDbg API finding address of symbols

    Olly replaces addresses of known functions by their names, so you'll see "<&ADVAPI32.RegSetValueExW>" instead of its address. I'm writing a plugin for Olly and retrieve a t_disasm struct. Now I'd like to extract the address info for strings like the above. However, I can't figure out how to do this reliably. Sometimes the address is stored in addrconst, sometimes in opdata[0], sometimes in immconst.
    Question: how can I retrieve the correct function address from a t_disasm struct, if, and only if, the symbol actually is a function name?

    regards,

    Sören
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Super Moderator (Join Date: Dec 2004, Posts: 1,511, Blog Entries: 15)
    you mean olly already has done the work and you simply want to leech its output

    have you tried playing with

    FindName(),
    FindDecode()
    DecodeName(),
    FindSymbolicName(),
    FindLabelByName(),
    FindImportByName(),
    FindDecode(),
    DecodeAddress()
    DecodeKnownArguments()
    DecodeFullVarName()

    do none of them provide you the results?

    why should you parse t_disasm when you have easier and faster methods?

  3. #3
    BuschnicK (Guest)
    Thank you, but as far as I can tell none of those functions does what I want. I essentially need the inverse of "Decodeaddress" or alternatively a way of reliably getting the address from t_disasm.

    Any other suggestions?

    regards,

    Sören

  4. #4
    Super Moderator (Join Date: Dec 2004, Posts: 1,511, Blog Entries: 15)
    are you saying you want to know how to emulate the behaviour

    when you do option-> debugging options -->disasm--> show local module names

    and show symbolic address ?

    Code:
    00401022   .  E8 4BE00A00   CALL    <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
    
    00401022   .  E8 4BE00A00   CALL    004AF072                         ; \GetModuleHandleA
    like you want to retrieve the 0x4AF072 ?

  5. #5
    BuschnicK (Guest)
    Yes, that's pretty much what I want. Or rather - I want both pieces of info, the name and the address. Not only for call instructions but for others as well, i.e. mov eax, <&somefunction>.

    Any tips?

    thanks,

    Sören

  6. #6
    King of Redonda (Join Date: Jul 2006, Posts: 109, Blog Entries: 4)
    Are you looking for Decodename and/or Findname? Using those on adrconst, immconst, jmpaddr/jmpconst and opaddr[0..2] should give you the info you want.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section
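    The approach suggested in post #6, written out as an added example that is not from the thread or from OllyDbg's own plugin.h: instead of deciding from optype which field holds the address, collect every field that can carry one (jmpconst, the opaddr entries flagged good, adrconst, immconst) and keep only a value that the debugger's name table actually recognises as a label or import. The struct is a minimal stand-in for the t_disasm members the thread names, and `find_symbol()` is a constructed table standing in for Findname()/Decodename(); the addresses in it are made up, apart from the 0x4AF072 thunk shown in post #4.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the t_disasm fields the thread names.
   Assumption: field names follow OllyDbg's plugin.h; the real struct has
   many more members, omitted so that this file compiles without Olly. */
typedef struct {
    uint32_t ip;         /* address of the instruction */
    uint32_t jmpconst;   /* constant jump/call target, e.g. CALL 004AF072 */
    uint32_t adrconst;   /* constant part of a memory operand address */
    uint32_t immconst;   /* immediate constant, e.g. MOV EAX, imm32 */
    int      opgood[3];  /* whether opaddr[i] holds a valid address */
    uint32_t opaddr[3];  /* address of operand i if it is a memory operand */
} t_disasm_min;

/* Constructed symbol table standing in for Findname()/Decodename().
   Names and addresses are invented for this example. */
typedef struct { uint32_t addr; const char *name; } symbol_t;
static const symbol_t k_symbols[] = {
    { 0x004AF072u, "JMP.&KERNEL32.GetModuleHandleA" },
    { 0x004B0010u, "&ADVAPI32.RegSetValueExW" },
};

/* Return the symbol name for addr, or NULL if no label/import is known. */
static const char *find_symbol(uint32_t addr)
{
    size_t i;
    for (i = 0; i < sizeof(k_symbols) / sizeof(k_symbols[0]); i++)
        if (k_symbols[i].addr == addr)
            return k_symbols[i].name;
    return NULL;
}

/* Resolve the function symbol an instruction refers to, if any.
   Every field that can carry an address is tried in turn; a value counts
   only if the name table knows it, so a small immediate such as ADD EAX,5
   is never mistaken for a function. Returns 1 and fills *addr/*name on
   success, 0 if no operand resolves to a known symbol. */
int resolve_symbol(const t_disasm_min *da, uint32_t *addr, const char **name)
{
    uint32_t cand[6];
    int n = 0, i;

    if (da->jmpconst) cand[n++] = da->jmpconst;          /* CALL/JMP target */
    for (i = 0; i < 3; i++)                               /* [mem] operands */
        if (da->opgood[i] && da->opaddr[i]) cand[n++] = da->opaddr[i];
    if (da->adrconst) cand[n++] = da->adrconst;           /* address constant */
    if (da->immconst) cand[n++] = da->immconst;           /* MOV EAX, <&func> */

    for (i = 0; i < n; i++) {
        const char *s = find_symbol(cand[i]);
        if (s) {
            *addr = cand[i];
            *name = s;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the CALL from post #4, a MOV EAX,<&RegSetValueExW>,
       a CALL DWORD PTR [<&RegSetValueExW>], and an ADD EAX,5 that must not match. */
    t_disasm_min call_thunk = { 0x00401022u, 0x004AF072u, 0, 0, {0,0,0}, {0,0,0} };
    t_disasm_min mov_import = { 0x00401030u, 0, 0, 0x004B0010u, {0,0,0}, {0,0,0} };
    t_disasm_min call_iat   = { 0x00401035u, 0, 0x004B0010u, 0, {1,0,0}, {0x004B0010u,0,0} };
    t_disasm_min add_small  = { 0x0040103Bu, 0, 0, 5u, {0,0,0}, {0,0,0} };
    const t_disasm_min *all[] = { &call_thunk, &mov_import, &call_iat, &add_small };
    size_t k;
    for (k = 0; k < sizeof(all) / sizeof(all[0]); k++) {
        uint32_t a; const char *s;
        if (resolve_symbol(all[k], &a, &s))
            printf("%08X -> %08X <%s>\n", all[k]->ip, a, s);
        else
            printf("%08X -> no function symbol\n", all[k]->ip);
    }
    return 0;
}
```

    In a real plugin the table lookup would be replaced by a Findname()/Decodename() call on each candidate, so the plugin never has to know in advance which of the t_disasm fields Olly filled for a given instruction form.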

  7. #7
    BuschnicK (Guest)
    Thank you. But how do I tell when to look in which of those variables? I tried switching on optype but did not get correct results as the DEC_* optype constants only seem to encode size info, not actual type.

    regards,

    Sören
