Conditional Branch Logger

REAP
Junior Member
Posts: 11
Joined: Sat Jun 30, 2012 10:03 pm

Conditional Branch Logger

Post by REAP »

Hello

I am trying to load this plugin with Olly 1.1 on XP (in a VM).

I receive the error

Code:

cbl_gui.dll failed to load correctly

I have the cbl_gui.dll (and Conditional_Branch_Logger.dll) in the plugin folder.

Would appreciate suggestions on what could be the issue.

Thanks
REAP
Junior Member
Posts: 11
Joined: Sat Jun 30, 2012 10:03 pm

Post by REAP »

I've worked it out, it is a conflict with another plug-in.
REAP
Junior Member
Posts: 11
Joined: Sat Jun 30, 2012 10:03 pm

Post by REAP »

Hello,

Unfortunately the cbl_gui.dll does not load correctly in all instances.

When I posted above that I had it working, I had removed all other plugins and was testing with notepad.

CBL is still the only plugin that is in the plugin directory, but when I try to configure CBL with the application that I want to trace (a service), I am getting the same error as before.

So I am again after advice, either on how to resolve this or on alternatives (for instance, is there an OllyScript that does something similar?).

Thanks
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

I can't really understand where there would be a problem. CBL loads with Olly, even before you open a target, so if all is good you should see the message in the log window
"cbl_gui.dll loaded and all addresses are retrieved"
It should work irrespective of whether you open notepad, a service, or attach to a running process.

Conditional_Branch_Logger.dll is the plugin loaded by Olly. If the plugin can't load cbl_gui.dll you will get an error message in the Olly log window. The fact that you did get that error message seems to indicate the plugin probably loaded OK, but couldn't find the second dll. If for some reason it loaded but couldn't resolve the dll exports you'd get an additional message
"cbl_gui.dll loaded but addresses not retrieved"

All I can suggest at the moment is to delete ollydbg.ini and refresh to create a new one, and remove any udd files and try again. Out of curiosity, do you know which plugin it may have had a conflict with?

You could also do a full run trace, but for the same code execution path there would be a lot more instructions to sift through in the log file over using the plugin.
REAP
Junior Member
Posts: 11
Joined: Sat Jun 30, 2012 10:03 pm

Post by REAP »

Hello Kayaker,

Thanks for responding.

I've done some more testing.

I've removed all the UDD's. And now when I open Olly cbl_gui.dll loads as you describe. I have re-added the plugins and there is no change, so the other plugins were not the issue. Notepad continues to work, and I've tried a couple of other applications and they work too.

Unfortunately CBL still doesn't work with the service.

The process for loading Olly works differently with the service, unlike the other applications, where I use Olly to load the applications. By configuring some registry entries (which I can detail if that helps) when the service is started, Olly is started as the debugger. So in this instance I can't load Olly and check that cbl_gui.dll is loaded OK before starting the service (actually I tried doing that - but it made no difference to the instance of Olly that was loaded when the service started).

Any idea what the problem could be?
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Interesting. Are you using the gflags/Image File Execution method to attach Olly to the service on startup?

It sounds like something is preventing that secondary dll loaded by the plugin to load properly. I read about adding a delay to the service startup to give time for the debugger to attach. Perhaps that would give the necessary time for cbl_gui.dll to load.

http://support.microsoft.com/kb/824344

I guess the logical step to see if CBL itself is the culprit, or whether this is an inherent problem with that kind of service-startup/debugging setup, would be to create a dummy Olly plugin which loads a dummy second dll and see if it also fails to load.

I can't think offhand of other plugins which use 2 dlls which might also fail this way. Ollybone with its loaded sys driver is the only one that comes to mind.

I haven't got time to test right now, but it's an interesting question nonetheless.
REAP
Junior Member
Posts: 11
Joined: Sat Jun 30, 2012 10:03 pm

Post by REAP »

Hi,

I have been using the registry method.

I'm aware of the setting for preventing the service from timing out, but I can't see anything about delaying the service startup.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

My mistake really. I wasn't quite sure if increasing the timeout period might help for this situation. Does the service load OK into Olly otherwise, plugin failure aside?

Is this an automatic (boot) service, or a delayed service, or one you can start manually and have Olly kick in? Maybe not pertinent, but I'm curious to see if I can duplicate the problem.
REAP
Junior Member
Posts: 11
Joined: Sat Jun 30, 2012 10:03 pm

Post by REAP »

Kayaker wrote:
"My mistake really. I wasn't quite sure if increasing the timeout period might help for this situation. Does the service load OK into Olly otherwise, plugin failure aside?

Is this an automatic (boot) service, or a delayed service, or one you can start manually and have Olly kick in? Maybe not pertinent, but I'm curious to see if I can duplicate the problem."

Yes, the service loads fine.

By default the service is automatic, but for the purposes of troubleshooting it is more convenient to set it to manual and start as needed, which works fine.

Occasionally I have found that when you start the service Olly doesn't load (looks like a bug) and I have found that opening an Olly instance beforehand gets around that issue. So I was hoping that I could do that to resolve the CBL dll error but unfortunately having an instance of Olly open doesn't make any difference to the state of the dll in the Olly instance which is started to debug the service.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

can you follow the flow and adapt it to the application you are debugging
prima facie i don't face any problems with debugging a service application along with conditional branch logging plugin

have you made your service interactive? (should work up to winxp sp3)
for vista and above service interaction is disallowed due to session zero isolation
you would need to muck with windbg remote debugging

Code:

C:\>md testcblservice

C:\>cd testcblservice

C:\testcblservice>copy f:\utilities\odbg\odbg110.zip .
        1 file(s) copied.

C:\testcblservice>copy f:\utilities\plugins\Bin_Conditional_Branch_Logger_2007-10-23_21.4_Conditional_Branch_Logger_v1.0.zip .
        1 file(s) copied.

C:\testcblservice>"c:\Program Files\7-Zip\7z.exe" x -y *

7-Zip 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18

Processing archive: Bin_Conditional_Branch_Logger_2007-10-23_21.4_Conditional_Branch_Logger_v1.0.zip

Extracting  Conditional_Branch_Logger.dll
Extracting  src.zip
Extracting  readme.txt
Extracting  cbl_gui.dll

Everything is Ok

Processing archive: odbg110.zip

Extracting  BOOKMARK.DLL
Extracting  Cmdline.dll
Extracting  dbghelp.dll
Extracting  license.txt
Extracting  OLLYDBG.EXE
Extracting  OLLYDBG.HLP
Extracting  PSAPI.DLL
Extracting  readme.txt
Extracting  register.txt

Everything is Ok

Archives: 2
Files: 13
Size:       3141618
Compressed: 1820976

C:\testcblservice>del *.txt & del *.hlp & del PSAPI.DLL & del *.zip & dir /b
BOOKMARK.DLL
cbl_gui.dll
Cmdline.dll
Conditional_Branch_Logger.dll
dbghelp.dll
OLLYDBG.EXE

C:\testcblservice>OLLYDBG.EXE  //close it just checking if ollydbg works

C:\testcblservice>copy c:\WINDOWS\system32\calc.exe .
        1 file(s) copied.

C:\testcblservice>ren calc.exe testcblservice.exe

C:\testcblservice>sc create testcblservice binPath= "c:\testcblservice\testcblservice.exe" type= own type= interact
[SC] CreateService SUCCESS

C:\testcblservice>reg add "hklm\software\microsoft\windows nt\currentversion\image file execution options\testcblservice" /v Debugger /t REG_SZ /d "c:\testcblservice\ollydbg.exe"

The operation completed successfully

C:\testcblservice>testcblservice.exe   \\open in debugger and keeps working

C:\testcblservice>net start testcblservice  \\will open in debugger but will be terminated by service control manager after default timeout 30 seconds
The service is not responding to the control function. <------------------------ default closure  solution is to increase default timeout value 
refer http://support.microsoft.com/kb/824344 and reboot

More help is available by typing NET HELPMSG 2186.


C:\testcblservice>
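
Added example, not part of blabberer's post: a PowerShell sketch for inspecting and undoing the registry state the session above creates, since a leftover Debugger value keeps redirecting every launch of that image name. The function names are hypothetical; ServicesPipeTimeout is the value described in the KB article linked above, and the key name testcblservice is taken from the session.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$control = 'HKLM:\SYSTEM\CurrentControlSet\Control'

function Get-IfeoDebugger {
    # List every IFEO subkey that carries a Debugger value, i.e. every image
    # name whose launch is handed to another executable.
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
        if ($p -and $p.Debugger) {
            New-Object PSObject -Property @{ Image = $_.PSChildName; Debugger = $p.Debugger }
        }
    }
}

function Get-ServicesPipeTimeout {
    # Returns nothing when the value is absent; the service control manager
    # then uses its default of 30 seconds, as seen in the session above.
    $p = Get-ItemProperty -Path $control -Name ServicesPipeTimeout -ErrorAction SilentlyContinue
    if ($p) { $p.ServicesPipeTimeout }
}

function Set-ServicesPipeTimeout([int]$Milliseconds) {
    # DWORD in milliseconds; only read at boot, so reboot afterwards.
    New-ItemProperty -Path $control -Name ServicesPipeTimeout `
        -PropertyType DWord -Value $Milliseconds -Force | Out-Null
}

function Remove-IfeoDebugger([string]$Image) {
    # Delete only the Debugger value, leaving any other IFEO settings intact.
    Remove-ItemProperty -Path (Join-Path $ifeo $Image) -Name Debugger
}

# Current state
Get-IfeoDebugger | Format-Table Image, Debugger -AutoSize
"ServicesPipeTimeout (ms): $(Get-ServicesPipeTimeout)"

# While debugging: give the service 24 hours before the SCM gives up
# Set-ServicesPipeTimeout 86400000

# After debugging: undo what the session created
# Remove-IfeoDebugger 'testcblservice'
# sc.exe delete testcblservice
```

Running Get-IfeoDebugger again after cleanup should no longer list the test image.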
REAP
Junior Member
Posts: 11
Joined: Sat Jun 30, 2012 10:03 pm

Post by REAP »

@blabberer

Yes, the service is set to interactive.

I created a fresh Olly config as per your instructions and am able to load the target service successfully :)

Thanks very much to both yourself and Kayaker for all of your help, I doubt that I would have tried this approach by myself.
REAP
Junior Member
Posts: 11
Joined: Sat Jun 30, 2012 10:03 pm

Post by REAP »

Hi,

More questions I'm afraid.

The reason I wanted to use CBL was so that I could compare application behaviour packed versus un-packed. At the moment un-packed is not running how I would like and I thought this might be an easy way of isolating the issue.

I can now run CBL on the un-packed service and get the log.

In relation to packed, when I start at the packed EP I configure CBL not to log. I then get to OEP and configure CBL to log (I also need to change the address range). At this point, when I save the settings in CBL, Olly restarts. :boo:

Am I stuffed in terms of this approach, or might there be a work-around?