
Plugin, Trick, Tool, Or something to let you search OllyDbg Analysis comments?

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
captcpsc
Junior Member
Posts: 18
Joined: Wed Feb 22, 2012 6:32 pm

Post by captcpsc »

I have to be using the wrong words, phrase or have settings messed up or not set correctly in OllyDbg. I am trying to search for a string that the analysis put in the CPU window. It seems that MOST of the analysis do appear in the find all string references but the one I am looking for is not! I am trying to find the analysis that says ASCII "ABCDEFGHJKLMNPRST..." Besides page-down through the entire code (in this case fairly long) is there some plugin, or setting or trick to finding those comments that do not list in the Text Strings Referenced.

p.s.
I honestly did read the FAQ I have googled, I have listened to lots of tutorials...
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

Well, you can try to search it directly in the dump-window via Ctrl-B (search for binary string) either ASCII or UNICODE.
It might be that the string you are searching isn't there at all, but is concatenated at runtime. In this case the chars can be apportioned around the code. Furthermore it's possible that the string is encrypted and will only become decrypted in a certain state of the program.
My advice is to set a BP at the place where you've found it in the CPU-window and look from there, where this string comes from (when you see it there it must somehow be referenced).

Hope that helps

Regards
darkelf
I flout Chuck Norris, Spongebob barbecues underwater!
captcpsc
Junior Member
Posts: 18
Joined: Wed Feb 22, 2012 6:32 pm

Post by captcpsc »

[quote="Darkelf"]Well, you can try to search it directly in the dump-window via Ctrl-B (search for binary string) either ASCII or UNICODE.
It might be that the string you are searching isn't there at all, but is concatenated at runtime.[/QUOTE]

I can find it by slowly page-downing through the document till I see it...but that is really slow.

To me pictures are worth a thousand words.... [ATTACH]2550[/ATTACH]

What I want to search for is the highlighted string ASCII "ABCDE..." I'm frustrated that it's an analysis comment AND appears on the screen yet you can't search for it? I mean from an application point of view that STRING is somewhere in OLLYDEBUG's memory and should be able to be searched for? Right?

p.s. I tried to redact anything revealing what I was working on as I did read that's against the policy of the site.
Attachments
SearchForASCII_String.jpg
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

What you see on the right of the mnemonics window is not really a comment (well it is, because comments are shown there), but something Olly finds on the related memory address at runtime. When you change what's at this address, Olly will change the string you see on the right in an instant. Unfortunately, the pic you've posted is pretty small, thus I'm unable to actually identify the memory address. Would you mind uploading this pic somewhere with a bigger resolution? Or even better upload the .exe somewhere. I will help you to get used to Olly a bit more.

Regards
darkelf

P.S. Have you already done the lena-series of tuts?
I flout Chuck Norris, Spongebob barbecues underwater!
captcpsc
Junior Member
Posts: 18
Joined: Wed Feb 22, 2012 6:32 pm

Post by captcpsc »

[quote="Darkelf"]P.S. Have you already done the lena-series of tuts?[/QUOTE]

No, I've watched a few dozen youtube ones and read some, but I'm going to take the hint and download that series now. I'd really like to get better at this and it's sorta like a bucket list thing...I've done minor stuff on my own but I really want to be able to figure out some of the bigger stuff. I will go through this tutorial.

[quote="Darkelf"]What you see on the right of the mnemonics window is not really a comment (well it is, because comments are shown there), but something Olly finds on the related memory address at runtime. When you change what's at this address, Olly will change the string you see on the right in an instant.[/QUOTE]

YEP, I did figure out about your comments overriding the Ollydbg comments. ( I was kinda frustrated with that as well IN MY THOUGHTS it should OFFER up to you the Olly "comment" even better bring that up selected so as soon as you type a letter it goes away or you can hit say end and add your 2 cents.)

[quote="Darkelf"]Unfortunately, the pic you've posted is pretty small, thus I'm unable to actually identify the memory address. Would you mind uploading this pic somewhere with a bigger resolution?[/QUOTE]

Here is a larger picture of the piece in question...
[ATTACH]2552[/ATTACH]

[quote="Darkelf"]Or even better upload the .exe somewhere. I will help you to get used to Olly a bit more.[/QUOTE]
I will PM you about this.
Attachments
SearchForASCII_big.jpg
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

that is decoded on the fly

ie instantaneous and it is dependent on eax

so eax can take 0 to 0xffffffff so you are looking at a range of 2^32 PLACES

NOW since this is user mode you can chop off 50% or 25% of that range based on Maxuserspace global

and normally some where up or down the place you can get the real range for eax
if you are lucky and if it resolves to 0 based index

then ctrl+g and entering the constant 5******* and hitting yes should get you the ABCD******
captcpsc
Junior Member
Posts: 18
Joined: Wed Feb 22, 2012 6:32 pm

Post by captcpsc »

blabberer, Thank you for your response. I understand what you are saying and realize that EAX is determined at run time. But, the fact still remains that in that listbox (or some other windows gui component) that text is there. A SEARCH on those values would be totally possible. They appear right after analysis is complete, it's not like it appears ONLY when you get to that line of code.
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

I downloaded the program you provided and installed it but unfortunately it doesn't run.
But that doesn't matter - to help you the program is not needed to run.

OK, it's just as I said in my first reply, which you either haven't read carefully or you were not able to follow my advice because you didn't know what to do. The first case would be your fault, the second one mine.
Let's shed some light on this:

Have a look at the code 2 lines above the current line in Olly (463008 in the picture).
You'll see a "XOR EAX, EAX"
As we all know, this line resets EAX to 00000000
We can conclude from that, that at 463010 EAX will still be 00000000. So the command will actually be: "CMP BYTE PTR DS:[0+54FB80], CL".
This command will hence compare the value at 54FB80 with the value in CL.
Now that should ring a bell. A big one!
Actually all you need to do is right-clicking this line -> follow in dump -> memory address and you are right where you want to be.
But you also would have found it, if you'd done as I told you: clicking in the dump window (it's that window on bottom left with all these hex-numbers), ctrl-B (search for binary string), enter a part of the string there and hit "OK".

I don't know what to write more, because it's really, really easy. I strongly recommend doing lena's tuts (you can get the whole series at tuts4you) because it will make you become more familiar with Olly.

If you have any additional question just ask.

Best regards
darkelf
I flout Chuck Norris, Spongebob barbecues underwater!
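
An offline counterpart to the Ctrl-B search described in the post above, as an added example that is not part of the thread: it scans a PE32 file for a string in both ASCII and UNICODE (UTF-16LE) form and converts each hit to the virtual address you would follow in the dump. The sample image is constructed; its image base of 400000 and its section layout are assumptions chosen so the visible prefix of the string lands at 54FB80, the address from the CMP instruction. An empty result is what you get when the string is only assembled or decrypted at runtime.

```python
import struct

def pe_sections(data):
    """Return (image_base, [(vaddr, raw_off, raw_size), ...]) for a PE32 file."""
    pe, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                            # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled")
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(nsect):                                   # 40-byte entries
        _vsize, vaddr, raw_size, raw_off = struct.unpack_from(
            "<4I", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, raw_off, raw_size))
    return image_base, sections

def find_string(data, text):
    """List (encoding, virtual_address) for every ASCII/UTF-16LE occurrence."""
    image_base, sections = pe_sections(data)
    hits = []
    for label, needle in (("ASCII", text.encode("ascii")),
                          ("UNICODE", text.encode("utf-16-le"))):
        pos = data.find(needle)
        while pos != -1:
            for vaddr, raw_off, raw_size in sections:
                if raw_off <= pos < raw_off + raw_size:
                    hits.append((label, image_base + vaddr + pos - raw_off))
            pos = data.find(needle, pos + 1)
    return hits

def build_sample(text="ABCDEFGHJKLMNPRST"):
    """Constructed PE32 skeleton (not the thread's program): one data section."""
    img, pe, opt_size, raw_off = bytearray(0x1200), 0x40, 0xE0, 0x200
    img[0:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)
    struct.pack_into("<HH12xH", img, pe + 4, 0x14C, 1, opt_size)  # i386, 1 section
    struct.pack_into("<H", img, pe + 24, 0x10B)              # PE32 magic
    struct.pack_into("<I", img, pe + 24 + 28, 0x400000)      # assumed image base
    struct.pack_into("<8s4I", img, pe + 24 + opt_size,
                     b".data", 0x1000, 0x14F000, 0x1000, raw_off)
    for off, raw in ((0xB80, text.encode()), (0xC00, text.encode("utf-16-le"))):
        img[raw_off + off:raw_off + off + len(raw)] = raw
    return bytes(img)

if __name__ == "__main__":
    print([(enc, hex(va)) for enc, va in find_string(build_sample(), "ABCDEFGHJKLMNPRST")])
```
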
captcpsc
Junior Member
Posts: 18
Joined: Wed Feb 22, 2012 6:32 pm

Post by captcpsc »

Thanks for your help Darkelf, I'm a lil weirded out that the program didn't run for you? I mean it does need to be installed first, and it's a CD Image so you need like Daemon Tools or some virtual drive to load it. But regardless you did help me. I also would like to say that I am up to part 5 of 40 of the Lena tools and am really enjoying the series. I wish I would have started here first. It makes a little more sense to me now as to how to accomplish what I wanted. Thank you again.
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

[quote="captcpsc"]I mean it does need to be installed first, and it's a CD Image so you need like Daemon Tools or some virtual drive to load it.[/QUOTE]

You don't want me to answer this, do you? :devil:

Nah, just joking. Of course I installed it (again something you would have known if you'd read my last post attentively), but as always when I install something to reverse that comes from an untrusted source, I did so in a VM and the program doesn't run there (graphics issue).

But as I said, it was not necessary in this case.

Ask as many questions as you like. I'll help wherever I can.

Have fun
darkelf
I flout Chuck Norris, Spongebob barbecues underwater!
captcpsc
Junior Member
Posts: 18
Joined: Wed Feb 22, 2012 6:32 pm

Post by captcpsc »

Well played, and a very good practice as well. I'll work through the lena tutorials and hopefully can have some BETTER questions in the future!
captcpsc
Junior Member
Posts: 18
Joined: Wed Feb 22, 2012 6:32 pm

Post by captcpsc »

Ok, I do have one question. So far I've done fine following along in the tutorials but tutorial 4 caused me some problem that you might have some help with. In this tutorial you go till a nag box pops up you then pause olly, but start execution again using alt-f9. Then when you hit ok, olly pauses again at the end of the nag. This doesn't seem to work for 2.01. Any ideas? It looks like ALT-F9 executes user code but it doesn't do anything (not even push the U button) in 2.01.
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

I'm sorry. I can't answer this question because I (as most other users of Olly) still use Olly 1.10. The reason why is simply that there is an uncountable number of plugins for 1.10 that don't exist for 2.xx. As far as I remember even Oleh says that 2.xx is far from being an adequate replacement for 1.10.
Do yourself a favor and use 1.10. You won't need to relearn a lot when v2 is matured, so don't worry.

darkelf
I flout Chuck Norris, Spongebob barbecues underwater!
captcpsc
Junior Member
Posts: 18
Joined: Wed Feb 22, 2012 6:32 pm

Post by captcpsc »

Sounds good to me. I'm totally fine with that. Thanks again Darkelf!
icegood
Junior Member
Posts: 3
Joined: Sat Mar 10, 2012 9:18 am

top rated

Post by icegood »

[quote="Darkelf"]I'm sorry. I can't answer this question because I (as most other users of Olly) still use Olly 1.10. The reason why is simply that there is an uncountable number of plugins for 1.10 that don't exist for 2.xx.
darkelf[/QUOTE]
This message should be top rated in google for now!!!