Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.

To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.

The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.

All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.

OllyStepNSearch_V0_6_1

Plugin related discussions.

For plugins, tools and tutorials see <a href="/collaborative/tools/index.php/Category:OllyDbg_Extensions">OllyStuph</a>
Locked
JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

OllyStepNSearch_V0_6_1

Post by JMI »

Another Olly Plugin from Exetool member taos.

This plugin allows you to search for a given text when automatically
stepping through the debugged program.

When the plugin is enabled, it will step automatically through the debugged
program once a step command (like Step Into) is issued.
Enabling the plugin is done with the “Options” menu command.

After enabling, press F7 to start.

After each step, the plugin will check which registers have changed.
If a changed register points to an ASCII string, it is logged.
If a search string has been defined and it is contained in the ASCII string
pointed to by the register or the Information pane, the stepping is paused.
Comparison is case sensitive.

A search string is defined by entering it with the “Options” menu command.
It is remembered in the OllyDbg INI file.
Entering an empty string disables the break on string command.
OllyStepNSearch can search in strings pointed to by registers (search in registers toggle)
and it can search in the Information pane of the CPU window (search in information toggle).
Read the “Information window” help section of the OllyDbg v1.10 help file if you’re not familiar
with the Information pane.

If the search string is not found, debugging is resumed. If the current address
is lower than the limit address (by default 0×10000000) a step into command is
issued. A step over command is issued if the current address is higher than the
limit address, or if the current command is a call/jump to an address higher
than the limit address.
The limit address can be changed in the Options dialog.

The plugin can be disabled automatically when the search string is found (Disable after break toggle).
I added this option because I usually want to single step after finding the search string,
but often forgot to disable the plugin before single stepping.

Restarting the debugged program disables the plugin.

Debugging example:

Start OllyDbg and load the ftp.exe program (in system32 directory)
Start the OllyStepNSearch plugin “Options” menu command
Enter “google” as Search string (without the double quotes, of course)
Enable StepNSearch
Click OK
Press F7 to start debugging
Go to the FTP window and type “open google.com” and press enter
The StepNSearch plugin will stop debugging when a register points to a string containing google. On my Windows XP SP2, this happens when EAX points to “open google.com”.
You can continue with F7 and see how ftp.exe parses the “open google.com” command

Regards,
Attachments
OllyStepNSearch_V0_6_1.zip
(37.78 KiB) Downloaded 388 times
JMI
User avatar
dELTA
Posts: 4209
Joined: Mon Oct 30, 2000 7:00 am
Location: Ring -1

Post by dELTA »

Yes, I've used this plugin at some occasions, and it is indeed a very good option when you cannot seem to find any good "direct" way to pinpoint the code you're interested in. :yay:
"Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
LLXX
Senior Member
Posts: 981
Joined: Wed Aug 17, 2005 8:37 pm

Post by LLXX »

Doesn't OllyDbg already have this conditional breakpoint functionality for inspecting memory pointers in registers?
[ ~Litana L.X. Xahanien~ ]
User avatar
dELTA
Posts: 4209
Joined: Mon Oct 30, 2000 7:00 am
Location: Ring -1

Post by dELTA »

This plugin traces every instruction, so it also helps you find the good spots to breakpoint.

It also inspects all registers and stack automatically, searching for the string you specify, without any unnecessary configuration effort.
"Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
FaTaL_PrIdE

Post by FaTaL_PrIdE »

For reference I thought I'd add the author's homepage - http://blog.didierstevens.com/

Although there haven't been any updates recently he does post the latest version of his tools to his blog. If anyone wishes to keep up to date with the plugin, this is where to do it.
Locked