OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Topic created on: September 12, 2006 08:11 CDT by miptop .

Hey dudes,

I was searching for a way to freeze a value at a specific memory adress in Ollydbg. I pratically want the value at a given adress to not change anymore. Is there a command in Ollydbg I may have overseen or a plugin for this purpose? Any help is greatly appreciated.

Best regards

xz		September 13, 2006 04:32.56 CDT
With pydbg it's possible to add a memory breakpoint handler which resets the value when the address is accessed.

ryanlrussell		September 13, 2006 13:22.34 CDT
Well, I don't see any answers yet from someone who actually knows, so I'll take a shot. You can set a hardware breakpoint on memory write. So you would set one on the memory you want to keep constant. Then when it triggers, you just change it back. I know ollydbg has scripting capabilities, but I couldn't write you a script to do this, I have never written one.

anonymouse		September 14, 2006 13:47.09 CDT
freeze a value at specifice memory ? so it means you know and can point it with dword ptr ds:[########] how do you want to proceed is it ok if you can do run trace ? if yes then you can set a few pseudo conditions with ctrl+t in the if command is one of these boxes like mov dword ptr ds:[CONST],R32 add dword ptr ds:[########],CONST sub dword ptr ds:[########],const add blah,r32 sub blah,r32 pop dword ptr ds:[#####] dream up all variations that could probably access that memory location if you are likely to run blind then hit one of the runtrace options its better if you give olldybg as little as possible to parse by selecting and adding to runtrace or conversly skip from runtrace which you feel arent likely target places not that ollydbg will oblige if you ask it check each and every execution but you will get bored parsing its output as to setting the memory back to a constant value you can fallback to .set command like .set dword ptr ds:[#######] = 0xdeadbeef but at the moment there is no synchronisation between ctrl+t breaks and pass the following commands to plugin when break but itsnt hard to crank an ollydbg_pausedEx handler() i have a buggy implementation but thats far from finished an addition to default cmdline.dll hopefully since you ask for such functionality i might find time for it :) now that part of uncertainity over if you actually know which lines of codes access that memory while executing (EXECUTING not accessing) you can set conditional breakpoints with shift+f4 pause always pass to plugin following commands .set dword ptr ds:[your memory address here]= 0x your constant .your next command that you always want to do do like .si , .so , .ti , .to ,.run etc yeah i have a .continue (that does what you were doing earlier ) some times you need to run and not step but hardcoding a .si defeats that when you were in running mode earlier but like i said its still in pre alpha stage like ryan russel stated you can do a hardware break point on access,read,write (byte ,word ,dword) but then again passing a break to set a constant value somewhere is missing ( i mean automatic setting if you are not wanting to be automatically set and continue you can invoke cmdline plugin with alt+f1 and do .set manually everytime and go on doing business as usual ) also you can try setting memory break points on access,write but if you are sure thats going to be hit more than a few times its pretty boring doing alt+f1 .set dword ptr ds:[######] = 0xdeadbeef

Harding		September 17, 2006 15:43.41 CDT
I would like to take a wild guess here and say that you want to freeze a value in a game like Health or Mana? Well even if it's not, game cheating program can (they are more or less made for this) and one I can recommend is Cheat Engine which can be downloaded from: hxxp://wxw.cheatengine.org/index.php

squiffel		January 20, 2007 18:41.00 CST
or ArtMoney for Freezing memory addresses

Note: Registration is required to post to the forums.

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit