📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.





About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

 Forums >>  Brainstorms - General  >>  Howto trace only branching instructions in OllyDBG?

Topic created on: October 29, 2006 06:58 CST by ZeJibe .

I can't seem to find a way to trace (make a log of) all branching instructions only (call, jmp, jnz, ...). I would like to following the structure of a program and not necessarily every line of code it goes through (which very quickly overflows the log capacity of OllyDBG).

Could someone help me?

Thanks in advance,

ZeJibe

  anonymouse     October 30, 2006 04:55.35 CST
> ZeJibe: (which very quickly overflows the log capacity of OllyDBG).

you sure your trace over flows 64 megabytes or 4 mega bytes of records ??

if you are unsure whats your size
go to option --> debugging option --> trace --> and look in the pulldown box and select maximum possible size which is 64 m/ 4m

why dont you try tracing only whats relevent instead of bulldozing through gibberish

btw if you right click and log to file in run trace window there is no question of over flowing the buffer  
visually available buffer is a circular buffer
which means the oldest records are deleted and the newer ones are logged (that is what would be available only visually) but logging to say mydumblog.txt would get you logs that can cross the limit the newer records are simply appended to existing ones in the log

you can use ctrl+t and ask run trace to pause
when command is one of JCC CONST JCC == all jumps including plain jmp

CONST == any address

now this wont pause if its jump r32 where r32 means any register so develop appropriate pseudo stops (ollydbg has got an amazing array of pseudo matches combinable with logicl and AND logical or)

but this is kinda irritating if you are bulldozing through

so start coding a plugin that would handle PAUSEDEX
and simply issue a SendShortcut (vk_F11 or VK_F12) after you log what you require

Note: Registration is required to post to the forums.

There are 31,328 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit