Topic created on: April 10, 2007 16:42 CDT by bepetemish.
I'm looking for a way to log function addresses from an application. Is there an Olly plug-in for this kind of task? Or does someone know a good solution?
By functions, are you talking about APIs from the system, or user-defined functions in the application?
In the former case, use APIMON, or do custom hooking, code injection to log, etc.
For the latter case, you can get the call graph through IDA.
I'm not aware of any plugin for this case.
--
neox
|
If you want a plugin for olly, you can use Universal Hooker from Core.
A good external solution (if you don't want to inject code using a dll/sys) is to use the HookContainer class for pydbg.
Cheers,
|
I think I'm talking about user-defined functions in the application.
So I need the call graph through IDA. I'm going to search Google, but if you can easily copy/paste something that might help me, "be my guest". ;)
People who know how to do this give results like this:
ZPostStageMap (0x00448140)
ZPostStageCreate (0x00447fd0)
ZPostWhisper (0x0042a660)
ZChat::CheckRepeatInput (0x00429ebe)
ZChat::Input (0x00429f10)
ZChatOutput (0x00429e40)
And they call them offsets. Am I searching for the wrong thing?
Grtz,
Bepetemish
|
|
Just a warning: I see C++ methods in your example call stack. IDA Pro, being a static disassembler, will not be able to trace calls through C++ virtual functions due to the mechanism involved (indirection through a vtable using the object pointer). Your example call stack is more likely to come from a debugger or other dynamic tool.
|
I also thought about a debugger. The one "they" probably used is Olly, so that's why I requested a plug-in for Olly. But because I don't know exactly what I'm searching for, it's hard for me to explain.
But in this forum I learned a couple of things about what I'm searching for:
- user-defined function in the application
- example:
in ZChatOutput (0x00429e40)
ZChatOutput = the user-defined function
(0x00429e40) = the offset
- the results shown in my post above are probably results from a debugger.
Another thing I think but am not sure of: could it be that people attach the debugger to the application's process, then type something in the message screen (in the application), and the debugger shows ZChat::Input on line 00429f10?
Does something like this sound familiar?
PS. I want to thank everyone who's helping me out!!!
|
One obvious comment is that there must be symbols or an export table involved. If those "user defined functions" have names, the name is coming from somewhere. It would be odd, but not unheard of, for a production application to have debug symbols.
I haven't used OllyDbg enough to know whether it shows symbolic names in its call stack, so someone with more Olly experience will have to answer the rest. :(
|
Then let's hope someone with Olly skills reads this post..
PS. Mr. Olly, this isn't solved yet. Tnx
|
How do you want to log it?
Log the address while you are breaking with a conditional breakpoint?
If that's the case, then all you need is to call Decodeaddress() from your plugin for the IP:
#include <windows.h>
#include "plugin.h"   // OllyDbg 1.10 plugin SDK: t_dump, Plugingetvalue, Decodeaddress, Addtolist

extc void _export cdecl ODBG_Pluginaction(int origin,int action,void *item)
{
  t_dump *cpudasm;
  ULONG ip;
  CHAR buffername[TEXTLEN];   // comment/module part filled in by Decodeaddress
  CHAR symb[300];             // symbolic name, e.g. <CALC.foo>
  int nsymb=250;
  if (origin==PM_MAIN)        // menu item invoked from the main (CPU) window
  {
    switch (action)
    {
      case 0:
        // Address currently selected in the CPU disassembler pane
        cpudasm = (t_dump *)Plugingetvalue(VAL_CPUDASM);
        ip = cpudasm->sel0;
        // Resolve the address to its symbolic name (label/export/import)
        Decodeaddress(ip,0,ADC_SYMBOL,symb,nsymb,buffername);
        Addtolist(0,1,buffername);
        Addtolist(0,1,symb);
        break;
      default:
        break;
    }
  }
}
The above code, when called from the plugin menu, will log the address to OllyDbg's log window.
01011A0F <CALC.babababa> CALL NEAR DWORD PTR DS:[<&MSVCRT.__se>; MSVCRT.__set_app_type
01011A15 ADD ESP, 4
01011A18 MOV DWORD PTR DS:[1013F78], -1
01011A22 <CALC.foo> MOV DWORD PTR DS:[1013F7C], -1
01011A2C <CALC.foo2> CALL NEAR DWORD PTR DS:[<&MSVCRT.__p_>; MSVCRT.__p__fmode
01011A32 MOV ECX, DWORD PTR DS:[1013F74]
01011A38 <CALC.wahooo> MOV DWORD PTR DS:[EAX], ECX
01011A3A CALL NEAR DWORD PTR DS:[<&MSVCRT.__p_>; MSVCRT.__p__commode
01011A40 MOV EDX, DWORD PTR DS:[1013F70]
01011A46 <CALC.whatchadoinglogginme> MOV DWORD PTR DS:[EAX], EDX
I named a few lines with arbitrary names and clicked the menu in my plugin:
Log data
File 'C:\WINDOWS\CALC.EXE'
New process with ID FFF656EB created
010119E0 Main thread with ID FFF5875B created
01000000 Module C:\WINDOWS\CALC.EXE
70BD0000 Module C:\WINDOWS\SYSTEM\SHLWAPI.DLL
78000000 Module C:\WINDOWS\SYSTEM\MSVCRT.DLL
7FCB0000 Module C:\WINDOWS\SYSTEM\SHELL32.DLL
BFB70000 Module C:\WINDOWS\SYSTEM\COMCTL32.DLL
BFE80000 Module C:\WINDOWS\SYSTEM\ADVAPI32.DLL
BFF20000 Module C:\WINDOWS\SYSTEM\GDI32.DLL
BFF50000 Module C:\WINDOWS\SYSTEM\USER32.DLL
BFF70000 Module C:\WINDOWS\SYSTEM\KERNEL32.DLL
010119E0 Program entry point
<CALC.babababa>
<CALC.foo>
<CALC.foo2>
<CALC.wahooo>
<CALC.whatchadoinglogginme>
|
Ok, let me study this. Back in half a year..
cheers
|
|
Is the goal to simply generate a log of all function call addresses at run-time? If so, the MSR technique with the simple addition of pydasm to check if a branch was due to a CALL instruction would suffice, yes?
|
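As an added example (not code from the thread or from pydbg/pydasm), here is the filter the post above describes: given (from, to) branch records such as an MSR/LBR-style branch trace would produce, keep only those whose source instruction is a CALL, resolving E8 targets from the bytes and taking vtable/import call targets from the trace. A tiny opcode check stands in for pydasm; the code bytes, addresses and trace records are constructed for the example.

```python
import struct
# Constructed 32-bit code image at IMAGE_BASE (made-up bytes/addresses, not from the thread's binaries).
IMAGE_BASE = 0x00401000
CODE = bytes([
    0xE8, 0x0B, 0x00, 0x00, 0x00,        # 401000  call 401010      (E8 rel32)
    0x8B, 0x01,                          # 401005  mov eax,[ecx]    (load vtable ptr)
    0xFF, 0x50, 0x08,                    # 401007  call [eax+8]     (FF /2, vtable slot)
    0xFF, 0x15, 0x78, 0x3F, 0x01, 0x01,  # 40100A  call [01013F78]  (FF /2, import thunk)
    0xC3,                                # 401010  ret
    0xEB, 0xFE,                          # 401011  jmp short 401011
])
# Constructed (from, to) branch records as an MSR/LBR-style branch trace would
# report them; the indirect calls' destinations exist only at run time.
TRACE = [
    (0x00401000, 0x00401010),
    (0x00401007, 0x00402340),
    (0x0040100A, 0x78001234),
    (0x00401010, 0x00401005),   # ret: a branch, but not a CALL
    (0x00401011, 0x00401011),   # jmp: a branch, but not a CALL
]
PREFIXES = {0x66, 0x67, 0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0xF2, 0xF3}

def classify_call(code, base, eip):
    """Minimal stand-in for pydasm: (kind, static_target) if the instruction
    at eip is a CALL, else None. Only the opcode and ModRM.reg are needed."""
    off = eip - base
    while 0 <= off < len(code) and code[off] in PREFIXES:
        off += 1
    if not 0 <= off < len(code):
        return None
    op = code[off]
    if op == 0xE8 and off + 5 <= len(code):          # direct near call, rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return "call_rel32", (base + off + 5 + rel) & 0xFFFFFFFF
    if op == 0xFF and off + 1 < len(code):           # FF /2 near, FF /3 far
        reg = (code[off + 1] >> 3) & 7
        if reg in (2, 3):
            return ("call_indirect", "call_far_indirect")[reg - 2], None
    return None

def log_calls(code, base, trace):
    """Keep only trace records whose source is a CALL. For direct calls the
    bytes also give the target; for vtable/import calls only the trace does."""
    out = []
    for src, dst in trace:
        info = classify_call(code, base, src)
        if info is not None:
            kind, static = info
            out.append((src, dst, kind, None if static is None else static == dst))
    return out
```

The fourth field is True when the statically decoded E8 target agrees with the traced destination and None for indirect calls, which is exactly the case a static disassembler cannot resolve on its own.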
|
Don't know.. Still searching for what you mean by MSR technique.
|
Hmmm, this is the .exe file I'm trying to find the functions from:
http://www.megaupload.com/?d=78KJP1YL
The problem is that this version is encrypted.
Someone sent me a very old version + a document with all functions listed including the offsets. He said I need to compare the old version with the new one to find the new offsets. I know what he means but I can't do it because it's encrypted.
Now you people are experts, so what will be easier to do? Encrypt this version (and which tools do you recommend)? Or use a debugger/DLL to log the API functions?
|