Topic created on: January 4, 2009 08:53 CST by blackd0t  .
Howdy!
I was wondering lately if there is a plugin for Olly that would monitor registry values while the application is running. For example, let's imagine the scenario where we want to break whenever any register points to a memory location which contains the 'topsecret' string data. If it can be achieved with OllyScript I'd gladly hear how. I couldn't find any information about that topic on Google.
Regards,
Black Dot
> blackd0t: > I was wondering lately if there is a plugin for Olly that would monitor registry values while the application is running.
You can use run trace and set a condition to do that.
Ctrl+T -> tick the "condition is true" checkbox and for the condition use this:
STRING [R32] == "yyyyyyyy" || unicode[R32] == "ssssssss"
Substitute your super duper secret text instead of yyyyyyyy or ssssssss,
and use your preferred register (eax, ebx etc.) instead of R32.
If your string is Unicode, use the unicode keyword instead of the string keyword.
Hit Ctrl+F11 (trace in).
OllyDbg will stop on all such occurrences as long as you trace in.
A sample program
and its output:
#include <stdio.h>
#include <wchar.h>   /* wchar_t */

int main (void)
{
    char asciistr[0x100];
    wchar_t unicodestr[0x100];
    int i, j = 'a';
    wchar_t k = 'a';
    /* kept in registers on purpose: the run-trace condition tests
       what a register points to, so a register must hold the string's address */
    register void *ascii, *unicode;

    /* build "aaaaaaaaaa" .. "zzzzzzzzzz" as both an ASCII and a wide string */
    while (j <= 'z' && k <= 'z')
    {
        for (i = 0; i < 10; i++)
        {
            asciistr[i] = j;
            asciistr[i + 1] = 0;       /* keep the string terminated */
            unicodestr[i] = k;
            unicodestr[i + 1] = 0;
        }
        ascii = asciistr;
        unicode = unicodestr;
        printf("%s\t\t%ls\n", (char *)ascii, (wchar_t *)unicode);
        j++;
        k++;
    }
    return 0;
}
multistr>multistr.exe
aaaaaaaaaa aaaaaaaaaa
bbbbbbbbbb bbbbbbbbbb
**********************************
**********************************
yyyyyyyyyy yyyyyyyyyy
zzzzzzzzzz zzzzzzzzzz
multistr>
Log data
Address Message
00401000 Program entry point
Analysing multistr
361 fuzzy procedures
165 calls to known, 197 calls to guessed functions
110 loops, 17 switches or cascaded if's
00401150 Breakpoint at multistr.main
00401197 Conditional pause: STRING [eax] == "yyyyyyyy" || unicode[edx] == "ssssssss"
[edx] = 730073
unicode[edx] = ssssssssss
00401198 Conditional pause: STRING [eax] == "yyyyyyyy" || unicode[edx] == "ssssssss"
00401199 Conditional pause: STRING [eax] == "yyyyyyyy" || unicode[edx] == "ssssssss"
0040119E Conditional pause: STRING [eax] == "yyyyyyyy" || unicode[edx] == "ssssssss"
00401191 Conditional pause: STRING [eax] == "yyyyyyyy" || unicode[edx] == "ssssssss"
string[eax] = yyyyyyyyyy
[eax] = 79797979
00401197 Conditional pause: STRING [eax] == "yyyyyyyy" || unicode[edx] == "ssssssss"
00401198 Conditional pause: STRING [eax] == "yyyyyyyy" || unicode[edx] == "ssssssss"
00401199 Conditional pause: STRING [eax] == "yyyyyyyy" || unicode[edx] == "ssssssss"
0040119E Conditional pause: STRING [eax] == "yyyyyyyy" || unicode[edx] == "ssssssss"
004011B3 Breakpoint at multistr.004011B3
Process terminated, exit code 0
Wow, Anonymouse, thank you for this amazing response!
I really appreciate how much work you put into answering my question. I've been using Olly for a long time, but I've never even wondered what the 'run trace' feature does.
Thanks a lot again!
P.S. And sorry, as I've made a mistake and posted this topic in the wrong section.
> anonymouse: > blackd0t: > I was wondering lately if there is a plugin for Olly that would monitor registry values while the application is running.
Hi,
The run trace in OllyDbg 2.0 is cool and can set the condition, but my question is:
1. How to monitor a value in memory and have the run trace pause OllyDbg when the values at memory addresses 033EB45D=55, 033EB45E=8B, 033EB45F=EC, 033EB460=81?
I can set "condition 1 is true" as below:
[BYTE 033EB45D]==55 (success)
But how to set it as a dword? Can I set it like:
[DWORD 033EB45D]==558BEC81 (failed to pause OllyDbg)
> ictsecurity0: hai,
>
> The run trace in ollydbg 2.0 is cool and can set the condition. but my question is:
>
> 1. how to monitoring the value in memory value and ask the run trace pause the ollydbg running when the value in memory offset address 033EB45D=55, 033EB45E=8B, 033EB45F=EC, 033EB460=81.
>
> i can set the condition 1 is true as below:
> [BYTE 033EB45D]==55 (success)
>
> but how to set in dword, is it i can set it like:
> [DWORD 033EB45D]==558BEC81 (failed to pause the ollydbg)
Stopping on a dword seems to work for me in v2. Check out the following and try following it:
F:\>prompt ictsecurity0
ictsecurity0 md %prompt% && cd %prompt% && copy con %prompt%.c
#include <stdio.h>
unsigned long ictsecurity0[] = {0},i;
int main (void)
{
printf("hello ictsecurity0\n");
for(i=0x1320;i<0x1340;i++)
{
ictsecurity0[0]=i;
printf("%p\n",ictsecurity0[0]);
}
return 1;
}^Z
1 file(s) copied.
ictsecurity0bcc32 %prompt%.c && %prompt%
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
ictsecurity0.c:
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland
hello ictsecurity0
00001320
00001321
00001322
00001323
00001324
00001325
00001326
00001327
00001328
00001329
0000132A
0000132B
0000132C
0000132D
0000132E
0000132F
00001330
00001331
00001332
00001333
00001334
00001335
00001336
00001337
00001338
00001339
0000133A
0000133B
0000133C
0000133D
0000133E
0000133F
ictsecurity0copy f:\compressed\odbg2.rar .
1 file(s) copied.
ictsecurity0copy f:\compressed\UnRAR.exe .
1 file(s) copied.
ictsecurity0UnRAR.exe e odbg2.rar
UNRAR 3.91 freeware Copyright (c) 1993-2009 Alexander Roshal
Extracting from odbg2.rar
Extracting ollydbg.exe OK
All OK
ictsecurity0 copy con rtrace.txt
this is a test for ictsecurity query on runtrace condition dword blah
^Z
1 file(s) copied.
ictsecurity0copy con log.txt
another txt file where i can redirect ollydbg log details on runtrace condition
pause^Z
1 file(s) copied.
ictsecurity0ollydbg %prompt%
ictsecurity0type log.txt
00401176 Run trace: condition 1 met - dword [0x40a128] == 0x1337
Process terminated, exit code 1
-------- End of session
ictsecurity0type rtrace.txt
this is a test for ictsecurity query on runtrace condition dword blah
00000000 ???
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001321, ECX=0013FA34
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001322
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001323
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001324
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001325
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001326
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001327
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001328
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001329
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=0000132A
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=0000132B
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=0000132C
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=0000132D
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=0000132E
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=0000132F
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001330
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001331
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001332
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001333
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001334
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001335
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001336
main 00401174 MOV DWORD PTR DS:[ESI],EAX
main 00401176 PUSH DWORD PTR DS:[ESI] EAX=00001337
main 00401174 MOV DWORD PTR DS:[ESI],EAX
-------- End of session
ictsecurity0cd \
ictsecurity0rd /s /q %prompt%
ictsecurity0
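An added example, not code from the thread, on the dword condition ictsecurity0 asked about. x86 is little-endian, so the DWORD OllyDbg reads at an address is assembled from the bytes in reverse order: 55 8B EC 81 in memory is the DWORD 0x81EC8B55, not 0x558BEC81 (the thread's own log shows the same thing when the Unicode text "ss", bytes 73 00 73 00, is printed as [edx] = 730073). The program uses a constructed four-byte buffer in place of the real address.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the four bytes from the question, in address
 * order, i.e. as they would sit at 033EB45D..033EB460. */
static const unsigned char sample[4] = { 0x55, 0x8B, 0xEC, 0x81 };
/* The byte pattern the condition is meant to catch (same values). */
static const unsigned char wanted[4] = { 0x55, 0x8B, 0xEC, 0x81 };

/* The DWORD an x86 debugger (and Olly's [DWORD addr]) sees at p.
 * x86 is little-endian: the byte at the lowest address is the least
 * significant byte, so 55 8B EC 81 in memory reads as 0x81EC8B55.
 * Assembled explicitly so the result does not depend on the host. */
uint32_t dword_at(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Equivalent of writing the condition as four BYTE compares:
 * [BYTE a]==55 && [BYTE a+1]==8B && [BYTE a+2]==EC && [BYTE a+3]==81 */
int bytes_match(const unsigned char *p, const unsigned char *want)
{
    return p[0] == want[0] && p[1] == want[1] &&
           p[2] == want[2] && p[3] == want[3];
}

/* Equivalent of a single [DWORD a]==value condition. */
int dword_matches(const unsigned char *p, uint32_t value)
{
    return dword_at(p) == value;
}

int main(void)
{
    printf("bytes in memory     : %02X %02X %02X %02X\n",
           sample[0], sample[1], sample[2], sample[3]);
    printf("[DWORD addr] reads  : %08X\n", dword_at(sample));
    printf("==558BEC81 matches? : %d\n", dword_matches(sample, 0x558BEC81u));
    printf("==81EC8B55 matches? : %d\n", dword_matches(sample, 0x81EC8B55u));
    /* the four-BYTE form and the byte-reversed DWORD form agree */
    printf("four BYTE compares  : %d\n", bytes_match(sample, wanted));
    printf("DWORD of wanted     : %08X\n", dword_at(wanted));
    return 0;
}
```

So the condition that pauses on those four bytes is [DWORD 033EB45D]==81EC8B55, or the four BYTE compares joined with &&.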