comments (once again)


JSch
June 2nd, 2007, 12:47
Hello folks,

At the moment I'm a little bit disappointed with Ollydbg, since for the third time I've lost almost all my comments.

I'm working on a self-extracting application which needs to be started (F9) within Ollydbg to extract all the interesting routines into memory. I then interrupt the program execution (F12) to do my analysis.

All comments I made on the extracting routines (directly loaded by Ollydbg) are present. All comments regarding the extracted routines (which appear during run-time) are gone.
Trying to attach the udd file manually (executable modules -> update .udd file now) failed, since the extracted code isn't listed as an executable module.

I then tried a plugin named Labelmaster which, unfortunately, saves 0-byte files now and then. With no backup files being generated, my comments are gone once again.

Is somebody familiar with this problem and can give me a hint?

Thank you all for your help,

JSch

blabberer
June 2nd, 2007, 13:23
if the routines are in runtime memory allocations (memory allocated by VirtualAlloc and friends)
ollydbg does not save those comments (for ollydbg to save labels and comments it needs an analysed module)

also there is a possibility that the runtime memory is different every time
so the address doesn't match, so ollydbg may be unable to name them back

if this memory is the same every time then you can try the Analyze This plugin by Joe Stewart and ask it to analyze the memory space

and then try commenting (ollydbg saves unknown memory maps in udd files named mainmodule_1.udd etc.)

and then reload

if that application is shareable (non-commercial, or your own, or malware, or a crackme) get me a link so that I can see if I can do something about saving the comments

JSch
June 3rd, 2007, 06:46
Hello blabberer,

thank you for your quick reply. In the meantime I tried the AnalyzeThis plugin as you suggested. Unfortunately it doesn't work, even though the program code resides at the same memory address every time.

By chance I came across a plugin called LCB which is supposed to outrank Labelmaster. As was to be expected, it doesn't work so well either: when trying to save some comments an error popped up:

Die Anweisung in "0x02d2831e" verweist auf Speicher in "0x00000000" ...
"unknown software exception" (0xc0000027) ist an der Stelle 0x7c80e0b9 aufgetreten...
(sorry just german; I don't know what the english version would say...)

Anybody familiar with this?

Thank you very much,

JSch

blabberer
June 5th, 2007, 00:40
oops, I missed your reply it seems

anyway LCB still uses Plugingetvalue(VAL_CPUDASM)
and Findmodule();

which won't reliably get the comments of places that aren't in the module

analysethis didn't work means it erred with a message box saying the address is not in any known module ??

or it analysed properly but the udd didn't contain your comments ??

can you make ollydbg display a list of comments you added by doing

right click -> search for user-defined comment ?

if yes then you can right click and save those comments to some txt file and
run a simple restorer

Insertname(address, NM_COMMENT, text);

JSch
June 5th, 2007, 13:52
Quote:
LCB still uses Plugingetvalue(VAL_CPUDASM) and Findmodule()

Are there better functions to extract comments? Maybe on a rainy Sunday I'll try to add a backup function to the plugin...

Quote:
analysethis didn't work means it erred with a message box saying ...

"Adress 0x...... does not have any modul associated with it".

Quote:
if yes then you can right click and save that comments to some txt file


Nice hint. I've already seen the 'search comment' command but didn't catch the 'save to clipboard' option. Thank you.

blabberer
June 6th, 2007, 04:39
well, ollydbg-API-agnostic ways can get proper results

in your case, use VirtualQuery() / _MEMORY_BASIC_INFORMATION
and use the page's limits to walk the names with ollydbg's Findname() / Findnextname() (you would need to provide a wrapper to limit the search's address space, since this ollydbg API searches the global address space)

kinda tedious if you have, say, more than 10 or 20 pages of non-module address space

also if you search the board you can find a post by me which enumerates how to leech off comments in non-module space and make a map
and use the MAPconvertor plugin to replace labels
to read about the linker map file format look for Matt Pietrek's article on MSDN, Under the Hood

or look for pistis debug something helper
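The "simple restorer" from blabberer's June 5th post and the address-space-limiting wrapper from the post above, sketched as an added example (not code from the thread, from OllyDbg, or from any of the plugins named in it). It parses a text dump of the user-defined comment list and hands only the entries that fall inside one memory region (the BaseAddress/RegionSize pair a VirtualQuery() walk would supply) to an insert callback. Assumptions: the dump layout is one "hexaddress<TAB>comment" line per entry (constructed here; OllyDbg's real clipboard layout may differ and needs a matching parser), and the callback stands in for Insertname(addr, NM_COMMENT, text) from OllyDbg's plugin.h so the code builds and runs outside OllyDbg and off Windows.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 64
#define MAX_TEXT    128

/* One saved comment: the address it belongs to and its text. */
typedef struct {
    unsigned long addr;
    char text[MAX_TEXT];
} comment_t;

/* Constructed stand-in for a text dump of OllyDbg's "search for user-defined
 * comment" list.  Assumed layout: one "hexaddress<TAB>comment" line per entry. */
static const char CONSTRUCTED_DUMP[] =
    "003A0010\tdecrypt loop start\n"
    "003A0FFF\tlast byte of the page\n"
    "003A1000\tfirst byte of the next page\n"
    "00401000\tmain module entry\n"
    "this line is garbage\n"
    "0040\t\n";

/* Parse the dump into entries; malformed lines are skipped.  Returns the count. */
int parse_comment_dump(const char *dump, comment_t *out, int max)
{
    int n = 0;
    const char *line = dump;
    while (*line && n < max) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *tab = memchr(line, '\t', len);
        if (tab) {
            char *end;
            unsigned long a = strtoul(line, &end, 16);
            size_t tlen = len - (size_t)(tab + 1 - line);
            /* accept only if the hex field ends exactly at the tab and the text is non-empty */
            if (end == tab && tlen > 0) {
                if (tlen >= MAX_TEXT) tlen = MAX_TEXT - 1;
                out[n].addr = a;
                memcpy(out[n].text, tab + 1, tlen);
                out[n].text[tlen] = '\0';
                n++;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n;
}

/* The two MEMORY_BASIC_INFORMATION fields a VirtualQuery()-driven walk needs
 * (BaseAddress, RegionSize), kept as a plain struct so this builds off Windows. */
typedef struct {
    unsigned long base;
    unsigned long size;
} region_t;

/* Stand-in for OllyDbg's Insertname(addr, NM_COMMENT, text): a callback so the
 * example runs without OllyDbg.  Returns 0 on success. */
typedef int (*insert_fn)(unsigned long addr, const char *text, void *ctx);

/* Hand only the comments inside [base, base+size) to insert: the wrapper that
 * limits the address space, applied to the restore direction. */
int restore_comments_in_region(const comment_t *c, int n, region_t r,
                               insert_fn insert, void *ctx)
{
    int restored = 0;
    for (int i = 0; i < n; i++) {
        if (c[i].addr >= r.base && c[i].addr - r.base < r.size &&
            insert(c[i].addr, c[i].text, ctx) == 0)
            restored++;
    }
    return restored;
}

/* Recording callback: remembers which addresses would have been commented. */
typedef struct {
    unsigned long addrs[MAX_ENTRIES];
    int count;
} recorder_t;

static int record_insert(unsigned long addr, const char *text, void *ctx)
{
    recorder_t *rec = (recorder_t *)ctx;
    (void)text;
    if (rec->count >= MAX_ENTRIES) return -1;
    rec->addrs[rec->count++] = addr;
    return 0;
}

/* Run the whole flow on the constructed dump against one constructed 4 KiB
 * page at 0x003A0000 (non-module memory); returns how many were restored. */
int example_restore(recorder_t *rec)
{
    comment_t entries[MAX_ENTRIES];
    int n = parse_comment_dump(CONSTRUCTED_DUMP, entries, MAX_ENTRIES);
    region_t page = { 0x003A0000UL, 0x1000UL };
    rec->count = 0;
    return restore_comments_in_region(entries, n, page, record_insert, rec);
}

int main(void)
{
    recorder_t rec;
    printf("restored %d comment(s)\n", example_restore(&rec));
    for (int i = 0; i < rec.count; i++)
        printf("  %08lX\n", rec.addrs[i]);
    return 0;
}
```

Inside a real plugin the callback body would be the Insertname() call and the region would come from looping VirtualQuery() over the debuggee's address space; the range check is what keeps a restore from touching module space, whose comments the .udd already covers.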