PDA

View Full Version : some question about one of the olly capability

saturn
September 4th, 2007, 13:40
hello , i have some question about one of the olly capability.
how it obtain each function arguments name and count?

for example , after loading calc.exe in olly it show :

010125BC . 50 PUSH EAX ; /pStartupinfo
010125BD . FF15 48100001 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; \GetStartupInfoA

how it obtain pStartupinfo for GetStartupInfoA ? is it hardcoded?

it also report :

01012467 |> 56 PUSH ESI ; /Arg2
01012468 |. 53 PUSH EBX ; |Arg1
01012469 |. E8 20FCFFFF CALL calc.0101208E ; \calc.0101208E

how it retrive number of arguments of calc.0101208E ?
is it number of push before a call?


it seems every windows api result (after return) stored in EAX.
- is it true ?
- if yes , is it always true ?
- do you know any other tip such that (any website or ...)?

thankyou for response .
naides
September 4th, 2007, 14:16
Partial answers:

calc.exe was linked with debug information, so some symbols such as pStartupinfo are still present in the target file. That is where Olly is reading them from.
The KERNEL32.GetStartup names are of course taken from in the import table.

01012467 |> 56 PUSH ESI ; /Arg2
01012468 |. 53 PUSH EBX ; |Arg1
01012469 |. E8 20FCFFFF CALL calc.0101208E ; \calc.0101208E

I am not completely sure about that, but I think Olly is doing a best guess labeling of the arguments assuming they follow standard stdCall C type calling convention.
Sometimes arguments are passed in registers (fastcall convention) I have not seen Olly specifically catching such events and correctly labeling the arguments accordingly.
IDA with FLIRT is much smarter accomplishing such function structure/recognition/labeling.

see http://en.wikipedia.org/wiki/Calling_convention

The result of an API is USUALLY returned in EAX, which is also part of the std C calling convention, but a convention is a convention:" something that you may choose follow or not, so I would not assume that EAX containing the result value always will be the case in every program. For instance when the result of an API is a float, it is returned at the top of the FPU stack.
saturn
September 4th, 2007, 17:10
naides , thankyou for response

putting debug information in a file is a great help for RE and putting it in calc,exe
is (maybe) a rational work from M$ !
but it is long time that i see this symbols in every file i loaded in olly .
regardless of debug information (and putting it in olly hardcoded), do you know any other method ?
any api , any report from symbol server or .... ?
LLXX
September 5th, 2007, 01:06
No, nothing about debug info, OllyDbg has an API reference built in.
saturn
September 5th, 2007, 03:35
thankyou LLXX ,

my initial assumption was hardcoded data .
as a simple work , i try load olly in olly and using 'All refrenced text strings' for catching some

signes , but nothing found.

when i load calc.exe in PE Explorer , in tools menu , 'remove debug info' is enabled .
but when i load ultraiso.exe , 'remove debug info' is disabled , may be debug info is stripped.
blow is some disassembly for ultraiso.exe

00401622 . 51 PUSH ECX ; /HeapSize => BC (188.)
00401623 . 6A 08 PUSH 8 ; |Flags = HEAP_ZERO_MEMORY
00401625 . E8 6EF01A00 CALL <JMP.&KERNEL32.GetProcessHeap> ; |[GetProcessHeap
0040162A . 50 PUSH EAX ; |hHeap
0040162B . E8 04F11A00 CALL <JMP.&KERNEL32.HeapAlloc> ; \HeapAlloc

olly know function name (HeapAlloc) , its arguments (i.e Flags) and even Flages name [enum]

(HEAP_ZERO_MEMORY).so built in API reference is good idea.

using msdn , i can catch every function arguments count and name , but this is time-consuming.

anyone know about any opensource header or library (or any part of a big open source project) for that ?
Knight
September 5th, 2007, 04:19
Why should searching some header be better than MSDN?
Anyways, there's file called 'common.arg' in olly's dir, you can add your own definitions for functions to extend number of functions whose arguments olly recognizes. Check olly documentation for info on syntax.

Regards,
Knight
saturn
September 5th, 2007, 07:38
thankyou Knight,

but i actually need definition of 1900 functions that there is in olly body.
putting extra info about a function address like HeapAlloc is part of my project in c.
i can take this info for every functions i encounter , but as i describe this is time-consuming.having definition of 1900 functions is a great help.
so i search for any file , header , lib or projects that contain api info.
Knight
September 5th, 2007, 09:15
Oh, then you probably should be looking for platform SDK.
blabberer
September 5th, 2007, 11:37
Quote:

how it obtain pStartupinfo for GetStartupInfoA ? is it hardcoded?


ollydbg has one big internal table describing most of the functions in its resources section
when an application is opened in ollydbg it loads the resources,locks it and then finds whats what from them based on resolved import address

suppose it sees an address 77f43216 in the resolved import table
it knows by its analysis that this call is GetModuleWhatever()

now GetModuleWhatever may be defined in defined in psdk as

typedef __stdcall PVOID GetModuleHandle ( int a, PUCHAR *somebuffer,handle modhand);

so ollydbg when it referances the resources will know

push 3 a int a
push 404000 as Pointer to UCHAR and it will also find out if any Ascii or unicode string is referancible
push 46 as handle
then call GetModuleHandle()

no debug information is needed for this it does its own analysis

Quote:
how does it know how many arguments to a non import call


it analysis the app and if it finds a closed call it analyes it further and then depending on
return 10h , push pops of registers decides that this call will take two arguments or ten arguments

and then labels them as argument numbers

no not every result is returned in eax (yes almost 95 % retun a result in eax)

int stdcall void foo(in char *blah out char *blahblah); will have rubbish in eax on return

the char * blahblah will have the result if the function operated on char *blah and copied it to char *blahblah


you can define your own function arguments and ollydbg will recognize the call if it was recognising them earlier

for example

ZwSystemDebugControl() will look like this without ntdll.arg file

Code:


020C25A5    6A 00           PUSH    0

020C25A7    6A 00           PUSH    0

020C25A9    6A 00           PUSH    0

020C25AB    6A 00           PUSH    0

020C25AD    6A 00           PUSH    0

020C25AF    6A 06           PUSH    6

020C25B1    FF15 D0EA3002   CALL    NEAR DWORD PTR DS:[230EAD0]      ; ntdll.ZwSystemDebugControl


after you define a proper function description it will look like this

Code:


020C25A5  |.  6A 00         PUSH    0                                ; /PULONG ReturnLength = NULL

020C25A7  |.  6A 00         PUSH    0                                ; |ULONG OutputBufferLength = 0

020C25A9  |.  6A 00         PUSH    0                                ; |PVOID OutputBuffer = NULL

020C25AB  |.  6A 00         PUSH    0                                ; |ULONG InputBufferLength = 0

020C25AD  |.  6A 00         PUSH    0                                ; |PVOID InputBuffer = NULL

020C25AF  |.  6A 06         PUSH    6                                ; |ControlCode = SysDbgDbgBreakPointWithStatus

020C25B1  |.  FF15 D0EA3002 CALL    NEAR DWORD PTR DS:[230EAD0]      ; \ZwSystemDebugControl


and the ntdll.arg file for this function is like

Code:


INFO Simple .ARG file that decodes ZwSystemDebugControl

TYPE SYSDBG_COMMAND

	IF 1 "SysDbgGetTraceInformation"

	IF 2 "SysDbgSetInternalBreakpoint"

	IF 3 "SysDbgSetSpecialCall"

	IF 4 "SysDbgClearSpecialCalls"

	IF 5 "SysDbgQuerySpecialCalls"

	IF 6 "SysDbgDbgBreakPointWithStatus"

	IF 7 "SysDbgSysGetVersion"

	IF 8 "SysDbgReadVirtualMemory"

	IF 9 "SysDbgWriteVirtualMemory"

	IF 10 "SysDbgReadVirtualMemory"

	IF 11 "SysDbgWriteVirtualMemory"

	IF 12 "SysDbgSysReadControlSpace"

	IF 13 "SysDbgSysWriteControlSpace"

	IF 14 "SysDbgSysReadIoSpace"

	IF 15 "SysDbgSysWriteIoSpace"

	IF 16 "SysDbgSysReadMsr"

	IF 17 "SysDbgSysWriteMsr"

	IF 18 "SysDbgSysReadBusData"

	IF 19 "SysDbgSysWriteBusData"

	IF 20 "SysDbgSysCheckLowMemory"

	IF 21 "SysDbgEnableDebugger"

	IF 22 "SysDbgDisableDebugger"

	IF 23 "SysDbgGetAutoEnableOnEvent"

	IF 24 "SysDbgSetAutoEnableOnEvent"

	IF 25 "SysDbgGetPitchDebugger"

	IF 26 "SysDbgSetDbgPrintBufferSize"

	IF 27 "SysDbgGetIgnoreUmExceptions"

	IF 28 "SysDbgSetIgnoreUmExceptions"

	ELSEINT

END



STDFUNC ZwSystemDebugControl

	"ControlCode" 			SYSDBG_COMMAND

	"PVOID InputBuffer" 		ADDR

	"ULONG InputBufferLength" 	HEX

	"PVOID OutputBuffer"		ADDR

	"ULONG OutputBufferLength"	HEX

	"PULONG ReturnLength"		ADDR

END


this is the standard way to do it if you are going to add your own descriptions

if not you can check out stolly plugin source code for understanding how ollydbg holds this standard format in a compact format with an ascii string null terminated with \n seperated values for every function description compressed with ollydbg PluginApi Compress()

like this

Code:


[_GDI_TEB_BATCH]

0=Offset,ULONG,4

1=HDC,ULONG,4

2=Buffer,ULONG[310],1240
LLXX
September 5th, 2007, 22:08
Quote:
[Originally Posted by Knight;68403]Why should searching some header be better than MSDN?
Anyways, there's file called 'common.arg' in olly's dir, you can add your own definitions for functions to extend number of functions whose arguments olly recognizes. Check olly documentation for info on syntax.

Regards,
Knight
What version of OllyDbg are you using? I have 1.10 and 1.09 and this file is not present in neither.
Knight
September 13th, 2007, 11:18
Sorry for a late reply.
I'm using 1.10. And i just checked original Olly's zip, and that file is not present there, so you have to create it by yourself. I did that long ago so have forgotten that it wasn't in the package. "Custom function descriptions" help index entry should give all the information you need.

Regards,
Knight