Following stackpointer addresses in hex dump


RCER
March 18th, 2008, 12:15
Hi,

Can anybody tell me if it is possible to set up OllyDbg in such a way that I can follow ESP, ESP+4, ESP+8 in the hex dump automatically while stepping into a function?
The only way I know at present to trace these memory addresses is to right-click on ESP (or ESP+4, ESP+8) and choose "follow in dump", which will show the relevant memory address in the dump, but only for this particular line of code. If I continue stepping into the function, I will need to repeat this for every step I do, which is very cumbersome.


Thanks for any advice

Regards
RCER

naides
March 18th, 2008, 13:46
Uhhm. What is wrong with Follow in Stack?
Right-click ESP and choose "Follow in Stack".
If you click the column with stack addresses, you can change it to stack notation:
Code:
$-C > 00010000 UNICODE "=::=::\"
$-8 > 01001230 calc.01001230
$-4 > 01001234 calc.01001234
$ ==> > 7C910738 ntdll.7C910738
$+4 > FFFFFFFF
$+8 > 7FFDD000


You can also "lock" the stack in place by right-clicking on the stack data.

Now, keep in mind that ESP changes dynamically during the execution of a function, every time you push, pop or call, so keeping track of whatever ESP points to is intrinsically dynamic.
Locking onto EBP may work better, provided the code uses conventional stack frame management (not the rule with newer compilers).

blabberer
March 18th, 2008, 13:56
edit,

hah, naides is faster

your wish does not make sense; ESP may contain 0 or 0xFFFFFFFF, which may not be followable,
so getting a dump window for every pointer to ESP is not feasible

if you are persistent you may try setting up a few dump windows and tiling them with Windows -> Tile vertically to observe the contents

View -> Memory map -> Dump -> Go to -> use the address like 12FFC4 -> open up a few of them -> then Windows -> Tile windows vertically, horizontally

and at the most this is a kludge that might satisfy your ego; otherwise the wish itself isn't feasible in the practical sense

RCER
March 20th, 2008, 12:05
Quote:
[Originally Posted by naides;73449]Uhhm. What is wrong with Follow in Stack?
Right-click ESP and choose "Follow in Stack".
If you click the column with stack addresses, you can change it to stack notation:
Code:
$-C > 00010000 UNICODE "=::=::\"
$-8 > 01001230 calc.01001230
$-4 > 01001234 calc.01001234
$ ==> > 7C910738 ntdll.7C910738
$+4 > FFFFFFFF
$+8 > 7FFDD000


You can also "lock" the stack in place by right-clicking on the stack data.

Now, keep in mind that ESP changes dynamically during the execution of a function, every time you push, pop or call, so keeping track of whatever ESP points to is intrinsically dynamic.
Locking onto EBP may work better, provided the code uses conventional stack frame management (not the rule with newer compilers).


Hi naides and blabberer,

Thanks for your reply.

I was only looking for an easier way to track what is happening to the job and vendor structures, in particular while stepping into functions such as _l_sg. At the moment the only way I know is by breaking on _l_sg, then changing the stack notation to ESP--> and, after each step (F7), right-clicking on ESP and ESP+8 to find the hex dump in memory.

By the way, what purpose does locking the stack serve?


Regards



RCER

blabberer
March 20th, 2008, 12:49
By the way, what purpose does locking the stack serve?

well, lock the stack, what else

silly jokes apart, the OllyDbg stack window is dynamic, so when someone pushes,
say PUSH 1, the stack window points to the current ESP with 1 on top of the stack visible

now ADD ESP,100 or SUB ESP,200 will again make the address scroll up or down,
but sometimes you would want to look at one specific address only (vulnerability / buffer overflow thingies might come to mind when this need arises)

so you lock, and OllyDbg keeps that address locked and always visible, so when ESP keeps scrolling up or down a black marker bar dances around the address, showing you where the current ESP is and what your preferred address is holding at every execution
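
To make concrete what naides's "$" stack notation and blabberer's description of a locked stack view mean, here is an added Python model of a debugger stack window; it is not from the thread or from OllyDbg itself, and the stack addresses and dword contents are constructed sample values.

```python
# Added example (not from the thread): a small model of the OllyDbg stack
# window's "$" notation and of why a locked view helps when ESP moves.
# All addresses and memory contents below are constructed sample values.

def stack_label(esp, addr):
    """'$' notation of a 32-bit stack slot relative to ESP: '$-C', '$ ==>', '$+8'."""
    off = addr - esp
    if off == 0:
        return "$ ==>"
    return "$%s%X" % ("+" if off > 0 else "-", abs(off))

def push(esp, memory, value):
    """Model PUSH: ESP moves down by 4 and the dword is stored there."""
    esp -= 4
    memory[esp] = value & 0xFFFFFFFF
    return esp

def render(esp, memory, centre=None, above=2, below=2):
    """Render dword slots around `centre`. With centre=None the window follows
    ESP (unlocked); a fixed `centre` models the locked view, where the current
    ESP is only indicated by a marker that moves across the rows."""
    if centre is None:
        centre = esp
    rows = []
    for i in range(-above, below + 1):
        addr = centre + 4 * i
        marker = "  <-- current ESP" if addr == esp else ""
        rows.append("%-6s %08X  %08X%s" % (stack_label(esp, addr), addr,
                                           memory.get(addr, 0), marker))
    return rows

def demo():
    esp = 0x0012FFC4
    memory = {0x0012FFC4: 0x7C910738, 0x0012FFC8: 0xFFFFFFFF, 0x0012FFCC: 0x7FFDD000}
    lock = esp                                   # the slot we want to keep watching
    before = render(esp, memory, centre=lock)
    esp = push(esp, memory, 1)                   # e.g. PUSH 1 inside the stepped function
    following = render(esp, memory)              # unlocked: window recentres on the new ESP
    locked = render(esp, memory, centre=lock)    # locked: 0012FFC4 stays in the same row
    return before, following, locked

if __name__ == "__main__":
    for title, rows in zip(("before push", "unlocked after push", "locked after push"), demo()):
        print(title)
        print("\n".join(rows))
```

In the unlocked view the "$ ==>" row is always the middle one, so a watched slot drifts out of view as ESP moves; in the locked view the watched address keeps its row and only the ESP marker moves.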

RCER
March 20th, 2008, 12:59
Hi blabberer,

O.K., and thanks for the explanation.


Regards
RCER