PDA

View Full Version : Read Breakpoint Logging?? Possible?

stormphaze
June 6th, 2008, 09:34
Im new to olly so please forgive me if this has been answered before, i couldnt find anything on the forum.

I was wondering if there is a plugin or a feature for olly that is similar to the one used in CHEAT ENGINE..

it takes a memory read breakpoint and logs all access to it, IGNORING!! multiples of the same address, this in affect gives a list of all addresses accessing this location without multiples of the same address.

Once this is complete you can look at the list then alter the state of the program and easily see any NEW access points this helps narrow down code sections.

if anyone can help please reply.. tnx.
JMI
June 6th, 2008, 11:34
stormphaze:

I've lightly edited the title to your Thread. Please avoid use of all capital letters. It's really not necessary.

Regards,
stormphaze
June 6th, 2008, 11:40
ah damn.. im really sorry about that..

force of habbit writing entitled reports all day, i did actually think the titles were formatted automatically thats no excuse though

tnx for editing it.. much appreciated..
JMI
June 6th, 2008, 12:44
No big deal at all. Has happened before and will happen again. It's like attempting to get people not to use the "Quote" button, when they really do not need to quote the previous post. That's why there is the button which looks like a page with a down arrow on the far right, which opens the Quick Reply and does not quote what does not need to be quoted.
This is, again, just a general comment for the wider reading audience!

Regards,
dELTA
June 6th, 2008, 14:57
If you don't find any ready-made plugin for this exact purpose, the source code of the "Conditional Branch Logger" Olly plugin (http://www.woodmann.com/collaborative/tools/Conditional_Branch_Logger) would probably be of much help in creating your own.
stormphaze
June 6th, 2008, 16:02
thanks delta,

olly plugins is not an area im familiar with at all, though i am proficient in all forms of c and asm so hopefully if nothing comes up ill be able to fasion something together, much appreciate the nudge in the right direction.
blabberer
June 7th, 2008, 07:07
ollydbg already logs memory breakpoints
you can ask ollydbg to log it to a file directly

after that ripping off multiple entries from that log is just a bit of awk sed perl
or for miss joe secretary excel -> import data -> apply autofilter

Code:


#include <stdio.h>

#include <windows.h>



DWORD access0,access1,access2;

WORD  access3,access4;

char  access5;





int main (void)

{

printf("accessing access0 with write access\n";

access0 = 0xdeadbeef;

printf("accessing access0 with read access %08x\n",access0);



access1 = 0xbabed011;

access2 = 0xb15b00b5;

access3 = 0xb00b;

access4 = 0xbabe;

access5 = 0x0;

return 0;

}


Code:


00401000  Program entry point

0040115E  Memory breakpoint when writing to [0040C4A4]   0040115E   MOV     DWORD PTR DS:[40C4A4], DEADBEEF

00401168  Memory breakpoint when reading [0040C4A4]      00401168   PUSH    DWORD PTR DS:[40C4A4]  ; /Arg2 = DEADBEEF

0040117B  Memory breakpoint when writing to [0040C4A8]   0040117B   MOV     DWORD PTR DS:[40C4A8], BABED011

00401185  Memory breakpoint when writing to [0040C4AC]  00401185   MOV     DWORD PTR DS:[40C4AC], B15B00B5

0040118F  Memory breakpoint when writing to [0040C4B0]  0040118F   MOV     WORD PTR DS:[40C4B0], 0B00B

00401198  Memory breakpoint when writing to [0040C4B2]  00401198   MOV     WORD PTR DS:[40C4B2], 0BABE

004011A1  Memory breakpoint when writing to [0040C4B4]  004011A1   MOV     BYTE PTR DS:[40C4B4], 0

004025BB  Memory breakpoint when reading [0040C4D8]

004025BB  Memory breakpoint when reading [0040C4DC] > some access on same page by Exit function 

004025BB  Memory breakpoint when reading [0040C4E0]   memoryac.__init_exit_proc+0A4

004025BB  Memory breakpoint when reading [0040C4E4]

004025BB  Memory breakpoint when reading [0040C4E8]

004025BB  Memory breakpoint when reading [0040C4EC]

004025BB  Memory breakpoint when reading [0040C4F0]

004025BB  Memory breakpoint when reading [0040C4F4]

004025BB  Memory breakpoint when reading [0040C4F8]

004025BB  Memory breakpoint when reading [0040C4FC]

004025BB  Memory breakpoint when reading [0040C500]

004025BB  Memory breakpoint when reading [0040C504]

004025BB  Memory breakpoint when reading [0040C508]

004025BB  Memory breakpoint when reading [0040C50C]

004025BB  Memory breakpoint when reading [0040C510]


the above executable's .data section is accessed 11674 times
Code:


11674 7C919A2D	Memory breakpoint when reading [0040BA50]

	Process terminated, exit code 0

	Log file closed







if you check sfx automatic unpacking feature ollydbg automatically ignores read and write memory breakpoints and only stops during execute access to land on oep

also joe stewart had a driver plugin that does kinda same
ignoring multiple read and writes and stopping only on execute access

if im not wrong ricardo narvaja has a thread where he talks about a plugin or ollyscript that ignores access and utilises memory breakpoints

so the basic functionality is there

you will have to suit yourself
play with plugin sdk and write one that does what you want

here is a joe secs sorted and filtered log of mem bps
stormphaze
June 7th, 2008, 16:01
Thats brilliant, thanks very much for all the information. I'm in your debt my friend. tnx again.
Kayaker
June 8th, 2008, 00:26
It's guaranteed that blabberer will almost always have a solution to an Ollydbg problem.
I don't know how he does it...