Find all Commands Plugin


Cougar
August 29th, 2008, 18:01
Hi,
I'm looking for a plugin that will "Find all Commands", without the "Too few Operands" you get with Olly.
To be able to type in any command such as "mov" and have all the mov commands show would be great!
Does anyone know of such a plugin or is that able to be done?
Thanks for your help!

FrankRizzo
September 8th, 2008, 21:15
If such a plugin doesn't exist, you could assemble the opcode you're looking for and search for the hex bytes (if all else failed).

blabberer
September 11th, 2008, 07:36
Looking for the STRING "mov" is not a disassembly-related query. Grepping for mov opcodes with a binary mask is still not an all-encompassing result for any STRING "MOV".

If you are looking for grepping, use grepping tools, not OllyDbg, a binary mask, or any plugins.

Open your executable in OllyDbg -> right click -> Copy -> Select all -> right click -> To file -> "grepmovstr.txt"

Start -> Run -> cmd -> findstr /c:mov "grepmovstr.txt" > "greppedmovedstir.txt"

before grep
Code:

7C801625 kernel32.DeviceIoControl /$ 6A 14 PUSH 14
7C801627 |. 68 C80C817C PUSH kernel32.7C810CC8
7C80162C |. E8 9A0E0000 CALL kernel32._SEH_prolog
7C801631 |. 8B4D 0C MOV ECX, DWORD PTR SS:[EBP+C]
7C801634 |. 8BC1 MOV EAX, ECX
7C801636 |. 25 0000FFFF AND EAX, FFFF0000
7C80163B |. 3D 00000900 CMP EAX, 90000
7C801640 |. 0F95C0 SETNE AL
7C801643 |. 8B75 24 MOV ESI, DWORD PTR SS:[EBP+24]
7C801646 |. 33DB XOR EBX, EBX
7C801648 |. FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C80164B |. FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C80164E |. FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C801651 |. FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C801654 |. 51 PUSH ECX
7C801655 |. 3BF3 CMP ESI, EBX
7C801657 |. 75 3E JNZ SHORT kernel32.7C801697
7C801659 |. 3AC3 CMP AL, BL
7C80165B |. 8D45 DC LEA EAX, DWORD PTR SS:[EBP-24]
7C80165E |. 50 PUSH EAX
7C80165F |. 53 PUSH EBX
7C801660 |. 53 PUSH EBX
7C801661 |. 53 PUSH EBX
7C801662 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801665 |. 0F84 D8000000 JE kernel32.7C801743
7C80166B |. FF15 3810807C CALL NEAR DWORD PTR DS:[<&ntdll.NtDeviceIoControlFile>] ; ntdll.ZwDeviceIoControlFile
7C801671 |> 3D 03010000 CMP EAX, 103
7C801676 |. 0F84 B0000000 JE kernel32.7C80172C
7C80167C |> 3BC3 CMP EAX, EBX
7C80167E |. 0F8C CA000000 JL kernel32.7C80174E
7C801684 |. 8B45 20 MOV EAX, DWORD PTR SS:[EBP+20]
7C801687 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
7C80168A |. 8908 MOV DWORD PTR DS:[EAX], ECX


after grep

Code:

7C801631 |. 8B4D 0C MOV ECX, DWORD PTR SS:[EBP+C]
7C801634 |. 8BC1 MOV EAX, ECX
7C801643 |. 8B75 24 MOV ESI, DWORD PTR SS:[EBP+24]
7C801684 |. 8B45 20 MOV EAX, DWORD PTR SS:[EBP+20]
7C801687 |. 8B4D E0 MOV ECX, DWORD PTR SS:[EBP-20]
7C80168A |. 8908 MOV DWORD PTR DS:[EAX], ECX
7C801697 |> C706 03010000 MOV DWORD PTR DS:[ESI], 103
7C8016A0 |. 8B46 10 MOV EAX, DWORD PTR DS:[ESI+10]
7C8016A3 |. 8BC8 MOV ECX, EAX
7C8016BE |> 8945 E4 MOV DWORD PTR SS:[EBP-1C], EAX
7C8016C1 |. B9 000000C0 MOV ECX, C0000000
7C8016CC |. 8B45 20 MOV EAX, DWORD PTR SS:[EBP+20]
7C8016D3 |. 895D FC MOV DWORD PTR SS:[EBP-4], EBX
7C8016D6 |. 8B4E 04 MOV ECX, DWORD PTR DS:[ESI+4]
7C8016D9 |. 8908 MOV DWORD PTR DS:[EAX], ECX
7C801720 /. 8B65 E8 MOV ESP, DWORD PTR SS:[EBP-18]
7C801725 |. 8B45 20 MOV EAX, DWORD PTR SS:[EBP+20]
7C801728 |. 8918 MOV DWORD PTR DS:[EAX], EBX
7C80173B |. 8B45 DC MOV EAX, DWORD PTR SS:[EBP-24]
7C80174E |> 8BD0 MOV EDX, EAX
7C801750 |. B9 000000C0 MOV ECX, C0000000
7C80175B |. 8B4D 20 MOV ECX, DWORD PTR SS:[EBP+20]
7C80175E |. 8B55 E0 MOV EDX, DWORD PTR SS:[EBP-20]
7C801761 |. 8911 MOV DWORD PTR DS:[ECX], EDX
7C80176B kernel32.GetSystemTime /$ 8BFF MOV EDI, EDI
7C80176E |. 8BEC MOV EBP, ESP
7C801773 |> A1 1800FE7F /MOV EAX, DWORD PTR DS:[7FFE0018]
7C801778 |. 8945 FC |MOV DWORD PTR SS:[EBP-4], EAX
7C80177B |. 8B0D 1400FE7F |MOV ECX, DWORD PTR DS:[7FFE0014]
7C801781 |. 894D F8 |MOV DWORD PTR SS:[EBP-8], ECX
7C80179A |. 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
7C80179D |. 66:8B4D E8 MOV CX, WORD PTR SS:[EBP-18]
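The findstr step above matches the substring anywhere on the line, so it also picks up MOVZX, CMOVxx, symbol names and comments. Here is an added example (my own Python, not a tool from this thread or from OllyDbg) that reads the same "Copy -> To file" text and filters on the mnemonic column itself; the sample listing is constructed and the handling of whitespace-collapsed columns is a heuristic.

```python
import re

HEX_GROUP = re.compile(r"^(?:[0-9A-F]{2}:)*(?:[0-9A-F]{2})+$")  # byte groups as OllyDbg prints them, e.g. "66:8B4D", "E8"
MARKER = re.compile(r"^[/|\\][$.>]$")                            # analysis markers: /$  |.  |>  /.
PREFIXES = {"REP", "REPE", "REPZ", "REPNE", "REPNZ", "LOCK"}      # printed as a separate token before the mnemonic
HEX_LOOKING_MNEMONICS = {"FADD"}  # heuristic: x87 mnemonic spelled only with hex digits, must not be eaten as bytes

def parse_line(line):
    """Return (address, mnemonic, operands) for one OllyDbg 'Copy -> To file' line, or None if it is not code."""
    code, _, _comment = line.partition(" ;")           # ';' opens the comment column; never match inside it
    tokens = code.split()
    if len(tokens) < 2 or not re.fullmatch(r"[0-9A-F]{8}", tokens[0]):
        return None
    i = 1
    if not MARKER.match(tokens[i]) and not HEX_GROUP.match(tokens[i]):
        i += 1                                         # optional label such as kernel32.DeviceIoControl
    if i < len(tokens) and MARKER.match(tokens[i]):
        i += 1
    while i < len(tokens) and HEX_GROUP.match(tokens[i]) and tokens[i] not in HEX_LOOKING_MNEMONICS:
        i += 1                                         # skip the opcode/immediate byte groups
    if i >= len(tokens):
        return None
    mnemonic = tokens[i].lstrip("/|\\")                # loop-bracket glyphs are glued on: "/MOV", "|MOV"
    i += 1
    if mnemonic in PREFIXES and i < len(tokens):       # "REP MOVS ..." is one instruction
        mnemonic += " " + tokens[i]
        i += 1
    return tokens[0], mnemonic, " ".join(tokens[i:])

def grep_mnemonic(listing, mnemonic):
    """Lines whose instruction mnemonic equals `mnemonic` exactly (case-insensitive); MOVZX/CMOVE/REP MOVS do not count as MOV."""
    want = mnemonic.upper()
    return [ln for ln in listing.splitlines() if (p := parse_line(ln)) and p[1] == want]

def substring_grep(listing, needle):
    """What a plain findstr /i /c:needle would return, for comparison."""
    return [ln for ln in listing.splitlines() if needle.upper() in ln.upper()]

# Constructed sample in the thread's listing format (addresses and bytes are illustrative only).
SAMPLE = """\
7C801625 kernel32.DeviceIoControl /$ 6A 14 PUSH 14
7C801631 |. 8B4D 0C MOV ECX, DWORD PTR SS:[EBP+C]
7C80179D |. 66:8B4D E8 MOV CX, WORD PTR SS:[EBP-18]
7C801773 |> A1 1800FE7F /MOV EAX, DWORD PTR DS:[7FFE0018]
00401000 |. 0FB6C0 MOVZX EAX, AL
00401003 |. 0F44C1 CMOVE EAX, ECX
00401006 |. F3:A5 REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
00401008 |. E8 12345678 CALL kernel32.MoveFileA ; moves the temp file
0040100D |. 33C0 XOR EAX, EAX ; mov-free way to zero EAX
"""

if __name__ == "__main__":
    print(len(substring_grep(SAMPLE, "mov")), "substring hits vs", len(grep_mnemonic(SAMPLE, "mov")), "real MOVs")
```

Run against the file written by OllyDbg instead of SAMPLE to get only the instructions whose mnemonic is the one typed in.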

Cougar
September 11th, 2008, 10:48
Thanks for the replies! I will try that.