Using Olly


SteM
September 7th, 2008, 12:41
Hi there,
I'm a very new user of OllyDbg.

At the moment I'm trying to use a DLL without source and documentation of it.
So, I'm interested in two features:
1. is it possible to mark in any way the DLL entry points and log them?
2. is it possible to enter the entry call I discover so Olly can remark the code I see in the disasm window?

Any link?
thanks a lot !!

---
SteM

blabberer
September 7th, 2008, 13:25
OllyDbg can load the DLL directly and it will stop on DllEntry

Quote:

Log data, item 0
Address=1001B337
Message=Entry point of debugged DLL

SteM
September 10th, 2008, 15:04
Yes, I know.
But I'd like to have a report with the sequence of the calls done by the original program and relative parameters.

About the second question (maybe it was not clear ...):
Some known API calls are commented on the asm view.
My DLL calls are not commented and I'd like to add some notes on the parameters passed on the stack before the call.
How can I do it?

Thanks

SteM
September 11th, 2008, 06:29
Any tutorial to suggest?
In particular handling DLL ..

Thanks

blabberer
September 11th, 2008, 07:19
Quote:

But I'd like to have a report with the sequence of the calls done by the original program and relative parameters.


that's still confusing
a DLL when loaded by an exe can either be loaded via import table entries or by dynamically loading it with LoadLibrary

and in both cases DllEntry is called by Ldrp functions and it always takes three parameters only

Code:

BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,   // handle to DLL module
    DWORD     fdwReason,  // reason for calling function
    LPVOID    lpReserved  // reserved
);


the sequence of calls is standard; check kernel32.dll and study the LoadLibrary function
LoadLibraryA -> LoadLibraryExA -> LoadLibraryExW -> LdrLoadDll -> LdrpLoadDll -> LdrpMapDll -> LdrpRunInitializers and back
when in LdrpRunInitializers the import tables of the loaded DLLs are checked and additional DLLs that are linked in the loading DLL
are loaded and their initialisers are run as well

yes, if you have analysed your DLL all your comments will be visible the next time

if you want to add custom function descriptions refer help file or find the posts by me in this forum that states how to do it with #####.arg files

SteM
September 12th, 2008, 15:29
Thanks,
but, I'm sorry, there is a misunderstanding.

I know the entry point of DLLs, I developed them. I'll try to explain in other words ....
My idea is to understand how to use the functions contained in a DLL I own.
With the 'depends' tool I had all the function names and, since I guess the DLL was developed in C++, I translated all the function names from their decorated names into a complete C-prototype syntax.
Then, I'm writing a program that can call the DLL.
Now I need to discover how the original program uses those functions (for example, first the 'open', then the 'connect', then 'download', then 'close') and also some useful set of parameters.
Then I guess it would be useful to have a tool that hooks each function to create a log to study the sequence of the calls.

I hope I am clear about what I'd like to obtain ...

Thanks for the hint about the custom function descriptions ... I'll start the search ...

Thanks!
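
Added example, not part of the thread: a minimal sketch of the call-logging shim idea described in the post above, where each export is wrapped so the call order, argument and return value are recorded before being forwarded. The export names, the single shared signature and the stand-in "real" functions are hypothetical; in a real proxy DLL the pointers would be resolved with GetProcAddress from the original DLL.

```c
/* Added example: call-logging shim. Export names, the shared signature and
   the stand-in "real" functions are hypothetical, constructed for this note. */
#include <stdio.h>
#include <string.h>

typedef int (*export_fn)(const char *arg);

/* Stand-ins for the original DLL's exports. In a real proxy DLL these
   pointers would come from GetProcAddress on the renamed original DLL. */
static int real_open(const char *a)    { return a && *a ? 1 : -1; }
static int real_connect(const char *a) { return a ? (int)strlen(a) : -1; }
static int real_close(const char *a)   { (void)a; return 0; }

enum { FN_OPEN, FN_CONNECT, FN_CLOSE, FN_COUNT };
static const char *fn_name[FN_COUNT] = { "open", "connect", "close" };
static export_fn   fn_real[FN_COUNT] = { real_open, real_connect, real_close };

#define LOG_MAX 64
struct call_rec { int fn; char arg[32]; int ret; };
static struct call_rec call_log[LOG_MAX];
static int call_count;

/* Forward to the real function and record name index, argument, result. */
static int logged_call(int fn, const char *arg) {
    int ret = fn_real[fn](arg);
    if (call_count < LOG_MAX) {
        struct call_rec *r = &call_log[call_count++];
        r->fn = fn;
        r->ret = ret;
        snprintf(r->arg, sizeof r->arg, "%s", arg ? arg : "(null)");
    }
    return ret;
}

/* Wrappers the shim would export under the original names. */
int shim_open(const char *a)    { return logged_call(FN_OPEN, a); }
int shim_connect(const char *a) { return logged_call(FN_CONNECT, a); }
int shim_close(const char *a)   { return logged_call(FN_CLOSE, a); }

/* Print the recorded sequence, one call per line; returns number of calls. */
int dump_log(FILE *out) {
    for (int i = 0; i < call_count; i++)
        fprintf(out, "%d %s(\"%s\") = %d\n", i, fn_name[call_log[i].fn],
                call_log[i].arg, call_log[i].ret);
    return call_count;
}

int main(void) {
    shim_open("dev0"); shim_connect("10.0.0.1"); shim_close("dev0");
    return dump_log(stdout) == 3 ? 0 : 1;
}
```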

evaluator
September 13th, 2008, 15:57
disassemble DLL, debug DLL..
are there other ways???

dELTA
September 19th, 2008, 17:07
Happy birthday...

http://www.woodmann.com/collaborative/tools/Category:API_Monitoring_Tools

countryman
October 3rd, 2008, 19:15
for your help, more greatest today!!!
thanx again...