Value Process
Jo_ti
August 20th, 2009, 11:48
Is there any process to pause Olly when the registers EAX, EDX, ECX etc. contain a string?
Like:
EAX 0012346 "Tiger"
So basically I want to pause my Olly when the EAX value contains the "Tiger" string. Is there any plugin or any way to do this?

squidge
August 21st, 2009, 02:02
I don't think that is possible so easily without massive processor utilisation.
The best thing is to find the text in memory and set a BP on the first byte.
Jo_ti
August 21st, 2009, 02:27
The problem is this: the string is generated while the application is running. The application is allocating a specific part of memory to write that string. I can see that string in EAX, but the value is like
EAX 00112345 UNICODE "TIGER"
So when I am loading the target in Olly and trying to get to the VA 00112345, I am not able to do so. Only while running do I have access to that section.
I tried to put a BP on writing the first byte, but then again it's not breaking, but the memory value changed to
EAX 00112536 UNICODE "TIGER"
I also tried to search in memory and ASCII strings, but the string is not appearing because it's generated only while the application is in running mode.
So the way which I found is to just break when EAX gets that value and make the patches there. But how to break at that point? If anyone knows, please let me know.

squidge
August 21st, 2009, 03:24
What is your overall aim? I.e., what are you trying to do with this?
Why is that value written to that location?
Maybe someone can suggest an alternative means.
Jo_ti
August 21st, 2009, 04:19
Basically I want to patch the verification URL of an application and redirect it to my custom URL.
But continuous switching is going on in the memory address, so it's becoming a headache. So the only way which I got is this: just make the right patch when the register value shows that URL. I just want to get the location where the value first shows up in EAX, because after that the value just goes ahead and becomes complex. I'm just trying to get the first location of the URL generation.
squidge
August 21st, 2009, 06:15
If the app is connecting to a server itself to do the verification (rather than spawning a web browser process), then wouldn't setting a breakpoint on something like gethostbyname be easier? You can then divert program flow away from the function, change the name, or even just return a result pointing to your own PC.
Or, if the name is static and you want it for personal use only, just change the hosts file to point that name to your own PC and let the OS do it.
If you want the full URL rather than just the address, you'll probably find it much easier after the return from gethostbyname or similar.
Jo_ti
August 21st, 2009, 10:51
The main problem is this: the program is not breaking at this API, and this is the only API which is very common in this process. Apart from that, if there is any other API which is related to this, please do post it. I will try all of them; I hope it will break at some API so that I can add my custom URL.

SiGiNT
August 22nd, 2009, 01:58
While the process is running, set a hardware BP on that memory section on access. This can be very simple or long and tortuous: reload, and each time it breaks do a search of that section for "Tiger"; if found, either BP on memory access or HW BP on access.
SiGiNT
dELTA
August 30th, 2009, 18:22
Here is exactly what you are looking for:
http://www.woodmann.com/collaborative/tools/OllyStepNSearch
All your base are belong to CRCETL.

SiGiNT
September 3rd, 2009, 18:55
dELTA,
The older version of S&S which I use frequently, because it seems to work better than the newer versions, much to my consternation, does NOT log strings in EAX (but most times the string passes through at least 2 registers). It's been a while since I've tried a newer version, so maybe this has been fixed; I'm still using 0.5.0 plugin 1.10. I tried the latest 6 months to a year ago and the log was almost empty, and I'm not usually looking for a specific string. If our friend believes that your name appearing in EAX is the beginning of the encryption/decryption process, he's got some learning to do; usually your serial shows up after many, many passes later.
It's also possible on slower machines to watch EAX and click in the register window to pause it.
SiGiNT
Jo_ti
September 3rd, 2009, 22:47
I tried this one. I spent all my day but did not get anything useful with this plugin. I hope it works for someone.
Jo_ti
September 4th, 2009, 08:07
I have a very small question, so I don't think opening a new topic would be good for this, so I am just asking here.
Today while editing I noticed a small thing which I think I need to learn. While editing strings in OllyDbg, I found that if I am writing
"My name is jo_ti"
I used the Space bar after each word, and that writes 20 in the hex window.
That means the hex value of Space is 20?
What if I want it to write 00? I mean, which key should I press?
naides
September 4th, 2009, 08:36
The ASCII value of "space" is indeed 0x20. To write a true 00 byte, the best option is to edit in hexadecimal, where you write each byte with digits from 0 to F.
Jo_ti
September 4th, 2009, 10:04
Ya, you are right naides, I know about that, but I want to know of any quick key like the Spacebar which just does my job. Because if the string is long, or if there are lots of strings to patch, then it will take time.
naides
September 4th, 2009, 14:41
Things are a little more complicated than that. If you write a true 00 byte in a string, it will be interpreted as "end of the string" by most text handling functions, effectively discarding the rest of the string.
If the string is written in Unicode, the Olly editor automagically inserts the 00 in the right places, so you need not worry about placing the 00 yourself.
You can insert any ASCII char using the keypad of the keyboard like this: push [Alt], rapidly key in the three decimal digits of the ASCII char you want, in this case 000. Hardly a quick solution. As a last resort, install a macro generator on your system and program some key combination, such as [Alt]+0, to generate the 00 byte.
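The two points above, that a 00 byte in the middle of an ASCII string ends it for strlen-style functions, while a Unicode (UTF-16LE, which is what Olly labels UNICODE) string carries 00 bytes between its letters without ending, as an added C example. This is not code from the thread or from OllyDbg; the sample strings ("Tiger" and the sentence from the post) are constructed here, and the assumption that Olly's UNICODE display means UTF-16LE is mine.

```c
/* Added example, not from the thread: why a 0x00 byte "discards the rest"
 * of an ASCII string, and why UTF-16LE text survives its interleaved 00s.
 * Build: cc -std=c99 -Wall example.c && ./a.out */
#include <stdio.h>
#include <string.h>

/* Overwrite buf[idx] with 0x00 (what typing a NUL in the editor would do)
 * and return the length that every strlen()-based function now sees. */
size_t truncate_at(char *buf, size_t idx) {
    buf[idx] = '\0';
    return strlen(buf);
}

/* Encode 7-bit ASCII as UTF-16LE: each character becomes <byte> 00.
 * Returns bytes written including the 00 00 terminator, or 0 if out is
 * too small for the result. */
size_t ascii_to_utf16le(const char *ascii, unsigned char *out, size_t cap) {
    size_t n = strlen(ascii);
    if (cap < 2 * n + 2) return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = (unsigned char)ascii[i];
        out[2 * i + 1] = 0x00;       /* high byte of a BMP code point */
    }
    out[2 * n]     = 0x00;           /* terminator is two 00 bytes */
    out[2 * n + 1] = 0x00;
    return 2 * n + 2;
}

/* Length in UTF-16 code units: stops only at a 00 00 pair, so the single
 * 00 bytes between letters do not end the string. */
size_t utf16le_len(const unsigned char *s) {
    size_t units = 0;
    while (s[2 * units] != 0x00 || s[2 * units + 1] != 0x00) units++;
    return units;
}

/* Scalar wrappers over constructed sample data (used below and by checks). */
size_t demo_strlen_after_nul(size_t idx) {
    char sentence[] = "My name is jo_ti";   /* 0x20 between words, 16 chars */
    return truncate_at(sentence, idx);
}
size_t demo_utf16_bytes(const char *ascii) {
    unsigned char buf[64];
    return ascii_to_utf16le(ascii, buf, sizeof buf);
}
size_t demo_utf16_units(const char *ascii) {
    unsigned char buf[64];
    if (ascii_to_utf16le(ascii, buf, sizeof buf) == 0) return 0;
    return utf16le_len(buf);
}
/* strlen() applied to the UTF-16LE bytes: the 00 after the first letter
 * ends the "string", which is why an ASCII search misses UNICODE text. */
size_t demo_utf16_strlen(const char *ascii) {
    unsigned char buf[64];
    if (ascii_to_utf16le(ascii, buf, sizeof buf) == 0) return 0;
    return strlen((const char *)buf);
}

int main(void) {
    printf("ASCII sentence, strlen intact:      %zu\n", demo_strlen_after_nul(16));
    printf("ASCII sentence, 00 written at [7]:  %zu\n", demo_strlen_after_nul(7));
    printf("\"Tiger\" as UTF-16LE: %zu bytes, %zu code units, strlen sees %zu\n",
           demo_utf16_bytes("Tiger"), demo_utf16_units("Tiger"),
           demo_utf16_strlen("Tiger"));
    return 0;
}
```

The last line of output is the practical takeaway for the search problem earlier in the thread: a UTF-16 "TIGER" in memory is `54 00 49 00 47 00 45 00 52 00`, so an ASCII string search or any C-string function stops at the first letter, while a Unicode-aware search (or a search for the byte pattern) finds it.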