Newbie looking for help on how to change/add strings in OllyDbg


Westernsys
May 21st, 2010, 14:56
Hello,
Just a few days ago I started to look into RE because of a software limitation. Basically the app connects to a third-party RTMP server (to send a stream) with a username and password (both are generated in this application and can't be changed manually), but my account on the other server got suspended. So I made a new account on the "other server" and I would like to pass the new username and password to the first app.

At first I thought this would be easy. Then I read about code caves, loading external DLLs, memory injections, hardware breakpoints et cetera...
Well, I am really confused.

I have found the Unicode string that connects to the other server (using OllyDbg's search for referenced text strings):
Code:
rtmp://blabla.com/username=%s/password=%s


So I went to that address, set a breakpoint on the start of the function and pressed F8 until I noticed that the EAX register had the username value inside it.

Now the real question - how would I change the EAX value? I've skimmed over at least 20-30 beginner tutorials but only few touch that topic and most of them are either too complicated or don't fully describe what to do.

I think I need to create a code cave, then assign a string to a memory block, but how do I know which address to use? Wouldn't I overwrite data, and wouldn't that crash the app?

Thanks, I hope someone reads this and replies.

BoB
May 21st, 2010, 16:51
Hi Westernsys,

Sounds like you've come a long way in a few days.
The answer to your questions depends on the app, but I'll assume it's unprotected and 'normal'.

Generally there is space in the headers before the first section, or in any area not already used, such as the zero padding at the end of each section. Also, if the app has a relocations section, you can use that whole section for any strings or anything else.
If you have to use an area outside of the headers, then you must use the RVA of the containing section as the offset.

So, basically follow these steps.
1. Use a hex editor or OllyDbg to write your text somewhere in the app, like before the first section. Note down the offset (in hex).
2. Load the app into OllyDbg, and trace again to the instruction where EAX is given the text you want to change, probably a LEA or MOV instruction.
3. Alter the address of the username text to be ImageBase + offset, e.g. $004001F0 if in the headers.

Of course, you never say if your new username is shorter. If so, you can probably just overwrite the original string using a hex editor and pad it with zeroes.

BoB

FrankRizzo
May 21st, 2010, 18:37
Westernsys, step 1 is to try to figure out where that data comes from (the username and password). It could be stored as plain text in an XML file or something similar, and you'd be using a sledgehammer to kill a fly. The first thing I would do would be to download a few monitors; FileMon and RegMon come to mind. Run those one at a time, and see if they're reading the data from disk. Since you have a breakpoint set on the send, you know that the app will stop running there, and you can easily trace backwards in the monitors for accesses to either the disk or the registry. I'd just about BET it's in one of those 2 places. If it turns out NOT to be, then I would look back from where EAX is the value you seek, and see where it's coming from. See if it's being copied from inside the .exe or what. Then you might just be able to modify it in the .exe (if that's where it is), or something similar, and leave all this advanced stuff for your next project. Oh yes, there WILL be a next project.

Westernsys
May 22nd, 2010, 04:35
Thank you for the advice.
Well, I was able to use the code cave successfully, it was quite simple, but the application crashes after several calls.
The OllyDbg status bar says "Access violation when writing to [00130000]", and in the CPU window an MSVCR71 module is open.
The crash happens at this address: "7C342EEE F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]"

By the way, the string is derived from the username that I log in with to the main application. It becomes something like this: "blabla_username", and the password seems to be some sort of hash, 40 bytes long.

Anyway, here is what I was experimenting with...
Original code:
Code:
005D539C 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
005D539F 73 03 JNB SHORT blabla.005D53A4
005D53A1 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
005D53A4 57 PUSH EDI ; /Arg5 //PASSWORD
005D53A5 51 PUSH ECX ; |Arg4 //USERNAME
005D53A6 50 PUSH EAX ; |Arg3 //USERNAME AGAIN
005D53A7 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C] ; | //SOME STRING, TO VERIFY STREAM SOURCE?
005D53AA |. 68 F0936700 PUSH blabla.006793F0 ; |Arg2 = 006793F0 //UNICODE STRING - RTMP://blabla.com/username=%s/password=%s
005D53AF |. 50 PUSH EAX ; |Arg1 //
005D53B0 |. E8 23440200 CALL blabla.005F97D8 ; \blabla.005F97D8 //FUNCTION


Changed it to this:
Code:
005D539C E9 6C540800 JMP blabla.0065A80D
005D53A1 90 NOP
005D53A2 90 NOP
005D53A3 90 NOP
005D53A4 57 PUSH EDI ; /Arg5
005D53A5 51 PUSH ECX ; |Arg4
005D53A6 50 PUSH EAX ; |Arg3
005D53A7 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C] ; |
005D53AA |. 68 F0936700 PUSH blabla.006793F0 ; |Arg2 = 006793F0
005D53AF |. 50 PUSH EAX ; |Arg1
005D53B0 |. E8 23440200 CALL blabla.005F97D8 ; \blabla.005F97D8


CodeCave:
Code:
0065A80D 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
0065A810 73 03 JNB SHORT blabla.0065A815
0065A812 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
0065A815 51 PUSH ECX
0065A816 B9 C0023400 MOV ECX,3402C0 ; UNICODE "test"
0065A81B ^E9 84ABF7FF JMP blabla.005D53A4


Please excuse me if I've made some stupid mistakes, I'm still very new to this.

Darkelf
May 22nd, 2010, 08:23
Hi,

In your code cave you're pushing ECX before you overwrite it with your own string.

Code:

0065A815 51 PUSH ECX
0065A816 B9 C0023400 MOV ECX,3402C0 ; UNICODE "test"


Why? See, when you jump back to the original code, ECX is pushed again -> your stack is in a mess!

Then, there is this:

Code:

005D53A6 50 PUSH EAX ; |Arg3 //USERNAME AGAIN


Well, if EAX holds the username just like ECX and it's pushed on the stack, then why didn't you overwrite it as well? If you leave EAX untouched, you have two different usernames on the stack. This can lead to quite funny incidents.
After all, you did not do badly, considering you are very new to this stuff. Just think about what the commands do and what YOU want to do. Maybe compare the stack before the call at 005D53B0 is made in the original program with the stack before the call in your patched one.

Good luck.

Best regards
darkelf

edit: Ah, one more thing: make sure this call is only used in this place. If it is called from somewhere else, you may need to patch the other location as well, or find a better place for your patch. You can check this in Olly by right-clicking on the call, then Find references to -> Selected command.
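
The comparison Darkelf suggests, the stack just before the CALL at 005D53B0 in the original flow versus the patched flow, can be worked through with a small model. The following is an added example, not code from the thread: it reduces the listed instructions to their stack and register effects, runs the original tail (005D53A4 onwards) with and without the cave body in front of it, and reports the five argument slots the callee sees plus any stack-pointer drift. The register values, ESP and the "both pointers equal" starting state are constructed assumptions; only the addresses 005D53A4, 006793F0 and 3402C0 come from the listings.

```python
"""Added example (not from the thread): a small stack model of the detour at
005D539C, comparing the callee's arguments and ESP before the CALL at 005D53B0
for the original code and for three versions of the code cave.  Only PUSH, LEA
and MOV-immediate are modelled; the MOV/JNB/LEA on [EBP-54] is identical in
both paths and is taken as already executed.  Register values and ESP are
constructed sample values."""

NEW_USERNAME_PTR = 0x003402C0    # address of the replacement UNICODE "test" (from the cave listing)

# Constructed register state just before 005D53A4: EAX and ECX are assumed to
# both point at the original username buffer, as the listing's comments suggest.
REGS = {"EAX": 0x00A30010, "ECX": 0x00A30010, "EDI": 0x00A30080, "EBP": 0x0012FF40}

# 005D53A4..005D53AF, reduced to stack/register effects (Arg5 is pushed first).
TAIL = [
    ("PUSH", "EDI"),              # Arg5 password
    ("PUSH", "ECX"),              # Arg4 username
    ("PUSH", "EAX"),              # Arg3 username again
    ("LEA", "EAX", -0x3C),        # LEA EAX,[EBP-3C]
    ("PUSH_IMM", 0x006793F0),     # Arg2 format string
    ("PUSH", "EAX"),              # Arg1 output buffer
]

# Cave bodies: as posted (extra PUSH ECX), with the push removed, and with EAX redirected too.
CAVE_AS_POSTED = [("PUSH", "ECX"), ("MOV_IMM", "ECX", NEW_USERNAME_PTR)]
CAVE_PUSH_REMOVED = [("MOV_IMM", "ECX", NEW_USERNAME_PTR)]
CAVE_BOTH_REGS = [("MOV_IMM", "ECX", NEW_USERNAME_PTR), ("MOV_IMM", "EAX", NEW_USERNAME_PTR)]


def run(trace, regs, esp=0x0012FF00):
    """Execute the reduced trace; return (esp, regs, stack) with stack as {address: dword}."""
    regs, stack = dict(regs), {}
    for ins in trace:
        op = ins[0]
        if op == "PUSH":
            esp -= 4
            stack[esp] = regs[ins[1]]
        elif op == "PUSH_IMM":
            esp -= 4
            stack[esp] = ins[1]
        elif op == "MOV_IMM":
            regs[ins[1]] = ins[2]
        elif op == "LEA":
            regs[ins[1]] = (regs["EBP"] + ins[2]) & 0xFFFFFFFF
        else:
            raise ValueError(f"unsupported op {op}")
    return esp, regs, stack


def args_at_call(esp, stack, count=5):
    """Arguments as the callee reads them at the CALL: Arg1 at [ESP], Arg2 at [ESP+4], ..."""
    return [stack[esp + 4 * i] for i in range(count)]


def compare(cave):
    """Run the original and the patched flow from the same state and report the differences."""
    esp_orig, _, st_orig = run(TAIL, REGS)
    esp_new, _, st_new = run(cave + TAIL, REGS)
    return {
        "args_original": args_at_call(esp_orig, st_orig),
        "args_patched": args_at_call(esp_new, st_new),
        # bytes by which ESP is lower than in the original flow; a non-zero value
        # means a dword is left on the stack on every pass through the detour
        "esp_drift": esp_orig - esp_new,
    }


if __name__ == "__main__":
    for name, cave in [("as posted", CAVE_AS_POSTED), ("push removed", CAVE_PUSH_REMOVED),
                       ("ECX and EAX", CAVE_BOTH_REGS)]:
        r = compare(cave)
        print(f"{name:13s} drift={r['esp_drift']} args={[hex(a) for a in r['args_patched']]}")
```

Running it shows why the crash is delayed rather than immediate: with the cave as posted, the five argument slots look plausible (Arg4 already holds the new string) but ESP is 4 bytes lower than in the original flow, so one stale dword is left behind on every pass. Removing the push brings the drift to zero, and redirecting EAX as well makes Arg3 and Arg4 agree, which is the second point above.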

Westernsys
May 22nd, 2010, 11:29
Thank you! When I removed the push from the code cave, it worked splendidly!

It is now using the customized user and password, everything works as expected, but there is a small issue.

The program I am using has a main "blabla.exe" and a "blabla_64.exe", which it uses to hook its interface onto a Direct3D overlay. On 32-bit, the hook worked nicely (everything was like in the original exe, except I had streaming capabilities again); however, on 64-bit the hook didn't work at all.

I did all the reversing in a 32-bit VM. I then compared blabla.exe from the 32-bit system with the 64-bit one in a hex editor and saw that there were many inconsistencies between the two.

So I opened the original blabla.exe on the 64-bit OS, edited the PE header in a hex editor, attached OllyDbg to the process and assembled the code caves. Then the hook worked, but the damn thing didn't update my profile status anymore; it just flashed for a second and changed back when a Direct3D app was detected. So as I "fixed" one bug, another surfaced.

Could these abnormalities be because I attached OllyDbg to the process instead of opening the file? I couldn't open the file directly; it threw an unhandled exception.

Dammit, I think that the text I just wrote is very confusing to read.

Maybe I should try and change the code directly in Hex Workshop? I noticed that the OllyDbg offset and the HW offset didn't match. How do I calculate the correct address?


EDIT: After the 3rd time trying to place the code cave at different addresses and changing the string offset in the PE header, I got it to work. Everything works just like it did on my 32-bit machine. Weird.
Now I need to find out where that damn thing passes the width/height options; my RTMP stream looks awful.
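
The address mismatch asked about here, and the "write your text before the first section, then use ImageBase + offset" steps BoB described earlier, both come down to reading the PE section table. The following is an added example, not code from the thread or from the program being patched: it builds a small two-section PE32 image in memory from constructed sample values, parses the headers back, converts between the virtual addresses OllyDbg shows and hex-editor file offsets, and locates the two kinds of free space mentioned in the thread (header slack before the first section, and the zero padding at the end of a section). The image layout, section names and sizes are all assumptions made for the example.

```python
"""Added example (not from the thread or the program discussed): PE address
bookkeeping for finding free bytes for a new string and for converting between
the addresses OllyDbg shows and hex-editor file offsets.  The PE image is
constructed in memory with sample values; nothing is read from a real file."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe() -> bytes:
    """Construct a minimal two-section PE32 image with consistent headers."""
    image_base, sect_align, file_align, size_of_headers = 0x00400000, 0x1000, 0x200, 0x400
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x1800, 0x1000, 0x1800, 0x0400, 0x60000020),
        (b".data", 0x0300, 0x3000, 0x0400, 0x1C00, 0xC0000040),
    ]
    img = bytearray(0x2000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = 0x98                                                            # optional header start
    struct.pack_into("<H", img, opt, 0x10B)                               # PE32 magic
    struct.pack_into("<III", img, opt + 28, image_base, sect_align, file_align)
    struct.pack_into("<II", img, opt + 56, 0x4000, size_of_headers)      # SizeOfImage, SizeOfHeaders
    for i, (name, vsize, va, rsize, raw, chars) in enumerate(sections):
        struct.pack_into(SECTION_HDR, img, opt + 0xE0 + 40 * i, name, vsize, va, rsize, raw, 0, 0, 0, 0, chars)
        body = b"\xCC" * rsize if name == b".text" else b"A" * vsize     # sample contents
        img[raw:raw + len(body)] = body                                   # .data keeps a zero tail
    return bytes(img)


def parse_pe(data: bytes) -> dict:
    """Pull the header fields that address conversion needs."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsects = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    table = opt + struct.unpack_from("<H", data, pe + 20)[0]              # + SizeOfOptionalHeader
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsects):
        name, vsize, va, rsize, raw = struct.unpack_from(SECTION_HDR, data, table + 40 * i)[:5]
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rsize": rsize, "raw": raw})
    return {"image_base": image_base, "size_of_headers": size_of_headers,
            "section_table_end": table + 40 * nsects, "sections": sections}


def rva_to_offset(pe, rva):
    """Headers map 1:1; inside a section, offset = PointerToRawData + (rva - VirtualAddress)."""
    if rva < pe["size_of_headers"]:
        return rva
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            delta = rva - s["va"]
            return s["raw"] + delta if delta < s["rsize"] else None        # past raw data: not in file
    return None


def offset_to_rva(pe, off):
    if off < pe["size_of_headers"]:
        return off
    for s in pe["sections"]:
        if s["raw"] <= off < s["raw"] + s["rsize"]:
            return s["va"] + (off - s["raw"])
    return None


def va_to_offset(pe, va):
    """Address as shown by OllyDbg -> hex-editor file offset."""
    return rva_to_offset(pe, va - pe["image_base"])


def offset_to_va(pe, off):
    """Hex-editor file offset -> address as shown by OllyDbg (ImageBase + RVA)."""
    rva = offset_to_rva(pe, off)
    return None if rva is None else pe["image_base"] + rva


def header_slack(pe):
    """Unused bytes between the end of the section table and SizeOfHeaders (offset == RVA there)."""
    return pe["section_table_end"], pe["size_of_headers"]


def section_padding(pe):
    """Per section: trailing file bytes beyond VirtualSize that still belong to the raw data."""
    return {s["name"]: (s["raw"] + s["vsize"], s["raw"] + s["rsize"])
            for s in pe["sections"] if s["rsize"] > s["vsize"]}


def place_utf16(data: bytes, text: str):
    """Write text as a NUL-terminated UTF-16LE string into header slack; return (image, offset, va)."""
    pe = parse_pe(data)
    start, end = header_slack(pe)
    blob = text.encode("utf-16-le") + b"\0\0"
    if start + len(blob) > end or any(data[start:start + len(blob)]):
        raise ValueError("header slack too small or not empty")
    img = bytearray(data)
    img[start:start + len(blob)] = blob
    return bytes(img), start, offset_to_va(pe, start)
```

In the constructed image the section table ends at file offset 0x1C8 and SizeOfHeaders is 0x400, so a string written at 0x1C8 is reachable in the running process at 0x004001C8 (headers are mapped at the image base with no translation), while an address such as 0x00401234 inside .text lands at file offset 0x634. The two conversions only differ by the section's PointerToRawData minus its VirtualAddress, which is exactly why OllyDbg addresses and Hex Workshop offsets disagree outside the headers. `place_utf16` refuses to write over bytes that are not already zero; that is the check worth keeping when reusing padding in a real file.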

disavowed
May 22nd, 2010, 14:40
For what it's worth, an easier approach might be to use a proxy (like Fiddler) to intercept the outgoing URIs and replace the strings on-the-fly.

Westernsys
May 22nd, 2010, 15:47
Quote (originally posted by disavowed):
For what it's worth, an easier approach might be to use a proxy (like Fiddler) to intercept the outgoing URIs and replace the strings on-the-fly.


Interesting, I will try the proxy method as well. Looking at the packets in Wireshark, I noticed that the handshake sends the username, the password and even some of the variables for stream quality!

Thanks for the tip!