View Full Version : Conditional Branch Logger
REAP
June 30th, 2013, 17:24
Hello
I am trying to load this plugin with Olly 1.1 on XP (in a VM).
I receive the error
Code:
cbl_gui.dll failed to load correctly
I have the cbl_gui.dll (and Conditional_Branch_Logger.dll) in the plugin folder.
Would appreciate suggestions on what could be the issue.
Thanks
REAP
June 30th, 2013, 18:46
I've worked it out, it is a conflict with another plug-in.
REAP
July 1st, 2013, 00:51
Hello,
Unfortunately the cbl_gui.dll does not load correctly in all instances.
When I posted above that I had it working, I had removed all other plugins and was testing with notepad.
CBL is still the only plugin that is in the plugin directory, but when I try to configure CBL with the application that I want to trace (a service), I am getting the same error as before.
So am again after advice either on how to resolve or alternatives (for instance is there an OllyScript that does something similar?)
Thanks
Kayaker
July 1st, 2013, 13:13
I can't really understand where there would be a problem. CBL loads with Olly, even before you open a target, so if all is good you should see the message in the log window
"cbl_gui.dll loaded and all addresses are retrieved"
It should work irrespective of whether you open notepad, a service, or attach to a running process.
Conditional_Branch_Logger.dll is the plugin loaded by Olly. If the plugin can't load cbl_gui.dll you will get an error message in the Olly log window. The fact that you did get that error message seems to indicate the plugin probably loaded OK, but couldn't find the second dll. If for some reason it loaded but couldn't resolve the dll exports you'd get an additional message
"cbl_gui.dll loaded but addresses not retrieved"
All I can suggest at the moment is to delete ollydbg.ini and refresh to create a new one, and remove any udd files and try again. Out of curiosity, do you know which plugin it may have had a conflict with?
You could also do a full run trace, but for the same code execution path there would be a lot more instructions to sift through in the log file over using the plugin.
REAP
July 2nd, 2013, 05:49
Hello Kayaker,
Thanks for responding.
I've done some more testing.
I've removed all the UDD's. And now when I open Olly cbl_gui.dll loads as you describe. I have re-added the plugins and there is no change, so the other plugins were not the issue. Notepad continues to work, and I've tried a couple of other applications and they work too.
Unfortunately CBL still doesn't work with the service.
The process for loading Olly works differently with the service, unlike the other applications, where I use Olly to load the applications. By configuring some registry entries (which I can detail if that helps) when the service is started, Olly is started as the debugger. So in this instance I can't load Olly and check that cbl_gui.dll is loaded OK before starting the service (actually I tried doing that - but it made no difference to the instance of Olly that was loaded when the service started).
Any idea what the problem could be?
Kayaker
July 2nd, 2013, 16:14
Interesting. Are you using the gflags/Image File Execution method to attach Olly to the service on startup?
It sounds like something is preventing that secondary dll loaded by the plugin to load properly. I read about adding a delay to the service startup to give time for the debugger to attach. Perhaps that would give the necessary time for cbl_gui.dll to load.
http://support.microsoft.com/kb/824344
I guess the logical step to see if CBL itself is the culprit, or whether this is an inherent problem with that kind of service-startup/debugging setup, would be to create a dummy Olly plugin which loads a dummy second dll and see if it also fails to load.
I can't think offhand of other plugins which use 2 dlls which might also fail this way. Ollybone with its loaded sys driver is the only one that comes to mind.
I haven't got time to test right now, but it's an interesting question nonetheless.
REAP
July 3rd, 2013, 00:28
Hi,
I have been using the registry method.
I'm aware of the setting for preventing the service from timing out, but I can't see anything about delaying the service startup.
Kayaker
July 3rd, 2013, 01:05
My mistake really. I wasn't quite sure if increasing the timeout period might help for this situation. Does the service load OK into Olly otherwise, plugin failure aside?
Is this an automatic (boot) service, or a delayed service, or one you can start manually and have Olly kick in? Maybe not pertinent, but I'm curious to see if I can duplicate the problem.
REAP
July 3rd, 2013, 01:29
Quote:
[Originally Posted by Kayaker;94983]My mistake really. I wasn't quite sure if increasing the timeout period might help for this situation. Does the service load OK into Olly otherwise, plugin failure aside?
Is this an automatic (boot) service, or a delayed service, or one you can start manually and have Olly kick in? Maybe not pertinent, but I'm curious to see if I can duplicate the problem. |
Yes the service loads fine.
By default the service is automatic, but for the purposes of troubleshooting it is more convenient to set it to manual and start as needed, which works fine.
Occasionally I have found that when you start the service Olly doesn't load (looks like a bug) and I have found that opening an Olly instance beforehand gets around that issue. So I was hoping that I could do that to resolve the CBL dll error but unfortunately having an instance of Olly open doesn't make any difference to the state of the dll in the Olly instance which is started to debug the service.
blabberer
July 3rd, 2013, 05:23
can you follow the flow and adapt it to the application you are debugging
prima facie i dont face any problems with debugging a service appliaction along with conditional branch logging plugin
have you made your service made interactive ? (should work upto winxp sp3 )
for vista and above service interaction is disallowed due to session zero isolation
you would need to muck with windbg remote debugging
Code:
C:\>md testcblservice
C:\>cd testcblservice
C:\testcblservice>copy f:\utilities\odbg\odbg110.zip .
1 file(s) copied.
C:\testcblservice>copy f:\utilities\plugins\Bin_Conditional_Branch_Logger_2007-10-23_21.4_Conditional_Branch_Logger_v1.0.zip .
1 file(s) copied.
C:\testcblservice>"c:\Program Files\7-Zip\7z.exe" x -y *
7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
Processing archive: Bin_Conditional_Branch_Logger_2007-10-23_21.4_Conditional_Branch_Logger_v1.0.zip
Extracting Conditional_Branch_Logger.dll
Extracting src.zip
Extracting readme.txt
Extracting cbl_gui.dll
Everything is Ok
Processing archive: odbg110.zip
Extracting BOOKMARK.DLL
Extracting Cmdline.dll
Extracting dbghelp.dll
Extracting license.txt
Extracting OLLYDBG.EXE
Extracting OLLYDBG.HLP
Extracting PSAPI.DLL
Extracting readme.txt
Extracting register.txt
Everything is Ok
Archives: 2
Files: 13
Size: 3141618
Compressed: 1820976
C:\testcblservice>del *.txt & del *.hlp & del PSAPI.DLL & del *.zip & dir /b
BOOKMARK.DLL
cbl_gui.dll
Cmdline.dll
Conditional_Branch_Logger.dll
dbghelp.dll
OLLYDBG.EXE
C:\testcblservice>OLLYDBG.EXE //close it just checking if ollydbg works
C:\testcblservice>copy c:\WINDOWS\system32\calc.exe .
1 file(s) copied.
C:\testcblservice>ren calc.exe testcblservice.exe
C:\testcblservice>sc create testcblservice binPath= "c:\testcblservice\testcblservice.exe" type= own type= interact
[SC] CreateService SUCCESS
C:\testcblservice>reg add "hklm\software\microsoft\windows nt\currentversion\image file execution options\testcblservice" /v Debugger /t REG_SZ /d "c:\testcblservice\ollydbg.exe"
The operation completed successfully
C:\testcblservice>testcblservice.exe \\open in debugger and keeps working
C:\testcblservice>net start testcblservice \\will open in debugger but will be terminated by service control manager after default timeout 30 seconds
The service is not responding to the control function. <------------------------ default closure solution is to increase default timeout value
refer http://support.microsoft.com/kb/824344 and reboot
More help is available by typing NET HELPMSG 2186.
C:\testcblservice>
REAP
July 4th, 2013, 18:57
@blabberer
Yes, the service is set to interactive.
I created a fresh Olly config as per your instructions and am able to load the target service successfully
Thanks very much to both yourself and Kayaker for all of your help, I doubt that I would have tried this approach by myself
REAP
July 5th, 2013, 01:56
Hi,
More questions I'm afraid.
The reason I wanted to use CBL was so that I could compare application behaviour packed versus un-packed. At the moment un-packed is not running how I would like and I thought this might be an easy way of isolating the issue.
I can now run CBL on the un-packed service and get the log.
In relation to packed, when I start at the packed EP I configure CBL not to log. I then get to OEP, configure CBL to log (I also need to change the address range) at this point when I save the settings in CBL, Olly restarts.
Am I stuffed in terms of this approach, or might there be a work-around?
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.