
View Full Version : Ollydbg and OutputDebugString()


Aelorean
May 10th, 2006, 13:38
I just started using ollydbg for particular tasks and noticed that it treats OutputDebugString() differently than windbg. Is there an option in ollydbg somewhere that I'm missing? I would prefer that it not automatically add a carriage return at the end of every OutputDebugString() call.

Otherwise, I have to do something like this...which is a major pain:

Code:

#ifdef OLLYDBG
sprintf(buf,"%s %s",DebugHeader,szOutput);
#else
sprintf(buf,"%s %s\n",DebugHeader,szOutput);
#endif
OutputDebugString(buf);

Kayaker
May 10th, 2006, 21:43
Hi

It looks like you're stuck, unless you want to do some creative reversing. Notice that Olly concatenates your string with "Debug string:" and outputs it to the log window and status bar. You can find the routine that handles this, part of a switch statement for DEBUG_EVENT (OUTPUT_DEBUG_STRING_EVENT):

:0042F49D Case_OUTPUT_DEBUG_STRING_EVENT: ; CODE XREF: sub_42D174+36
:0042F49D push offset aDebugString ; case 0x8 "Debug string:"
:0042F4A2 lea edx, [ebp+var_25C]
...

I set a breakpoint on this in Softice (try VA 43127D) and traced it to see what was going on when an OutputDebugString was encountered. As you can tell, Olly uses a wrapper routine and concatenates your string with its own, rather than just passing it to OutputDebugString. I think it would be kind of difficult to rewrite this code so the extra string and line break were eliminated so it would look like Windbg output.

Maybe you could turn your #ifdef statements into a macro to simplify the coding down to a single line anyway, that should pretty much solve the 'major pain' problem.

Cheers,
Kayaker

Aelorean
May 10th, 2006, 22:47
The major pain is just having to remember whether to set the preprocessor on my application to be set for debugging with windbg or ollydbg.

I just can't think of any other way to do it other than patching ollydbg itself...

I wish there was still an ollydbg forum to make that request of the author

Kayaker
May 11th, 2006, 00:15
I'm a bit confused actually. Your #ifdef statements indicate you *want* a line break for Windbg, but not for Olly. The thing is, Olly ignores any extra linebreaks you add, in fact it parses your string and null terminates it before any "\n" you might have added. Instead it effectively adds its own somewhere later, and only once.

Code:

:0042F5A2 cmp edx, 0Ah // Olly looks for "\n"
:0042F5A5 jz short loc_42F589
:0042F5A7 mov eax, [ebp+var_C]
:0042F5AA lea ecx, [ebp+var_25C]
:0042F5B0 test edi, edi
:0042F5B2 mov byte ptr [ebp+eax+var_25C], 0
// null terminate the true string, overwriting the first "\n" encountered


So essentially that seems to come to the same thing, I don't see that you'd need different OutputDebugString statements for each debugger. Just add a single "\n" for the Windbg instance and with Olly you should get the exact same output. It won't add "extra" linebreaks just because you specified them inline as "\n".

If you don't want the "Debug string:" suffix you can patch the first character of that ascii string
.data:004AE3CC aDebugString db 'Debug string: ',0
with 00h and it won't be shown. I did this within Softice and the output became identical to Windbg.
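
The single call site suggested earlier in the thread, together with a model of the prefix-and-truncate handling described in the post above, as an added example that is not part of the original thread and is not OllyDbg code. `format_debug_line`, `olly_log_view` and `debug_spew` are hypothetical names, and the `stderr` fallback is an assumption so the block also builds off Windows.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Build "header msg\n": drop any line breaks the caller left on msg, then
   append exactly one. Returns the length written, or 0 if it did not fit. */
size_t format_debug_line(char *dst, size_t cap, const char *header, const char *msg)
{
    size_t len = strlen(msg);
    int n;
    while (len > 0 && (msg[len - 1] == '\n' || msg[len - 1] == '\r'))
        len--;
    n = snprintf(dst, cap, "%s %.*s\n", header, (int)len, msg);
    if (n < 0 || (size_t)n >= cap)
        return 0;
    return (size_t)n;
}

/* Model (assumption, based only on the thread's description) of the log line:
   the "Debug string: " prefix, then the string cut at the first '\n'. */
size_t olly_log_view(char *dst, size_t cap, const char *s)
{
    size_t len = strcspn(s, "\n");
    int n = snprintf(dst, cap, "Debug string: %.*s", (int)len, s);
    return (n < 0 || (size_t)n >= cap) ? 0 : (size_t)n;
}

/* One call site for both debuggers, so no #ifdef OLLYDBG is needed. */
void debug_spew(const char *header, const char *msg)
{
    char buf[512];
    if (format_debug_line(buf, sizeof buf, header, msg) == 0)
        return;
#ifdef _WIN32
    OutputDebugStringA(buf);
#else
    fputs(buf, stderr); /* stand-in so the example runs off Windows */
#endif
}

int main(void)
{
    char line[512], view[600];
    format_debug_line(line, sizeof line, "[app]", "hohaaa\n"); /* constructed input */
    olly_log_view(view, sizeof view, line);
    puts(view);
    return 0;
}
```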

Aelorean
May 11th, 2006, 11:27
Well, I made some adjustments to my code to involve less 'sprintf'ing (gotta love that word) per debugspew, and things work as they're supposed to (ie, the /n is getting stripped properly).

Thanks, and I'm sorry for wasting everyone's time!

blabberer
May 12th, 2006, 12:24
Well, when I read this post and saw OllyDbg needs to be patched, I did not understand what the problem is, so I thought let me code an OutputDebugString program and check it out.

Code:

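#include <stdio.h>
#include <windows.h>

char buf[500];

int main()
{
    printf("hello Debug String\n");
    /* first debug string, no trailing "\n" */
    sprintf(buf, "%s", "hohaaa");
    OutputDebugString(buf);
    printf("blah\n");
    /* second debug string, no trailing "\n" */
    sprintf(buf, "%s", "second hohaaa");
    OutputDebugString(buf);
    printf("second blah\n");
    return 1; /* shows up as "exit code 1" in the log */
}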


Code:


D:\borland\Bin>bcc32 d:\borland\opdbg.c
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
d:\borland\opdbg.c:
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland

D:\borland\Bin>opdbg
hello Debug String
blah
second blah

D:\borland\Bin>d:\borland\odbg\ollydbg.exe opdbg.exe

D:\borland\Bin>



Code:

Log data
Address Message
OllyDbg v1.10
Command line: opdbg.exe

Console file 'D:\borland\Bin\opdbg.exe'
Command line plugin v1.10
Written by Oleh Yuschuk
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk
Strings plugin v1.10
authored by blabberer
New process with ID FFF34713 created
00401000 Main thread with ID FFF52F73 created
00400000 Module D:\BORLAND\BIN\OPDBG.EXE
BFE80000 Module C:\WINDOWS\SYSTEM\ADVAPI32.DLL
BFF20000 Module C:\WINDOWS\SYSTEM\GDI32.DLL
BFF50000 Module C:\WINDOWS\SYSTEM\USER32.DLL
BFF70000 Module C:\WINDOWS\SYSTEM\KERNEL32.DLL
00401000 Program entry point
0040117F Debug string: hohaaa
004011A8 Debug string: second hohaaa

Process terminated, exit code 1


Anyway, it seems you solved your problem.