Can I change EIP when debugging?


lg888
August 27th, 2003, 00:00
Can I change EIP when debugging?

Teerayoot
August 27th, 2003, 00:52
Yes, you can, just right click on the target line then select New origin here!

jimeeg
November 7th, 2006, 15:43
Never mind - I got it.

dELTA
November 8th, 2006, 16:46
Aw crap, I was just about to reply to that three year old post!

(and yes, I do understand what really happened here, but this was funnier )

countryman
November 8th, 2006, 19:01
You can. Thanks to all.

neviens
August 22nd, 2007, 05:42
Well, but how to do it from Olly/OdbgScript?

As far as I understand, the "go" command is supposed to do it?
And yes, it works, but only once. The next "go" command in the script releases
program execution, and the 2nd "New origin here" location is never reached.

Quote:
//go script example
#log

var ptIAT
mov ptIAT, 401010
go [ptIAT]
log eip

mov ptIAT, 401014
go [ptIAT]
log eip

ret


Quote:
Log data
Address Message

--> var ptIAT
--> mov ptIAT, 401010
--> go [ptIAT]
--> log eip
eip: 0040102C | Entry address
--> mov ptIAT, 401014
--> go [ptIAT]
00401025 INT3 command at gototest.00401025
Debugged program was unable to process exception
--> log eip
eip: 00401025
--> ret

blabberer
August 22nd, 2007, 11:39
Changing light bulbs after six months.
Anyway, you have got a syntax problem.
Are you sure you require the square brackets?? This means you are asking the script to go to the pointer pointed to by your var ptIAT.

Let me show a log from what I tried superficially.

Code:

my script
go 401e67
log eip
go 401e6c
log eip
go 401e71
log eip
var ptIAT
mov ptIAT, 401e76
log [ptIAT]
go [ptIAT]

log eip


Code:

my log from above script
Log data
Address Message
eip = 00401E67
eip = 00401E6C
eip = 00401E71
[ptIAT] = 8B006A53
Process terminated, exit code 0


Code:

the code that was executed

00401E65 >/$ 6A 18 PUSH 18
00401E67 |. 68 30114000 PUSH 00401130
00401E6C |. E8 FF0C0000 CALL __SEH_prolog
00401E71 |. BB 94000000 MOV EBX, 94
00401E76 |. 53 PUSH EBX ; /HeapSize = 0
00401E77 |. 6A 00 PUSH 0 ; |Flags = 0
00401E79 |. 8B3D 34104000 MOV EDI, DWORD PTR DS:[<&KERNEL32.GetProcessHeap>] ; |kernel32.GetProcessHeap



So the script is waiting for EIP to become 8B006A53 in my case, which can never happen, and it happily finishes and gets terminated.

OK, here is a solution.

Code:

script
var count
mov count ,0
log count
go 401e67
log eip
go 401e6c
log eip
go 401e71
log eip

mov eip,401e65
inc count
log count

go 401e67
log eip
go 401e6c
log eip
go 401e71
log eip

mov eip,401e65
inc count
log count

go 401e67
log eip
go 401e6c
log eip
go 401e71
log eip

mov eip,401e65
inc count
log count

go 401e67
log eip
go 401e6c
log eip
go 401e71
log eip

mov eip,401e65
inc count
log count



log
Code:


Log data
Address Message
count = 00000000
eip = 00401E67
eip = 00401E6C
eip = 00401E71
count = 00000001
eip = 00401E67
eip = 00401E6C
eip = 00401E71
count = 00000002
eip = 00401E67
eip = 00401E6C
eip = 00401E71
count = 00000003
eip = 00401E67
eip = 00401E6C
eip = 00401E71
count = 00000004

naides
August 22nd, 2007, 13:37
Hey Blabberer,

That is way too complicated!

Can you make it any easier?

neviens
August 23rd, 2007, 02:22
Quote:
[Originally Posted by blabberer;67942]Changing light bulbs after six months.
Anyway, you have got a syntax problem.
Are you sure you require the square brackets?? This means you are asking the script to go to the pointer pointed to by your var ptIAT.
...


Yes, it's a pointer in "bare bones" code for problem isolation.
I reduced the code further; it doesn't work anyway.


Script:
Code:
#log

var ptIAT
mov ptIAT, 401010
go ptIAT
log eip

mov ptIAT, 401018
go ptIAT
log eip

ret


Log:
Code:
--> var ptIAT
--> mov ptIAT, 401010
--> go ptIAT
00401023 INT3 command at gototest.00401023
--> log eip
eip: 00401024
--> mov ptIAT, 401018
--> go ptIAT
Debugged program was unable to process exception
--> log eip
eip: 00401023
--> ret


Code under test:
Code:
00401010 . EB 00 JMP SHORT gototest.00401012
00401012 > B8 01000000 MOV EAX,1
00401017 . CC INT3
00401018 . EB 00 JMP SHORT gototest.0040101A
0040101A > B8 02000000 MOV EAX,2
0040101F . CC INT3
00401020 >/$ 90 NOP ;<<<Entry point
00401021 |. 90 NOP
00401022 |. 90 NOP
00401023 |. CC INT3
00401024 |. 50 PUSH EAX ; /ExitCode
00401025 \. E8 00000000 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess


What am I doing wrong? Why doesn't the "go" command change the code
execution flow to addresses 401010, 401018?
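The distinction blabberer draws above (go runs until EIP reaches an address, mov eip moves EIP without running) applied to the listing in this post, as an added ODbgScript example that is not code from the thread. It assumes ODbgScript's go plants a temporary breakpoint and halts before executing the instruction there, and that add/cmp/jb and labels are available; the addresses are the ones from the listing above.

```ollyscript
// Added example, not code from the thread: scripted "New origin here"
// on neviens's code under test (addresses from his listing).
// Assumed ODbgScript semantics: "go <addr>" plants a temporary
// breakpoint at addr and runs until EIP reaches it, so it cannot
// redirect execution; "mov eip, <addr>" moves EIP without running
// anything, which is the script equivalent of right-click > New origin here.
#log

// Wrong: from the entry point (401020) execution never passes 401010,
// so "go 401010" runs on into the INT3 at 401023 instead.
//   go 401010

// Right: set the origin first, then run up to a halting address.
var origin
var target
var count
mov origin, 401010     // first test block: JMP / MOV EAX,1 / INT3
mov target, 401017     // its INT3; the temp bp halts before executing it
mov count, 0

loop:
mov eip, origin        // the "New origin here" step
go target              // run the JMP and MOV, halt at the INT3
log eip                // confirms we halted at target, not at 401023
log eax                // value left by MOV EAX,1 / MOV EAX,2
add origin, 8          // the second block sits 8 bytes later (401018)
add target, 8          // and its INT3 likewise (40101F)
inc count
cmp count, 2
jb loop

mov eip, 401020        // hand control back at the real entry point
ret
```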

blabberer
August 23rd, 2007, 09:29
Quote:
[Originally Posted by naides;67945]Hey Blabberer,

That is way too complicated!

Can you make it any easier?



naides

I am really sorry to put out these over-convoluted and extremely complicated
ways as examples.

If a guru like you can't decipher them, then mere mortals can never even understand the examples. I'm really sorry.

naides
August 23rd, 2007, 09:38
Maannn!
I was pointing, tongue in cheek, at the extra 10 miles you always take to make your posts clear and understandable, taking the time to compose an illustrated example of the right and the wrong way to solve the problem(s).
Even I could understand the details of your post!

I am no guru like you, indeed, are.
The smiley means tongue in cheek.

blabberer
August 23rd, 2007, 10:47
The reply was not pointing directly at you, naides.
It's called convoluted sarcasm: appreciating your reply and deriding someone else's at the same time.

The OP didn't even try to understand the implications, didn't try to read the script, didn't try out the sample script, didn't try to build upon the sample, and didn't think; glanced at my post, trashed it as BS, and replies back wanting an answer for his go not going nowhere, nothing else.