Memory searcher plugin?
spongebob
November 12th, 2003, 00:17
I need help making a memory searcher plugin.
Here is a description:
"I would really like a Memory Searcher!
You search for a value in memory, and then you can filter your search results by saying 'value has changed' or 'value has increased', and you will eventually get the location of your value. Then have another search that finds the pointer to the value you just found.
It's annoying to have to use an extra program to do this, that's why I think it would be great if it was integrated into Olly."
Once you find the location of your value in memory, I also want to be able to break on it and land in its code.
First of all, can this be done?
If so, then how should I go about making it?
Thanks.
1bitshort
November 12th, 2003, 10:53
I can't answer your question in regards to plugins, but in case you didn't know, OllyDbg already has an excellent memory search function. To use it, just press Alt+M (or select the View menu, then Memory). Then, press Alt+B (or right-click and select the Search popup menu). It allows you to search for ascii, unicode, and hex expressions, allows you to search just one section of memory or all sections, and supports optional case sensitivity, so I'm not sure if there's really a need for a memory search plugin.
JDog45
November 12th, 2003, 11:34
I think he's talking more like: set a bp, indicate that EAX=0, run the program, have it break again. Now indicate that EAX=1 and then his little prog will show you the location in the code where that takes place. Am I close?
spongebob
November 12th, 2003, 17:18
Well, say you search for a value of "2" in memory; you will get many, many results. So the mem-searcher must have a filter feature, so you can play around in the process, then go back to the searcher and say "value has changed" or "value has decreased", and by continuing this process you eventually find the exact location of the value you want to manipulate.
1bitshort
November 12th, 2003, 19:55
Like what those 'game trainers' do? For example, your score might be 10000 so you do a mem search for all values that are 10000. Then you keep playing to raise your score, and then do another memory search with the new value. Eventually (usually after just two or three goes) you'll find just one or two locations where this value is constantly being stored. Is that what you meant?
JDog45
November 12th, 2003, 23:32
I think that's exactly what he means. So for our purpose, like if 30 days is it for a trial prog and then the next day it's 29, it will take you to the location in the code that does that change?
sgdt
November 15th, 2003, 22:52
Now THAT would be frik'n awesome!
VC++ debugger shows red for changed items, but only on items actually shown. It would be fantastic to step over a long-winded routine and see the delta of what all it did.
I guess if the process space changes in size, say due to dynamic allocation, it would have to assume that new space as "changed", but that'd be ok.
That would be cool. I guess it'd be a memory pig, duplicating the selected process's memory space, but computers nowadays are big too.
I wonder if it could be detected? In other words, if a program wanted to know if this was happening to it, could it do a VirtualProtect and set a PAGE_GUARD on a piece of memory it KNEW should never be accessed, and then later make sure the PAGE_GUARD had never been triggered? The only way it would show triggered is if someone had accessed that memory. I guess if it was ever an issue, such a plug-in could remember to reset anything prior to returning control.
hmmmm.....
spongebob
November 16th, 2003, 02:04
It's nothing revolutionary.
Have you ever used a memory searcher like Tsearch or Artmoney? I just want something like that, but to have it integrated with Olly.
asiandragon
November 16th, 2003, 07:59
There are some programs where, when I push F9 to run the program, it doesn't work. The program does not run. And I see a message:
--------------------------------------------------------------------------
Access violation when writing to [00000000]- use Shift+F7/F8/F9 to pass
exception to program
--------------------------------------------------------------------------
What should I do now? Because I know that software is packed by ASProtect and I want to find the OEP. But when I can't run the software, I can't find the OEP. Can somebody help me?
JDog45
November 16th, 2003, 11:31
Shouldn't this be an entirely new thread??? When you get that error.....do what it says. Press Shift+F9
sgdt
November 19th, 2003, 08:55
The exception needs to be passed to the application. It is going to zap your hardware break points.
To get back on topic, one "feature" that would be REALLY handy would be "cut-n-paste" hardware breakpoints. In other words, say you have one or more "hardware breakpoint profiles" (one of which would be "empty") that you could choose from on the fly prior to stepping or continuing or running. I've never seen something like that in a debugger, but I can't imagine why it hasn't been done already. It would be quite useful.
So you'd have "Set 1" to get thru the first part of your program, "Set 2" to get thru the second, "Empty" to get around some checks, "Set 3" for the third part, etc. Sure beats doing it all by hand.
Doesn't that sound useful? Or am I just not thinking clearly? I don't think it would be too much work...
spongebob
November 19th, 2003, 14:53
Wow, this thread has been totally hijacked.
Is it that hard to start your own threads?
yaa
November 19th, 2003, 16:44
spongebob, please go on with your project. If you need help, insist on asking for it. There are so few plugin developers that anyone willing to make one must be encouraged.
Please, spongebob, repeat exactly, listing them, the requirements (or, if you prefer, the functionalities) you'd like to implement.
yaa
spongebob
November 19th, 2003, 20:37
Ok.
Here are a few ideas I had for the searcher:
Types of values one can search for:
1 byte integer
2 byte integer
4 byte integer
8 byte integer
float (real4 and real8)
Other floats, and even 32 bit floats in IEEE hex format.
also:
double
byte string
word string
pointer
word
Dword
ALL
String searchers would be cool, 'cause you could do stuff like change strings in live memory.
For the initial search:
Exact value
Range of values
Unknown value
sequence of values
coded value
Then for the actual filtering of search results:
Value has changed to: x
Value has changed
Value has not changed
Value has increased
Value has decreased
Range
Value has increased by: x
Value has decreased by: x
Value has changed by more than %: x
Value has increased by more than%: x
Value has decreased by more than %: x
Value has changed by less than %: x
Value has increased by less than%: x
Value has decreased by less than %: x
Then once you find the location of your value in memory, be able to BP on that address so that you can see the code.
yaa
November 20th, 2003, 11:47
From what you say it seems that you'd like to be able to:
1) search the memory allocated by a debugged application for values corresponding to higher level language types (1 byte, 2 bytes, 4 bytes, 8 bytes, unicode and ansi strings, etc)
2) identify changes to the "watched" memory locations corresponding to the said types (how about "watching" memory areas providing a start and end address???)
3) breakpoint placing on "watched" memory
To that I would add:
4) tracing of code statements "guilty" of memory modifications or allocations
5) logging to file or ollydbg window of changes to a memory area
yaa
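As an added illustration (not code from this thread, from OllyDbg, or from any existing plugin), here is a small Python model of the scan-then-filter loop spongebob lists above and yaa summarises: an exact, range or "unknown value" initial scan over a memory snapshot, then successive filters (changed, unchanged, increased, decreased, increased by x, changed by more than x %) that narrow the candidate offsets between two snapshots. The 64-byte "process memory", the score value and the decoy locations are all constructed for the example.

```python
import struct
# Little-endian unpack codes for the integer widths on the wish list
WIDTH_FMT = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}
def read_value(snapshot, offset, width):
    return struct.unpack_from(WIDTH_FMT[width], snapshot, offset)[0]

def initial_scan(snapshot, width, value=None, lo=None, hi=None):
    """Exact value, range [lo, hi], or with neither given the 'unknown value' scan."""
    hits = []
    for off in range(len(snapshot) - width + 1):
        v = read_value(snapshot, off, width)
        if value is not None and v != value:
            continue
        if lo is not None and not (lo <= v <= hi):
            continue
        hits.append(off)
    return hits

# Filters from the wish list: each takes (old, new, x) and says whether to keep
FILTERS = {
    "changed":        lambda old, new, x: new != old,
    "unchanged":      lambda old, new, x: new == old,
    "increased":      lambda old, new, x: new > old,
    "decreased":      lambda old, new, x: new < old,
    "increased_by":   lambda old, new, x: new - old == x,
    "changed_pct_gt": lambda old, new, x: old != 0 and abs(new - old) * 100 / old > x,
}

def refine(prev, curr, candidates, width, mode, x=None):
    """Narrow the candidate list by comparing the previous and current snapshot."""
    keep = FILTERS[mode]
    return [off for off in candidates
            if keep(read_value(prev, off, width), read_value(curr, off, width), x)]

def make_snapshot(score, decoy_a, decoy_b):
    # Constructed 64-byte 'process memory': the real score is the DWORD at 0x20;
    # 0x08 and 0x30 are decoys that start out holding the same value.
    buf = bytearray(64)
    struct.pack_into("<I", buf, 0x08, decoy_a)
    struct.pack_into("<I", buf, 0x20, score)
    struct.pack_into("<I", buf, 0x30, decoy_b)
    return bytes(buf)

def demo():
    s0 = make_snapshot(10000, 10000, 10000)
    cands = initial_scan(s0, 4, value=10000)       # three hits: 0x08, 0x20, 0x30
    s1 = make_snapshot(10350, 10000, 9990)         # 'play': only the score rose
    cands = refine(s0, s1, cands, 4, "increased")  # only 0x20 survives
    s2 = make_snapshot(10350, 777, 9990)           # a decoy churns, score idle
    return refine(s1, s2, cands, 4, "unchanged")   # still [0x20]
```

A real plugin would take the snapshots from the debuggee's memory map instead of a constructed buffer, and would set the breakpoint on the surviving offset once the list is down to one entry.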