When you use

log eax

and eax point to one string, in the log you can view this string perfect, but when you or log [esp] if olly show a string in the stack, in the log only appear the hex value but not the string, this is very important, the possibility of show in the log the strings of the stacks (or the strings of certain memory address)

Ricardo

Will fix asap.

comparison to -1 ;"FFFFFFFF", doesn't yield correct result.

Regards.

Will check that also.

Ricardo:
Seems to work? check this:

// When you break on a breakpoint on a call to MessageBoxA
// this script logs the value of messagebox message
var x
mov x, esp
add x, 4
log [x]
ret


britedream:
Can you please paste me the scriptline you execute when you get bad results?

i try but this script show in the log the string of messageboxa?
Not the value the string


Ricardo

if eax=432000 and in 432000 there are a string this appear in olly and in the log, but in the stack if [esp] or any value of the stack point to a string, in olly in the stack you can view the string but in the log ollyscript only show the hex value not the string.

Ricardo

well, thats what i tried to illustrate with the script....
when you break on the call to messageboxa then [esp+4]
= the string that appear in the msgbox. ollydbg also shows this string in the stack window and ollyscript logs it to the log window.
or doesnt it work that way for you?

Ricardo: I just read a tut of yours that said:

Se me ocurren algunas ideas pero la almohada puede que me ayude a ordenarlas y quizás el susodicho OLLYSCRIPT ayude un poco también, aunque mis primeros intentos de hacer un script que me ayude dieron con un bug del mismo OLLYSCRIPT que acabo de reportar al autor veamos si para la parte 2 de este tute ya lo arreglo y nos puede ayudar.

What is this bug you mention? Is it the stack string logging problem?

my scipt is this and is not the original, but with the trouble of no logging the scripts of the stack, i was changing and trying but i can not log the strings of the stacks in the log
---------------------------------------------------------------------- ----------------
var a
var b
var c
var d
var e
var f
var g



eob FILE
run

FILE:
log "PARO EN TU API"
log "VALORES ANTES DE LA API"
log eax
log ebx
log ecx
log edx
log esi
log edi
mov a,[esp]
log a
mov b, [a]
log b
add a, 4
log a
mov b, [a]
log b
log a
mov b, [a]
log b
add a, 4
log a
mov b, [a]
log b
add a, 4
log a
mov b, [a]
log b
add a, 4
log a
mov b, [a]
log b
add a, 4
log a
mov b, [a]
log b
add a, 4
rtu
log "VALORES DESPUES DE LA API"
log eax
log ebx
log ecx
log edx
log esi
log edi
run
jmp FILE

---------------------------------------------------------------------- ------------
is for any api you put a BP or HE and you look in the log strings compared, strings of messages, values before and after the api, and strings of the stack, but only in olly when stop in the stack i see the strings in the log only view hexa values.

Ricardo

hey Ricardo!

Here you go, a working script to log API parameters at calls:

/*
* API logger v1.0
* This script logs API call parameters and registers to LOG window
* By SHaG
*/

var stackpointer
var pointed_to
var counter

eob FILE
run

FILE:
log "Register values before call:"
log eax
log ebx
log ecx
log edx
log esi
log edi
log esp

log "Stack parameters"
mov stackpointer, esp
mov pointed_to, [stackpointer]

mov counter, 4 // number of API parameters to log

apiloop:
log stackpointer
log pointed_to
add stackpointer, 4
mov pointed_to, [stackpointer]
sub counter, 1
cmp counter, 0
jne apiloop

rtu
log "Register values after call:"
log eax
log ebx
log ecx
log edx
log esi
log edi
log esp

is the same better organized and show you the string of the stack?
I try in the new olly , i'm using 1.10b for the bugs of 1.10c.

Ricardo

Yeah, it shows me the strings in the stack... OD v1.10C, OSC v0.8 ...
Should also work with OD v1.10B and OSC v0.7

Your script was a bit wrong, you incremented the value pointed to by ESP by 4. The right thing is to increment the value OF ESP by 4 =)

have you tried my script?

the string of mine was right a 3 days ago but i was changing and toching for look the strings and i corrupt jeje, in the first moment work right but i don't store, for not look the strings.
I try your script

yeah, try it and tell me if it works please!

yes the strings are in the log but the script stop after one api, the goal is the program log all the calls to an api and continue running, logging the values and the strings, this only log and pause one only call to an api.

Ricardo

OllyScript v0.81 now available!

Main change in v0.81:
OLLYSCRIPT v0.81 NOW WORKS WITH OLLYDBG v1.10b.
I reverted to the old code because of the bugs in OllyDbg v1.10c.
Some minor bugfixes were also made

Ricardo:

This script should do what you want:
/*
* API logger v1.1
* This script logs API call parameters and registers to LOG window
* By SHaG
*/

var stackpointer
var pointed_to
var counter
var apiaddr

eob API

// Get API addr and set BP
gpa "CreateFileA", "kernel32"
mov apiaddr, $RESULT
bp apiaddr
run

API:
log "Register values before call:"
log eax
log ebx
log ecx
log edx
log esi
log edi
log esp

log "Stack parameters"
mov stackpointer, esp
add stackpointer, 4
mov pointed_to, [stackpointer]

mov counter, 4 // number of API parameters to log

apiloop:
log stackpointer
log pointed_to
add stackpointer, 4
mov pointed_to, [stackpointer]
sub counter, 1
cmp counter, 0
jne apiloop
rtu

log "Register values after call:"
log eax
log ebx
log ecx
log edx
log esi
log edi
log esp
run

By the way there is a nice tool called Auto Debug for Windows v2.3.1.60 Professional
for this.

yes there are tools but this plugin maybe useful not only for apis when you can view access to certain address logged, well has the problem of RETURN TO USER CODE but is very easy of repair.

For example you can view acess to 401500, put a BPM ON ACCESS in this adress on HBPM ON ACESS and the program will be logging the values, strings etc when a program try to acess certain location.

Is very useful and there are no tools for this.

Ricardo

britedream

hi britedream,

could you send me your stolen bytes tuts?

e-mail: leesj85@empal.com