ApiBreak - New Ollydbg Plugin


Nonameo
April 30th, 2005, 10:44
Hey guys, I was debugging the other day and had an idea that I think would make it just a little bit easier for me.

So I decided to make the idea into a plugin.

It's almost complete; it will probably be finished later today, but then I'll have to do some final testing.

The plugin:
My plugin lists some commonly used API calls, sorted into 6 groups. The user can quickly and easily put a breakpoint on the entry point of one or more of these functions.

For example:
The user wants to trap all calls to RegQueryValueA; this can be done very easily without having to search for it in "Intermodular Calls".

The 6 groups are:
Registry
Time
Dialog
Memory
Strings
Point H

Time will have things like "GetLocalTime".
Dialog will have things like "SendDlgItemMessage".
Memory will have things like "VirtualProtect".
Strings will have things like "lstrcmp".

Any suggestions would be appreciated

Thanks

-Nonameo-

Nonameo
May 1st, 2005, 05:57
Well here it is.

Includes the plugin and help file.

Enjoy

-Nonameo-

http://nikt.zog.net.au/ApiBreak.rar

1bitshort
May 1st, 2005, 06:54
I hate to sound like a party pooper, but I don't see how a plugin can simplify something that is already so simple!
To breakpoint on an API function it's easy enough just to hit Ctrl+G (Goto Address), then type in the API name like VirtualProtect and Olly will take you there. F2 to set the breakpoint. Couldn't get much easier than that!
Anyway, good work, and I hope I haven't discouraged you from making other plugins; I'm sure some will find your plugin helpful.

Nonameo
May 1st, 2005, 09:25
Yea, well, if anything, this was a major learning experience as far as MASM goes. Even if no one uses it, I've got my foot in the door to make more stuff.

Thanks

-Nonameo-

1bitshort
May 1st, 2005, 21:39
Then it was well worthwhile. Now that you've made one plugin, hopefully the floodgates will open!

Grumper
May 2nd, 2005, 17:10
Hi, a very good and useful plugin.
It helps a lot not to have to set the BP by hand.


But just one thing:

Is it possible to set a BP on more than one group without "starting" the plugin again?
Because whenever I set a BP on a group, the plugin closes.


Oh, and you should read the posts on the exetools forum (Software).
I like the idea with the ini (if it is possible).

haggar
May 3rd, 2005, 15:57
It's not some big thing, but it's a good thing for lazy people like me who don't want to open the modules window every time they want to place a toggle BP.

Add CreateFileA and a couple more.

Grumper
May 3rd, 2005, 17:57
Just one more thing (if it is possible):

Some protectors emulate the first commands of every API, so whenever they use the API they jump directly to the "middle" of every API and not to the EP.

So of course our BP won't work, even if the app uses the API.

So if it is possible, it would be a good idea to have the option not to set the BP on the EP of the API but some bytes after it.

Regards

1bitshort
May 4th, 2005, 04:49
> So if it is possible, it would be a good idea to
> have the option not to set the BP on the
> EP of the API but some bytes after it.

Two problems with attempting to automate that process ...

1) It would only be possible if the plugin used a disassembler (or an instruction-length disassembler like LDE32), because the plugin would need to know that the byte "in the middle of the API function" that it's breaking on is the start of an instruction - you can't set a breakpoint in the middle of an instruction, that just corrupts the code.

2) Some functions are very short. Consider GetCommandLineA for example:
7C812C8D A1 F435887C mov eax,[7C8835F4]
7C812C92 C3 retn
So in this case it would also need to disassemble and analyse the code (like Ollydbg does) to recognise where the function physically ends. The alternative to that is to assume that API functions are at least 2 instructions long and always set a breakpoint on the 2nd instruction, but if protectors "emulate the first few instructions of API functions" then that defeats that also.

In other words - don't even bother.
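An added example, not part of the thread or the ApiBreak plugin: a minimal x86-32 instruction-length decoder for a handful of opcodes, enough to run the boundary check 1bitshort describes over the GetCommandLineA bytes quoted above and over a constructed hot-patchable prologue. Its opcode table is a tiny subset rather than a real LDE, so any opcode outside it raises instead of guessing.

```python
# Added example: tiny x86-32 length decoder used to test whether "entry point
# + N bytes" lands on an instruction boundary. Opcode coverage is a small subset.

FIXED_LEN = {0x90: 1, 0xC3: 1, 0xC9: 1, 0xC2: 3, 0x6A: 2, 0xEB: 2,
             0x68: 5, 0xE8: 5, 0xE9: 5, 0xA1: 5, 0xA3: 5}
FIXED_LEN.update({op: 1 for op in range(0x50, 0x60)})   # push/pop r32
MODRM_OPS = {0x8B: 0, 0x89: 0, 0x33: 0, 0x3B: 0, 0x8D: 0, 0x83: 1}  # value = extra imm bytes
TERMINATORS = {0xC3, 0xC2, 0xEB, 0xE9}   # retn / retn n / jmp short / jmp near

def modrm_len(code, off):
    """Bytes used by the ModRM at off plus any SIB byte and displacement."""
    mod, rm = code[off] >> 6, code[off] & 7
    if mod == 3:
        return 1                                  # register operand only
    n = 2 if rm == 4 else 1                       # SIB byte follows?
    if mod == 1:
        n += 1                                    # disp8
    elif mod == 2 or (mod == 0 and (rm == 5 or (rm == 4 and (code[off + 1] & 7) == 5))):
        n += 4                                    # disp32
    return n

def insn_len(code, off):
    op = code[off]
    if op in FIXED_LEN:
        return FIXED_LEN[op]
    if op in MODRM_OPS:
        return 1 + modrm_len(code, off + 1) + MODRM_OPS[op]
    raise ValueError("opcode %02X at +%d is outside this example's subset" % (op, off))

def boundaries(code):
    """Instruction start offsets up to the first retn/jmp, plus the end offset."""
    starts, off = [], 0
    while off < len(code):
        starts.append(off)
        op = code[off]
        off += insn_len(code, off)
        if op in TERMINATORS:
            break
    return starts, off

def classify_offset(code, n):
    starts, end = boundaries(code)          # where would a BP at entry+n land?
    if n >= end:
        return "past end"
    return "boundary" if n in starts else "mid-instruction"

# GetCommandLineA bytes quoted in the post above: mov eax,[7C8835F4] / retn
GETCOMMANDLINEA = bytes.fromhex("A1F435887CC3")
# Constructed prologue: mov edi,edi / push ebp / mov ebp,esp / sub esp,10 / push 0 / call / leave / retn 4
PROLOGUE = bytes.fromhex("8BFF558BEC83EC106A00E800000000C9C20400")
```

With the two-instruction GetCommandLineA, a breakpoint at entry+2 sits inside the mov and entry+8 is already past the retn; only entry+5 is a valid second-instruction breakpoint.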

Fumio
May 12th, 2005, 22:00
I believe your plugin will be useful; however, it will not appear in my plugin menu. Yes, I have placed Apibreak.dll in the Olly folder.
Any suggestions on what I could be doing wrong?
Regards Fumio

Nonameo
May 14th, 2005, 12:12
That's weird, I haven't had anyone else report this problem.

Are you using an old version of Olly?

It needs to be 1.08 or higher.

Hope this helps.

-Nonameo-

Fumio
May 16th, 2005, 20:56
Hi Nonameo,
Thanks for the reply. I had been using Olly 1.10 (step 2) and have now downloaded latest version and APIBreak initializes. Thanks for your help.
Fumio

pedram
May 16th, 2005, 23:46
Nonameo,

Interesting plug-in concept. Definitely useful. This functionality can also be achieved by creating the relevant breakpoint sets for OllyDbg Breakpoint Manager, available from the stuph page.

-pedram

HAANDI
October 13th, 2005, 14:26
Hi, that one is a really nice plugin but doesn't contain some functions I often need.
SendMessageA and SendDlgItemMessageA need a condition MSG==WM_GETTEXT, because otherwise they break too often.
Then there has to be CallWindowProcA with MSG==WM_GETTEXT.
For strings in VB I also need __vbaStrCmp.

Epsylon3
November 2nd, 2005, 06:12
With OllyScript:

// === break on load module ===
var handle
// find the address of the function
gpa "LoadLibraryA","kernel32"
// store the function's address
mov handle,$RESULT
// set a breakpoint
bp handle //or bphws handle,"x" (hardware bp)

So you can do that easily; for groups, you can also use several subscripts with #INC group_script.txt