
View Full Version : User-defined labels


Wilmar
July 25th, 2005, 03:42
Hi, how can I assign a label in a stack memory address?
The label option (and many other options too) disappear when I go to stack addresses from the Dump window, [shift] + : doesn't work either

blabberer
July 25th, 2005, 09:46
The stack is dynamic, what's the use of labelling there?

Anyway, look in the register window, find the esp or ebp register, right click, follow in dump
and use the shift + : key to label.


ESP ==> 0012FFC4 <whattheheck> 7C59893D =‰Y| RETURN to KERNEL32.7C59893D
ESP+4 0012FFC8 <eee> 00000000 ....
ESP+8 0012FFCC <ttt> 00000000 ....
ESP+C 0012FFD0 <ggggg> 7FFDF000 .ðý
ESP+10 0012FFD4 <ggggggg> 00000000 ....
ESP+14 0012FFD8 <wilmar> 0012FFC8 Èÿ. <eee>
ESP+18 0012FFDC <wilmar> 00000000 ....



or use commandline plugin and type

L esp+20 "iam the wilmar guy who wanna label stack variable "

and Olly will label it for you:
ESP+20 0012FFE4 <"iam the wilmar guy who wanna label stack variable "> 7C5C1F44 D\| SE handler

Wilmar
July 25th, 2005, 12:05
IMHO labelling the stack is very useful; especially when you have many variables, the code becomes much more readable if you have a name instead of [LOCAL.1], [LOCAL.2], [ebp-20] etc...

However, what you said makes the label appear only in the register window; what I want is to see the label in the CPU to make the code more readable.
Do you think a plugin can do that? I haven't written any plugin so far and don't know how to write one either, but I can try if it's feasible.

Anyway, thanks for the tip. Did you see this in the help? I searched and found nothing.

blabberer
July 25th, 2005, 13:59
If you prefer to have args decoded, maybe try using the analysis "assume argument" options and force OllyDbg to analyse.

For example, if you have a dialog proc, and on the PUSH EBP you ask Olly to assume it as WinProc,

it will decode the arguments accordingly,

like this

EB> 77D48709 /CALL to Assumed WinProc from user32.77D48706
EB> 003B00B0 |hWnd = 003B00B0 ()
EB> 00000080 |Message = WM_SETICON
EB> 00000001 |wParam = 1
EB> 01320079 \lParam = 1320079

If you want to change local.1 to another name I don't think it's feasible,
but I never tried it; I like it as [ebp+20].
Could you post a snippet where you'd like to have it labelled?
Maybe label it the way you want manually and then post it
so that I can check if it's feasible.
If you are posting a snippet,
post the original as well as your modified one, both, so that I can try experimenting.

Wilmar
July 25th, 2005, 14:19
Well, it doesn't matter if args are decoded automatically; take the following code for example:

Code:

PUSH EBP
MOV EBP, ESP
SUB ESP, 40
LEA EDX,DWORD PTR SS:[EBP-20]
PUSH EDX
MOV WORD PTR SS:[EBP-20],0F
CMP DWORD [EBP-40], EAX
...
...


Could it be possible to change [EBP-20] to whatever label, so that I don't have to remember -20, -40, -50, etc.?
If I recall correctly IDA has such a feature; I'm not sure since I don't use it anymore.

blabberer
July 26th, 2005, 06:25
Well, labelling vftable entries is not feasible in OllyDbg.

The only thing that comes close to it is that you can change [ebp-20] to LOCAL.something if you use
Options --> Analysis1 --> show args and locals,

like this

00401031 WIN.>PUSH EBP
00401032 MOV EBP, ESP
00401034 ADD ESP, -50
00401037 MOV [LOCAL.12], 30
0040103E MOV [LOCAL.11], 3
00401045 MOV [LOCAL.10], WIN.WndProc
0040104C MOV [LOCAL.9], 0
00401053 MOV [LOCAL.8], 0
0040105A PUSH DWORD PTR DS:[hInstance]
00401060 POP [LOCAL.7] ; KERNEL32.7C59893D
00401063 MOV [LOCAL.4], 6
0040106A MOV [LOCAL.3], 0
00401071 MOV [LOCAL.2], OFFSET WIN.ClassName ; ASCII "SimpleWinClass"

WIN.WndProc is from an objscan of the objfile for which I have the source;
if you don't have the objfile then Olly will show only 401000-something, which you have to name yourself.

blabberer
July 27th, 2005, 10:51
Well, I was poking around what the 2 3 4 5 6 7 etc. mean.

Well, if you have the source and compile it with debug info

and check-mark Options --> Stack --> show names of local variables,

then OllyDbg names all the local variables in the stack and shows their names,

like this


00401055 win.Wi>PUSH EBP
00401056 MOV EBP, ESP
00401058 ADD ESP, -50
0040105B MOV [LOCAL.wc], 30
00401062 MOV [LOCAL.wc+4], 3
00401069 MOV [LOCAL.wc+8], win.0040100A
00401070 MOV [LOCAL.wc+C], 0
00401077 MOV [LOCAL.wc+10], 0
0040107E PUSH DWORD PTR DS:[hInstance] ; win.00400000
00401084 POP [LOCAL.wc+14]
00401087 MOV [LOCAL.wc+20], 6
0040108E MOV [LOCAL.wc+24], 0
00401095 MOV [LOCAL.wc+28], OFFSET win.ClassN>; ASCII "SimpleWinClass"
0040109C PUSH 7F00 ; /RsrcName = IDI_APPLICATION
004010A1 PUSH 0 ; |hInst = NULL
004010A3 CALL win.LoadIconA ; \LoadIconA
004010A8 MOV [LOCAL.wc+18], EAX
004010AB MOV [LOCAL.wc+2C], EAX
004010AE PUSH 7F00 ; /RsrcName = IDC_ARROW
004010B3 PUSH 0 ; |hInst = NULL
004010B5 CALL win.LoadCursorA ; \LoadCursorA
004010BA MOV [LOCAL.wc+1C], EAX
004010BD LEA EAX, [LOCAL.wc]
004010C0 PUSH EAX ; /pWndClassEx = 00141EE0
004010C1 CALL win.RegisterClassExA ; \RegisterClassExA
004010C6 PUSH 0 ; /lParam = NULL
004010C8 PUSH [ARG.hInst] ; |hInst = 00400000
004010CB PUSH 0 ; |hMenu = NULL
004010CD PUSH 0 ; |hParent = NULL
004010CF PUSH 80000000 ; |Height = 80000000 (-2147483648.)
004010D4 PUSH 80000000 ; |Width = 80000000 (-2147483648.)
004010D9 PUSH 80000000 ; |Y = 80000000 (-2147483648.)
004010DE PUSH 80000000 ; |X = 80000000 (-2147483648.)
004010E3 PUSH 0CF0000 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_MAXIMIZEBOX|WS_SYSMENU|WS_THICKFRAME|WS_CAPTION
004010E8 PUSH OFFSET win.AppName ; |WindowName = "Our First Window"
004010ED PUSH OFFSET win.ClassName ; |Class = "SimpleWinClass"
004010F2 PUSH 0 ; |ExtStyle = 0
004010F4 CALL win.CreateWindowExA ; \CreateWindowExA
004010F9 MOV [LOCAL.hwnd], EAX
004010FC PUSH 1 ; /ShowState = SW_SHOWNORMAL
004010FE PUSH [LOCAL.hwnd] ; |hWnd = FF71CFC4
00401101 CALL win.ShowWindow ; \ShowWindow
00401106 PUSH [LOCAL.hwnd] ; /hWnd = FF71CFC4
00401109 CALL win.UpdateWindow ; \UpdateWindow
0040110E win.C0>/PUSH 0 ; /MsgFilterMax = 0
00401110 |PUSH 0 ; |MsgFilterMin = 0
00401112 |PUSH 0 ; |hWnd = NULL
00401114 |LEA EAX, [LOCAL.msg] ; |
00401117 |PUSH EAX ; |pMsg = 00141EE0
00401118 |CALL win.GetMessageA ; \GetMessageA
0040111D |OR EAX, EAX
0040111F |JE SHORT win.C0002
00401121 |LEA EAX, [LOCAL.msg]
00401124 |PUSH EAX ; /pMsg = MSG(6C726F62) hw = 5C3A4422 wParam = 5C646E61 lParam = 6D73616D
00401125 |CALL win.TranslateMessage ; \TranslateMessage
0040112A |LEA EAX, [LOCAL.msg]
0040112D |PUSH EAX ; /pMsg = MSG(6C726F62) hw = 5C3A4422 wParam = 5C646E61 lParam = 6D73616D
0040112E |CALL win.DispatchMessageA ; \DispatchMessageA
00401133 \JMP SHORT win.C0001
00401135 win.C0>MOV EAX, [LOCAL.msg+8]
00401138 LEAVE
00401139 RETN 10




0012FF5C hwnd FF71CFC4
0012FF60 msg F3AC4C4C
0012FF64 msg+4 805050ED
0012FF68 msg+8 FF71CE90
0012FF6C msg+C 8054B2AF
0012FF70 msg+10 00000000
0012FF74 msg+14 E3AFA008
0012FF78 msg+18 00000000
0012FF7C wc FCF66FE0
0012FF80 wc+4 00001FE0
0012FF84 wc+8 FF71CE00
0012FF88 wc+C E3AFA408
0012FF8C wc+10 00000001
0012FF90 wc+14 00000000
0012FF94 wc+18 00000408
0012FF98 wc+1C 00000000
0012FF9C wc+20 00000001
0012FFA0 wc+24 00000006
0012FFA4 wc+28 F3AC4D04
0012FFA8 wc+2C 8058A6A9
0012FFAC 0012FFF0
0012FFB0 0040104F RETURN to win._start+2B from win.WinMain
0012FFB4 hInst 00400000 win.00400000
0012FFB8 hPrevInst 00000000
0012FFBC CmdLine 00141EE0 ASCII ""D:\borland\masm32\icztutes\TUTE03\win\win.exe""
0012FFC0 CmdShow 0000000A



So probably you could make a plugin that emulates this behaviour
and make it display WNDCLASSEX.cbstyle instead of wc+28,
blah blah.

Dunno, but if there is a basis then one could poke around and modify it to suit one's wishes.

Maybe if you are intending to write one and want some input on internals, I could provide some pointers.
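As an added illustration of what such a plugin would have to do (this is not OllyDbg's code nor anything the posters wrote), here is a small Python rewriter that applies OllyDbg's LOCAL/ARG convention and a user-supplied frame map to disassembly lines, using the WinMain frame from the stack dump above; the WNDCLASSEX field offsets are assumed from winuser.h and the frame map is constructed for this example.

```python
import re

# OllyDbg's stack-frame convention, as seen in the listings above:
# [LOCAL.n] is [EBP - 4*n] and [ARG.n] is [EBP + 4*(n+1)].
# Field layout of 32-bit WNDCLASSEX (assumed from winuser.h); it matches the
# offsets the listing writes: +0 cbSize=30h, +8 lpfnWndProc, +28 lpszClassName.
WNDCLASSEX = {0x00: "cbSize", 0x04: "style", 0x08: "lpfnWndProc",
              0x0C: "cbClsExtra", 0x10: "cbWndExtra", 0x14: "hInstance",
              0x18: "hIcon", 0x1C: "hCursor", 0x20: "hbrBackground",
              0x24: "lpszMenuName", 0x28: "lpszClassName", 0x2C: "hIconSm"}

# User-defined labels for one frame: EBP-relative offset -> (name, size, fields).
# Constructed to match the WinMain frame in the stack dump: wc at EBP-30h,
# msg at EBP-4Ch, hwnd at EBP-50h, the four arguments at EBP+8 onwards.
FRAME = {-0x30: ("wc", 0x30, WNDCLASSEX), -0x4C: ("msg", 0x1C, None),
         -0x50: ("hwnd", 4, None), 0x08: ("hInst", 4, None),
         0x0C: ("hPrevInst", 4, None), 0x10: ("CmdLine", 4, None),
         0x14: ("CmdShow", 4, None)}

_MEM = re.compile(r"\[(?:(LOCAL|ARG)\.(\d+)|EBP([+-])([0-9A-Fa-f]+))\]")

def resolve(off, frame=FRAME):
    """Turn an EBP-relative byte offset into 'name', 'name.field' or 'name+xx'."""
    for base, (name, size, fields) in frame.items():
        if base <= off < base + size:
            delta = off - base
            if fields and delta in fields:
                return f"{name}.{fields[delta]}"
            return name if delta == 0 else f"{name}+{delta:X}"
    return None  # not covered by any user label: leave the operand alone

def relabel(line, frame=FRAME):
    """Rewrite [LOCAL.n], [ARG.n] and [EBP+/-xx] operands in one disassembly line."""
    def sub(m):
        if m.group(1) == "LOCAL":
            off = -4 * int(m.group(2))
        elif m.group(1) == "ARG":
            off = 4 * (int(m.group(2)) + 1)
        else:
            off = int(m.group(4), 16) * (-1 if m.group(3) == "-" else 1)
        label = resolve(off, frame)
        return f"[{label}]" if label else m.group(0)
    return _MEM.sub(sub, line)

if __name__ == "__main__":
    for src in ("MOV [LOCAL.12], 30", "MOV [LOCAL.2], OFFSET WIN.ClassName",
                "LEA EDX,DWORD PTR SS:[EBP-20]", "PUSH [ARG.1]", "MOV EAX, [EBP-44]"):
        print(f"{src:40} -> {relabel(src)}")
```

Offsets that no user label covers (for example [EBP-60] with this frame map) are printed unchanged, which is the behaviour one would want from a labelling plugin.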