
Dumping function arguments


xml
December 21st, 2005, 03:32
I'm reverse engineering a relatively small program so that I can reimplement it in java for my phone. I'm pretty sure that it's a fairly simple exercise, but I need to dump the function arguments for a set of key internal functions within the program. I took a look at dumbug which does exactly what I want, i.e. allow me to specify function prototypes and print them out as they are called. Unfortunately, it only works with exported symbols, which isn't sufficient.

I can use ollydbg's conditional log breakpoints to dump (it appears) a maximum of one argument per function call, and even then I can't get it to dump, say, an array of 32 bytes in hex.

Can someone tell me what's the best way to do this, or point me at an example? Do I need to write a plugin, is there one already, or could I do it with ollyScript?

blabberer
December 21st, 2005, 09:35
one argument per function? if ollydbg can recognize the function
viz as an example MessageBoxA
if you set a conditional break point (shift+f4)
condition == nothing
explanation == nothing
pause program == never
log value of expression == never
log function arguments == always

then it would log all the function arguments to that call not one argument per call


Log data
Address Message
7F920000 Module C:\WINDOWS\SYSTEM\MSSHRUI.DLL
7FBF0000 Module C:\WINDOWS\SYSTEM\MPR.DLL
7F950000 Module C:\WINDOWS\SYSTEM\SVRAPI.DLL
7FB00000 Module C:\WINDOWS\SYSTEM\MSNET32.DLL
00477660 CALL to MessageBoxA
hOwner = 00000744 ('OllyDbg',class='OLLYDBG',wndproc=004323D4)
Text = "File 'C:\WINDOWS\Desktop\odbg110\register.txt' is probably not a 32-bit Portable Executable. Try to load it anyway?"
Title = "Not a valid PE file"
Style = MB_YESNO|MB_ICONQUESTION|MB_DEFBUTTON2|MB_TASKMODAL
004AF516 CALL to MessageBoxA from OLLYDBG.00477660
hOwner = 00000744 ('OllyDbg',class='OLLYDBG',wndproc=004323D4)
Text = "File 'C:\WINDOWS\Desktop\odbg110\register.txt' is probably not a 32-bit Portable Executable. Try to load it anyway?"
Title = "Not a valid PE file"
Style = MB_YESNO|MB_ICONQUESTION|MB_DEFBUTTON2|MB_TASKMODAL


like above

now if the call is not recognized by ollydbg as a standard call
but some user coded proc, you would need to do some spelunking to find out how many params are passed to that call

and then use analyze assume arguments stdcall

for example if you try to shift+f4 on this call you will see log function arguments is grayed out

if you go back you will see that it pops up 1c from stack == 7 arguments


0040BA38 |. E8 0BA50000 CALL OLLYDBG._Disasm ; \_Disasm
0040BA3D |. 83C4 1C ADD ESP,1C



so right click --> analysis -->assume arguments --> stdfunc7-->apply


00415F48>/$ 55 PUSH EBP ; Decoded as <StdFunc7>



now if you try shift+f4
you can see the log function arguments enabled
if you ask ollydbg to log now
it will log all the arguments to that call


00415F48 CALL to Assumed StdFunc7 from OLLYDBG.00447302
Arg1 = 0078E775
Arg2 = 00000007
Arg3 = BFF76899
Arg4 = 00000000
Arg5 = 0078DE0C
Arg6 = 00000004
Arg7 = 00000000
00415F48 CALL to Assumed StdFunc7 from OLLYDBG.00447302
Arg1 = 0078E774
Arg2 = 00000008
Arg3 = BFF76898
Arg4 = 00000000
Arg5 = 0078DE0C
Arg6 = 00000004
Arg7 = 00000000
00415F48 CALL to Assumed StdFunc7 from OLLYDBG.00428D53
Arg1 = 0078ED68
Arg2 = 00000010
Arg3 = 00401000
Arg4 = 01998D5C
Arg5 = 004CE45C
Arg6 = 00000005
Arg7 = FFFC5AA7


hope that's what you were looking for

xml
December 21st, 2005, 10:34
Excellent, that's a lot closer, thanks. That seems to allow me to log any integer function arguments, but if the argument is a pointer to a string, or a pointer to an array of bytes, there isn't a standard way of logging them? If it's a string, I suppose I could put a conditional log breakpoint at the call entry point to log [esp+4] as a string, and then one instruction later I could log [esp+8]?

Basically the program I'm looking at does some hashing and encryption and I want to log all the data being passed to the encryption and hashing functions.

blabberer
December 21st, 2005, 10:57
well, answering something generic is easy; a specific question needs some
examples or some snippet of code and the exact requirement

can you post the call, the function, the actual passed string or whatever
so that i can answer?

generic answer to log a lot of bytes would be to
set breaks on consecutive addresses and ask olly to log
[esp+4] on first line
[esp+0c] on second line; 0c coz push ebp would alter esp and the next 4 bytes would be located 4 bytes down etc


but if you want to log lot of data it would be best to modify the commandline plugin to add a logging function and use it
with pass the following commands to plugin when paused option

i think someone added a logging plugin here in this forum
i did not test it but i think it's named clb something, check it out
i remember coz i answered one of the author's queries
use google site search, the forum's search function is kinda screwed up

ok check this thread out, i fetched it from google; take a look at my additional code to commandline plugin example
that should give you some insights
http://ollydbg.win32asmcommunity.net/?action=vthread&topic=1493&forum=2&page=-1

also this is the plugin that the guy released after that question
try it out
http://ollydbg.win32asmcommunity.net/?action=vthread&forum=2&topic=1501

xml
December 21st, 2005, 12:58
Thanks, cblp seems to be something like what I need, but it doesn't seem to be doing anything. I'll investigate.

To be more specific, there are functions such as:
md5_update(md5_ctx *c, void *data, int len)
des_set_key(des_cblock *key, des_key_schedule *sched)

If the first function is called, I want to log len, data[0..len] (but a sufficient fixed number will do), and in the second I want to log the appropriate sizes of the data as hex in the two arguments. If a function takes a char *, then I'd probably want to log the argument as a string.

dumbug: http://www.phenoelit.de/dumbug/ allows you to specify function arguments like this:
int CreateProcessA(
[in] char * lpApplicationName,
[in] char * lpCommandLine,
[in] void * lpProcAttr,
[in] void * lpThreadAttr,
[in] int bInherit,
[in] int dwFlags,
[in] void * lpEnv,
[in] char * lpCurrentDir,
[in] void * lpStartup,
[out]void * lpProcInfo
);

but as I said earlier, it only works on exported functions.

blabberer
December 22nd, 2005, 03:15
well i found some md5.exe from net

hxxp://www.msoworld.com/programming/md5.zip

the code in c is as follows

/* MDString() as in the RFC 1321 test driver (mddriver.c). MD_CTX, MDInit,
   MDUpdate, MDFinal and the MD macro (5 for MD5) are assumed to come from the
   driver's headers; MDPrint is the driver's own hex-dump helper. */
#include <stdio.h>
#include <string.h>

/* Digests a string and prints the message digest in hexadecimal. */
static void MDString (string)
char *string;
{
    MD_CTX context;
    unsigned char digest[16];
    unsigned int len = strlen (string);

    MDInit (&context);
    MDUpdate (&context, string, len);  /* the call the breakpoints below log */
    MDFinal (digest, &context);

    printf ("MD%d (\"%s\") = ", MD, string);
    MDPrint (digest);
    printf ("\n");
}


now i added assume arguments to that md5update

004010F1 |. 57 PUSH EDI ; /Arg3
004010F2 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20] ; |
004010F6 |. 56 PUSH ESI ; |Arg2
004010F7 |. 51 PUSH ECX ; |Arg1
004010F8 |. E8 53030000 CALL MD5.00401450 ; \Assumed StdFunc3

00401450 /$ 53 PUSH EBX ; Decoded as <StdFunc3>



set these breaks
Breakpoints
Address Module Active Disassembly Comment
00401135 MD5 Always RETN
00401450 MD5 Log "md5$string" PUSH EBX
00401451 MD5 Log "md5&context" PUSH EBP log [[esp+8]]
00401452 MD5 Log "md5&context" PUSH ESI log [[esp+0ch]+4]
00401453 MD5 Log "md5&context" MOV ESI,DWORD PTR SS:[ESP+10] log [[esp+10h]+8]
00401457 MD5 Log "md5&context" PUSH EDI log [[esp+10h]]+10h

and received these dumped bytes of the context


Log data
Address Message
OllyDbg v1.10
Command line plugin v1.10
Written by Oleh Yuschuk
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk

Console file 'C:\WINDOWS\Desktop\md5\md5.exe'
Arguments '-s"hello you xml this is how i would say you dump"'
New process with ID FFFCB789 created
004022FE Main thread with ID FFFAC035 created
00400000 Module C:\WINDOWS\DESKTOP\MD5\MD5.EXE
BFF70000 Module C:\WINDOWS\SYSTEM\KERNEL32.DLL
004022FE Program entry point
00401450 COND: md5$string = ???
00401450 CALL to Assumed StdFunc3 from MD5.004010F8
Arg1 = 0063FD8C
Arg2 = 00760DFD ASCII "hello you xml this is how i would say you dump"
Arg3 = 0000002E
00401451 COND: md5&context = 67452301
00401452 COND: md5&context = EFCDAB89
00401453 COND: md5&context = 98BADCFE
00401457 COND: md5&context = 67452311
00401450 COND: md5$string = €
00401450 CALL to Assumed StdFunc3 from MD5.0040153C
Arg1 = 0063FD8C
Arg2 = 0040A200
Arg3 = 0000000A
00401451 COND: md5&context = 67452301
00401452 COND: md5&context = EFCDAB89
00401453 COND: md5&context = 98BADCFE
00401457 COND: md5&context = 67452311
00401450 COND: md5$string = p
00401450 CALL to Assumed StdFunc3 from MD5.00401549
Arg1 = 0063FD8C
Arg2 = 0063FD50
Arg3 = 00000008
00401451 COND: md5&context = 67452301
00401452 COND: md5&context = EFCDAB89
00401453 COND: md5&context = 98BADCFE
00401457 COND: md5&context = 67452311
00401135 Breakpoint at MD5.00401135


now if you recompile the commandline plugin to addtolist() on function
Int Expression like i said in the link you can use
.? log [[esp+8]] etc to be logged
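As an added example (not code from the thread) of the offset bookkeeping blabberer describes, first for [esp+4] / [esp+0c] across successive pushes and then for the md5.exe breakpoints above, this Python helper generates the conditional-log expressions for dumping the struct an argument points to; PROLOGUE is constructed from the StdFunc3 listing in the post and the MD5 initial-state constants are assumed from RFC 1321.

```python
import re
# Constructed from the thread's listing of the assumed StdFunc3 prologue in md5.exe
# (address, OllyDbg disassembly); a conditional-log expression is evaluated before
# the instruction at its address runs.
PROLOGUE = [
    (0x00401450, "PUSH EBX"),
    (0x00401451, "PUSH EBP"),
    (0x00401452, "PUSH ESI"),
    (0x00401453, "MOV ESI,DWORD PTR SS:[ESP+10]"),
    (0x00401457, "PUSH EDI"),
]
# MD5 initial state A, B, C, D (RFC 1321): what MDInit leaves in a fresh context.
MD5_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def esp_delta(disasm):
    """Bytes the instruction moves ESP down (PUSH, SUB ESP) or up (POP, ADD ESP)."""
    m = re.match(r"(PUSH|POP)\b", disasm)
    if m:
        return 4 if m.group(1) == "PUSH" else -4
    m = re.match(r"(SUB|ADD) ESP,([0-9A-F]+)", disasm)
    if m:
        n = int(m.group(2), 16)  # OllyDbg prints immediates in hex
        return n if m.group(1) == "SUB" else -n
    return 0  # MOV and friends leave ESP alone

def hx(n):
    """OllyDbg literal: bare numbers are hex; lead with 0 when it starts with A-F."""
    s = "%X" % n
    return s if s[0].isdigit() else "0" + s

def arg_offset(arg_index, pushed):
    """[esp+?] of ArgN with `pushed` bytes above the return address (Arg1 = [esp+4] on entry)."""
    return 4 * arg_index + pushed

def log_plan(prologue, arg_index, dwords, skip=0):
    """(address, expression) per prologue instruction after `skip`, each logging the next
    dword of the struct ArgN points to; +4*k sits inside the outer brackets (offsets the pointer)."""
    plan, pushed = [], 0
    for i, (addr, disasm) in enumerate(prologue):
        k = i - skip  # which dword of the struct this breakpoint logs
        if 0 <= k < dwords:
            inner = "[esp+%s]" % hx(arg_offset(arg_index, pushed))
            plan.append((addr, "[%s]" % inner if k == 0 else "[%s+%s]" % (inner, hx(4 * k))))
        pushed += esp_delta(disasm)
    return plan

def is_fresh_md5_ctx(logged_dwords):
    """True when the four dumped context words are still the MD5 initial state."""
    return tuple(logged_dwords) == MD5_INIT
```

The fourth expression in the post, [[esp+10h]]+10h, adds 10h to the fetched dword rather than to the pointer, which is why that log line reads 67452311 instead of the fourth initial word 10325476; the generator keeps the offset inside the brackets.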

xml
December 22nd, 2005, 08:57
Thanks for all your help. I think you've given me enough info to be able to get what I want. Will give it a go for the next couple of days and see what I come up with. Incidentally cblp output the data in a log file (didn't read the documentation) and it looks like I could make a small mod to that to give me the data in the format I want too. Cheers.