Ollydbg reverse searching


Stevo
November 24th, 2006, 16:24
Hi guys,

let us assume my newly programmed tool breaks with the following error: EIP: 00310031 (output from OllyDbg)!

Now I want to know which function call invokes this error. Is there a possibility, e.g., to log every function call and the corresponding registers (or, better, to execute backward from this flaw to see which function invokes it)? My problem is that this error happens deep in the code, which means I must execute my code step by step for quite a long time to find the error.

What do you do when you have an error similar to this and you want to know what is executed before this error?

Thanks Stevo

fr33ke
November 24th, 2006, 17:33
Alt-K

blabberer
November 25th, 2006, 07:12
Quote:

that's the exact error that's being displayed?


some kind of buffer overflow

assuming your program returns there and the eip isn't being modified by SetThreadContext

you can ask ollydbg to stop before eip actually gets there

with a conditional trace

use ctrl+t

type in
dword ptr ss:[esp] == 401027 && byte ptr ds:[eip] == 0xc2

substitute 401027 with 00310031. 0xc2 is the opcode for retn n (return and pop n bytes);
if it returned with no n bytes, the opcode would be 0xc3

and use ctrl+f11 (trace in)

there could be many false positives and it could be slow,
but this conditional trace should get you to the point live


a sample pause, tracing ollydbg itself, is pasted below

Code:

Log data, item 0
Address=7C80B549
Message=Conditional pause: dword ptr ss:[esp] == 401027 && byte ptr ds:[eip] == 0xc2

stack

0012FFB8 00401027 RETURN to OLLYDBG.00401027 from <JMP.&KERNEL32.GetModuleHandleA>
0012FFBC 00000000
0012FFC0 7C90EB94 ntdll.KiFastSystemCallRet

eip when ollydbg paused
7C80B549

code snippet where i ran the trace

00401000 <ModuleEntryP> $ EB 10 JMP SHORT OLLYDBG.00401012
00401002 66 DB 66 ; CHAR 'f'
00401003 62 DB 62 ; CHAR 'b'
00401004 3A DB 3A ; CHAR ':'
00401005 43 DB 43 ; CHAR 'C'
00401006 2B DB 2B ; CHAR '+'
00401007 2B DB 2B ; CHAR '+'
00401008 48 DB 48 ; CHAR 'H'
00401009 4F DB 4F ; CHAR 'O'
0040100A 4F DB 4F ; CHAR 'O'
0040100B 4B DB 4B ; CHAR 'K'
0040100C 90 NOP
0040100D E9 DB E9
0040100E . 28014B00 DD OFFSET OLLYDBG.___CPPdebugHook
00401012 > A1 1B014B00 MOV EAX,DWORD PTR DS:[4B011B]
00401017 . C1E0 02 SHL EAX,2
0040101A . A3 1F014B00 MOV DWORD PTR DS:[4B011F],EAX
0040101F . 52 PUSH EDX
00401020 . 6A 00 PUSH 0 ; /pModule = NULL
00401022 . E8 4BE00A00 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401027 . 8BD0 MOV EDX,EAX


runtrace details

Address Thread Command Registers and comments
Flushing gathered information
0040101F Main PUSH EDX
00401020 Main PUSH 0 pModule = NULL
00401022 Main CALL <JMP.&KERNEL32.GetModuleHandleA>
004AF072 Main JMP DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]
GetModuleHandleA Main MOV EDI,EDI
7C80B52B Main PUSH EBP
7C80B52C Main MOV EBP,ESP EBP=0012FFB4
7C80B52E Main CMP DWORD PTR SS:[EBP+8],0
7C80B532 Main JE SHORT kernel32.7C80B54C
7C80B54C Main MOV EAX,DWORD PTR FS:[18] EAX=7FFDF000
7C80B552 Main MOV EAX,DWORD PTR DS:[EAX+30] EAX=7FFDC000
7C80B555 Main MOV EAX,DWORD PTR DS:[EAX+8] EAX=00400000
7C80B558 Main JMP SHORT kernel32.7C80B548
7C80B548 Main POP EBP EBP=0012FFF0
End of gathered information, live log begins


alt+k will normally not yield any useful information because the stack trace won't be working without a valid eip
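The run trace above (Ctrl+F11 logged to file) can also answer the original question offline: which CALL was still open when a RET landed on the bad EIP. The script below is an added example, not code from the thread or from OllyDbg; it parses the column layout shown in the post and keeps a stack of open call sites. The sample log is the post's trace plus constructed lines (a `RETN 4` at the pause address and a step at 0x00310031) that imitate a stack overflow corrupting the return slot.

```python
"""Added example: find the CALL whose frame a bad RET unwound, from an OllyDbg run-trace log."""
import re

# Constructed sample: lines copied from the post's run trace, extended with an invented
# "RETN 4" and a final step at the crash EIP from the question. Not real program output.
SAMPLE_TRACE = """\
Address Thread Command Registers and comments
Flushing gathered information
0040101F Main PUSH EDX
00401020 Main PUSH 0 pModule = NULL
00401022 Main CALL <JMP.&KERNEL32.GetModuleHandleA>
004AF072 Main JMP DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]
GetModuleHandleA Main MOV EDI,EDI
7C80B52B Main PUSH EBP
7C80B52C Main MOV EBP,ESP EBP=0012FFB4
7C80B548 Main POP EBP EBP=0012FFF0
7C80B549 Main RETN 4
00310031 Main ???
End of gathered information, live log begins
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(.*)$')   # address, thread, command + comments
BANNERS = ('Address ', 'Flushing ', 'End of ')     # header/banner lines OllyDbg writes into the log


def parse_trace(text):
    """Yield (address, thread, command) for each executed-instruction line, skipping banners."""
    for line in text.splitlines():
        if not line.strip() or line.startswith(BANNERS):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_bad_return(text, crash_eip):
    """Walk the trace with a stack of open CALL sites. When a RET is immediately followed
    by the crash address, report that RET and the CALL whose frame it unwound; else None."""
    steps = list(parse_trace(text))
    open_calls = []                      # addresses of CALL instructions not yet returned from
    for i, (addr, _thread, cmd) in enumerate(steps):
        op = cmd.split()[0].upper()
        if op == 'CALL':
            open_calls.append(addr)
        elif op in ('RET', 'RETN'):
            caller = open_calls.pop() if open_calls else None
            landed = steps[i + 1][0] if i + 1 < len(steps) else None
            if landed is not None and landed.upper() == '%08X' % crash_eip:
                return {'ret_at': addr, 'ret_insn': cmd, 'call_site': caller, 'landed_at': landed}
    return None
```

For the sample the culprit is the `RETN 4` at 7C80B549 inside the function called from 00401022, which is exactly the point the conditional pause stopped at above.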