PDA

View Full Version : Ollydbg revers searching

Stevo
November 24th, 2006, 16:24
Hi guys,

let us assume my new programmed tool break throught the following
Error: EIP: 00310031 (Output from ollydbg) !

Now i want to know which function call invoke this error. Is there a possibility f.e. to log
every function call and the belonging registers. (or better to execute backward from this flaw to see which function invoke it) My problem is that this error happens
deep in the code whichs means i must quit long execute my code step by step to find the error.

How do you to when you have an error similar to this and you want to know what is executed before this error.

Thanks Stevo
fr33ke
November 24th, 2006, 17:33
Alt-K
blabberer
November 25th, 2006, 07:12
Quote:

thats the exact error thats being displayed ?


some kind of buffer overflow

assuming your program returns there and the eip isnt being modified by
SetThreadContext

you can ask ollydbg to stop before eip actually gets there

with a conditional trace

use ctrl+t

type in
dword ptr ss:[esp] == 401027 && byte ptr ds:[eip] == 0xc2

substitute 401027 with 00310031 0xc2 is the opcode for retn n bytes
if it returned with no nbytes opcode would be 0xc3

and use ctrl+f11 (trace in)

there could be many false positives and it could be slow
but this conditional trace should get you the point live


a sample pause tracing ollydbg itself is pasted below

Code:


Log data, item 0

 Address=7C80B549

 Message=Conditional pause: dword ptr ss:[esp] == 401027 && byte ptr ds:[eip] == 0xc2



stack



0012FFB8   00401027  RETURN to OLLYDBG.00401027 from <JMP.&KERNEL32.GetModuleHandleA>

0012FFBC   00000000

0012FFC0   7C90EB94  ntdll.KiFastSystemCallRet



eip when ollydbg paused

7C80B549



code snippet where i ran the trace



00401000 <ModuleEntryP> $ EB 10          JMP SHORT OLLYDBG.00401012

00401002                  66             DB 66                                    ;  CHAR 'f'

00401003                  62             DB 62                                    ;  CHAR 'b'

00401004                  3A             DB 3A                                    ;  CHAR ':'

00401005                  43             DB 43                                    ;  CHAR 'C'

00401006                  2B             DB 2B                                    ;  CHAR '+'

00401007                  2B             DB 2B                                    ;  CHAR '+'

00401008                  48             DB 48                                    ;  CHAR 'H'

00401009                  4F             DB 4F                                    ;  CHAR 'O'

0040100A                  4F             DB 4F                                    ;  CHAR 'O'

0040100B                  4B             DB 4B                                    ;  CHAR 'K'

0040100C                  90             NOP

0040100D                  E9             DB E9

0040100E                . 28014B00       DD OFFSET OLLYDBG.___CPPdebugHook

00401012                > A1 1B014B00    MOV EAX,DWORD PTR DS:[4B011B]

00401017                . C1E0 02        SHL EAX,2

0040101A                . A3 1F014B00    MOV DWORD PTR DS:[4B011F],EAX

0040101F                . 52             PUSH EDX

00401020                . 6A 00          PUSH 0                                   ; /pModule = NULL

00401022                . E8 4BE00A00    CALL <JMP.&KERNEL32.GetModuleHandleA>    ; \GetModuleHandleA

00401027                . 8BD0           MOV EDX,EAX





runtrace details



Address	Thread	Command	Registers and comments

    Flushing gathered information

0040101F	Main	PUSH EDX

00401020	Main	PUSH 0	pModule = NULL

00401022	Main	CALL <JMP.&KERNEL32.GetModuleHandleA>

004AF072	Main	JMP DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]

GetModuleHandleA	Main	MOV EDI,EDI

7C80B52B	Main	PUSH EBP

7C80B52C	Main	MOV EBP,ESP	EBP=0012FFB4

7C80B52E	Main	CMP DWORD PTR SS:[EBP+8],0

7C80B532	Main	JE SHORT kernel32.7C80B54C

7C80B54C	Main	MOV EAX,DWORD PTR FS:[18]	EAX=7FFDF000

7C80B552	Main	MOV EAX,DWORD PTR DS:[EAX+30]	EAX=7FFDC000

7C80B555	Main	MOV EAX,DWORD PTR DS:[EAX+8]	EAX=00400000

7C80B558	Main	JMP SHORT kernel32.7C80B548

7C80B548	Main	POP EBP	EBP=0012FFF0

    End of gathered information, live log begins


alt +k will normally not yield any usefull information because stack trace wont be working without a valid eip