Findreferences OllyDbg plugin API documentation


BuschnicK
February 1st, 2007, 08:54
Hey,

I'm using OllyDbg 1.1 and am writing a plugin. I'd like to get all references (calls in particular) of a specified function. I can do this in the Olly GUI, but there is no documentation for the corresponding API function:

extc int cdecl Findreferences(ulong base,ulong size,ulong addr0,ulong addr1, ulong origin,int recurseonjump,char *title);

Could anyone please shed some light on what the correct values are if I want to retrieve all calls to a function entry point?

Thanks,

BuschnicK

ZaiRoN
February 1st, 2007, 10:47
Example:
Code:
004010B8 33C0 XOR EAX,EAX
004010BA 90 NOP
004010BB 83C0 01 ADD EAX,1
004010BE 40 INC EAX
004010BF 0000 ADD BYTE PTR DS:[EAX],AL
004010C1 E8 F2FFFFFF CALL Copia_di.004010B8
004010C6 90 NOP
004010C7 68 B8104000 PUSH Copia_di.004010B8
004010CC 0000 ADD BYTE PTR DS:[EAX],AL
004010CE E8 E7FFFFFF CALL Copia_di.004010BA
004010D3 90 NOP
If you want to find all the references to 0x4010B8 you have to call Findreferences using this form:
Code:
Findreferences(0x401000, 0x2000, 0x4010B8, 0x4010B9, 0x4010B8, 0, "Test references");
OllyDbg looks for references inside the range 401000/401000+2000. It's pretty easy to understand how Findreferences works; you only have to play with the parameters.
The function returns two entries, 4010C1 and 4010C7, and OllyDbg shows the result in a new window. If you want to use the entries in your plugin (i.e. filtering call instructions only...) you have to retrieve them using the function Plugingetvalue:
Code:
t_table *tTable;
...
tTable = (t_table *)Plugingetvalue(VAL_REFERENCES);   /* table filled by the last Findreferences call */
if (tTable != NULL && tTable->data.n > 0)             /* guard: no table yet, or no hits */
  Message(0, "Address: %X", ((t_sortheader *)tTable->data.data)->addr);   /* first entry */
Plugingetvalue in combination with VAL_REFERENCES is used to get the table with the found references. Once you have it you can start with your own operation. I simply print the first reference.

I'm not an Olly guru but that's a way...
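The two-step workflow described in the post above (find every reference to an address inside a range, then walk the resulting table and keep only the CALL instructions), as an added example that is not code from the thread or from OllyDbg. It runs offline: the sample bytes are those of the listing above, loaded at 0x4010B8; the struct `ref_entry` is an assumption that mirrors only the addr/size/type/dest fields of OllyDbg's `t_ref`, and `ref_find()` stands in for `Findreferences` plus `Plugingetvalue(VAL_REFERENCES)`, which a real plugin would call instead.

```c
/* Added example, not code from the thread or from OllyDbg: a self-contained
 * model of "Findreferences, then read the table and keep only the CALLs".
 * Assumption: ref_entry mirrors only the addr/size/type/dest fields of
 * OllyDbg's t_ref; a real plugin includes plugin.h and walks the t_table
 * returned by Plugingetvalue(VAL_REFERENCES) instead of calling ref_find(). */
#include <stdint.h>
#include <stdio.h>

#define MAX_REFS 64

typedef struct {
    uint32_t addr;   /* address of the referencing instruction */
    uint32_t size;   /* its length in bytes */
    uint32_t type;   /* opcode byte here; OllyDbg stores its own type flags */
    uint32_t dest;   /* the address being referenced */
} ref_entry;

typedef struct {
    int       n;
    ref_entry data[MAX_REFS];
} ref_table;

/* Constructed sample: the bytes of the listing above, loaded at 0x4010B8. */
static const uint32_t CODE_BASE = 0x4010B8;
static const uint8_t  CODE[] = {
    0x33,0xC0,                    /* 4010B8  XOR EAX,EAX */
    0x90,                         /* 4010BA  NOP */
    0x83,0xC0,0x01,               /* 4010BB  ADD EAX,1 */
    0x40,                         /* 4010BE  INC EAX */
    0x00,0x00,                    /* 4010BF  ADD BYTE PTR DS:[EAX],AL */
    0xE8,0xF2,0xFF,0xFF,0xFF,     /* 4010C1  CALL 4010B8 */
    0x90,                         /* 4010C6  NOP */
    0x68,0xB8,0x10,0x40,0x00,     /* 4010C7  PUSH 4010B8 */
    0x00,0x00,                    /* 4010CC  ADD BYTE PTR DS:[EAX],AL */
    0xE8,0xE7,0xFF,0xFF,0xFF,     /* 4010CE  CALL 4010BA */
    0x90                          /* 4010D3  NOP */
};

static uint32_t rd32(const uint8_t *p) {          /* little-endian dword */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Model of Findreferences(base, size, addr0, addr1, ...): collect every
 * instruction in [base, base+size) whose operand lands in [addr0, addr1).
 * Only CALL rel32 (E8) and PUSH imm32 (68) are recognised, and this is a
 * byte sweep, not a disassembly walk, so on real code it can also match
 * bytes that sit inside another instruction; OllyDbg uses its disassembler. */
int ref_find(const uint8_t *mem, uint32_t base, uint32_t size,
             uint32_t addr0, uint32_t addr1, ref_table *out) {
    out->n = 0;
    for (uint32_t off = 0; off + 5 <= size && out->n < MAX_REFS; off++) {
        uint32_t addr = base + off, dest;
        uint8_t  op   = mem[off];
        if (op == 0xE8)      dest = addr + 5 + rd32(mem + off + 1); /* rel32 */
        else if (op == 0x68) dest = rd32(mem + off + 1);            /* imm32 */
        else continue;
        if (dest < addr0 || dest >= addr1) continue;
        ref_entry *e = &out->data[out->n++];
        e->addr = addr; e->size = 5; e->type = op; e->dest = dest;
    }
    return out->n;
}

/* The filtering step the post mentions: keep only the CALL entries. In a
 * real plugin the same loop runs over table->data.data for table->data.n
 * items, reading each entry as a t_ref. */
int ref_filter_calls(const ref_table *in, ref_table *out) {
    out->n = 0;
    for (int i = 0; i < in->n; i++)
        if (in->data[i].type == 0xE8) out->data[out->n++] = in->data[i];
    return out->n;
}

/* Both steps over the constructed sample, for one target address. */
int sample_ref_count(uint32_t target) {
    ref_table all;
    return ref_find(CODE, CODE_BASE, sizeof CODE, target, target + 1, &all);
}
int sample_call_count(uint32_t target) {
    ref_table all, calls;
    ref_find(CODE, CODE_BASE, sizeof CODE, target, target + 1, &all);
    return ref_filter_calls(&all, &calls);
}

int main(void) {
    ref_table all, calls;
    ref_find(CODE, CODE_BASE, sizeof CODE, 0x4010B8, 0x4010B9, &all);
    ref_filter_calls(&all, &calls);
    for (int i = 0; i < all.n; i++)
        printf("%08X -> %08X  %s\n", all.data[i].addr, all.data[i].dest,
               all.data[i].type == 0xE8 ? "CALL" : "PUSH");
    printf("%d of %d references are CALLs\n", calls.n, all.n);
    return 0;
}
```

On the sample this reports the same two hits as the post, 4010C1 (CALL) and 4010C7 (PUSH), and the filter leaves only 4010C1; asking for 0x4010BA instead yields just the CALL at 4010CE. Note that `addr1` is exclusive, which is why the post passes 0x4010B9 to ask about the single address 0x4010B8.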

BuschnicK
February 1st, 2007, 11:21
Thank you very much for the quick reply - this looks exactly like the info I was looking for. Will try it out.

regards,

BuschnicK