Hi, I am new to olly... and also this forum. Please help if u can.

1. I saw in olly help file under (The last line under content/search/binary string) that there is :

I cant seem to find it in Olly. How do i use it?

2. Lets say a particular line in my EXE is "mov eax,ebx". Is there a function in olly that would allow me to find out "backwards" the last instruction that accessed/modified ebx? (I cant trace/run the prog.. it is protected by gameguard)

Thanx in advance.

I don't know if this would work for your problem because most of the time I had used it for nags. Try pausing ollydbg, then press Alt+F9 that you usually takes you to the line of code were the object has been invoke, and you can do backward trace from there.

this has got nothing to do with tracing backwards

to use it you simply hit ctrl+b

type in a sequence lets say 66 ?? 3a

and hit ok

ollydbg will stop on first such found sequence

use ctrl+l to get the same sequence

a sample search on ollydbg itself for above sequence with masked ??



as to finding who initialised ebx from arbitrary position you have to analyse the disassembly and find out manually if you cannot use trace and log

use call stack find who is in the first frame and analyse the disassembly
you should spot some mov ebx,R32 or mov ebx,[CONST], or pop ebx, or many other infinite variations of getting a value into register

Thanx for the reply.

1.
I interpreted the help file sentence to mean there is an option within olly that will do the binary masking automatically. e.g. I binary copy a block of instructions, press some shortcut key.. or click some option. When I paste into binary search (Ctrl-B), the fixups (i.e. ???s) are already substituted for me. That would be a useful function for locating "block of codes" between different versions of a program.

2.
Is there anyway for me to search "EBX" in disassembler (like a text search on the disassembler) ?

well if you can use mnemonic instead of raw opcodes you can try find all sequences

it accepts a pseudo "ANY #" in its search sequence

for example you want to search for a pushad popad block that has 6 instructions in between

you can ask ollydbg to search for
pushad
any 6
popad

the 6 instructions in between can be any junk
if first and seventh instructions are pushad and popad respectively ollydbg will provide you those blocks in a seperate window

a text search for string "ebx" no im not aware of any such capabilities
may be you could look at the code highlighting dlaiogs and modify it to suit your needs it has highlighting options for general purpose register may be you could make a branch in it asking it to highlight user specified register

the raw functionality for specific register highligting exists in trace log
may be you reverse analyse study and combine both these options
and make a plugin that does

tx for your response. I think i'll stick to manually masking the binary string. Its much more precise. I only post the question here bcos i thought olly can do the masking automatically (mis-interpretation of the help text).