Search Results

Search found 13 results on 1 pages for 'ollydbg'.

Page 1/1 | 1 

• How to find a function of application with ollydbg?

  - by user3725506

  Let's say i released the application below. using System; using System.Collections.Generic; using System.ComponentModel; using System.Data; using System.Drawing; using System.Linq; using System.Text; using System.Threading.Tasks; using System.Windows.Forms; namespace WindowsFormsApplication2 { public partial class Form1 : Form { public Form1() { InitializeComponent(); } private void button1_Click(object sender, EventArgs e) { MessageBox.Show("Hello World!","Message Box"); } } } Now here is my questions: How to find the function of button which is responsible to show message box after pressing the button with ollydbg? How to disable the button click ? Notes:this must be done with ollydbg only. Assume that i don't have access to the code. A step-by-step example would be greatly appreciated.

  Read the article

• Is there something like the OllyDbg / SoftICE disassembler + debugger for java?

  - by Ran Biron

  Is there a utility similar to OllyDbg / SoftICE for java? I.e. execute class (from jar / with class path) and, without source code, show the disassembly of the intermediate code with ability to step through / step over / search for references / edit specific intermediate code in memory / apply edit to file... If not, is it even possible to write something like this (assuming we're willing to live without hotspot for the debug duration)?

  Read the article

• Explanation of the disassembly of the simplest program (x86)

  - by noname

  The following code int _main() {return 0;} Compiled using the command: gcc -s -nostdlib -nostartfiles 01-simple.c -o01-simple.exe gcc version 4.4.1 (TDM-1 mingw32) OllyDbg produced this output: http://imgur.com/g81vK.png Can you explain what happens here? Analysis so far: // these two seems to be an idiom: PUSH EBP // places EBP on stack MOV EBP, ESP // overwrites EBP with ESP MOV EAX, 0 // EAX = 0 LEAVE // == mov esp, ebp // pop ebp // according to // http://en.wikipedia.org/wiki/X86_instruction_listings What is the meaning of all this?

  Read the article

• Manually setting breakpoints in WinDBG

  - by chris

  I am trying to examine the assembly for an executable using WinDBG, but I am having a hard time getting to it. I want to set a breakpoint at the first instruction in my program, but when I try to do that manually (using the address of the module), WinDBG tells me that it is "unable to insert breakpoint" at that location due to an "Invalid access to memory location." I notice that when I create a breakpoint through the source code GUI, the address is not the same as the first part of my module (In my example: "Win32FileOpen", a simple program I wrote.) Is there a header of some sort that requires adding an offset to the address of my module? In another question, I saw the suggestion: "I would attempt to calculate the breakpoint address as: Module start + code start + code offset" but was unsure where to obtain those values. Can somebody please elaborate on this? The reason I don't just use the source GUI is that I want to be able to do this with a program that I may not have the source/symbols for. If there is an easier way to immediately start working with the executable I open, please let me know. (e.g. Opening an .exe Olly immediately shows me the assembly for that .exe, searching for referenced strings gives me results from that module, etc. WinDBG seems to start me off in ntdll.dll, which is not usually useful for me.) 0:000> lm start end module name 00000000`00130000 00000000`0014b000 Win32FileOpen C (private pdb symbols) C:\cfinley\code\Win32FileOpen\Debug\Win32FileOpen.pdb 00000000`73bd0000 00000000`73c2c000 wow64win (deferred) 00000000`73c30000 00000000`73c6f000 wow64 (deferred) 00000000`74fe0000 00000000`74fe8000 wow64cpu (deferred) 00000000`77750000 00000000`778f9000 ntdll (pdb symbols) c:\symbols\mssymbols\ntdll.pdb\15EB43E23B12409C84E3CC7635BAF5A32\ntdll.pdb 00000000`77930000 00000000`77ab0000 ntdll32 (deferred) 0:000> bu 00000000`00130000 0:000> bl 0 e x86 00000000`001413a0 0001 (0001) 0:**** Win32FileOpen!main <-- One that is generated via GUI 1 e x86 00000000`00130000 0001 (0001) 0:**** Win32FileOpen!__ImageBase <-- One I tried to set manually 0:000> g Unable to insert breakpoint 1 at 00000000`00130000, Win32 error 0n998 "Invalid access to memory location." bp1 at 00000000`00130000 failed WaitForEvent failed ntdll!LdrpDoDebuggerBreak+0x31: 00000000`777fcb61 eb00 jmp ntdll!LdrpDoDebuggerBreak+0x33 (00000000`777fcb63)

  Read the article

• Is there a disassembler + debugger for java (ala OllyDbg / SoftICE for assembler)?

  - by Ran Biron

  Is there a utility similar to OllyDbg / SoftICE for java? I.e. execute class (from jar / with class path) and, without source code, show the disassembly of the intermediate code with ability to step through / step over / search for references / edit specific intermediate code in memory / apply edit to file... If not, is it even possible to write something like this (assuming we're willing to live without hotspot for the debug duration)? Edit: I'm not talking about JAD or JD or Cavaj. These are fine decompilers, but I don't want a decompiler for several reasons, most notable is that their output is incorrect (at best, sometimes just plain wrong). I'm not looking for a magical "compiled bytes to java code" - I want to see the actual bytes that are about to be executed. Also, I'd like the ability to change those bytes (just like in an assembly debugger) and, hopefully, write the changed part back to the class file. Edit2: I know javap exists - but it does only one way (and without any sort of analysis). Example (code taken from the vmspec documentation): From java code, we use "javac" to compile this: void setIt(int value) { i = value; } int getIt() { return i; } to a java .class file. Using javap -c I can get this output: Method void setIt(int) 0 aload_0 1 iload_1 2 putfield #4 5 return Method int getIt() 0 aload_0 1 getfield #4 4 ireturn This is OK for the disassembly part (not really good without analysis - "field #4 is Example.i"), but I can't find the two other "tools": A debugger that goes over the instructions themselves (with stack, memory dumps, etc), allowing me to examine the actual code and environment. A way to reverse the process - edit the disassembled code and recreate the .class file (with the edited code).

  Read the article

• How do you find a functions virtual call address in assembly?

  - by Daniel

  I've googled around but i'm not sure i am asking the right question or not and i couldn't find much regardless, perhaps a link would be helpful. I made a c++ program that shows a message box, then I opened it up with Ollydbg and went to the part where it calls MessageBoxW. The call address of MessageBoxW changes each time i run the app as windows is updating my Imports table to have the correct address of MessageBoxW. So my question is how do i find the virtual addres of MessageBoxW to my imports table and also how can i use this in ollydbg? Basically I'm trying to make a code cave in assembly to call MessageBoxW again. I got fairly close once by searching the executable with a hex editor and found the position of the call, and I think I found the virtual address. But when i call that virtual address in olly and saved it to the executable, the next time i opened it the call was replaced with a bunch of DB xyz (which looked like the virtual address but why did the call get removed? Sorry if my terminology is off as i'm new to this so i'm not quite sure what to call things.

  Read the article

• how to push a string address to stack with assembly, machine code

  - by Yigit

  Hi all, I am changing minesweeper.exe in order to have an understanding of how code injection works. Simply, I want the minesweeper to show a message box before starting. So, I find a "cave" in the executable and then define the string to show in messagebox and call the messagebox. Additionally of course, I have to change the value at module entry point of the executable and first direct it to my additional code, then continue its own code. So at the cave what I do; "hello starbuck",0 push 0 //arg4 of MessageBoxW function push the address of my string //arg3, must be title push the address of my string //arg2, must be the message push 0 //arg1 call MessageBoxW ... Now since the memory addresses of codes in the executable change everytime it is loaded in the memory, for calling the MessageBoxW function, I give the offset of the address where MessageBoxW is defined in Import Address Table. For instance, if MessageBoxW is defined at address1 in the IAT and the instruction just after call MessageBoxW is at address2 instead of writing call MessageBoxW, I write call address2 - address1. So my question is, how do I do it for pushing the string's address to the stack? For example, if I do these changes via ollydbg, I give the immediate address of "hello starbuck" for pushing and it works. But after reloading the executable or starting it outside of ollydbg, it naturally fails, since the immediate addresses change. Thanks in advance, Yigit.

  Read the article

• zip password crack possible?

  - by tm1rbrt

  I have a piece of software i have to install on company laptops. The installer needs a serial to work properly, but i don't have it (my manager isn't here so i cant ask him). The installer tells me to ring a phone number which doesnt appear to be connected anymore. I would download win32dasm and ollydbg and have a go at cracking the installer but i dont really have time and i havnt done it in years. There is a zip file on the disc that looks like it contains all the program files but it is passworded. Is it feasible to crack this or will it take ages?

  Read the article

• Windows disassembler: looking for a tool...

  - by SigTerm

  Hello. I'm looking for a (preferably free) tool that can produce "proper" disassembly listing from a (non-.NET) windows PE file (*.exe or *.dll). Important requirement: it should be possible to run the listing through a windows assembler (nasm, masm or whatever) and get working exe again (not necessarily identical to original one, but it should behave in the same way). Intended usage is adding new subroutines into existing code, when source is not available. Ideally, tool should be able to detect function/segment boundaries, API calls, and generate proper labels for jumps (I can live without labels for loops/jumps, though, but function boundary detection would be nice), and keep program resources/segments in place. I'm already aware of IdaPRO(not free), OllyDBG (useful for in-place hacking, doesn't generate disassembly listing, AFAIK), ndisasm (output isn't suitable for assembler), dumpbin (useful, but AFAIK, output isn't suitable for assembler) and "proxy dll" technique. Ideas? Or maybe there is a book/tutorial that explains some kind of alternative approach?

  Read the article

• How to debug a process using Visual Studio?

  - by Ian Boyd

  If an application† crashes: i hit "Debug" and Visual Studio is my currently registered Just-In-Time (JIT) debugger: Visual Studio appears, but there's no way to debug anything: i do not see any disassembly. i do not see any symbols i do not see reconstructed source code from reflection i do not see any registers the call stack is empty Other JIT debugger products are able to show disassembly, but they are either command-line based (Debugging Tools for Windows), or do not support symbols (OllyDbg, Delphi). Additionally, my question is about debugging using Visual Studio, since i already have it installed, and is already my registered JIT. How do you debug a program using Visual Studio? Alternatively: has anyone written a graphical debugger that supports the Microsoft symbol server? † not, necessarily, written in Visual Studio Edit: Changes title to process rather than application, since the latter somehow implies "my application."

  Read the article

• x86 CMP Instruction Difference

  - by Pindatjuh

  Question What is the (non-trivial) difference between the following two x86 instructions? 39 /r CMP r/m32,r32 Compare r32 with r/m32 3B /r CMP r32,r/m32 Compare r/m32 with r32 Background I'm building a Java assembler, which will be used by my compiler's intermediate language to produce Windows-32 executables. Currently I have following code: final ModelBase mb = new ModelBase(); // create new memory model mb.addCode(new Compare(Register.ECX, Register.EAX)); // add code mb.addCode(new Compare(Register.EAX, Register.ECX)); // add code final FileOutputStream fos = new FileOutputStream(new File("test.exe")); mb.writeToFile(fos); fos.close(); To output a valid executable file, which contains two CMP instruction in a TEXT-section. The executable outputted to "text.exe" will do nothing interesting, but that's not the point. The class Compare is a wrapper around the CMP instruction. The above code produces (inspecting with OllyDbg): Address Hex dump Command 0040101F |. 3BC8 CMP ECX,EAX 00401021 |. 3BC1 CMP EAX,ECX The difference is subtle: if I use the 39 byte-opcode: Address Hex dump Command 0040101F |. 39C1 CMP ECX,EAX 00401021 |. 39C8 CMP EAX,ECX Which makes me wonder about their synonymity and why this even exists.

  Read the article

• Far jump in ntdll.dll's internal ZwCreateUserProcess

  - by user49164

  I'm trying to understand how the Windows API creates processes so I can create a program to determine where invalid exes fail. I have a program that calls kernel32.CreateProcessA. Following along in OllyDbg, this calls kernel32.CreateProcessInternalA, which calls kernel32.CreateProcessInternalW, which calls ntdll.ZwCreateUserProcess. This function goes: mov eax, 0xAA xor ecx, ecx lea edx, dword ptr [esp+4] call dword ptr fs:[0xC0] add esp, 4 retn 0x2C So I follow the call to fs:[0xC0], which contains a single instruction: jmp far 0x33:0x74BE271E But when I step this instruction, Olly just comes back to ntdll.ZwCreateUserProcess at the add esp, 4 right after the call (which is not at 0x74BE271E). I put a breakpoint at retn 0x2C, and I find that the new process was somehow created during the execution of add esp, 4. So I'm assuming there's some magic involved in the far jump. I tried to change the CS register to 0x33 and EIP to 0x74BE271E instead of actually executing the far jump, but that just gave me an access violation after a few instructions. What's going on here? I need to be able to delve deeper beyond the abstraction of this ZwCreateUserProcess to figure out how exactly Windows creates processes.

  Read the article

• OpenGL Calls Lock/Freeze

  - by Necrolis

  I am using some dell workstations(running WinXP Pro SP 2 & DeepFreeze) for development, but something was recenlty loaded onto these machines that prevents any opengl call(the call locks) from completing(and I know the code works as I have tested it on 'clean' machines, I also tested with simple opengl apps generated by dev-cpp, which will also lock on the dell machines). I have tried to debug my own apps to see where exactly the gl calls freeze, but there is some global system hook on ZwQueryInformationProcess that messes up calls to ZwQueryInformationThread(used by ExitThread), preventing me from debugging at all(it causes the debugger, OllyDBG, to go into an access violation reporting loop or the program to crash if the exception is passed along). the hook: ntdll.ZwQueryInformationProcess 7C90D7E0 B8 9A000000 MOV EAX,9A 7C90D7E5 BA 0003FE7F MOV EDX,7FFE0300 7C90D7EA FF12 CALL DWORD PTR DS:[EDX] 7C90D7EC - E9 0F28448D JMP 09D50000 7C90D7F1 9B WAIT 7C90D7F2 0000 ADD BYTE PTR DS:[EAX],AL 7C90D7F4 00BA 0003FE7F ADD BYTE PTR DS:[EDX+7FFE0300],BH 7C90D7FA FF12 CALL DWORD PTR DS:[EDX] 7C90D7FC C2 1400 RETN 14 7C90D7FF 90 NOP ntdll.ZwQueryInformationToken 7C90D800 B8 9C000000 MOV EAX,9C the messed up function + call: ntdll.ZwQueryInformationThread 7C90D7F0 8D9B 000000BA LEA EBX,DWORD PTR DS:[EBX+BA000000] 7C90D7F6 0003 ADD BYTE PTR DS:[EBX],AL 7C90D7F8 FE ??? ; Unknown command 7C90D7F9 7F FF JG SHORT ntdll.7C90D7FA 7C90D7FB 12C2 ADC AL,DL 7C90D7FD 14 00 ADC AL,0 7C90D7FF 90 NOP ntdll.ZwQueryInformationToken 7C90D800 B8 9C000000 MOV EAX,9C So firstly, anyone know what if anything would lead to OpenGL calls cause an infinite lock,and if there are any ways around it? and what would be creating such a hook in kernal memory ? Update: After some more fiddling, I have discovered a few more kernal hooks, a lot of them are used to nullify data returned by system information calls(such as the remote debugging port), I also managed to find out the what ever is doing this is using madchook.dll(by madshi) to do this, this dll is also injected into every running process(these seem to be some anti debugging code). Also, on the OpenGL side, it seems Direct X is fine/unaffected(I ran one of the DX 9 demo's without problems), so could one of these kernal hooks somehow affect OpenGL?

  Read the article

1