Tuts 4 You

Ollydbg Attach


Scale


Posted

If I attach to a process and make it crash, then close it in Olly, restart the program and attach again, all threads will be suspended and won't resume.

The only way to get a successful attach is to restart Olly every time. Is this just me?

Thanks!

Posted

Happens to me too. It does get annoying but I've kinda gotten used to having to restart Olly every time.

Posted

Debugging the attach process, Olly doesn't exhibit these problems, but when running it naked it does (I've always banged my head against the wall with this problem). The thought of coding a plugin to address this has been something I have entertained a few times but never did anything about it. This time it got the better of me and I patched OllyDbg.exe instead.

DISCLAIMER: The following patch is unconfirmed and may possibly break something else, you have been warned!!!


00478DC2 . E8 FB630300 CALL <JMP.&KERNEL32.SuspendThread> ; \SuspendThread
00478DC7 . 8BF0 MOV ESI,EAX
00478DC9 . 8BC6 MOV EAX,ESI
00478DCB . 2B83 20060000 SUB EAX,DWORD PTR [EBX+620]
00478DD1 . 8945 FC MOV DWORD PTR [EBP-4],EAX
00478DD4 . 8B53 0C MOV EDX,DWORD PTR [EBX+C]
00478DD7 . 52 PUSH EDX ; /hThread
00478DD8 . E8 97630300 CALL <JMP.&KERNEL32.ResumeThread> ; \ResumeThread
00478DDD . 85F6 TEST ESI,ESI
00478DDF . 7F 1B JG SHORT 00478DFC

to

00478DC1 . 50 PUSH EAX ; /hThread
00478DC2 . E8 FB630300 CALL <JMP.&KERNEL32.SuspendThread> ; \SuspendThread
00478DC7 . 8BF0 MOV ESI,EAX
00478DC9 . 8BC6 MOV EAX,ESI
00478DCB . 2B83 20060000 SUB EAX,DWORD PTR [EBX+620]
00478DD1 . 8945 FC MOV DWORD PTR [EBP-4],EAX
00478DD4 . 8B53 0C MOV EDX,DWORD PTR [EBX+C]
00478DD7 . 52 PUSH EDX ; /hThread
00478DD8 . E8 97630300 CALL <JMP.&KERNEL32.ResumeThread> ; \ResumeThread
00478DDD . 85C0 TEST EAX,EAX
00478DDF .^ 75 F3 JNZ SHORT 00478DD4

Patching the above, Olly will continue calling ResumeThread until the thread suspend count returns 0, i.e. an active thread. A cleaner way would be to insert a hook so that the "TEST ESI,ESI" can still exist; this is most likely preferable to overwriting it as I have done. But the short-term result I got from this was that I could attach to processes and they would allow me to resume execution without problem.

HR,

Ghandi

Posted

Thanks ghandi!

What is the ESI test for?

I have been reversing for years and I still barely know what each register does, shame on me.

Now that I think of it, maybe you know a good paper on registers; I think I could learn a lot from that :)

Thanks again

Posted (edited)

Okay, I've just modified a vanilla (unpatched) version of OllyDbg.exe and it works ok so far. Instead of just patching like that, I've changed the call to JMP DWORD PTR [&ResumeThread] (it's an 0xE9 relative call, so relocations are unaffected) to call a routine I inserted into a code cave, so that the ESI check is preserved. Once again, this is only provided as Proof-Of-Concept, no guarantees or warranties provided.


00478DD8 . E8 97630300 CALL <JMP.&KERNEL32.ResumeThread>

to

00478DD8 . E8 67680300 CALL 004AF644

The actual address of your call may differ if you decide to place your code at a different address, but here is the content of the routine.


004AF644 /$ 55 PUSH EBP
004AF645 |. 8BEC MOV EBP,ESP
004AF647 |> FF75 08 PUSH DWORD PTR [EBP+8]
004AF64A |. E8 8DDD0500 CALL 004AF174 ;<JMP KERNEL32.ResumeThread>
004AF64F |. 85C0 TEST EAX,EAX
004AF651 |.^ 75 F4 JNZ SHORT 004AF647
004AF653 |. 8BE5 MOV ESP,EBP
004AF655 |. 5D POP EBP
004AF656 \. C2 0400 RET 4

Now it will call this routine instead of ResumeThread and upon returning will still perform the ESI check. ESI is simply one of the 8 general purpose registers; it also serves as the source pointer for string operands, like LODSB, SCASB, MOVSD. In this particular case, you can see above our call that ESI is actually set to the value of EAX, which holds the return value from its call to SuspendThread. If you call SuspendThread and receive 0, then something is wrong because it is meant to return the thread suspend count. Each call to SuspendThread increments this counter; while its value is > 0, the thread is in a suspended state. ResumeThread decrements this counter, which is why I made the loop call ResumeThread until the counter was 0 and the thread could be active again.

HR,

Ghandi

Edit: After some testing, this is not a good patch, it breaks OllyDbg. Sorry... It disabled the ability to suspend/pause a thread unless you use a breakpoint, and Olly doesn't realize the app has exited. I also have some doubts over using 0 as the counter test value, because when I changed it to CMP AL,1 I had the exact same results. My conclusion is I have patched a place which shouldn't be patched and another method needs to be devised, like a plugin to hook the "Resume" handler so that only it will call ResumeThread, looping until it reaches 0...

Edited by ghandi
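The suspend-count semantics discussed in this thread, as an added example that is not part of the original posts: a portable C model of the Win32 counter rather than the real API calls, built on the documented behaviour that SuspendThread and ResumeThread both return the thread's previous suspend count (or (DWORD)-1 on failure). It shows why the patched "loop until ResumeThread returns 0" makes one extra call and would never terminate on a failed handle, beside a loop that stops as soon as the thread is running; all names (model_thread, resume_until_zero, resume_until_running) are hypothetical.

```c
/* Portable model of the Win32 thread suspend count (not the real API).
 * SuspendThread/ResumeThread return the PREVIOUS suspend count, or
 * THREAD_FAIL on error; a thread executes only while the count is 0. */
#include <stdint.h>
#include <stdbool.h>

#define THREAD_FAIL ((uint32_t)-1)
#define MAX_SUSPEND_COUNT 127   /* MAXIMUM_SUSPEND_COUNT in winnt.h */

typedef struct { bool valid; uint32_t suspend_count; } model_thread;

/* Like SuspendThread: returns previous count (0 == thread was running). */
uint32_t model_suspend(model_thread *t) {
    if (!t->valid || t->suspend_count >= MAX_SUSPEND_COUNT) return THREAD_FAIL;
    return t->suspend_count++;
}

/* Like ResumeThread: returns previous count; 0 means it was not suspended,
 * 1 means it is running now, >1 means it is still suspended. */
uint32_t model_resume(model_thread *t) {
    if (!t->valid) return THREAD_FAIL;
    uint32_t prev = t->suspend_count;
    if (prev > 0) t->suspend_count--;
    return prev;
}

/* The loop the patch installs: resume until the call returns 0.  Bounded
 * here so the model cannot spin; returns calls made, or -1 on the bound.
 * Note THREAD_FAIL is nonzero, so a bad handle would loop forever. */
int resume_until_zero(model_thread *t, int max_calls) {
    for (int calls = 1; calls <= max_calls; calls++)
        if (model_resume(t) == 0) return calls;
    return -1;
}

/* Loop that stops once the thread is running (previous count <= 1) and
 * bails out on failure instead of retrying it. */
int resume_until_running(model_thread *t, int max_calls) {
    for (int calls = 1; calls <= max_calls; calls++) {
        uint32_t prev = model_resume(t);
        if (prev == THREAD_FAIL) return -1;
        if (prev <= 1) return calls;
    }
    return -1;
}
```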
