modify the instructions in ollydbg

[tianna0370]

Hello:

I am developing a plugin for Ollydbg now, but I am struggled to modify the assembly code by Ollydbg API. For example, in the main windows, there is an instruction "PUSH EAX". I'd like to change it to "PUSH EBX". I have tried two APIs: Assemble() and Writememory(), but didn't success. Am I right? Could anyone write a piece of sample code for me?

thanks a lot in advance.

Fan

[ragdog]

Hi

Have you try this?

I use this for my OllyMod plugin

.data
szPatch db 53h  ; push ebxinvoke GetCurrentProcess
    mov Handle, eax   mov szOffset,0xxxxxxh ;<<<< your offset
invoke VirtualProtect, eax, 10,PAGE_EXECUTE_WRITECOPY, offset Old
invoke WriteProcessMemory, Handle, szOffset, offset szPatch, 1, 0 		

I think before you patch this address add ReadProcessMemory and compare result for check if at this address push eax

Greets

Edited August 13, 2010 by ragdog

[ghandi]

Instead of posting "It didn't work" why not show us what you tried to use, maybe someone who has coded a plugin can help with your problem? What parameters are you passing to Assemble, etc... I am assuming you mean to change the code in the context of the debuggee, not OllyDbg itself?

ragdog:

 mov szOffset,0xxxxxxh ;<<<< your offset 
invoke VirtualProtect, eax, 10,PAGE_EXECUTE_WRITECOPY, offset Old 

At this point, EAX == the handle to the process (FFFFFFFF) which is an invalid address to pass to VirtualProtect, i would have thought you would use 'szOffset' (thats a different prefix for a DWORD/UINT variable. )

Having said this, i was under the impression the OP was trying to make his plugin so that it modifies the target process, not OllyDbg.

HR,

Ghandi

Edited August 14, 2010 by ghandi

[ragdog]

Sorry i have what forgot

invoke GetCurrentProcess
   mov Handle, eax
	mov eax, 0xxxxxxxh ;your offset
 	mov szOffset, eax
  invoke VirtualProtect, eax, 10,PAGE_EXECUTE_WRITECOPY, offset Old
 invoke WriteProcessMemory, Handle, szOffset, offset szPatch, 1, 0 	

Edited August 14, 2010 by ragdog

[tianna0370]

Thank you very much for both of your helps. What I did is to develop a plugin that analyze the assembly code in ollydbg window and then change some instructions automatically so that the executing sequence will be changed. If anyone have some ideas about how to change the instructions, please let me know.

Thanks a lot again

[ghandi]

Instead of posting "It didn't work" why not show us what you tried to use, maybe someone who has coded a plugin can help with your problem? What parameters are you passing to Assemble, etc... I am assuming you mean to change the code in the context of the debuggee, not OllyDbg itself?

You have not provided any information, how can we help you if you wont do anything to help yourself.

HR,

Ghandi

[tianna0370]

Sorry about that. I wrote the code as below:

void modifyInstruction(ulong address)

{

t_memory *pmem;

unsigned int pocetBytup=0,pocetBytu=0,length=0;

ulong cmdsize;

char cmd[MAXCMDSIZE],*pdecode,*errors;

ulong decodesize;

t_disasm da;

t_asmmodel am;

cmdsize=MAXCMDSIZE;

Readmemory(cmd,address+pocetBytu,cmdsize,MM_RESTORE|MM_SILENT);//read the original instruction and calculate the length of code

pmem=Findmemory(address+pocetBytu);

pdecode=Finddecode(address+pocetBytu,&decodesize);

pocetBytup=pocetBytu;

pocetBytu+=Disasm(cmd,cmdsize,address+pocetBytu,pdecode,&da,DISASM_CODE,0);

strcpy(cmd,"PUSH 4");//get the new instruction which will write it to the memory

Writememory(cmd,address,pocetBytu-pocetBytup,MM_RESTORE|MM_SILENT);//write the new instruction to the memory

}

After I test it on some case, the original instruction has been changed to two instructions: "PUSH EAX" and "PUSH EBP", not the expected instruction "PUSH 4". What's wrong with the code?

Thank you