Tuts 4 You

modify the instructions in ollydbg


tianna0370


Hello:

I am developing a plugin for Ollydbg now, but I am struggling to modify the assembly code through the Ollydbg API. For example, in the main window, there is an instruction "PUSH EAX". I'd like to change it to "PUSH EBX". I have tried two APIs: Assemble() and Writememory(), but didn't succeed. Am I right? Could anyone write a piece of sample code for me?

Thanks a lot in advance.

Fan

Link to comment

Hi

Have you tried this?

I use this for my OllyMod plugin

.data
szPatch db 53h ; push ebx

invoke GetCurrentProcess
mov Handle, eax
mov szOffset,0xxxxxxh ;<<<< your offset
invoke VirtualProtect, eax, 10,PAGE_EXECUTE_WRITECOPY, offset Old
invoke WriteProcessMemory, Handle, szOffset, offset szPatch, 1, 0

I think that before you patch this address you should add ReadProcessMemory and compare the result to check whether this address holds push eax.

Greets

Edited by ragdog
Link to comment

Instead of posting "It didn't work" why not show us what you tried to use, maybe someone who has coded a plugin can help with your problem? What parameters are you passing to Assemble, etc... I am assuming you mean to change the code in the context of the debuggee, not OllyDbg itself?

ragdog:


mov szOffset,0xxxxxxh ;<<<< your offset
invoke VirtualProtect, eax, 10,PAGE_EXECUTE_WRITECOPY, offset Old

At this point, EAX == the handle to the process (FFFFFFFF), which is an invalid address to pass to VirtualProtect. I would have thought you would use 'szOffset' (that's a different prefix for a DWORD/UINT variable. ;))

Having said this, I was under the impression the OP was trying to make his plugin so that it modifies the target process, not OllyDbg.

HR,

Ghandi

Edited by ghandi
Link to comment

Sorry, I forgot something.


invoke GetCurrentProcess
mov Handle, eax
mov eax, 0xxxxxxxh ;your offset
mov szOffset, eax
invoke VirtualProtect, eax, 10,PAGE_EXECUTE_WRITECOPY, offset Old
invoke WriteProcessMemory, Handle, szOffset, offset szPatch, 1, 0
Edited by ragdog
Link to comment

Thank you both very much for your help. What I did was develop a plugin that analyzes the assembly code in the Ollydbg window and then changes some instructions automatically so that the execution sequence will be changed. If anyone has some ideas about how to change the instructions, please let me know.

Thanks a lot again

Link to comment
Instead of posting "It didn't work" why not show us what you tried to use, maybe someone who has coded a plugin can help with your problem? What parameters are you passing to Assemble, etc... I am assuming you mean to change the code in the context of the debuggee, not OllyDbg itself?

You have not provided any information. How can we help you if you won't do anything to help yourself?

HR,

Ghandi

Link to comment

Sorry about that. I wrote the code as below:

void modifyInstruction(ulong address)
{
    t_memory *pmem;
    unsigned int pocetBytup=0,pocetBytu=0,length=0;
    ulong cmdsize;
    char cmd[MAXCMDSIZE],*pdecode,*errors;
    ulong decodesize;
    t_disasm da;
    t_asmmodel am;

    cmdsize=MAXCMDSIZE;
    Readmemory(cmd,address+pocetBytu,cmdsize,MM_RESTORE|MM_SILENT);//read the original instruction and calculate the length of code
    pmem=Findmemory(address+pocetBytu);
    pdecode=Finddecode(address+pocetBytu,&decodesize);
    pocetBytup=pocetBytu;
    pocetBytu+=Disasm(cmd,cmdsize,address+pocetBytu,pdecode,&da,DISASM_CODE,0);
    strcpy(cmd,"PUSH 4");//get the new instruction which will write it to the memory
    Writememory(cmd,address,pocetBytu-pocetBytup,MM_RESTORE|MM_SILENT);//write the new instruction to the memory
}

After I tested it on some cases, the original instruction was changed to two instructions: "PUSH EAX" and "PUSH EBP", not the expected instruction "PUSH 4". What's wrong with the code?

Thank you

Link to comment
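Why the routine in the last post yields PUSH EAX and PUSH EBP, shown as an added example that is not part of the original thread: Writememory() receives the ASCII text "PUSH 4", and 'P' (0x50) and 'U' (0x55) are the one-byte opcodes for PUSH EAX and PUSH EBP. The two-byte original instruction is constructed sample data, and `encode_push_imm8` is a hypothetical stand-in for the assembler step (Assemble() in the plugin), whose output bytes are what should be written instead of the text.

```c
#include <stdio.h>
#include <string.h>

/* Register pushed by a one-byte PUSH r32 opcode (0x50..0x57), or NULL. */
const char *push_reg_name(unsigned char op) {
    static const char *regs[8] = {"EAX", "ECX", "EDX", "EBX",
                                  "ESP", "EBP", "ESI", "EDI"};
    return (op >= 0x50 && op <= 0x57) ? regs[op - 0x50] : NULL;
}

/* What the posted routine does: copy the TEXT "PUSH 4" over the code. */
void text_patch(unsigned char *code, size_t old_len) {
    const char text[] = "PUSH 4";            /* ASCII: 50 55 53 48 20 34 */
    memcpy(code, text, old_len < sizeof text ? old_len : sizeof text);
}

/* Hypothetical stand-in for the assembler step: PUSH imm8 encodes as 6A ib. */
size_t encode_push_imm8(signed char imm, unsigned char *out) {
    out[0] = 0x6A;
    out[1] = (unsigned char)imm;
    return 2;
}

/* Write machine code over an old_len-byte instruction, NOP-padding the rest.
   Returns 0 on success, -1 (buffer untouched) if the encoding does not fit. */
int encoded_patch(unsigned char *code, size_t old_len, signed char imm) {
    unsigned char enc[2];
    size_t n = encode_push_imm8(imm, enc);
    if (n > old_len)
        return -1;
    memcpy(code, enc, n);
    memset(code + n, 0x90, old_len - n);      /* 0x90 = NOP */
    return 0;
}

int main(void) {
    unsigned char a[2] = {0x8B, 0xEC};        /* constructed: MOV EBP,ESP */
    unsigned char b[2] = {0x8B, 0xEC};
    text_patch(a, sizeof a);
    printf("text patch:    %02X %02X -> PUSH %s, PUSH %s\n",
           a[0], a[1], push_reg_name(a[0]), push_reg_name(a[1]));
    if (encoded_patch(b, sizeof b, 4) == 0)
        printf("encoded patch: %02X %02X -> PUSH 4\n", b[0], b[1]);
    return 0;
}
```

The length check matters in the plugin as well: a replacement longer than the instruction it overwrites spills into the following instruction, and a shorter one leaves stale bytes unless they are padded.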
