Hello,

I search how i can get each commands of a debugged process in OllyDbg.

I think i need to use this function : ulong Readcommand(ulong ip,char *cmd);

My program entry point :

004C5C74 > $ 55 PUSH EBP

var
     Commande : string;if Readcommand($004C5C74, PAnsiChar(Commande)) > 0 then
     // success
else
     // error

But when u try it, it's not working

Readcommand return all time 0 !

I need to have : Commande := 'PUSH EBP'

Can you help me ?

Thanks,

Mathieu

Edited April 1, 201114 yr by mrousse83

Hi

I have no Experience about Delphi

Readcommand return the size of bytes

Masm:

local cmd [256]:DWORD invoke Readcommand,0040100Ch, addr cmd
 .if eax!=0
 	True
 	.else
      	Fasle
 .endif

or

BYTE szCmd[MAXCMDSIZE]; dwAddr = dwBase + dwOffset;    	nRetCode = Readcommand(dwAddr, (char *)szCmd);
    	PROCESS_ERROR(nRetCode);

ragdog, and cmd contains the instruction ?

Thanks

Edited April 1, 201114 yr by mrousse83

ragdog, and cmd contains the instruction ?

Thanks

Yes correct

Reads command from the memory of debugged process and restored breakpoints. Returns length of the read code (at most MAXCMDSIZE bytes) or 0 if memory can't be read.

Note: Any access to the memory in different process is extremely time-expensive. As in many cases different parts of OllyDbg access same command several times, Readcommand maintains small 1-command cache significantly improves the wholesave productivity of OllyDbg. If you need to access several compactly placed commands, Readmemory is usually much faster.

ulong Readcommand(ulong ip,char *cmd);

Parameters:

ip - address of the command in the memory space of debugged process. If ip is 0, function invalidates cache and returns 0;

cmd - buffer of length at least MAXCMDSIZE bytes that receives command.

You can all Read about Api Interface in Plugins.hlp of the Pdk package from Olly

Thanks for your precisions ragdog.

Do you know why memory can't be read, because Readcommand return all time 0 ?

I need to change memory rights access ?

Mathieu

Readcommand does not return the assembler instruction. It does return the opcode of the command.

Maybe you have to use a char array instead of string for this function, not sure.

Edited April 1, 201114 yr by GoJonnyGo

OK !

What functions i need to use for get assembler instruction ?

Thanks,

Mathieu

var
     Commande : string;if Readcommand($004C5C74, PAnsiChar(Commande)) > 0 then
     // success
else
     // error

Ok, firstly you haven't initialized the Commande string in this code. If you are using a string as a buffer you must first give it a size, and it might help to initialize the chars to nulls too.

Secondly, it's a string not a buffer, meaning that it's data starts at 1 not 0. So to reference the data at index 1 it's best to use @Commande[1]

But anyway, code should look more like this:

Var
  Cmd : Array [0 .. MAXCMDSIZE-1] Of Char;
  Len : DWord;
Begin
  FillChar(Cmd, MAXCMDSIZE, 0);
  Len := Readcommand($004C5C74, Cmd);
  If (Len > 0) Then Begin
    // Do further processing ..
  End Else Begin
    // Fail ..
  End;
End;

In Delphi an array of chars is treated as a PAnsiChar, so usage is exactly the same.

Also, you might want to check out my Delphi PDK, which will make your plugin compatible with OllyDbg and Immunity Debugger (including patched OllyDbg editions)
/>http://forum.tuts4you.com/index.php?app=forums&module=forums&section=findpost&pid=121002

Edited April 1, 201114 yr by BoB

Thanks for your help and example BoB, work's fine !

Readcommand return opcode, but i want to get assembler instruction, do you know what functions i need to use for get assembler instruction of a given address ?

Thanks a lot,

Mathieu

Yeah, use this:

Function  Disasm(src: PChar; srcsize: ULONG; srcip: ULONG; srcdec: PChar; disasm: p_disasm; disasmmode: Integer; threadid: ULONG): ULONG; cdecl;

OK !

Thanks BoB !

Mathieu