tonyweb Posted November 13, 2012 (edited)

Hi guys/girls, I'm really new to Olly plugin writing, so I'm here to beg for your help. I'm writing a very simple plugin for Olly 1.10 that deals with bytes in the CPU dump. I'm using the Readmemory and Writememory functions and all works fine ... but the modified bytes don't look modified and I can't invoke the undo action on them.

I'll explain better. When you do some action on the CPU dump like the "Binary | Fill With xxx" operations, you end up with "red" modified bytes in the dump, bytes you can even restore back to their initial value. That's the effect I'd like to reproduce. Any pointer, hint or suggestion is appreciated (I'll understand if you give me a mouthful).

Thanks in advance and Best Regards,
Tony

P.D. I saw there's a Havecopyofmemory function but I don't think it could be of any help for my matter, or am I wrong?

[EDIT] Just found that if I use the "Fill With" options before the one from my plugin, Olly gives me the desired effect ... how can I trigger it if my "action" is the first to be invoked? Thanks again for any help.

Regards,
Tony

Edited November 13, 2012 by tonyweb
kao Posted November 13, 2012 (edited)

Look at the OllyDbg disassembly to see how "Fill with 00's" is implemented (for v1.10 - address 0451306). In short - use the function Dumpbackup().

EDIT 2x: I shouldn't rush with the responses..

Edited November 13, 2012 by kao
tonyweb (Author) Posted November 13, 2012 (edited)

@kao You're the man, kao! Old and good reversing of Olly itself ... I'm really a dumb. Thank you so much mate ... obviously it's working!!! Case closed.

Best Regards,
Tony

P.D. Now I'll try to understand how you reached the location you pointed me to, so I won't have to bore you again ... hopefully.

[EDIT] A simple BP on _Writememory will do, it seems (but I'm almost sure you used a more suitable/complex approach) ... thanks again.

[EDIT 2] I ended up writing this (may be useful for other beginners like me):

// selStartAddr: first selected address in the CPU dump; pd: t_dump* of the dump window
t_memory *memPtr = Findmemory(selStartAddr);
// memPtr->copy: if the memory block was backed up in the CPU window, pointer to the backup copy, or NULL otherwise
if (memPtr != 0 && memPtr->copy == 0) {
    // To support "undo" (credits to kao: cfr. http://forum.tuts4you.com/topic/30438-answered-how-to-support-undo-in-cpu-dump-from-olly-plugin)
    Dumpbackup(pd, BKUP_CREATE); // Create or update backup copy. (t_dump *pd)
}

Edited November 13, 2012 by tonyweb
kao Posted November 13, 2012

Indeed, a BP on _Writememory is the fastest way to locate the correct code. A more complex (and much slower!) approach is to analyze the WndProc and try to locate the proper handler.
tonyweb (Author) Posted November 16, 2012

@kao That's why you're a professional reverser and I'm just an amateur. Thanks again and Best Regards,
Tony