pyutic Posted April 14, 2015 (edited)

As you know, OllyDbg provides labelling. When I see a referenced address in the assembly code, I get information (the label name) if the referenced address is labeled. But if a labeled address is referenced indirectly (e.g. mov eax, dword ptr [eax]) or the labelled address is on the stack, OllyDbg cannot show the label to the reverser. (Also, the status bar below the CPU cannot show the label either.)

Is there another way to view labels in OllyDbg? It's too hard to analyze obfuscated code because of this poooor behavior.

mrexodia Posted April 14, 2015 (edited)

If a register is on the label address it should show the label in the registers view. However, you should use x64dbg. Screenshot of what you want:

This obviously only works at runtime, since it is very hard or even impossible to predict an address without knowing the register context.

pyutic Posted April 14, 2015 (edited)

> If a register is on the label address it should show the label in the registers view. However, you should use x64dbg. Screenshot of what you want:
>
> This obviously only works at runtime, since it is very hard or even impossible to predict an address without knowing the register context.

Thanks for your answer. Is there no way to view an indirectly referenced label in OllyDbg? That's too bad news ;( Should that debugger provide implementations for anti-anti-dbg techniques?

Conquest Posted April 14, 2015 (edited)

> But if labeled address would be referenced indirectly (e.g. mov eax, dword ptr[eax]) or labelled address is stack, OllyDbg cannot show label to reverser.

Let me correct your sentence. OllyDbg or any other disassembler won't (cannot possibly ever) show the address. Some indirect jumps can be deduced though:

    Mov R32,#Addr
    Call/JMP R32
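
The deduction described in the last post (a constant loaded into a register, then used by call/jmp) can be automated over a text listing. This is an added example, not code from any post in the thread; the listing format, addresses and label names are constructed, and it assumes straight-line code with no incoming branches between the mov and the call/jmp.

```python
import re

TRACKED = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp"}
# Mnemonics that change no register other than their first (destination) operand.
SAFE = {"mov", "lea", "push", "pop", "cmp", "test", "nop", "add", "sub", "xor", "and", "or"}
LINE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+(\w+)\s*(.*)$")
IMM = re.compile(r"^0x[0-9A-Fa-f]+$")

def resolve_indirect_targets(listing, labels):
    """Map the address of each `call reg` / `jmp reg` to a label (or hex target)
    when the register provably holds a constant from an earlier `mov reg, imm`."""
    known = {}      # register -> constant proven to be in it right now
    resolved = {}
    for raw in listing.splitlines():
        m = LINE.match(raw)
        if not m:               # blank line or label: treat as a block boundary
            known.clear()
            continue
        addr, mnem = int(m.group(1), 16), m.group(2).lower()
        ops = [o.strip().lower() for o in m.group(3).split(",") if o.strip()]
        if mnem in ("call", "jmp") and ops and ops[0] in known:
            target = known[ops[0]]
            resolved[addr] = labels.get(target, hex(target))
        if mnem == "mov" and len(ops) == 2 and ops[0] in TRACKED and IMM.match(ops[1]):
            known[ops[0]] = int(ops[1], 16)
        elif mnem in SAFE:
            if ops:
                known.pop(ops[0], None)   # destination overwritten or unknown
        else:
            known.clear()                 # call, jmp, jcc, ret, anything unmodelled
    return resolved

# Constructed sample: labels as a reverser might have set them in the debugger.
LABELS = {0x402000: "decrypt_string", 0x402040: "handler_table", 0x402080: "real_entry"}
SAMPLE = """
00401000: mov eax, 0x00402000
00401005: push 0x0
00401007: call eax
00401009: mov ecx, 0x00402040
0040100e: mov ecx, dword ptr [ecx]
00401010: call ecx
00401012: mov edx, 0x00402080
00401017: jmp edx
"""

if __name__ == "__main__":
    for addr, name in resolve_indirect_targets(SAMPLE, LABELS).items():
        print(f"{addr:08x}: -> {name}")
```

The `call ecx` at 00401010 stays unresolved because ecx was reloaded from memory, which is the case that needs the runtime register context.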