Exetools


n0ital 03-22-2006 04:11

Olly Registers Recorder
 
Olly experts,

What is the best way to record (log) the value of EAX & EDX while going through a specific EIP inside a loop? Proggy has long loops (500 iterations or so) and I would like to record the value of EAX & EDX for each iteration while at a specific EIP...

Couldn't find a way to do it with "Trace" so thought there might be some plug-in (script) that would provide this feature...

10X all

goggles99 03-22-2006 04:19

The right most column in the Trace window has "Modified Registers".

n0ital 03-22-2006 05:28

Hi goggles99,

Not sure I understand how this would allow logging of 3000 or so EAX/EDX values at a specific EIP...

arnix 03-22-2006 06:23

You can use a simple OllyScript, see its documentation for more help, it is really easy, a small hint from the readme.txt:

BPL addr, expr
--------------
Sets logging breakpoint at address addr that logs expression expr
Example:
bpl 401000, "eax" // logs the value of eax everytime this line is passed

JuneMouse 04-07-2006 00:27

1 Attachment(s)
do you want to log both the registers at one conditional breakpoint?
ollydbg natively lets you log one single expression per conditional breakpoint only

if you are not afraid of recompiling the cmdline.dll source
i recently wrote some code to log multiple expressions


it may be buggy and it surely is untested on different platforms
and with different compilers
i used bccfreecommandline tools and used the original makefile
to compile this

i have attached the source as well as a precompiled dll (replace the original in the plugin path; do not rename and use, there may be clashes to get the attention of the ollydbg_pausedex() function on renaming, i don't know,
did not test it rigorously)

any bug reports are welcome
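
Added example, not code from any poster in this thread or from the attached plugin: an OllyScript sketch that logs two registers at one address by using a plain breakpoint and letting the script do the logging, which sidesteps the one-expression-per-breakpoint limit mentioned above. The address 401000 is the placeholder from the readme excerpt, the iteration cap is taken from the question, and the label and variable names are hypothetical.

```ollyscript
// Added example. 401000 is a placeholder address, not a real target.
// OllyScript reads numeric constants as hex.
var addr
var hits
mov addr, 401000      // EIP to watch (placeholder)
mov hits, 0

bp addr               // plain breakpoint; the script does the logging

next:
eob on_break          // continue at on_break when the next breakpoint hits
run

on_break:
cmp eip, addr         // ignore breaks at any other address
jne next
log eax               // one log-window line per register
log edx
add hits, 1
cmp hits, 1F4         // 1F4h = 500 iterations; adjust to the loop length
je done
jmp next

done:
bc addr               // remove the breakpoint before the script ends
ret
```

The logged values land in the OllyDbg log window, which can be written to a file for later comparison across runs.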

n0ital 04-07-2006 03:35

Hi JM,
the intent is to log the value of eax, ecx & edx while it loops through a specific eip...the proggy only loops through this eip to validate a manual entry...the next step will be to auto-feed the loop with the ecx values perhaps through some injected code (cave) and perhaps do a KG from the data...the data is only valid for one run of the proggy because it initiates the loop with random data... will have a peek at your code... 10x

