Ostatnio powróciłem do dawno porzuconego pomysłu stworzenia pluginu dla Olka, który będzie dostarczał podobną funkcjonalność odnośnie zmiany
nazwy/wartości m.in funkcji czy stałej jak IDA.
Myślę, że najlepiej jego zastosowanie i funkcjonalność przedstawić w akcji:
[+]Sposób użycia
Powiedzmy, żę chcemy zmienić nazwę CALL’a z domyślnej reprezentowanej przez adres na bardziej przyjazną nam.
Wybieramy linie w oknie disasembler’a, w której występuje interesujący nas CALL:
następnie PPM i wybieramy Change value:
w widocznym poniżej okienku wpisujemy proponowaną przez nas nazwę i zatwierdzamy ją poprzez ENTER lub kliknięcie przycisku Set:
Otrzymany efekt wygląda następująco:
[+]Propozycja zastosowań
A oto lista przykładów prezentująca prawdopodobnie wszystkie możliwe miejsca w kodzie gdzie można zastosować omawiany plugin:
==CALL== 004012D7 . E8 EC110000 CALL Project2.004024C8 004012D7 . E8 EC110000 CALL <project2.some_call> ==JMP== 004012F5 E9 1E120000 JMP Project2.00402518 004012F5 E9 1E120000 JMP <project2.some_jump> ==Global variable== 004012FC . A0 71304000 MOV AL,BYTE PTR DS:[403071] 004012FC . A0 71304000 MOV AL,BYTE PTR DS:[<g_variable>] 0040135F . FF35 7F304000 PUSH DWORD PTR DS:[40307F] 0040135F . FF35 7F304000 PUSH DWORD PTR DS:[<g_variable>] (...)
Plugin można pobrać stąd : NameChanger.zip
Oczywiście zapraszam do testowania i przesyłania mi feedbacku o ewentualnych zmianach jakie powinny zajść w kolejnej wersji itp.I recently returned to an idea of an OllyDbg plug-in which would provide functionality similar like in an IDA related with inter alia :changing name of functions or setting more readable form for global variables.
I think that the best way to present its adoption and functionality is to see it in an action:
[+]How to use it?
Let’s we say that we want to change a name of CALL from a default one represented by address to more readable for us. We choose a line in a disassembly window where interesting for us CALL is located:
next RMB and we choose Change value:
In visible below window we put proposed by us new name and then confirm it via an ENTER or a Set button:
Obtained effect looks as follows:
[+]Proposed uses
Below you can find probably all possible places in a disassembler where plug-in can be use:
==CALL== 004012D7 . E8 EC110000 CALL Project2.004024C8 004012D7 . E8 EC110000 CALL <Project2.some_call> ==JMP== 004012F5 E9 1E120000 JMP Project2.00402518 004012F5 E9 1E120000 JMP <Project2.some_jump> ==Global variable== 004012FC . A0 71304000 MOV AL,BYTE PTR DS:[403071] 004012FC . A0 71304000 MOV AL,BYTE PTR DS:[<g_variable>] 0040135F . FF35 7F304000 PUSH DWORD PTR DS:[40307F] 0040135F . FF35 7F304000 PUSH DWORD PTR DS:[<g_variable>] (...)
Plug-in can be downloaded from here : NameChanger.zip
Of course all kind of constructive feedback is welcome 😉
Pingback: Tweets that mention Icewall's blog » NameChanger ver 1.0 – OllyDbg plugin -- Topsy.com
Pingback: NameChanger ver 1.0 – OllyDbg plugin | Computer Security Articles
Consider this:
call project2.004024c8
follow the call and @4024c8, type “:” without the quotes and enter the name of the routine. Voila! You have now:
call project2.the_name_you_used
The same goes for every memory location you can refer to.
So, the question is why use your plugin at all?
Peace!
@Dimiter Andonov
You have right, we can achieve the same effect e.g follow CALL and set up Label,BUT still we can do it faster via NameChanger plus consider situation when u want change address representation:
MOV EDX,DWORD PTR DS:[40CEA4]
in this situation u need to follow 0x040CEA4 via “Follow in Dump->Memory address” move to dump window and set up label via “:”.
I think that using plugin u gonna make it faster and more easily, plus I’m planning to add hot key in next version which will increase that speed also.
@Icewall
Well, good luck then. Just wanted to point out that the same functionality can be achieved without a dedicated plugin. I have been using OllyDbg on daily basis for more than 3 years and have never found that naming I’ve described above is too slow. Moreover, when I do reverse engineering I am never concerned if I would save a few seconds on technicalities.
Just my 2 cents, other people might find your plugin very useful.
Peace.
@Dimiter Andonov
Thank you for your opinion ;).
I think it;s not about time ,it’s more about convenience.. one click instead of couple. Similar thing appears when u mention about IDAFicator plugin and its graphical buttons e.g for
Showing all string references in .exe …we can do it without plugin right? RMB->Search for-> All referenced text strings, but I much more prefer click one button “AB” and get the same results.
I appreciate your work, but just as @Dimiter in my opinion it is not so useful at all… When I need to “name” something, some address in memory I just simply type, previously mentioned, colon and type a label. If I need to label some “not-easily-accessible-memory-address” then I just type (in CommandLine plugin) “l ADDR, Label” . That’s all.
In my opinion, to extend functionality of yours’ plugin, you should learn it to do some magics 😉 Add features like “intelligent naming”. This feature would be for example responsible for automatically setting the names for the routines and addresses, just as it had been done in IDA. Think about analysing first bytes from memory addresses that instruction refers to and based on this analyse – build a name for these addresses. This would be tasty 😉
Cheers.
@MGeeky
Thank you for your opinion ;). Maybe in next release I will add suggested by u functionality.
I believe this has been done several times over as well with sig plugins? Thanks for the plugin and good luck in continuing the improvements.