This plugin allows you to search for a given text when automatically
stepping through the debugged program.
When the plugin is enabled, it will step automatically through the debugged
program once a step command (like Step Into) is issued.
Enabling the plugin is done with the “Options” menu command.
menu.PNG
options.PNG
After enabling, press F7 to start.
After each step, the plugin will check which registers have changed.
If a changed register points to an ASCII string, it is logged.
If a search string has been defined and it is contained in the ASCII string
pointed to by the register or the Information pane, the stepping is paused.
Comparison is case sensitive.
A search string is defined by entering it with the “Options” menu command.
It is remembered in the OllyDbg INI file.
Entering an empty string disables the break on string command.
OllyStepNSearch can search in strings pointed to by registers (search in registers toggle)
and it can search in the Information pane of the CPU window (search in information toggle).
Read the “Information window” help section of the OllyDbg v1.10 help file if you’re not familiar
with the Information pane.
If the search string is not found, debugging is resumed. If the current address
is lower than the limit address (by default 0x10000000) a step into command is
issued. A step over command is issued if the current address is higher than the
limit address, or if the current command is a call/jump to an address higher
than the limit address.
The limit address can be changed in the Options dialog.
The plugin can be disabled automatically when the search string is found (Disable after break toggle).
I added this option because I usually want to single step after finding the search string,
but often forgot to disable the plugin before single stepping.
Restarting the debugged program disables the plugin.
Debugging example:
•Start OllyDbg and load the ftp.exe program (in system32 directory)
•Start the OllyStepNSearch plugin “Options” menu command
•Enter “google” as Search string (without the double quotes, of course)
•Enable StepNSearch
•Click OK
•Press F7 to start debugging
•Go to the FTP window and type “open google.com” and press enter
• The StepNSearch plugin will stop debugging when a register points to a string containing google. On my Windows XP SP2, this happens when EAX points to “open google.com”.
•You can continue with F7 and see how ftp.exe parses the “open google.com” command
Here is a movie of this example on YouTube, a hires (XviD) version can be found here.
Download:
OllyStepNSearch_V0_6_1.zip (https)
MD5: D32BA4B0042BF9342B05FCBC0CF573B6
Like this:
Like Loading...
Comments (13)
13 Comments »
1.Awesome plugin. This will save a lot of time.
Thank you.
Comment by saida — Monday 11 September 2006 @ 15:34
2.what do you think about this- http://www.cracklab.ru/f/files/110c_13.11.2006_CRACKLAB.rU.tgz?
It is a trace script for Olly for logging all jxx (jne ..,jz.. …).
Is it possible to realize in your plugin?
Thanks
Comment by r999 — Saturday 25 November 2006 @ 12:01
3.No, OllyStepNSearch will not trace jumps. But since my plugin steps through the debugged program, it can be adapted to trace jump instructions.
Comment by Didier Stevens — Saturday 25 November 2006 @ 15:48
4.Thankyou, this is just what i needed.
U R KING
Comment by Matt — Tuesday 10 April 2007 @ 3:03
5.I think you should make a fully unicode compatible version by combining Decodeascii and Decodeunicode and by using unicode compatible dialog wih GetDlgItemTextW, wcsstr… just some idea
Comment by mikado — Sunday 2 December 2007 @ 4:57
6.OK, but until now, nobody asked me for unicode support.
Comment by Didier Stevens — Monday 3 December 2007 @ 19:51
7.Then I ask you. Please make it for me. Luv ya :P hehehe
Comment by mikado — Thursday 20 December 2007 @ 18:14
8.Unicode would be a very usefull addition indeed.
Comment by Thierry Zoller — Thursday 14 May 2009 @ 20:29
9.we need unicode yes but how are you going to do it? ollyscripting has “unicode 1″ (toggle) not implemented yet. good luck, we appreciate your work
Comment by Stefanie — Saturday 26 September 2009 @ 16:21
10.> we need unicode yes but how are you going to do it?
No idea, have yet to look at it ;-)
Comment by Didier Stevens — Sunday 27 September 2009 @ 12:05
11.Nice, should save me a lot of time, appreciate ur work man !
Comment by Vpoint7 — Wednesday 30 December 2009 @ 18:55
12.[…] Stevens wrote OllyStepNSearch, a plugin for OllyDbg to automatically step through a program in OllyDbg until an ASCII search […]
Pingback by OllyStepNSearch v0.6.2 – OllyDbg v1.10 Plugin and Source « MyBlog™ — Tuesday 30 November 2010 @ 23:07
13.I’ve optimized this plugin and added Unicode and Pascal searches along with the ASCII.
http://www.myblog.org/?p=263
Comment by Mark Adams — Tuesday 30 November 2010 @ 23:09
