Heya, sometimes you have to reverse an ASLR "protected" process with OllyDbg. Unfortunately, Olly does not have a JUMP-TO (Ctrl+g) command that understands offsets relative to the module base. So I implemented one myself using mmBBQ.
-- Hook body: runs before OllyDbg's Cexpression() and rewrites a "+<hex offset>"
-- expression into an absolute address relative to the main module's base.
function odbg_cexpression_offset(context)
    local addr = context.arg32(1, "wchar_t*");   -- pointer to the expression string (wchar_t[256] on Olly's stack)
    local wstring = wstr(addr);                  -- convert the wide string to a Lua string
    if string.sub(wstring, 1, 1) == "+" then
        local mod = odbg.getMainModule();
        local offset = tonumber(string.sub(wstring, 2), 16);   -- value after the "+", hex like every Olly expression
        if offset then
            local string_addr = string.format("0x%X", offset + mod.base);
            dbg.writeMemory(addr, char2wchar(string_addr));    -- overwrite the expression in place, no extra buffer needed
        end
    end
end
codecave.inject("odbg_cexpression_offset", getProcAddress(0, "Cexpression"), odbg_cexpression_offset, codecave.INTERCEPT_PRE);
It simply injects a codecave at the function Cexpression. Whenever that function is called (Ctrl+g -> Follow expression), the hook checks whether the first character of the string is a + and adds BaseOfCode+ImageBase to the value after the +. I will add an OllyDbg package to mmBBQ in a later revision.
greetz defragger
EDIT:
I changed the code a bit: we don't need to allocate a buffer for our new string. Olly already reserves enough room on the stack (wchar_t[256]) for the expression string, so we simply write into that stack buffer :)
In case of ASLR’ed images, why don’t you use LABELS?
You can use (Shift+:) to insert labels at addresses of interest. Upon terminating, OllyDbg inserts labels in the .UDD file as relative offsets. Next time OllyDbg loads the image LABELS are restored from the corresponding .UDD file.
hey, what about the MMORPG Bot series, will it be continued? That was so cool.
Also, you can just download and install the "Enhanced Mitigation Experience Toolkit" aka EMET from Microsoft.
Then you can turn it off and on globally.
It has some per process control options but unfortunately you can’t turn ASLR completely off that way; has to be global.
Yes, you're right, you could also change the DllCharacteristics flag in the PE header. But if you want to do something productive with your work, you have to work with offsets :)
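As an added example (Python, not part of the post or of mmBBQ), the two ideas discussed above put together: the "+offset" rebasing arithmetic that the Cexpression hook performs, and the DllCharacteristics check from the reply, which tells you whether an image opts in to ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0040). The PE header bytes are constructed inline as a sample; the runtime base used for rebasing is an assumed value.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in bit in the optional header

def parse_pe_header(data):
    """Return (ImageBase, DllCharacteristics) from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    return image_base, dll_chars

def aslr_enabled(dll_chars):
    """True when the image asks the loader for a randomised base."""
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

def resolve_expression(expr, runtime_base):
    """Mirror of the hook: '+1A2B' becomes runtime_base + 0x1A2B, anything else passes through."""
    if not expr.startswith("+"):
        return expr
    return "0x%X" % (runtime_base + int(expr[1:], 16))

def build_sample_header(image_base, dll_chars):
    """Constructed minimal PE32 header for demonstration only (not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)          # 0x40-byte DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    hdr = build_sample_header(0x00400000, 0x8140)            # DYNAMIC_BASE set in the sample
    base, chars = parse_pe_header(hdr)
    print("ImageBase=0x%X ASLR=%s" % (base, aslr_enabled(chars)))
    print(resolve_expression("+1A2B", 0x00A30000))         # assumed runtime base of the loaded module
```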