I have a program that executes differently depending on what files are present on my computer. I'd like to run a trace in two scenarios (with the default file and with an edited version of the file) and then compare the traces to see where things differ.
Is there an in built method to do this in ollydbg? I'm by no means an expect with ollydbg, but I'm willing to put in any amount of time and effort to figure this out - I just need a little direction.
Thanks!
version used: ollydbg v2 but method is similar for v1 too
ollydbg allows you to log the trace i have done some crude diffs in the past as below you can try improvise
here is the source code that's used for demo
keep in mind i had the source so i compiled it and linked with with /FIXED linker switch to vs 2017 linker so that ASLR doesn't get into play and make life harder if you have a prebuilt binary and cant force load it in same address each time text diffing will be tedious
for example push 402080 will be push f02080 which shouldn't matter but text diff will show it a a difference and it is pure noise
#include <stdio.h> #include <stdlib.h> void main (int argc , char *argv[]) { if (argc !=2 ) { printf("usage %s password\n" , argv[0]); exit(-1); } int password = atoi(argv[1]); if(password == 1337) { printf("good\n"); exit(1); } else { printf("Try again\n"); exit(0); } } open a blank ollydbg and set trace options like this and close it
open a command prompt and run the executable wit a wrong pass
ollydbg.exe diffway.exe 4567 when ollydbg stops on initial breakpoint open the trace window 1) view run trace or ... icon
2) right click
3) log to file -> file name (say wrongpass.txt)-> ok
4) ctrl+f11 to trace in this will end in a termination
5) trace window-> right click -> stop Logging -> close ollydbg
repeat the procedure with right pass and rightpass.txt as file name
you will now have two text files of two executions
sed grep awk diff are your friends now
rip the modified registers column we are not interested in registers
sed s/"...=.*"//g wrongpass..txt >> ripwrongpass.txt sed s/"...=.*"//g rightpass..txt >> riprightpass.txt diff -w riprightpass.txt ripwrongpass.txt we got the first divergence between executions here
:\>diff -w riprightpass..txt ripwrongpass..txt 170028,170029c170028,170029 main 00401050 PUSH 0043E1B4 main 00401055 CALL 004010C0 --- main 00401066 PUSH 0043E1BC main 0040106B CALL 004010C0 170477a170478,171087 > main 00410D40 MOVZX EAX, BYTE PTR DS:[ECX*8+EAX+43EF78]; > main 00410D48 SHR EAX, 4
