Adding Lua to ollyDbg with mmBBQ (example poc)

defragger · **Joined:** Wed Nov 02, 2011 7:02 am **Location:** Germany

Heya,

i would like to show our new mmBBQ API with a nice prove of concept.
We will add Lua scripting to ollyDbg.

What you need is:
- http://duschkumpane.org/mmbbq/releases/mmbbq_3.0.0.zip
- a text editor (notepad is okay)

Unzip the archive use START.bat without changing anything to get a list of processes in your system that you could inject our mmbbq into.

Just select the index or pid of the process.

Youre able to define a new target in the config.lua file, so that mmbbq will inject into it if the process is available. Make your TARGETS section in config.lua look like this:

Code: Select all

_G.TARGETS = {  
   {
      ["name"] = "ollydbg",
      ["title"] = "OllyDbg",
      ["ver"] = "2.01 (alpha 4)",
      ["exe"] = "ollydbg.exe",
      ["lua"] = "olly_target.lua",
   },
};

The ["lua"] part defines the entry to the lua script for the new target. Just create olly_target.lua and add your
lua code that will be executed when you inject mmbbq into ollyDbg 2.0. Now its time for some reversing stuff.
Just start ollyDbg and attach another to it, search in the attaching olly for "Names". There you can find the exported olly functions:

There you can find for example Setint3breakpoint, if we set a breakpoint there and set a breakpoint in the other olly we will see how this function will be called.

A call from our lua API to Setint3breakpoint will now look like this:

Code: Select all

function setBp(address)
  asmcall.cdecl(getProcAddress(0, "Setint3breakpoint"), address, 0x3001000, 0, 0, 0, 0x53E4B7, 0x53E4B7, 0x53E4B7);
end

I have done some additional functions:

Code: Select all

function removeBp(address)
  asmcall.cdecl(getProcAddress(0, "Removeint3breakpoint"), address, 0x1000);
end

function findLabel(address)
  local buffer = new("wchar_t[255]");
  asmcall.cdecl(getProcAddress(0, "Findlabel"), address, buffer, 0);
  local label = dbg.readWStr(buffer_ptr, true);
  print(label);
end

function addLabel(label, address)
  local wlabel = char2wchar(label);
  asmcall.cdecl(getProcAddress(0, "InsertnameW"), address, 0x21, wlabel);
end

So we are able to find labels for a specific address, set labels, set and remove INT3 breakpoints from lua

Our POC in action:
Set and remove Breakpoints in ollyDbg from Lua (mmbbq) - YouTube

Additional information about mmBBQ: mmBBQ

Feel free to ask or visit us at irc.freenode.net #duschkumpane

greetz defragger

Vampirewolve · **Joined:** Tue Mar 01, 2005 8:31 pm

Looks nice.

TheUnknownSoldier · **Posted:** Sat Aug 04, 2012 6:31 am

nice idea, but two comments:
1) there is an unofficial ollydbg2 sdk, no need to go the long way to get function defs
2) Y U NO USE FFI?

willsteel · **Joined:** Mon Oct 31, 2011 5:30 pm **Location:** Germany

TheUnknownSoldier wrote:

2) Y U NO USE FFI?

we use ffi a lot. but not in this example. you can use it of course for the exported olly functions.
we use the asmcall wrappers to call internal non-exported functions that need to have several registers set properly in order to run. ffi cant handle that. see http://duschkumpane.org/mmbbq/luadoc/modules/common.asmcall.html. This module gives you the missing pieces that ffi dont offer for non-exported functions, register usage or other special calling conventions. asmcall can also be used to delegate a function call to the main thread, that is very useful and required when reversing GUI applications in order to get around deadlocks and such. ffi cant handle those things.

but in this case (exported olly functions) your right. ffi is also possible. mmbbq uses LuaJIT and so ffi can be used anywhere in it like this:

Code: Select all

ffi.cdef[[
  int Removeint3breakpoint(address, int foobar);
]]
ffi.C.Removeint3breakpoint(0x12345678, 0x1000);

cheers,
will

defragger · **Joined:** Wed Nov 02, 2011 7:02 am **Location:** Germany

Thought its more informative cause others see how to reverse without any information from a sdk or something like that.

TheUnknownSoldier · **Posted:** Tue Aug 07, 2012 8:05 am

defragger » Mon Aug 06, 2012 9:16 am wrote:

Thought its more informative cause others see how to reverse without any information from a sdk or something like that.

not really that 'informative' when you have symbol data available, its almost on par with having the SDK, but it should its point of interacting with olly from Lua. might be cool if y'all used the plugin sdk to create an auto-loader for mmBBQ (you could even use it to communicate to mmBBQ in an attached process).

willsteel wrote:

TheUnknownSoldier wrote:

2) Y U NO USE FFI?

we use ffi a lot. but not in this example. you can use it of course for the exported olly functions.
we use the asmcall wrappers to call internal non-exported functions that need to have several registers set properly in order to run. ffi cant handle that. see http://duschkumpane.org/mmbbq/luadoc/mo ... mcall.html. This module gives you the missing pieces that ffi dont offer for non-exported functions, register usage or other special calling conventions. asmcall can also be used to delegate a function call to the main thread, that is very useful and required when reversing GUI applications in order to get around deadlocks and such. ffi cant handle those things.

now that second part is pretty cool, good to see that you are using FFI then

Blizzhackers

Adding Lua to ollyDbg with mmBBQ (example poc)

Who is online