I have searched and searched and cannot find what I'm looking for. I'm using ollydbg 2.1 and I can't figure out what a line is comparing. The line is "CMP CL, BYTE PTR DS:". I understand this except I can't figure out where I can see the value of CL. I know it's an 8 bit register, and edx is a 32 bit register, but I can only find the value of the 32 bit registers, not the 8 bit registers. I was thinking cl could possibly be taking the first 8 bits of one of the 32 bit registers but I don't know which one. I believe this line is comparing the first byte in the edx register to the cl register, but where is the cl register?

Another question I CANNOT find anywhere is, suppose I want to save the modifications I did. I know people get flamed for this question, but that's because they are asking about ollydbg 1. I'm using ollydbg 2 and it does not have an option to save the executable, and hours of googling have turned up no results on either of these questions. I would be grateful for any advice, thanks!
Posted on 2011-03-21 03:43:32 by iedoc

You ask for pretty basic information available just about everywhere on the web.
Start here: http://en.wikipedia.org/wiki/X86
Posted on 2011-03-21 06:33:41 by p1ranha
Please read Intel's "Intel® 64 and IA-32 Architectures Software Developer’s Manual", Volume 1, chapter 3.4.1.
Posted on 2011-03-21 13:31:16 by ti_mo_n
Hey, thanks for your speedy replies! I think you're mistaking my questions though. I understand what the 32 and 64 bit architectures are, and a little about the registers. I was asking for information specifically on ollydbg 2.1, since it seems to be a newer release, and there is not too much information on what I'm looking for. Anyway, I found the answer to my first question, and I can't believe I missed it (I don't have much experience with debuggers, and just recently got ollydbg). For every line of code being executed in ollydbg, you can find what values the line of code is using, so when I got to the ones using the 8 bit register "CL" I saw the value under the disassembler window. You can also see what the values of all the registers are by double clicking the 32 bit register in the register window. I didn't realize CL was not independent of the 32 bit registers, but the first 8 bits of the 32 bit "ECX" register.

About my second question though, I'm still not able to figure it out. I know injecting modified code into an exe can totally mess it up, especially since the memory locations can change each time the program is started, I think. I know in ollydbg 1 you could just right click the disassembler and say save to executable, then "all code" or something, but there is nothing like that in ollydbg 2.1. There is an option to save backup, but it saves it in a bin, and I believe you can only use that bin file "in" ollydbg when you're running that program, if that makes sense. So any help on figuring out how to save your modified code would be great! Thanks again!
Posted on 2011-03-22 05:25:17 by iedoc
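An added example, not part of the original thread: a small C model of how CL, CH and CX are carved out of ECX and of the flags an 8-bit CMP against a memory byte produces. The memory operand of the instruction is not shown in the thread, so the byte is simply passed in as a parameter; the function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Flags updated by CMP that conditional jumps test afterwards. */
struct cmp_flags { int zf, cf, sf, of; };

/* Sub-registers are views into ECX, not separate storage:
 * CL = bits 0-7, CH = bits 8-15, CX = bits 0-15. */
static uint8_t  reg_cl(uint32_t ecx) { return (uint8_t)(ecx & 0xFF); }
static uint8_t  reg_ch(uint32_t ecx) { return (uint8_t)((ecx >> 8) & 0xFF); }
static uint16_t reg_cx(uint32_t ecx) { return (uint16_t)(ecx & 0xFFFF); }

/* Model of "CMP CL, <byte in memory>": computes CL - mem8 as an 8-bit
 * subtraction, throws the result away and keeps only the flags.
 * mem8 stands for the byte the memory operand points at (assumption:
 * the caller has already read it). */
static struct cmp_flags cmp_cl_mem8(uint32_t ecx, uint8_t mem8)
{
    uint8_t cl = reg_cl(ecx);
    uint8_t diff = (uint8_t)(cl - mem8);
    struct cmp_flags f;

    f.zf = (diff == 0);          /* equal -> JE/JZ taken */
    f.cf = (cl < mem8);          /* unsigned borrow -> JB taken */
    f.sf = (diff >> 7) & 1;      /* sign bit of the 8-bit result */
    /* Signed overflow: operands differ in sign and the result's sign
     * differs from CL's. */
    f.of = (((cl ^ mem8) & (cl ^ diff)) >> 7) & 1;
    return f;
}

int main(void)
{
    /* Constructed sample: the upper 24 bits of ECX do not affect the compare. */
    uint32_t ecx = 0x12345641u;
    struct cmp_flags f = cmp_cl_mem8(ecx, 0x41);

    printf("ECX=%08X CX=%04X CH=%02X CL=%02X\n",
           (unsigned)ecx, (unsigned)reg_cx(ecx),
           (unsigned)reg_ch(ecx), (unsigned)reg_cl(ecx));
    printf("CMP CL,41h -> ZF=%d CF=%d SF=%d OF=%d\n", f.zf, f.cf, f.sf, f.of);
    return 0;
}
```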
Basically, it looks like you're trying to "patch" an exe and then save it. I hope you realize it's illegal in many countries.
Posted on 2011-03-22 09:38:35 by ti_mo_n
Like I said earlier, I don't have much experience debugging and using ASM. I did a little searching for the best debugger, and it seemed to be between ollydbg and softice. I can't find softice (maybe I haven't looked hard enough), and ollydbg was free and easy to get. So in defense of myself, I have written a program for my company to connect to our mssql database and access our clients' information. However, I keep getting an access violation when trying to store certain client information on the computer. This program I'm making for my company is not mandatory, giving me as much time as I need to finish it, so I've decided to try to fix this error outside of visual studio, just for the fact I'd like to learn a little more (the guy in our networking department always says it's good to know a little about everything). I know I don't really know what I'm doing, so I'm sure I will not be able to fix this problem with ollydbg, but if I HAPPEN to find the problem and fix it with ollydbg, I would like to save the exe, because this problem is the only thing between me and a very large bonus ;)

I posted my questions in this forum as it seemed you guys might be able to help. I appreciate your effort though.

About patching programs in other countries, I'm in China, and I'm pretty sure there are no upheld laws on anything like patching a program. You can find fake everything here, even copied movie stores; copyright means nothing here.
Posted on 2011-03-22 22:17:51 by iedoc

About patching programs in other countries, I'm in China, and I'm pretty sure there are no upheld laws on anything like patching a program. You can find fake everything here, even copied movie stores; copyright means nothing here.


Which reaffirms why many people/companies don't care to take the time or money to customize or market their products in those countries...
Posted on 2011-03-23 10:27:53 by p1ranha
Regarding the question at hand:
I've not used the newer versions of OllyDBG, but if you wanted to save a modified executable with OllyDBG in the older versions you needed to use the OllyDump plugin. I've used this to help a friend learn about opcode encodings by writing a "blank" program that has a few thousand NOP instructions followed by a call to ExitProcess; my friend was able to modify the NOPs and play around with the encodings, and save his state as he learned.

Regarding the current path of this thread:
We can do without any political arguments. And whether or not China has reverse engineering laws is irrelevant because it's against the forum rules.

Specifically this phrase:
Reverse Engineering discussion is generally not allowed due to the overwhelming nature of unprofessional people and their malicious purposes related to this subject. Since this website is under US Law, technically, if the discussion does not violate the DMCA and does not involve malicious intent, it is OK. Realistically, history shows that majority of questions posted involve some form of malicious or illegal intent, so we tend not to help people who ask questions related to any part of reverse engineering. In light of this, we ask you to limit your questions on how to operate a specific and legal debugger only. Unofficial plug-ins of any debugger are not supported here since they also tend to be written by other people with malicious intent. We have many excellent and knowledgeable programmers in this community, and they can usually figure out what you are trying to do. If we suspect you are doing something illegal, we will ask, and we reserve the right to not help you. So please, keep it clean and legal.


I've highlighted the few important parts. If you are looking for reverse engineering help, from now on I suggest directing your questions to the RCE board or some other related forums.

Regards,
Bryant Keller
Posted on 2011-03-23 17:03:26 by Synfire

Which reaffirms why many people/companies don't care to take the time or money to customize or market their products in those countries...


^^^Not gonna argue with that one

And thanks for attempting to answer my question Synfire, I appreciate it. I don't know exactly if what I was trying to do is reverse engineering; I was just following my code through line by line to find the cause of the error, but I can definitely see why you might think I'm doing something illegal. Most of what google brought me to when searching for ollydbg was about cracking and stuff. Anyway, I was never really good at debugging my code, especially with a language I know almost nothing about. I know ollydbg has something called trace or whatever; I checked it out but I ended up just fixing the error in visual studio. I'll probably look into ASM sometime in the future, I know it could be very useful. But thanks again for trying to help, I'll come back to these forums if I have more questions about asm in the future.

I forgot to mention I didn't even realize reverse engineering was against these forum rules in the first place, so sorry if I broke the rules, did not mean to.
Posted on 2011-03-24 05:34:41 by iedoc