OllyDbg 2.01 - Finding a command referencing a static string - debugging

I've taken up cracking and reverse-engineering recently with the help of OllyDbg 2.01 and crackmes executables.
So in this particular crackme, I was scrolling through the commands and noticed a PUSH with an ASCII string "&File" (it's a menu string) :
So I thought : "If I can find this information by simply scrolling, surely there must be an automatic way to find a command referencing a particular string".
So I get to the top of the program, hit CTRL+B and search for ASCII "File" to hopefully find it again :
After hitting OK, OllyDbg doesn't find the earlier PUSH. Instead, I get this :
Mmmh.. Okay, that's not what I expected, but let's see what's in there. so I right click => Follow in Dump, and I get this :
So yeah, we found our string in the dump. However, I still haven't found my original PUSH. You can also notice that the string's address is the same as the PUSH's argument (40512C).
As a last try, I right click on the letter at address 40512C, select "Find References", but nope : no reference found.
So TL ; DR question : how do I automatically find a command referencing a string ? Because obviously I'm not gonna scroll the whole command stack everytime I want to find a string.
PS : the string doesn't appear in "referenced text strings" either.
Thanks in advance for your help.
EDIT : okay so I found a solution. I searched the code for "2C 51 40 00" which is the address backward, and i found my PUSH again. It's a bit hacky, anyone with a more efficient solution is welcome to share.

So, there are multiple ways to do this. What I prefer is the following :
Ctrl+G and go to your string in the dump. (0x0040512C) Select the first byte and hit Ctrl+R. This will give you a list where the particular string is referenced. You could also place a hardware breakpoint on the first byte of the string "&" and then you will break every time something accesses it. You could also search for constants (the address or the ascii characters themselves).
By the way there is a subsite dedicated for reverseengineering :)

Related

To build a flow using Power Automate to download linked csv report in gmail

I'm trying to create a flow using Power Automate (which I'm quite new to) that can get the link/URL in an email I receive daily, then download the .csv file that normally a click to the link would do, and then save the file to a given local folder.
An example of the email I get:
Screenshot of the email I get daily
I searched in Power Automate Community and found this insightful LINK post & answer almost solved it. However, after following the steps and built the flow, it kept failing at the Compose step.
Screenshot of the Flow & Error Message
The flow
Error message
Expression used:
substring(body('Html_to_text'),add(indexOf(body('Html_to_text'),'here'),5),sub(indexOf(body('Html_to_text'),'Name'),5))
Seems the expression couldn't really get the URL/Link? I'm not sure and searched but couldn't find any more posts that can help.
Please kindly share all insights on approaches or workarounds that you think may help me solve the problem and truly thanks!
PPPPPPPPisces
We need to breakdown the bits of the function here which needs 3 bits of info
substring(1 text to search, 2 starting position of the text you want, 3 length of text)
For example, if you were trying to return an unknown number from the text dog 4567 bird
Our function would have 3 parts.
body('Html_to_text'), this bit gets the text we are searching for
add(indexOf(body('Html_to_text'),'dog'),4), this bit finds the position in the text 4 characters after the start of the word dog (3 letters for dog + the space)
sub(sub(indexOf(body('Html_to_text'),'bird'),2)),add(indexOf(body('Html_to_text'),'dog'),4)), I've changed the structure of your code here because this part needs to return the length of the URL, not the ending position. So here, we take the position of the end of the URL (position of the word bird minus two spaces) and subtract it from the position of the start of the URL (position of the word dog + 4 spaces) to get the length.
In your HTML to text output, you need to check what the HTML looks like, and search for a word before the URL starts, and a word after the URL starts, and count the exact amount of spaces to reach the URL. You can then put those words and counts into your code.
More generally, when you have a complicated problem that you need to troubleshoot, you can break it down into steps. For example. Rather than putting that big mess of code into a single block, you can make each chunk of the code in its own compose, and then one final compose to bring them all together - that way when you run it you can see what information each bit is giving out, or where it is failing, and experiment from there to discover what is wrong.

Whenever specific button clicked it does something in Pascal

Hello.
Can anyone help me with scanning buttons always and when I click specific one it does something even Im writing? I want to be filling a record with like 9 attributes but when Im atc. at fourth I want to close it. I tried some readkey stuff :
procedure searching();
var p:char;search:string='';
begin
repeat
p:=readkey();
write(p);
search+=chr(p);
until (p=#27) or (p=#13);
if (p=#27) then menu()
else
...
but the problem was that it written some character it was not possible to erase it and I knew that backspacing and writing again made my search filled with characters I did not wanted in there. Couldn't find a topic about it in pascal so im trying here. Don't flame for english please. Hope you get what I meant, also English is maybe the problem I can't find it, whatever. Waiting for answer, Thanks, Maroš.
but the problem was that it written some character it was not possible to erase it
Why not? Just handle #8 (backspace) and truncate your last character from the search string. You can use both System.Delete (by deleting the last character) and System.SetLength (by setting the length to current length - 1).

How do I remove the 'Done' message after my program has executed?

I made a program that is similar to clearing RAM. However, it always leaves a "Done" message followed by a dotted line after being executed. In addition, if you scroll up, you can see that the program was executed. Is there a way to remove both of these things? If you can't hide the fact that a program was executed, could you suppress the 'Done' message?
I have tried adding ClearHome" and " as the last line of my program, and neither stops the Done message from displaying.
Bonus points if your solution can be contained within the original program.
In a separate program, type the following line of code:
AsmPrgmFDCB00AEC9
Then at the end of the original program, type the following line of code:
Asm(prgmPROGRAMNAME
It is recommended that you test this out first with all programs archived, just running the above line of code alone, in case it fails. Hex codes like that one have been known to fail, and sometimes clears the RAM.
You can also try these other hex codes, but always keep in mind the warning above. My RAM has been cleared by this before, so use caution:
http://tibasicdev.wikidot.com/hexcodes
This works on TI 83 and 84, may be different with other calculator types.
EDIT:
I found a way to do this without an external program, and is much simpler.
Just add the following line of code to the end of your program:
Output(1,1," //no space, just a quote
You may or may not have to add ClrHome before that line of code.
This should prevent the Done message from appearing at the end.
Hope this helps!
Put an empty string at the end of your program, so your last line looks like this:
""
Or this
"
The empty string is stored to ans and will be displayed as a blank line rather than the Done message.
There is also an assembly hexcode to do this without leaving the blank line at the top:
FDCB00AEC9
When run at the end of the program using one of the various methods of running assembly, it will leave you with a blank, fully operational homescreen.
Outputting an empty string will prevent the Done message and also preserve Ans, in case a calling program is expecting to use it.
Output(Y,X,"")
See http://tibasicdev.wikidot.com/output for more details on Output(.
In your situation, run Clear Entries (found under Mem), then scroll up so that the Done message is selected and press Clear to get rid of it.

using xpath in selenium.get.Text and selenium.click

I have Адреса магазинов on page and want to store text, then click on this link and verify that the page where am I going to contains this text in headers. So I tried to find element by xpath, and selenium.getText get the right result, but selenium.click goes to another link. Where have I made a mistake? Thanks in advance!
String m_1 = selenium.getText("xpath=html/body/div[3]/div[2]/div[1]/h4[1]");
selenium.click("xpath=html/body/div[3]/div[2]/div[1]/h4[1]");
selenium.waitForPageToLoad("30000");
assertTrue(selenium.getText("css=h3").contains(m_1));
page:http://www.svyaznoy.ru/map/
Resume:
using xpath=//descendant::a[#href='/address_shops/'][2] or css=div.deff_one_column a[href='/address_shops/'] get right results
using xpath=//a[#href='/address_shops/'] - Element is not currently visible
xpath=//a[#href='/address_shops/'][2] - Element not found
There is a missing slash at the beginning of the expression. I am kind of surprised this got through at all - the first slash means "begin at root node".
Also, it is better to select the <a> element instead of the <h>. Sometimes it works, sometimes is misclicks, sometimes the click doesn't do anything at all. Try to be as concrete as you can be.
Try this one.
String m1 = selenium.getText("xpath=/html/body/div[3]/div[2]/div/h4/a");
selenium.click("xpath=/html/body/div[3]/div[2]/div/h4/a");
selenium.waitForPageToLoad("30000");
// your variable is named m1, but m_1 was used here
assertTrue(selenium.getText("css=h3").contains(m1));
By the way, there are even better XPath expressions you could use. See the documentation, it really is helpful. Just an example, this would work, too, and is much easier to write and read:
String m1 = selenium.getText("xpath=//a[#href='/address_shops/']");
selenium.click("xpath=//a[#href='/address_shops/']");
Sorry, didn't notice page link. Css for second link can be something like that css=div.deff_one_column a[href='/address_shops/']

I get this window while editing Ruby Files in Vim. What is it?

I usually get this new window open up suddenly while I am editing a Ruby file in VIM. This is getting irritating because, i cant type in anything while its processing. And it usually happens arbitarily. Does any one here know which plugin could be doing this? Or is this somekind of VIM's process?
This is happening when you hit K in normal mode.
K Run a program to lookup the keyword under the
cursor. The name of the program is given with the
'keywordprg' (kp) option (default is "man"). The
keyword is formed of letters, numbers and the
characters in 'iskeyword'. The keyword under or
right of the cursor is used. The same can be done
with the command >
:!{program} {keyword}
There is an example of a program to use in the tools
directory of Vim. It is called 'ref' and does a
simple spelling check.
Special cases:
- If 'keywordprg' is empty, the ":help" command is
used. It's a good idea to include more characters
in 'iskeyword' then, to be able to find more help.
- When 'keywordprg' is equal to "man", a count before
"K" is inserted after the "man" command and before
the keyword. For example, using "2K" while the
cursor is on "mkdir", results in: >
!man 2 mkdir
- When 'keywordprg' is equal to "man -s", a count
before "K" is inserted after the "-s". If there is
no count, the "-s" is removed.
{not in Vi}
If you notice, it's running ri in the open window, which is the ruby documentation app.
In Unixy environments, the help program normally runs inline, just displacing the vim output for a minute.
Is this using gvim, or command-line vim?
In either case, you can try monkeying with 'keywordprg' to fix the popup
Or, if you can't train yourself not to type it, you can just use :nnoremap K k to change what K does (in this case, just treat it as normal k command and go up one line).
I have this same issue on my work desktop, but not my home machine. The setups are near identical.
While stalking down a possible cause, I noticed that when I leave my cursor over a Ruby symbol such as File, Vim would popup a short description of the File class. After comparing all the various vim scripts and ri-related files that I could find, I finally settled on the only solution that worked...
Open $HOME/_vimrc and add the following line:
autocmd FileType ruby,eruby set noballooneval
Previously, I commented out a block in $VIMRUNTIME/ftplugin/ruby.vim, but Brian Carper suggested a better solution of :set noballooneval. I added the autocmd line so it is only executed with Ruby files.
If anyone figures out a true solution, please contact me. :(

Resources