I want to know how I could manually execute a function that exists inside the attached application. I have searched everywhere and can't find any useful word about it. In IDA Pro it is called appCall, so what is its equivalent for Olly?
Calling any function manually is equivalent to assembling the function call in place.
Suppose you are running calc.exe under OllyDbg.
The internal function SetBox(<x>, <y>) sets the check mark in the Inv and Hyp check boxes in scientific mode.
<x> can have two values: set == 1 and unset == 0.
<y> == ID of the check box, and you have determined the IDs to be 0x8c and 0x8d.
You have also determined that this function is __stdcall.
Suppose you want to call this function manually and want to set the check box with ID 0x8c. All you need to do is find a place, assemble the following sequence and execute it:
push 1
push 0x8c
call calc.SetBox
When doing this, all you need to take care of is not to corrupt the stack, and when you have finished executing the snippet, return back to the place where you originally diverted from.
ollydbg.exe calc.exe -> F9 to run the exe and then F12 to pause. Note the address where OllyDbg has paused (for XP SP3 it will be ntdll!KiFastSystemCallRet()).
Now find a code cave, assemble, use "New origin here" to transfer EIP to the newly assembled code, and execute the snippet. When done, select the original paused address (for XP SP3 ntdll!KiFastSystemCallRet()), reset EIP back to that address with "New origin here" and F9 to run the exe. You will notice you have set the check mark without clicking on the check box :)
On occasions I either do it manually (F12, bookmark EIP, scroll down to vacant space, assemble, execute and return back via bookmark)
or use a script and run it with ODbgScript.
Script for the scenario described above (calc check box), when you have paused OllyDbg with F12, below.
Edit: commented script and added a malloc to get rid of the cave-searching chore.
var myret ;variable
var cave ;variable
var mem ;variable
mov myret, eip ;save current eip
alloc 1000 ;allocate memory (no need to search for code caves)
mov mem, $RESULT ;save for freeing the allocated memory
mov cave, $RESULT ;move newly allocated space to var cave
mov eip, cave ;detour current eip to cave
asm cave, "push 01" ;assemble instruction (pop all you push, don't corrupt the stack)
add cave, $RESULT ;length of the assembled instruction added to find the next address for assembling
asm cave, "push 08c" ;assemble next instruction
add cave, $RESULT ;length of the previous instruction added to the current address
asm cave, "call calc.SetBox" ;assemble call
step ;we assembled 3 instructions, let's step thrice
step ;
step ;
mov eip, myret ;restore saved eip
free mem, 1000 ;free
go ;run the binary to notice the check box ticked
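As an added example (not part of the answer above), the same ODbgScript approach generalised to the two things the answer says you must take care of: the called function must not clobber registers the paused code relies on, and the stack must be left exactly as it was, which for a __cdecl target means the caller removes the arguments itself. `target.Func` and its two arguments are hypothetical placeholders, not from calc.exe; the script uses only the commands the answer's script already uses.

```odbgscript
var myret            ; saved EIP of the paused debuggee
var cave             ; address at which the next instruction is assembled
var mem              ; base of the allocated block, kept for free
mov myret, eip       ; remember where the debuggee was paused
alloc 1000           ; scratch block instead of searching for a code cave
mov mem, $RESULT
mov cave, $RESULT
mov eip, cave        ; detour EIP into the scratch block
asm cave, "pushad"   ; save all general registers so the call cannot clobber them
add cave, $RESULT    ; $RESULT is the length of the instruction just assembled
asm cave, "push 0"   ; second argument (pushed first: arguments go right to left)
add cave, $RESULT
asm cave, "push 08c" ; first argument
add cave, $RESULT
asm cave, "call target.Func" ; hypothetical __cdecl target taking two dword args
add cave, $RESULT
asm cave, "add esp, 8" ; __cdecl: caller pops 2 * 4 bytes; omit this for __stdcall
add cave, $RESULT
asm cave, "popad"    ; restore the saved registers
step                 ; pushad
step                 ; push 0
step                 ; push 08c
step                 ; call (must step over the call, as the answer's script assumes)
step                 ; add esp, 8
step                 ; popad
mov eip, myret       ; back to the original pause address; stack and registers are as before
free mem, 1000
go
```

If the stack were wrong after this, the debuggee would fault as soon as it resumed, so comparing ESP before and after the snippet in the registers pane is a quick sanity check.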