In this tutorial, I will attempt to introduce you to using OllyDBG. Olly has many functions and the only way to truly learn them all is to experiment and practice. That being said, this tutorial will give you a brief overview. Additional topics not covered in this tutorial will be discussed in later tutorials, so that by the end, you should have a pretty good grasp of Olly.
I am including some files in this tutorial. You can download the files and PDF version of this tutorial on the tutorials page. They include a simple binary that we will be using in olly, an Olly cheat sheet, my version of Olly with some cosmetic changes, and a new ini file that you can replace Olly’s default init file with that will help with new users (thanks go out to the immortal Lena151 for this). They can be downloaded directly here or from the tutorials page. If you would rather use the original Olly, you can download it here .
Loading the app
The first step is to load the intended binary into Olly. You can either drag and drop the file onto Olly’s disassmebly window, or click the load icon on the top far left and choose the file. In this case, load “FirstProgram.exe”, downloaded from this site. Olly will do analysis (if you can read it fast enough in the bottom bar of Olly’s display) and will stop at the programs Entry Point (EP):
The first thing to notice is that the EP is at address 401000, as we can see in the first column. This is a pretty standard starting point for an executable (at least an executable that has not been packed or obfuscated anyway). If your screen looks different and Olly has not stopped at 401000, try going into Appearance and selecting debugging options, click on the “Events” tab, and make sure “WinMain (if location is known)” is checked. Then restart the app).
Let’s get a snapshot of the memory space taken up by “FirstProgram.exe”. Click on the “Me” icon (or “M” if using a different version of Olly):
If you look in the address column, you will see that at location 401000, the row contains the size 1000, the name “FirstPro” (short for FirstProgram), the section name “.text, and that it contains “SFX, code”. As we will learn later in this series, exe files have different sections in them that contain different types of data. In this section is the “code” for the program. It is 1000h bytes long and it starts at address 401000 in memory.
Below this you will see the other sections of our FirstProgram; there is an .rdata section that contains data and imports at address 402000, a section called “.data” that contains nothing at address 403000, and finally, a section called “.rsrc” that contains resources (such as dialog boxes, images, text etc. Keep in mind that these sections can be called anything- it is completely up to the programmer.
You may wonder why the .data section has nothing in it. Well, in actuality, it does. It has things like global variables and random data. Olly just chooses not to list this as he doesn’t know exactly what kind of data is stored in there.
At the top of the sections is a section called “PE Header”. This is a very important section, one we will get very much into in a future article. For now, just know that it is like an instruction manual for Windows with steps for loading this file into memory, how much space it needs to run, where certain things are etc. It is at the head of just about any exe (and DLL for that matter).
If you now look down the list, you will see other files other than our First Program app. We see comctl32, imm32, gdi32, kernel32 etc. These are DLL files that our app needs in order to run. A Dll file is a collection of functions that our program can call that have been provided by windows (or another programmer). These are things such as opening dialog boxes, comparing strings, creating windows and the like. Collectively, these are the Windows API. The reason programs use these is because if we had to program every function, just displaying a message box could take thousands of lines of code. Instead, Windows has provided a function like CreateWindow that does this for us. This makes programming much, much easier for the programmer.
You may wonder how these DLL’s got into the address space of our program and how windows knew which ones were needed. Well, this information is stored in the PE Header listed above. When Windows loads our exe into memory, it checks this header and finds the names of the DLL’s, as well as what functions in each DLL our program needs, and then loads these into our program’s memory space so that our program can call them. Every program loaded into memory will also have the required DLL’s that the program need loaded into it’s memory space. This means that, conceivably, some DLL’s may be loaded several times in memory if several programs are currently loaded and all use that particular DLL. If you would like to see exactly which functions our program calls, you can right-click in Olly’s disassembly window and select “Search For” -> “All Intermodular Calls. This shows something like the following:
This may be surprising, but this list is VERY small, Usually, there are hundred’s or thousands of functions needed for a commercial product, but because our sample program is so simple, it doesn’t need very many. Although, when you think about what our program does, it seem like quite a lot of functions just to perform such a basic role! Welcome to Windows . This window shows the name of the DLL first, followed by the name of the function. For instance, User32.LoadIconA is in the DLL User32 and the function name is LoadIconA. This function usually loads the icon on the top left corner of the window.
Next, let’s do a search for all strings in the app. Right-click the disassembly window and choose “Search For” -> “All Referenced Text Strings:
This window shows all text strings it could find in our app. Since this app is very simple, there are only a couple. Most apps will have MANY more (sometimes in the 100′s of thousands) unless they have been packed or obfuscated. In this case, you may see none at all! The reason packers do this is because reverse engineers (at least new ones) rely heavily on text strings to find important functions in a binary, and removing the text strings makes it much harder. Imagine if you did a search for text strings and saw “Congratulations! You entered the correct serial”? Well, this would be a huge help to a reverser (and we will see this time and again). By the way, double-clicking on one of the strings will take you to the instruction that uses it in the disassembly window. This is a nice feature so you can jump right to the code that uses the string.
Running the program
If you look in the top left corner of Olly you should see a yellow window that says “Paused”. This is telling you that the app is paused (at the beginning in this case) and ready for you to do something. So let’s do something!. Try hitting F9 (or choose “Run” from the “Debug” menu option). After a second, our program will pop up a dialog box (it may open behind Olly, so minimize Olly’s window to make sure.)
That same box that said Paused should now say Running. This means that the app is running, but running inside Olly. You may interact with our program, in fact do See how it works and what it does. If you accidentally close it, click back over to Olly and hit ctrl-F2 (or choose Debug->Restart) to re-load the program, and you can hit F9 to run it again.
Now try this: as the program is running, click over to Olly and click the pause icon (or click F12, or choose Debug->Pause). This will pause our program wherever in memory it happened to be running. If you now try to view the program, it will look funny (or won’t show up at all). This is because Windows is not updating the view as it is paused. Now hit F9 again and you should be able to play with the program again. If anything goes wrong, just click the double left facing arrow icon or choose Debug-restart (or ctrl-F2) and the app will re=load and pause at the beginning. You can now run it again if you wish.
Stepping the program
Running an app is fine and dandy, but doesn’t give you a heck of a lot of information about what’s going on. Let’s try single-stepping. Reload the application (reload icon, ctrl-F2, or debug->restart) and we will be paused at the start of the application. now press F8. You will notice that the current line selector has gone down one line. What Olly has done is run one line of instructions and then paused again. If you were really observant, you would have noticed the stack window scrolled down one and has a new entry at the top:
This is because the instruction that we performed, PUSH 0″ ‘pushed’ a zero onto the stack. This shows up on the stack as “pModule = NULL”. NULL is another name for zero. You also may have noticed that in the registers window, the ESP and EIP registers have turned red:
When a register turns red, it means that the last instruction run changed that register. In this case, the ESP register (which points to the address of the top of the stack) was incremented by one since we pushed a new value onto the stack. The EIP register, which points to the current instruction that is being run has also increased by two. This is because we are no longer on address 401000, but 401002- running that last instruction was two bytes long and we are now paused on the next instruction. This instruction is at 401002, which is the current value of EIP.
The instruction that Olly is now paused on is a CALL. A call instruction means that we want to temporarily pause in the current function we are in and run another function. This is analogous to calling a method inside a high level language, for instance:
int main()
{
int x = 1;
call doSomething();
x = x + 1;
}
In this code, we first make x equal to 1, then we want to pause this line of logic and instead call doSomething(). When doSomething is done, we will resume with our original logic and increase x by 1.
Well, the same is true in assembly language. We first PUSHed a zero onto the stack and now we want to call a function, in this case the one in Kernel32.dll called GetModuleHandleA():
Now press F8 once more. The current line indicator will move down one, the EIP register will stay red and increase by 5 (as the instruction that ran was 5 bytes long) and the stack was brought back to what it originally showed. What happened here is that since we pressed F8, which mean “Step-Over”, the code inside the call was performed and Olly paused on the next line after the call. Now, inside of this call the program could have done anything, but we ‘stepped over’ it.
Now, to see the other option, re-start the program (ctrl-F2), press F8 to step over the first instruction, but this time hit F7 on the call instruction. You will notice that the entire window looks different now:
This is because F7 is “Step-In”, meaning Olly made the call and paused at the first line of this new function. In this case, the call jumped to a new area of memory (EIP = 4012d6). Theoretically, if we kept stepping through this new functions lines of code, we would eventually get back to the statement after the call that got us here, back at the beginning. Of course, there are shortcuts to this, but for now, let’s just re-start the program and start over, as we don’t want to get too lost.
Now that we are paused at the beginning of the program, hit F8 (Step-Over) 4 times and we will land on this statement:
You will notice that there are 4 PUSH statements in a row. This time, watch the stack window as you hit F8 4 times and watch the stack grow (it actually grows down – remember the plate example?). I think we’re starting to get the feel for PUSHing on the stack…
Now you may ask WHY we pushed these arbitrary numbers onto the stack. In this case it is because these 4 numbers are being passed as parameters to a function (the function we are about to call at address 401021). If we take our previous high-level program and modify it a bit, it will become clearer:
int main()
{
int x = 1;
int y = 0;
call doSomething( x, y );
x = x + 1;
}
Here, we declare two variables, x and y, and pass them into the doSomething Function. The doSomething function will (probably) do something with these variables and then return control back to the calling program. The stack is one of the main ways that variables can be passed to a function: each variable is PUSHed onto the stack, the function is called, and the in the function, these variables are accessed, usually using the inverse of the PUSH instruction which is POP.
The stack is not the only way to do this, it is just the most often used. These variables could also have been put into registers and accessed through these registers inside the called function, but in this case, the compiler of our program chose to put them on the stack. All of this will become clearer after you study assembly language (you are studying assembly language, aren’t you?). We will also go over this several times in the future.
Now, if we press F8 one more time, you will notice that it will say “Running” in the active bar in Olly and our program’s dialog box will show up. This is because we stepped-over the call that actually has most of the program in it. Inside this call is code that enters a loop waiting for us to do something, so we never get control back to the line after the call. Well, let’s fix that…Click over to our program and hit the ‘close’ button to end the app. Olly will immediately pause on the next line after the call:
You will also notice that our program has disappeared. This is because, somewhere in that call, the dialog window was closed. Also, if you look down one line you will see that we are just about to call kernel32.dll -> ExitProcess. This is the Windows API that stops an application, so basically Olly has paused our program after it has closed the window but before it has actually been terminated! If you now press F9, the program will terminate, the active bar in Olly will say “Terminated” and we are no longer debugging anything.
Breakpoints
Let’s try something else, re-load the app (ctrl-F2) and double-click on the line at address 401011 in the second column (you will be clicking on the opcodes “6A 0A”. Address 401011 will now turn red:
What you have done is set a breakpoint on address 401011. Breakpoints force Olly to pause execution when it reaches it. There are different types of breakpoints in order to stop execution on different events:
Software Breakpoints
A software breakpoint replaces the byte at your breakpoint address with a 0xCC opcode, which is an int 3. This is a special interrupt that tells the operating system that a debugger wishes to pause here and to give control over to the debugger before executing the instruction. You won’t see the instruction change to 0xCC, Olly does this behind the scenes, but when Olly hits it an exception occurs and Olly will trap the exception and allow the user to do what he/she wishes. If you select to allow the program to continue (either by running it or stepping), the 0xCC opcode is replaced back with it’s original.
In order to set a software breakpoint, you can either double-click on the opcode column, or you can highlight the row you want the breakpoint on, right-click on it, and choose Breakpoints->Toggle (or hit F2). To remove the breakpoint, you can double-click on the same line or right-click and select Breakpoint->Remove Software Breakpoint (or hit F2 again).
Now that we have a BP (breakpoint) set at address 401011 and our program is paused at the first instruction, hit F9 (run). Our program will run but will pause at the line with our BP on it.
I also want to point out something very helpful. Click on the “Br” toolbar icon or select View->Breakpoints. You will see an entry in the breakpoint window that shows our currently set BP:
This gives you a quick overview of all of your breakpoints set. You can double-click on one of them and the disassembly window will jump to that breakpoint (though the EIP will stay the same as you are not actually changing the flow of control of the program. double click the EIP register to go back to the current line set to execute next).
If you highlight a breakpoint and click the space bar, the breakpoint will toggle between enabled and disabled. You can also highlight a breakpoint row and hit “DEL” key which will remove the breakpoint.
Lastly, restart the program, go into the breakpoints window, highlight the breakpoint we set at address 401011, and hit the space bar. The “Active” column will change to “Disabled”. Now run the program (F9). You will notice that Olly did not stop at our BP because it was disabled.
Hardware Breakpoints
A hardware breakpoint uses the CPU’s debug registers. There are 8 of these registers built into the CPU, R0-R7. Even though there are 8 built into the chip, we can only use four of them. These can be used for breaking on reading, writing or executing a memory section. The difference between hardware and software breakpoints is hardware BP’s don’t change the process’s memory, so they can be more reliable, especially in programs that are packed or protected. You set a hardware breakpoint by right-clicking on the desired line, selecting Breakpoint, and then choosing Hardware, on Execution:
The only way to see what memory BP’s you have set is to select “Debug” and “Hardware Breakpoints”. There is a plugin that will make this a lot easier, but we’ll discuss that later
Memory Breakpoints
Sometimes you may find a string or a constant in the program’s memory, but you don’t know where in the program it is accessed. Using a memory breakpoint tells Olly that you want to pause whenever ANY instruction in the program reads or writes to that memory address (or groups of addresses.) There are three ways to select a memory breakpoint:
- For an instruction, right-click on the desired line and select Breakpoint->Memory, On Access or Memory, On Write.
- To set a BP on an address in the memory dump, highlight one or more bytes in the dump window, right-click on them and choose the same option as above.
- You can also set a BP for an entire section of memory. Open the Memory window (“Me” icon or View->Memory), right click the section of memory you desire, and right-click and choose “Set Break On Access for either Access or Write.
Using The Dump Pane
You can use the dump pane to inspect the contents of any memory location in the debugged process’s memory space. If an instruction in the disassembly window, a register, or any item in the stack contains a reference to a memory location, you can right click that reference and select “Follow in Dump” and the dump pane will show you the address section. You can also right-click anywhere in the dump pane and select “Go To” to enter an address to view. Let’s try it.
Make sure the FirstProgram is loaded and paused at the beginning. Now, press F8 eight time and we will be on the instruction at address 401021 that says CALL FirstPro.40102c. If you look at this line, you will notice that this call is going to jump us down to address 40102c, which happens to be 3 lines down from where we currently are. Hit F7 to step in to the jump and we will then be at that address at 40102c. Remember that this is a CALL instruction, so we will eventually come back to 401021 (or at least the instruction after this).
Now, step the code (F8) until we get to address 401062. You can also just set a breakpoint on this line and hit F9 to run to it. Remember how to set a breakpoint? double-click on the opcode column on the line you want to set the BP. You can also just highlight the line and hit F2 to toggle the BP on and off). Now we are paused at address 401062:
Now, let’s look at the line we are paused at. The instruction is MOV [LOCAL.3], FirstPro.00403009. As I’m sure you know (because you have been studying assembly language :p ) this instruction moves whatever is at address 00403009 onto the stack (which Olly references as LOCAL.3). You can see in the comments column that Olly has discovered that at this address is the ASCII string “MyMenu”. Well, let’s have a look. Right-click on the instruction and select “Follow in Dump”. You will notice that we have a couple options here:
In this case, select “Immediate Constant”. This loads whatever address is being affected in the instruction. If you had chosen “Selection”, the dump window would have shown the address of the highlighted line, in this case 401062 (the line we were paused at). We would basically just be looking at a dump of what we were looking at in the disassembly window. Lastly, if we had chosen “Memory address”, the dump screen would show the memory for LOCAL.3. This would in effect show the memory for the local variables we were working with (on the stack). Here;s what the dump looks like after selecting Immediate Constant”:
As you can see, the dump now shows memory starting at address 403009, which is the address the instruction Olly was loading the ASCII string from. On the right, you can see the string, “MyMenu”. On the left, you can see the actual hex for each character. you may notice that after “MyMenu” are some additional strings. These strings will be used in other parts of the program.
Finally, Something Fun!
To end this part of the tutorial, let’s do something fun. Let’s edit the binary to display our own message! We will change the “Dialog As Main” string to something of our own and then see what happens.
First, click on the “D” of “Dialog As Main” in the ASCII section of the dump window:
You will notice that the first hex digit is also highlighted on the left. This digit corresponds to the letter “D”. If you look it up on an ASCII chart you will see that the hex for the letter “D” is 0×44. Now, click and drag to select the entire string “Dialog As Main”:
Now, right-click anywhere on the selection and choose “Binary” -> “Edit”. This allows us to change the memory contents of our program:
We should then have a screen that looks like this:
The first field shows us our string in ASCII. The second field is for Unicode (which this program doesn’t use, so the field is blank) and the last field is the raw data relating to this string. Now, let’s change it. Click on the first letter of the string (the “D”) and type anything you want over top of the “Dialog As Main” string. Just make sure you don’t add more letters than in the original string! You may overwrite other strings the program need, or worse, code that the program needs!!! In my case, I typed “Program R4ndom”:
Now click OK and run the app (click inside Olly and hit F9). Switch over to our program, type something in and select “Options” -> “Get Text”. Now look at our dialog box!!!
Notice anything different about the title of the dialog box
-till next time
R4ndom
May 30th, 2012 on 6:10 am
Another Awesome Tutorial thanks
May 30th, 2012 on 8:31 am
In your link to the real ollydbg you’re missing the http part so it’s broken.
May 30th, 2012 on 9:06 am
Another:
“Now, let’s look at the line we are paused at. The instruction is MOV [LOCAL.3], FirstPro.00403009. As I’m sure you know (because you have been studying assembly language :p ) this instruction moves whatever is at address 00403009 onto the stack (which Olly references as LOCAL.3).”
This is incorrect .That instruction is moving the address 0×00403009 to ebc-c, not the string. I think it’s important you make that clear.
Other than that, good tutorial. I’m looking forward to it getting more advanced.
May 30th, 2012 on 3:29 pm
Just a suggestion you should also upload the program used for tutorial because some people just don’t get it until they do it themselves.For noobie it’s important not for some one like us who get used to it by practicing on Reverse me and Crackme , Kegen Me and many more
May 30th, 2012 on 8:12 pm
^^ He did, but it’s called tutorial3.exe not firstprogram.exe
May 30th, 2012 on 8:45 pm
Yeah, I’[m still working out the kinks. The files were uploaded but I didn’t make it as obvious as I probably should have.
May 30th, 2012 on 8:46 pm
Also, gdogg, It’s funny but I did toil with that when I was writing it. I knew I wasn’t being honest but I also didn’t want to go into a 3 paragraph explanation of pointers. I thought that a beginner wouldn’t notice the subtle difference and was planning on addressing it later.
May 30th, 2012 on 8:48 pm
and thanks for the heads up on the broken olly link. I have since fixed it.
May 31st, 2012 on 9:11 am
No problem. Keep up the good work.
May 31st, 2012 on 2:07 pm
We Like your work and will appreciate till we Die (lol)
May 31st, 2012 on 5:06 pm
I together with my friends were found to be taking note of the great thoughts located on your website and before long developed a horrible feeling I never expressed respect to you for those tips. All of the young boys were absolutely stimulated to read them and already have undoubtedly been loving them. Thank you for truly being simply kind and then for obtaining variety of fine topics millions of individuals are really needing to know about. My personal sincere regret for not saying thanks to you sooner.
May 31st, 2012 on 5:59 pm
Wow, I’m speechless. You are very welcome. It is comments lie yours that make me want to keep going. Thank you very much.
June 1st, 2012 on 5:55 am
Hi. Just wanted to say thanks. I’ve always been intrigued by Reverse Code Engineering and was looking for a easy to digest blog where I could learn from the basics. You have posted some excellent content in a very short period of time. Keep up the excellent work. I had a request – Once you get into intermediate tutorials and malware analysis could you analyze famous malwares/rootkits/worms like Stuxnet, Skyfire etc.?
Even if you can’t its fine I am thoroughly enjoying your website. Cheers!
June 1st, 2012 on 2:49 pm
I had planned on getting into some real malware down the road. I would probably start with banker.c. But that is a little while into the tutorial…
June 1st, 2012 on 3:42 pm
Don’t worry mate we are here with you till Eternity or till we die(lol)
June 2nd, 2012 on 6:15 am
Good to know! I’ve really enjoyed your tutorials so far. Keep ‘em coming! Thanks for the time and effort.
June 6th, 2012 on 7:21 am
Link for the files is broken.
June 12th, 2012 on 7:17 am
The link http://thelegendofrandom.com/files/tuts/tut3.zip was corrupted. please fix it. Thanks
June 12th, 2012 on 2:09 pm
To download the tutorial and support files, please go to the tutorials page and download it that way. Btw, where did you fin that link that was broken?
June 23rd, 2012 on 7:22 pm
Thanks for the great tutorial, however, just like the guys above me, the link to the download brings a 404 error specifically http://thelegendofrandom.com/files/tuts/tut3.zip
Keep up the great work!
June 23rd, 2012 on 7:29 pm
FYI,
I downloaded the files from the tutorials page. The broken link was from the very top of this page
June 25th, 2012 on 4:17 pm
You should try clearing your cache. I have tried every link on that page and they all work, though sometimes you can get a bad link cached and it won’t work…Let me know if you’re still having problems.
June 26th, 2012 on 12:25 pm
i have the same problem, cleard cache, restarted, still 404. could you fix it/upload it somewhere else please?
June 26th, 2012 on 4:29 pm
OMG, I am so sorry. I misunderstood you. You meant the link on this page! It is now fixed. Sorry about that.
July 2nd, 2012 on 2:08 pm
I cannot find the FirstPogram.exe, sorry I’m a total noob.
July 2nd, 2012 on 2:09 pm
Sorry, I guess It would help to read the comments before posting. So tutorial3.exe is actually FirstProgram.exe, thanks.
August 5th, 2012 on 6:15 am
Thank you for your great Tutorials
August 18th, 2012 on 11:13 am
Hi
To be able to view the .hlp files on a system newer than XP, install this:
http://support.microsoft.com/kb/917607
And R4andom, thanks for a great guide!
August 26th, 2012 on 10:24 am
Thanks for this awesome tutorial.Reddit Brought me here!
December 18th, 2012 on 5:35 pm
Thank u for sharing this great tutorial for free. I would like to use your Olly but it has not stopped at 401000, even I did the this modification : Option – Debugging options – Events – WinMain checked. What is the problem ?
February 1st, 2013 on 5:06 pm
sir, something wrong with my hex dump it didn’t show same as yours… instead the number will file as row it file as column…
is it because im using 64bit? windows 7 ultimatE?
February 24th, 2013 on 9:04 am
Awesome Tutorial, Learned assembly language and practiced in half n hour
February 27th, 2013 on 4:07 am
I just wanted to really thank you for these tutorials. I am a newbie into Reverse Engineering and i’ve been reading many articles without understanding much. But i found this tutorial extremely didactic, with simple and easy explanations and step by step guiding which is great for a newbie. Also, after reading this third part, i am feeling more interested in learning this stuff. Just wanted to say thanks!!
March 9th, 2013 on 5:22 pm
Are you responsible for tutorials 1 – 23?
My antivirus program cleaned two of them 5 & 19 of high risk Trojan. If you are the sole provider of these, then I wouldn’t risk using your version of Olly either. If you are not the provider, then check your files before uploading.
March 25th, 2013 on 5:35 pm
” Pizza was called (and is still called) tomato pie and pizza pie in certain parts of the States. Remember to pre-heat your oven for at least 1 hour. Although the creation of flat bread with toppings resembles a green-onion pancake, it remains a mystery still whether the history of pizza starts with China.
March 29th, 2013 on 9:09 am
These tutorials are very well done.
At the end of this tutorial, you show how to change ascii characters in the dump window. How do you save these changes to the executable?
April 3rd, 2013 on 9:05 am
hi,
I am a beginner and i cant find first program.exe please help me..
April 5th, 2013 on 7:08 am
If some one wishes to be updated with most recent technologies after that he must be pay a quick visit this
website and be up to date everyday.
April 15th, 2013 on 8:24 am
Excellent, what a website it is! This weblog provides valuable data to us,
keep it up.
April 25th, 2013 on 2:07 am
Once your back gets sore, especially for mothers-to-be who are carrying twins or
maybe more, wearing a support belt is usually a real pain reliever.
Even though missing your periods doesn’t guarantee you’re pregnant.
For example,if the eggs from a younger women relating to
the age of 22-25 is utilized in an IVF cycle using a
women aging forty years,the success equal the 22-25 yr old age group.
You can discover out more to do with this product at the website or click here.
Generally having a much better understanding of yourself along with the world near you will
allow you to know the morals and principles you ought to pass along for your child.
April 28th, 2013 on 12:44 pm
Hi there,
I am new on this and a little bit of help from your side would be nice.
I am using olly with some tutorials and apps. I was doing nice until discover an app called imapbuilder! for pure knowledge reason (no second intention) I started to analyse and trying to reengeneering/hack this app. It is not packed, seems easy but I am stuck!
Can you help? can we change some ideas?
Everything is decided on a loop
004049E5 MOV EAX,[DWORD SS:LOCAL.1]
004049E8 MOV EAX,[DWORD DS:EBX*8+EAX]
004049EB MOV [DWORD SS:LOCAL.2],EAX
004049EE INC EBX
004049EF MOV [DWORD DS:EDI+0C],EBX
004049F2 CMP [DWORD SS:LOCAL.2],0
004049F6 JE SHORT 004049FB
004049F8 CALL [DWORD SS:LOCAL.2]
004049FB CMP ESI,EBX
004049FD JG SHORT 004049E5
134 cicles or 158hex and something happen when arriving to 102hex
I definitely think that when somebody understand how to hack this app he will will be a head of knowledge!
Looking forward to have your feedback in my mail,
all the best!
May 4th, 2013 on 5:02 pm
I have a few ollydbg’s since I started learning about asm last night. and something that is confusing me is that my ollydbg ( that one I DLed from the link, not the version 2.0 that I DLed from the ollyDBG site) starts at 77470000, rather than 401000. if i open the same files in the 2.0 version ,from the ollydbg site, it will start at the same point as your screenshots suggest. Are you able to tell me why this is?
July 20th, 2013 on 9:14 am
Try push F9 and see whats happend. Or click the RUN icon in toolbar.
/Fravia
May 8th, 2013 on 11:50 pm
I don’t know if it’s just me or if everybody else
encountering problems with your website. It appears like some
of the written text on your content are running off the screen.
Can somebody else please comment and let me know if this is happening to
them as well? This could be a problem with my internet browser because I’ve had this happen previously. Many thanks
May 11th, 2013 on 10:18 pm
Hey there, I think your site might be having browser compatibility issues.
When I look at your blog site in Chrome, it looks fine but when opening in Internet
Explorer, it has some overlapping. I just wanted to give
you a quick heads up! Other then that, great blog!
May 17th, 2013 on 8:34 pm
Greetings! Very helpful advice within this article! It’s the little changes that produce the most important changes. Thanks for sharing!
May 24th, 2013 on 10:27 am
You really make it seem so easy with your presentation but I in finding this matter to be actually something that I believe I might never understand. It seems too complex and very huge for me. I am having a look forward for your next submit, I will attempt to get the hold of it!
June 11th, 2013 on 1:09 pm
What’s up, this weekend is fastidious designed for me, for the reason that this moment i am reading this wonderful informative post here at my house.
June 15th, 2013 on 1:07 am
Good info. Lucky me I recently found your site by accident (stumbleupon).
I have book marked it for later!
June 15th, 2013 on 4:42 am
I love it when folks come together and share opinions.
Great site, stick with it!
June 15th, 2013 on 3:33 pm
Heya! I know this is somewhat off-topic however
I had to ask. Does running a well-established website such as yours require a massive amount work?
I am completely new to writing a blog but I do write in my journal everyday.
I’d like to start a blog so I will be able to share my own experience and thoughts online. Please let me know if you have any ideas or tips for brand new aspiring blog owners. Appreciate it!
June 23rd, 2013 on 12:16 am
I’m now not certain the place you are getting your information, but great topic. I needs to spend a while studying much more or working out more. Thank you for excellent information I was looking for this info for my mission.
June 25th, 2013 on 7:20 pm
Hi, legit comment here I can’t seem to get your local values to display as in your screenshots, i’m running win 7 x64, are there any special steps i need to take to get this to show?
Really enjoying your tutorials, thanks!
June 26th, 2013 on 6:15 am
Don’t mind this, i found the forums and someone had the exact same issue there
June 26th, 2013 on 1:45 am
Great introduction to what I am sure will be a great series in Ollydbg and RCE. I’m looking at your tutorials as well as Lena151.
Could you comment on why assembly language appears to have a lot of disorder to its structure (i.e. jumps after jumps and calls after calls)? Why can’t it follow the simple hierarchical structure higher level programming such as C, C++, Java, etc uses?
Thanks in advance for the reply!
July 5th, 2013 on 11:32 am
We are a group of volunteers and starting a brand new scheme in our community. Your web site offered us with valuable information to paintings on. You have done a formidable job and our whole community can be grateful to you.
July 17th, 2013 on 3:12 pm
I have been waiting for a TCG like this for a long time and the best part
is that it will be completely free-to-play when it is released.
He became my Big Brother and would come and take me to different places or just to his house to be with his family.
I would like to make it clear that I am not out
to save-the-world. He jumped up and snatched me
down from a fence I was trying to escape over. After taking him what
he wanted, he asked what was I doing, saying nothing, he asked if I wanted to hang out with him; I “hung out” for four years, he had finally gotten what he wanted.
August 11th, 2013 on 9:10 am
fantastic thnx
August 27th, 2013 on 10:41 am
How to detect events in exe file?
For example there is one textbox and checked text1.change() event.
How to detect this with ollydbg.