Page 1: Introduction to Cracking With Olly 01

INTRODUCTION TO CRACKING WITH OLLYDBG FROM ZERO

The idea of this INTRODUCTION TO CRACKING WITH OLLYDBG FROM ZERO is to give a base to all those who are just starting in the art of cracking with OLLYDBG. It is meant to be an introduction, but one that provides a strong enough base to go on to read and understand more advanced tutorials, such as those in the current NEW COURSE of CRACKSLATINOS, which of course remains open so that new features, aids and theories keep being added to it, as until now.

The idea came to me because the newbies who read the so-called NEW COURSE of CRACKSLATINOS find that it starts at a very high level; they cannot work their way into it gradually, so they feel frustrated and often give up before starting. The idea of this INTRODUCTION is not to repeat the tutorials that already exist in that course, which are more than 500 and of a spectacular level, but rather to lay the foundations so that whoever finishes this introduction finds it easier to read any tutorial. Obviously it will take effort, like everything in cracking, but our task is to try to lighten that effort by laying down here the bases of cracking with OLLYDBG so that they are comprehensible and can be understood easily.

WHY OLLYDBG?

Here we will not go into long lucubrations or reopen the old SOFTICE versus OLLYDBG controversies about which one is better, or anything of the sort. I believe that even the SOFTICE fanatics recognize that it is easier to start with OLLYDBG, since it shows more information and is more comfortable to learn with. The idea is to enter the world of cracking through the door of OLLYDBG; later, once one knows, one can easily move to any other debugger, because what changes between programs is the way they are used, not the essence.

FIRST THINGS FIRST

The first thing is to equip ourselves with the tool we are going to use the most; for that you can click http://www.ollydbg.de/odbg110.zip to download it.

Since here we are starting from zero, we just download the file, and as it is a zipped file we unzip it, preferably with WINZIP, to a folder on our hard disk that we can find easily. A good idea is to put this folder in C:/, although it works anywhere; I will put it in C:/.


Once decompressed we can go into the folder and look.

There is the EXE file OLLYDBG.exe, which we will run to start OLLYDBG; for more comfort I will make a shortcut to it on my desktop.

Good, we already have our OLLYDBG.exe downloaded and ready to start, so we run it.


This dialog appears, warning us that the DLL in the OLLYDBG folder is older than the one in the system. If we press YES it deletes the old one from the OLLY folder and uses the system one. Although I don't see big differences, I always prefer that it use its own DLL rather than the system one, since it was built with that DLL, so I choose NO.

There is the empty OLLYDBG, and as always the first program we will open, just to look at the different parts of OLLYDBG and get a bird's-eye view of where things are, is the famous CRUEHEAD CRACKME, which comes attached with this tutorial.

To open the file to debug in OLLYDBG we go to FILE-OPEN or click on the icon.

The window opens for us to look for the file to debug, in this case the CRUEHEAD crackme.


There the crackme is opened, and for now it doesn't matter that we don't understand what it shows us; later we will learn that. The idea is to show the parts of OLLYDBG and some of its settings, so that when later tutorials say, for example, "go to the DUMP", you at least know where it is. So this is for orientation and nothing more; it is not a deep tutorial on OLLY.

There we see the four parts of the main window of OLLYDBG.

1) DISASSEMBLY:

Also called the listing: OLLY shows us the disassembled listing of the program we are going to debug. By DEFAULT OLLY is configured to analyze the program we are going to debug when it loads; this is configured in OPTIONS-DEBUGGING OPTIONS.


That is, when that tick in AUTO START ANALYSIS OF MAIN MODULE is checked, OLLYDBG analyzes the program and shows additional information about it.

There is the initial listing of the CRUEHEAD crackme, analyzed, and if it is started without analysis we can see the difference below.

The analyzed window shows more information and, although we still don't know what it means, it looks more complete. Still, it is good to know that the analysis can be removed from the analyzed window, if one does not agree with it or realizes it is mistaken, which can happen.

Often OLLYDBG shows parts that are not listed correctly because it misinterprets executable code as data; in that case we see DB entries like these.

In that case I can manually remove the analysis OLLYDBG has done by RIGHT-CLICKING in the listing and choosing ANALYSIS-REMOVE ANALYSIS FROM MODULE,

and in that case the listing is left without analysis, but correct.

Another small thing that helps clarity when working, and that I at least like, although everyone can differ in these matters, is to colorize the JUMPS and CALLS, which is done by right-clicking: APPEARANCE – HIGHLIGHTING – JUMPS AND CALLS.


The result is the following.

There we see that the CALLS are highlighted in light blue and the JUMPS in yellow, which is clearer to the eye.

Good, with that our listing is easier to interpret, although we still don't have the remotest idea what it means; but it is necessary to prepare the tools before we can go on learning little by little.

2) REGISTERS

The second important window of OLLYDBG is the REGISTERS one.

Remember that the registers window is in the upper right part of OLLYDBG; it shows quite a bit more information than the registers themselves.


It has much more information than we will see for now, but the display mode can be changed between three forms (VIEW FPU REGISTERS, VIEW 3DNOW! REGISTERS and VIEW DEBUG REGISTERS); by default the first one is selected.

For now we will not go deep into that, since we will mostly concern ourselves with the subject of REGISTERS and FLAGS; I mention it so you know there are several views of the registers.

3) STACK:

Good, there we see the so-called STACK. There is not much configuration possible here, only the option to show the information relative to the ESP register or to the EBP register.

By default, and what is used most, is the view relative to ESP, but to change to the view according to EBP, right-click in the stack and choose GO TO EBP; to go back, GO TO ESP returns us to the default option.


In later installments we will explain well how the stack works; for now we only looked at how its configuration can be varied.

4) DUMP:

The DUMP window has many display options; by DEFAULT it shows us the HEXADECIMAL display of 8 columns or bytes, which can be changed by RIGHT-CLICKING in the DUMP and choosing the desired option.

The DEFAULT option is the one most generally used, although we have options to change it to show disassembly (DISASSEMBLE), text (TEXT) and various formats (SHORT, LONG, FLOAT),

and in addition the option SPECIAL – PE HEADER, which we will see in later chapters; what it is for is very useful.
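To make the DUMP display options concrete, here is a small Python script, added to this page as an illustration and not part of the original tutorial or of OllyDbg itself. It takes a constructed 16-byte buffer and renders it the way the HEX (8 bytes per row with a text column), TEXT, SHORT, LONG and FLOAT views would: the same bytes read as bytes, as 16-bit words, as 32-bit dwords and as 32-bit floats, all little-endian as on x86. The sample bytes and the base address 0x00401000 are assumptions made for the example.

```python
import struct
from typing import List

# Constructed sample bytes (not from the page): the text "Hello, Olly!"
# followed by the four bytes 00 00 80 3F, which is the 32-bit float 1.0
# stored little-endian, the way x86 lays it out in memory.
SAMPLE = b"Hello, Olly!" + bytes.fromhex("0000803f")
BASE = 0x00401000  # assumed address of the buffer, purely illustrative


def as_text(data: bytes) -> str:
    """TEXT view: printable ASCII as-is, everything else shown as a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def hex_dump(data: bytes, base: int = BASE, width: int = 8) -> List[str]:
    """HEX view: one row per `width` bytes with address, hex column and text column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        lines.append(f"{base + off:08X}  {hexpart}  {as_text(chunk)}")
    return lines


def as_short(data: bytes) -> List[int]:
    """SHORT view: 16-bit little-endian words (a trailing odd byte is ignored)."""
    n = len(data) // 2
    return list(struct.unpack(f"<{n}H", data[:n * 2]))


def as_long(data: bytes) -> List[int]:
    """LONG view: 32-bit little-endian dwords (trailing bytes ignored)."""
    n = len(data) // 4
    return list(struct.unpack(f"<{n}I", data[:n * 4]))


def as_float(data: bytes) -> List[float]:
    """FLOAT view: the same dwords reinterpreted as IEEE-754 single precision."""
    n = len(data) // 4
    return list(struct.unpack(f"<{n}f", data[:n * 4]))


if __name__ == "__main__":
    print("\n".join(hex_dump(SAMPLE)))
    print("SHORT:", [f"{w:04X}" for w in as_short(SAMPLE)])
    print("LONG: ", [f"{d:08X}" for d in as_long(SAMPLE)])
    print("FLOAT:", as_float(SAMPLE))
```

Notice that the dword 0x3F800000 reads as 1.0 in the FLOAT view and as four unremarkable bytes in the HEX view, while "Hell" becomes the dword 0x6C6C6548 because the first byte in memory is the least significant one. Which view makes sense depends on what the program actually stores there, which is also why the analyzer can mislabel code as data.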

We already know the parts that are seen in the main window of OLLYDBG, although there are also more windows that are not seen directly; they can be accessed both from the menu and from the view buttons.


We will see what each one is.

Button L or VIEW-LOG shows us what OLLYDBG writes in the LOG window, which can be configured to show different types of information. By default the LOG window keeps information about the start-up and the information written into it by the different CONDITIONAL LOG BREAKPOINTS, which we will see later; for now we see there the information about the process being started, in this case the cruehead crackme, the DLLs it loads, and some notes about the analysis.

One of the most important options of this window is logging to a file, for those cases in which we want to keep the information in a text file; in that case, RIGHT-CLICK - LOG TO FILE.

Button E or VIEW-EXECUTABLES shows us the listing of executables the program uses: exe, dlls, ocxs, etc.

Here too the right button has many options that we will not see for now, since we are looking at OLLYDBG in a general way.

Button M or VIEW-MEMORY shows us the memory occupied by our program: there we see the sections of the executable, the dlls the process uses, as well as the stack and various sections allocated by the system; often, while running, programs make new memory allocations at run time.


Right-clicking we can SEARCH in memory to look for strings, hex strings, unicode, etc.; in addition it gives us the possibility of placing different types of breakpoints on the sections, as well as the possibility of changing the access to them with SET ACCESS. We will go deeper into this later.

Button T or VIEW-THREADS gives us the listing of the program's THREADS.

Although we still don't know what this is, and the explanation will come in the next chapters, it is good to become familiar with where each thing is; soon we will learn what they are and how they are used.

Button W or VIEW-WINDOWS shows us the program's windows; since it has not run yet there are no windows, so this is empty.

Button H or VIEW-HANDLES shows the handles; for now just locate it, we will explain later what it is and what it is for.

Button C or VIEW-CPU takes us back to the main window of the program.


Button / or VIEW-PATCHES shows us the patches if the program has been modified; for now it is empty, since there are no changes.

Button K or VIEW-CALL STACK shows us the call stack, that is, the listing of the calls we entered through, up to the point where the program is stopped.

Button B or VIEW-BREAKPOINTS is the listing of the common breakpoints placed in the program; it does not show hardware breakpoints or memory breakpoints, only the common BPs.

Button R or VIEW-REFERENCES shows us the references window, which gives us the results when we do a search for references in OLLY.

Button ... or VIEW-RUN TRACE shows us the listing if we have done a RUN TRACE on our machine, and it also has the LOG TO FILE option, to keep the result of the trace in a txt file.

Good, up to here a bird's-eye overview of the most important buttons. We did not explain them in detail because it is still necessary to learn some ASM first; as we practice using OLLYDBG we will be clarifying more deeply what each button and each OPTION is for. The idea is to become familiar with where the things we will see in the next installments are.

HOW TO CONFIGURE OLLYDBG AS JIT (JUST-IN-TIME DEBUGGER)

I clarify that it is not advisable to keep OLLYDBG permanently configured as JIT; it is only advisable to do it sometimes, in special cases, since when it is the JIT it catches the error of any program on our machine and starts by itself, which can be annoying if we are not debugging or cracking. So I teach you how to configure it for special cases, but it is advisable to leave the default option, which is not as JIT.

To set OLLYDBG as JIT we go to OPTIONS-JUST-IN-TIME DEBUGGING

and press the button MAKE OLLYDBG JUST-IN-TIME DEBUGGER and then DONE.

To remove it, in the same place press RESTORE JUST-IN-TIME DEBUGGER and DONE.

Adding PLUGINS to OLLYDBG

OLLYDBG has the option to add plugins, which we need to do certain tasks; for now we will only add the COMMAND BAR plugin, to learn how they are added.

We download the COMMAND BAR plugin, which can be downloaded from HERE, and most plugins are Here.


There is the plugin downloaded on my desktop; I decompress it with WINZIP and go into the decompressed folder to see the contents.

Now, before anything else, we create a folder for the PLUGINS on our machine; I create it in C:/ and call it just PLUGINS.

I go to C and create a NEW FOLDER.

There it is; it can be placed anywhere, but I like to have everything in C, for that reason I put it there. In any case we must configure OLLYDBG so that it recognizes this folder as the one that will hold the plugins.

For that, in OLLYDBG we go to OPTIONS-APPEARANCE

and in the window that opens we go to the DIRECTORIES tab.


We see where the plugin path (PLUGIN PATH) points; in fact it points to the folder where OLLYDBG.exe is, and we could leave it there, but I like to have the plugins separate, so where it says PLUGIN PATH-BROWSE I look for the folder I created for my plugins.

There I chose the PLUGINS folder I created, and this warning appears:

that is, I must restart OLLY so that it recognizes the new plugins folder; but before that I copy the content I downloaded for the command bar to my plugins folder.


There I copy all the content and paste it in my PLUGINS folder.

There is the content of the Command Bar plugin in the PLUGINS folder; for each plugin I download and add I only have to copy its content there; often copying only the DLL is enough.

I save, close OLLYDBG if it was open, and restart it. We see that the COMMAND BAR appeared in the PLUGINS menu, with its options.

In the lower part of OLLYDBG we also see the installed COMMAND BAR.


It is a bar for typing commands, which makes things much easier for us; later we will see its use, for now the important thing is to know how to add plugins.

To remove any PLUGIN, just delete the corresponding DLL from our PLUGINS folder and restart OLLYDBG; it will disappear. I advise you to always leave the COMMAND BAR active.

I load the CRUEHEAD crackme again in OLLYDBG.

The most used keys in OLLYDBG are:

F7: Executes a single line of code (if you are on a CALL, it enters it to execute it inside).

F8: Executes a single line of code (if you are on a CALL, it does not enter it; it executes it completely without entering and continues on the line following the CALL).

Those two ways of tracing manually are really different, and depending on each case we will use F7 or F8, which we will see later.

F2: Places a COMMON Breakpoint on the line marked with the mouse, or the one highlighted in the listing; to remove the BP press F2 again.

For example:

I want to put a BP at 40101A, so I mark that line with the mouse.

On clicking a single time it is marked and highlighted, as we see in the image; then I press F2.

We see that the address area is painted red, which means that a BP or Breakpoint is active there; if I press F2 it is removed again.

F9: To run the program; it is similar to RUN. With this the program will run until it finds some BREAKPOINT, or some EXCEPTION that stops it, or it TERMINATES for some reason. When pressing RUN we will see in the lower corner of OLLYDBG the word RUNNING, meaning it is running.


There I load the CRUEHEAD CRACKME; we can see it running.

If I PAUSE execution in OLLYDBG by pressing F12 or DEBUG – PAUSE,

we see that OLLYDBG changes to show PAUSED, meaning it is stopped; we can make it run again with F9 or DEBUG-RUN.

To close the program being DEBUGGED, I press DEBUG-CLOSE.
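To show what F2, F7, F8 and F9 actually mean, here is a small Python model, added to this page as an illustration and not code from the tutorial or from OllyDbg. It defines a constructed toy program with a CALL and a RET, and a toy debugger that can toggle a common breakpoint, step into, step over and run. The instruction set, the addresses and the program are assumptions; real x86 and OllyDbg's implementation (a common breakpoint patches an INT3 byte into the code and restores it when removed) are more involved, but the stop conditions are the ones described above: F7 enters the CALL, F8 lands on the line after the CALL, and F9 runs until a breakpoint fires or the program ends. F8 also stops early if a breakpoint inside the called routine fires. F12 (pause) is not modelled, since the toy is single-threaded.

```python
from typing import List, Optional, Set, Tuple

# Constructed toy program (not from the page). Each entry is one instruction at
# address = its index. "call" pushes the return address and jumps, "ret" pops.
Instr = Tuple[str, Optional[int]]
PROGRAM: List[Instr] = [
    ("nop", None),   # 0
    ("call", 4),     # 1  -> subroutine at 4
    ("nop", None),   # 2  <- where F8 over the CALL lands
    ("halt", None),  # 3
    ("nop", None),   # 4  subroutine body
    ("nop", None),   # 5
    ("ret", None),   # 6
]


class ToyDebugger:
    """Minimal model of the OllyDbg keys: F2 toggle BP, F7 step into,
    F8 step over, F9 run. Hypothetical, not OllyDbg's real engine."""

    def __init__(self, program: List[Instr]):
        self.program = program
        self.pc = 0                  # entry point
        self.stack: List[int] = []   # return addresses pushed by CALL
        self.breakpoints: Set[int] = set()
        self.running = True          # False once HALT has executed

    # F2: toggle a common breakpoint at an address; returns True if now set
    def toggle_bp(self, addr: int) -> bool:
        if addr in self.breakpoints:
            self.breakpoints.remove(addr)
            return False
        self.breakpoints.add(addr)
        return True

    def _exec_one(self) -> None:
        op, arg = self.program[self.pc]
        if op == "call":
            self.stack.append(self.pc + 1)
            self.pc = arg
        elif op == "ret":
            self.pc = self.stack.pop()
        elif op == "halt":
            self.running = False
        else:
            self.pc += 1

    # F7: execute exactly one instruction, entering a CALL
    def step_into(self) -> int:
        self._exec_one()
        return self.pc

    # F8: like F7, but a CALL is executed completely; we stop at the
    # instruction after it unless a breakpoint inside the callee fires first.
    def step_over(self) -> int:
        op, _ = self.program[self.pc]
        if op != "call":
            return self.step_into()
        resume_at = self.pc + 1
        self._exec_one()
        return self._run_until({resume_at} | self.breakpoints)

    # F9: run until a breakpoint or program end. The breakpoint we are
    # sitting on is stepped off first, as a real debugger does.
    def run(self) -> int:
        self._exec_one()
        return self._run_until(self.breakpoints)

    def _run_until(self, stops: Set[int]) -> int:
        while self.running and self.pc not in stops:
            self._exec_one()
        return self.pc

    def status(self) -> str:
        return "Paused" if self.running else "Terminated"


if __name__ == "__main__":
    dbg = ToyDebugger(PROGRAM)
    dbg.toggle_bp(5)                          # F2 on address 5
    print("F9 stops at", dbg.run(), dbg.status())
    print("F9 again ->", dbg.run(), dbg.status())
```

The difference between the two stepping keys is only visible on the CALL at address 1: F7 leaves the program counter at 4 with the return address 2 on the stack, while F8 leaves it at 2 with the stack empty, the subroutine having run in between.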

Good, this was a bird's-eye glance at OLLYDBG, which we will go deeper into later, because it has many options and settings that we will continue studying in the next installments. It is very useful that you download the program, configure it and look at where the things this tutorial shows are, as well as add the plugin to practice, run and pause the CRUEHEAD CRACKME, try putting a Breakpoint on it, and practice those things so that in the second installment you are more familiar with it and we can advance slowly but surely, and without doubts.

A hug to all the CRACKSLATINOS. Until part 2.

Ricardo Narvaja, 7 November 2005

