introduction to cracking with olly 01
Post on 07-Dec-2015
INTRODUCTION TO CRACKING WITH OLLYDBG FROM ZERO
The idea of this INTRODUCTION TO CRACKING WITH OLLYDBG FROM ZERO is to give a base to everyone who is just beginning in the art of cracking with OLLYDBG. It is meant to be an introduction, but one that provides a strong enough base to move on to reading and understanding more advanced tutorials, such as those currently in the NEW COURSE of CRACKSLATINOS, which of course remains open so that new features, aids and theories keep being added, as until now.
The idea came from the newbies who read the so-called NEW COURSE of CRACKSLATINOS: they find that it starts at a very high level and cannot ease into it gradually, so they feel frustrated and often give up before starting. The idea of this INTRODUCTION is not to repeat the tutorials that already exist in that course, which are already more than 500 and of a spectacular level, but rather to lay the foundations so that whoever finishes this introduction finds it easier to read any tutorial. Obviously it will require effort, like everything in cracking, but our task is to try to lighten that effort by laying down here the bases of cracking with OLLYDBG so that they are comprehensible and can be understood easily.
Here we will not go into long speculations or reopen the old controversies about SOFTICE versus OLLYDBG and which is better, or anything like that. I believe that even the SOFTICE fanatics recognize that it is simpler to begin with OLLYDBG, since it shows more information and is more comfortable to learn with. The idea is to enter the world of cracking through the door of OLLYDBG; later, once one knows it, one can transfer easily to any other debugger, because what changes is the way the programs are used, not the essence.
FIRST THINGS FIRST
The very first thing is to get hold of the tool we are going to use most; it can be downloaded by clicking http://www.ollydbg.de/odbg110.zip
Since here we are starting from zero, we just download the file, and as it is a zip file we unzip it, preferably with WINZIP, into a folder on our hard disk that we can find easily. A good idea is to put this folder in C:/ although it works anywhere; I will put it in C:/.
Once decompressed we can enter the folder and see
There is the EXE file OLLYDBG.exe, which we will execute to launch OLLYDBG; for convenience I will make a shortcut to it on my desktop.
Good, we have now downloaded and prepared our OLLYDBG.exe; we execute it.
This message box appears, warning us that the DLL in the OLLYDBG folder is older than the system one. If we press YES, it deletes the old one from the OLLY folder and uses the system one. Although I do not see big differences, I always prefer that it use its own DLL rather than the system one, since it was designed with that DLL, so I choose NO.
There is the empty OLLYDBG, and as always the first program we will open, simply to look at the different parts of OLLYDBG and take a bird's-eye view so we can find our way around them, is the famous CRACKME OF CRUEHEAD, which comes attached to this tutorial.
To open the file to debug in OLLYDBG, we go to FILE-OPEN or click on the icon
The window opens so we can look for the file to debug, in this case the crackme of CRUEHEAD.
There the aforesaid crackme is opened, and for now it does not matter that we do not understand what it shows us; later we will learn that. The idea is to show the parts of OLLYDBG and certain configurations of it, so that when a later tutorial says, for example, go to the DUMP, they at least know where it is. So this is just for orientation; it is not a deep tutorial on OLLY.
There we see the four parts of the main window of OLLYDBG
1) DISASSEMBLY:
Also called the listing, here OLLY shows us the disassembled listing of the program we are going to debug. By DEFAULT, OLLY comes configured to analyze the program we are going to debug when it starts; this is set in OPTIONS-DEBUGGING OPTIONS.
That is, when the checkmark in AUTO START ANALYSIS OF MAIN MODULE is on, OLLYDBG analyzes the program and shows additional information about it.
There is the initial listing of the crackme of CRUEHEAD analyzed, and if it starts without analyzing, below we can see the difference.
The analyzed window shows more information which, although we do not yet know what it is, looks more complete. Still, it is good to know that the analysis can be removed from the analyzed window if one does not agree with it, or if one realizes that it is mistaken, which can happen.
Often OLLYDBG shows parts that are not listed correctly because it misinterpreted executable code as data; in that case we see DB entries like these
In that case I can manually remove the analysis OLLYDBG has made by RIGHT-CLICKING in the listing and choosing ANALYSIS-REMOVE ANALYSIS FROM MODULE
and in that case the listing remains without analysis, but correct
Another small thing that adds clarity to the work, and that at least I like (although everyone may differ on these matters), is to colorize the JUMPS and CALLS, which is done by right-clicking and choosing APPEARANCE-HIGHLIGHTING-JUMPS AND CALLS
The result is the following
There we see that the CALLS are highlighted in light blue and the JUMPS in yellow, which makes the view clearer.
Good, with that our listing is easier to interpret, although we still do not have the remotest idea what it means; but it is necessary to prepare the tools before we can learn little by little.
2) REGISTERS:
The second important window of OLLYDBG is the one of the REGISTERS
We recall that the registers window is in the upper right part of OLLYDBG; it shows quite a bit more information than just the registers themselves.
It has much more information that we will not see yet, but the way of viewing it can be changed among three forms (VIEW FPU REGISTERS, VIEW 3D NOW REGISTERS and VIEW DEBUG REGISTERS); by default the first one is chosen.
For now we will not go deeper into that, since we will mainly concern ourselves with the subject of REGISTERS and FLAGS; I mention it so that they know there are several views of the registers.
3) STACK:
Good, there we see the so-called STACK. There is not much configuration possible here, only the option of showing the information relative to the ESP register or to the EBP register.
By default, and what is used most, is the view relative to ESP, but to change to the view relative to EBP we right-click in the stack and choose GO TO EBP; to return, GO TO ESP takes us back to the default option.
In later installments we will explain the operation of the stack well; for now we only looked at how its configuration can be varied.
4) DUMP:
The DUMP window has many viewing options; by DEFAULT it shows us the HEXADECIMAL view of 8 columns or bytes, which can be modified by RIGHT-CLICKING in the DUMP and choosing the desired option.
The DEFAULT option is the one most generally used, although we have options to change it to show disassembly (DISASSEMBLE), text (TEXT) and various formats (SHORT, LONG, FLOAT)
And in addition the option SPECIAL-PE HEADER, which is very useful; what it is for we will see later in the next chapters.
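To make concrete what the different DUMP views actually do to the same bytes, here is an added Python example (not part of the original tutorial and not OllyDbg's own code). It renders a constructed block of bytes the way the dump window's HEX (8 bytes plus ASCII column), TEXT, SHORT, LONG and FLOAT views would, decoding the typed views little-endian as x86 stores values in memory. The sample bytes and the base address 0x00401000 are assumptions made for the example.

```python
import struct

# Constructed sample bytes standing in for a region of the dump; they are made
# up for this example and are not taken from the crackme or from OllyDbg.
SAMPLE = bytes([
    0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x00, 0x00, 0x00,  # "Hello" followed by zeros
    0x01, 0x00, 0x02, 0x00, 0xFF, 0xFF, 0x00, 0x00,  # shorts 1, 2, -1, 0
    0x78, 0x56, 0x34, 0x12, 0x00, 0x00, 0x80, 0x3F,  # long 0x12345678, float 1.0
])
BASE = 0x00401000  # assumed address of the first byte, only used for the labels

# Typed views of the dump: struct format (little-endian, as x86 stores values),
# element size in bytes, and how each decoded value is printed.
TYPED = {
    'SHORT': ('<h', 2, lambda v: f'{v:6d}'),
    'LONG':  ('<I', 4, lambda v: f'{v:08X}'),
    'FLOAT': ('<f', 4, lambda v: f'{v:g}'),
}


def decode(data, mode, base=BASE):
    """Decode data in the given typed view; returns [(address, value), ...]."""
    fmt, size, _ = TYPED[mode]
    # Trailing bytes that do not complete an element are left out, just as
    # the dump window does not label them as a value in that view.
    return [(base + off, struct.unpack_from(fmt, data, off)[0])
            for off in range(0, len(data) - size + 1, size)]


def _printable(b):
    """ASCII column convention: show printable characters, a dot otherwise."""
    return chr(b) if 0x20 <= b < 0x7F else '.'


def render(data, mode='HEX', base=BASE):
    """Render the bytes as lines of text in the style of the dump window."""
    lines = []
    if mode == 'HEX':            # default view: address, 8 hex bytes, ASCII column
        for off in range(0, len(data), 8):
            chunk = data[off:off + 8]
            hexpart = ' '.join(f'{b:02X}' for b in chunk).ljust(23)
            ascii_part = ''.join(_printable(b) for b in chunk)
            lines.append(f'{base + off:08X}  {hexpart}  {ascii_part}')
    elif mode == 'TEXT':         # text view: 32 characters per line, no hex
        for off in range(0, len(data), 32):
            chunk = data[off:off + 32]
            lines.append(f'{base + off:08X}  ' + ''.join(_printable(b) for b in chunk))
    elif mode in TYPED:          # SHORT / LONG / FLOAT: one decoded value per line
        fmt_value = TYPED[mode][2]
        for addr, value in decode(data, mode, base):
            lines.append(f'{addr:08X}  {fmt_value(value)}')
    else:
        raise ValueError(f'unknown dump view: {mode}')
    return lines


if __name__ == '__main__':
    for view in ('HEX', 'TEXT', 'SHORT', 'LONG', 'FLOAT'):
        print(f'--- {view} ---')
        print('\n'.join(render(SAMPLE, view)))
```

Running it prints the same 24 bytes five times, once per view: the bytes 78 56 34 12 at offset 16 read as the LONG 12345678, while the bytes 00 00 80 3F after them read as the FLOAT 1.0, which is exactly why choosing the right view in the DUMP matters when a value is stored there.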
We already know the parts seen in the main window of OLLYDBG, although there are also more windows which are not seen directly; they can be accessed both from the menu and from the view buttons.
We will see what each one is
Button L or VIEW-LOG shows us what OLLYDBG writes in the LOG window, which can be configured to show different types of information. By default the LOG window keeps information about the startup, and the information written to it by the different CONDITIONAL LOG BREAKPOINTS, which we will see later. For now we see there the information about the process that was started, in this case the crackme of cruehead, the DLLs it loads, and certain tips about the analysis.
One of the most important options of this window is logging to a file, for cases in which we wish to keep the information in a text file; in that case RIGHT-CLICK-LOG TO FILE.
Button E or VIEW-EXECUTABLES shows us the listing of executables the program uses: exe, dlls, ocxs, etc.
Here too the right button has many options that we will not see for now, since we are looking at OLLYDBG in general.
Button M or VIEW-MEMORY shows us the memory occupied by our program; there we see the sections of the executable, the dlls the process uses, as well as the stack and various sections allocated by the system. Often, while the programs run, they make new memory allocations at run time.
Right-clicking, we can SEARCH in memory for strings, hex strings, unicode, etc. In addition it gives us the possibility of placing different types of breakpoints on the sections, as well as the possibility of changing their access with SET ACCESS; later we will go deeper into this.
Button T or VIEW-THREADS gives us the listing of the THREADS of the program
Although we do not yet know what this