DENiSON
July 22nd, 2009, 18:36
Hi, I'm following a tutorial for a crackme and it's showing how to crack the crackme, but I have one problem: the language in SoftICE (what the tutorial uses) and the language in OllyDbg (the debugger I use) are totally different.
for example
012F:9E18 55 PUSH BP (in softice)
shows as
7C902200 > 55 PUSH EBP (in ollydbg)
Is there a method I can use so that OllyDbg speaks the same language as SoftICE, so to speak? It would be much easier as a newbie to understand the tutorials and whereabouts I was in the software!
Thanks
DENiSON
July 22nd, 2009, 20:05
Can it be worked out without knowing the first part of the code? E.g. just knowing the "55 PUSH BP" bit of code? After all, it's only the first bit that changes; the instruction that follows doesn't.
BanMe
July 22nd, 2009, 20:13
Not sure I understand your problem... maybe a little clarification is in order.
0x55 is the 'opcode' for PUSH EBP. I hope that is the correct answer.
Regards, BanMe
Elenil
July 22nd, 2009, 20:14
The problem sounds a bit droll.
7C902200 > 55 PUSH EBP (in ollydbg)
012F:9E18 55 PUSH BP (in softice)
The virtual address should not change (7C902200).
The 012F you see is the "selector"; 9E18 is the virtual address.
55 is the opcode in hex; PUSH EBP is the asm command.
You can turn off the selectors somehow; just read the virtual addresses.
What OS are you using?
DENiSON
July 22nd, 2009, 20:20
*Elenil* I'm using OllyDbg, and that was my problem: I didn't understand why the address in OllyDbg and in SoftICE appeared differently.
The tutorial showed it in "012F:9E18 55 PUSH BP" format, but obviously I was reading it in OllyDbg format and must have just misunderstood it. I was beginning to think I was in a totally different part of the code to the tutorial.
naides
July 22nd, 2009, 20:35
Quote:
[Originally Posted by DENiSON;82021]
012F:9E18 55 PUSH BP (in softice)
The problem is a little more complicated: this notation is not due to the fact that you are tracing with SoftICE, but that you are in a 16-bit environment, where addresses are expressed as Segment:Offset.
In this case, the segment is 012F and the offset 9E18.
When SoftICE is tracing 32-bit environments, the addresses are the same as in Olly.
Also notice that what gets pushed is BP (a 16-bit register) instead of EBP, or Extended Base Pointer (a 32-bit register).
shows as
7C902200 > 55 PUSH EBP (in ollydbg)
Now in Olly, you are looking at 32-bit code. In fact Olly cannot debug 16-bit code, as SoftICE indeed can.
Addresses are 32 bits (7C902200), or 4 bytes, long. The register EBP is 32 bits long. Actually, this particular address 7C........ is probably not in your application code but up in the operating system .dll modules, kernel32.dll or user32.dll.
Also
push EBP
or
push BP
is an extremely common asm instruction, used for setting up function call frames. There is little evidence that you are looking at the same code in Olly and SoftICE.
So probably you are using a rather old and outdated tutor and crackme, and/or using Olly to trace an old 16-bit program, which does not work: you end up tracing the operating system instead.
Learning to crack and trace old 16-bit programs is practically useless these days.
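The two points naides makes (the same byte 0x55 reads as PUSH BP in a 16-bit code segment and PUSH EBP in a 32-bit one, and 012F:9E18 is a Segment:Offset pair rather than a flat address) can be checked with a few lines of code. The following is an added illustration written for this thread, not code from any of the posters or from SoftICE or OllyDbg. The register tables and prefix handling follow the x86 encoding for the one-byte PUSH/POP reg opcodes; the selector field layout (index, table indicator, RPL) is the standard protected-mode format. The real-mode linear address helper is only meaningful in real mode; Windows 16-bit code runs in protected mode with LDT selectors, so the offset 9E18 by itself cannot be compared with Olly's 7C902200, which is exactly why the two views look unrelated.

```python
# Added illustration for this thread (not code from any poster):
# why 0x55 shows as PUSH BP under SoftICE in a 16-bit segment but
# PUSH EBP under OllyDbg in 32-bit code, and what 012F:9E18 means.

REGS16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]
REGS32 = ["E" + r for r in REGS16]


def decode_push_pop(code: bytes, default_32bit: bool) -> str:
    """Decode one PUSH/POP reg instruction (opcodes 0x50-0x5F).

    default_32bit is the code segment's D bit: False for a 16-bit
    segment (the SoftICE view in the tutorial), True for a 32-bit
    segment (what OllyDbg disassembles). A 0x66 operand-size prefix
    flips the operand size relative to that default.
    """
    i = 0
    saw_66 = False
    # Skip operand-size prefixes; repeated 0x66 bytes count as one.
    while i < len(code) and code[i] == 0x66:
        saw_66 = True
        i += 1
    if i >= len(code):
        raise ValueError("truncated instruction")
    operand_32 = default_32bit != saw_66
    opcode = code[i]
    if 0x50 <= opcode <= 0x5F:
        mnemonic = "PUSH" if opcode < 0x58 else "POP"
        reg = (REGS32 if operand_32 else REGS16)[opcode & 7]
        return f"{mnemonic} {reg}"
    raise ValueError(f"opcode {opcode:#04x} is not a one-byte PUSH/POP reg")


def split_selector(selector: int) -> dict:
    """Break a protected-mode segment selector into its fields.

    Bits 15..3 index a descriptor table, bit 2 picks LDT (1) or GDT (0),
    bits 1..0 are the requested privilege level. The segment base comes
    from that descriptor, not from the selector value itself.
    """
    return {
        "index": selector >> 3,
        "table": "LDT" if selector & 4 else "GDT",
        "rpl": selector & 3,
    }


def real_mode_linear(segment: int, offset: int) -> int:
    """Real-mode linear address: segment * 16 + offset (20-bit wrap).

    Only valid in real mode. In protected mode the selector is an index,
    so this arithmetic does not apply to a value like 012F:9E18.
    """
    return ((segment << 4) + offset) & 0xFFFFF


if __name__ == "__main__":
    # Same byte, two segment types: the tutorial's view vs Olly's view.
    print(decode_push_pop(b"\x55", default_32bit=False))  # PUSH BP
    print(decode_push_pop(b"\x55", default_32bit=True))   # PUSH EBP
    # With a 0x66 prefix a 32-bit segment pushes the 16-bit register.
    print(decode_push_pop(b"\x66\x55", default_32bit=True))  # PUSH BP
    # The selector from the tutorial: an LDT entry at ring 3.
    print(split_selector(0x012F))
```

Running it shows that nothing about the instruction changed between the two debuggers; only the default operand size of the segment being disassembled did, which is the thread's answer in one line.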