
If you had to choose?


milman
January 19th, 2004, 03:18
Ok, I am about to be in a place where I can't access the internet with any degree of reliability. As a new cracker, what should I have for disassemblers? I have researched quite a bit but nothing has quite covered this..... I have the SoftICE freeware version (available on Simtel) and OllyDbg. Which should I start out with? Sorry for the bad typing, I have had quite a few beers tonight. For those who might not think I am serious, I realize what sort of pursuit I am getting into and I don't think I have asked anything unreasonable. I am merely in a time crunch and need some advice....

Thanks,
milman

dELTA
January 19th, 2004, 09:34
I don't know what kind of tutorials you have found that don't mention any disassembler, but the following two are the ones mainly used: IDA Pro and WDASM.

milman
January 19th, 2004, 12:25
Quote:
[Originally Posted by dELTA]I don't know what kind of tutorials you have found that don't mention any disassembler, but the following two are the ones mainly used: IDA Pro and WDASM.

I'm sorry I didn't phrase my question very well. Let me try again; I was a bit intoxicated when I wrote that. I have downloaded the freeware version of IDA Pro and I have WDASM as well. My question was actually in regards to debuggers. I have been reading the posts here where SoftICE has problems with Win XP and was wondering if I should try a different debugger or stick with SoftICE. Like I said, I downloaded OllyDbg but haven't seen a lot about that app.

Thanks

sgdt
January 19th, 2004, 13:31
OllyDbg is where the fun is, followed closely by SoftIce. You'll want both.

If you go against something that is using drivers (ring 0), SoftIce is the way to go. I would also use SoftIce from time to time just to keep your skills sharp.

For everything else, I'd just use Olly. With Olly, you still have access to the rest of your computer while a process is stopped, and that is even more handy than it sounds. When you have the plug-ins installed, you can do most everything you can do in SI (with very similar commands).

After dumping in Olly, unless the protection is simple, I go directly to IDA for any of the mental work. Then, I dump the map to Olly, and use Olly for the final tests.

IDA can make even complex protections obvious. Plus, given decent symbol names, it makes the debugging process in Olly go much faster.

It took about 3 days of using Olly to fathom the fact I would never again use W32DASM. Even with that said, I still find myself learning new ways to use Olly almost daily. It's a very powerful debugger, without having to give up ring 3. It also has fewer quirks than SI...

yaa
January 25th, 2004, 16:41
sgdt, would you develop further on what you were saying about how a parallel use of IDA and OllyDbg could further "enhance our debugging experience" (ahhhhhhh, I'm talking like a MS spot!!!! ).

yaa

sgdt
January 25th, 2004, 21:24
I use Olly (and sometimes SoftIce) to remove encryption wrappers should they exist. I will then usually run in Olly just to see what I'm up against. If it takes more than a couple minutes, I then close it and load it into IDA.

IDA gives you, with almost no exaggeration, more information than the original coders had. You can even find coding mistakes quite easily (more on this in a minute).

You can graph out a registration check, even one that is very complex, with little effort. Nearly all convolution can be overcome with judicious use of code/data keys, and you visually see any place that could possibly be referencing data or code (or checking to see code is intact). It has an amazingly easy ability to have the program be exponentially easier to read as you work with it, by using named functions, named and typed parameters, and stack or global variables. As you work with the target, it becomes easier and easier to visually understand what is happening at a high level.

How does this help in Olly? Glad you asked! Because IDA allows you to navigate and name things so quickly (after initial disasm time), these names can be easily exported to Olly. Then, when you're down in the code and a break suddenly fires, you get nice names as to where you are. You could do this in Olly alone, but it probably wouldn't be as fast or detailed.

Coding mistakes... Got to love 'em. I have a friend that had a plethora of shareware games from the same company loaded on her computer. They were all expired, and she asked if I could do anything about it. I only had a half an hour of free time, and there were like 30 games. There was no way I could fix them all.

I brought up Olly, and was able to correct the first game in about 5 minutes or so, but when I loaded one up in IDA, I discovered it had a flaw... By using its graph function, I could visually see that it would set good guy to true if it opened the registry entry, but would never set it back to false if it couldn't deal with the data it was reading. It expected a number. (The root key was based on the serial number of the hard disk; all games were sub-keys of this).

So I wrote a program to enumerate through all the keys from all the games, and set them to Alpha values. Voila, all the expired games were no longer expired. They weren't technically registered, but they didn't pop nag screens or keep track of how long they were used. They were "as good as" registered. Total time was well within the 30 minutes I had.

IDA is incredibly powerful. So is Olly. Using the maps for exports allows you to take advantage of the strengths of both. I don't always bring up IDA, but when something gets complex, it's nice to have a tool that can tackle it easily.
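The coding mistake sgdt describes (a "good guy" flag set as soon as the registry key opens and never cleared when the stored value is not a number), as an added example that is not from the thread: the fail-open check beside a fail-closed one that trusts nothing until the value parses. The in-memory SAMPLE table, the day-count values and the 30-day limit are constructed stand-ins for the real registry and the games' real check.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the per-game registry sub-keys (not real Win32 calls). */
typedef struct { const char *game; const char *data; } reg_value;
static const reg_value SAMPLE[] = {
    { "game_a", "100" },   /* installed on day 100: 20 days into the trial */
    { "game_b", "50" },    /* installed on day 50: trial long over */
    { "game_c", "abc" },   /* not a number: the case the thread describes */
};
static const long NOW_DAYS = 120, TRIAL_DAYS = 30;   /* constructed "today" and limit */
static const char *reg_open(const char *game)   /* NULL = key does not exist */
{
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (strcmp(SAMPLE[i].game, game) == 0) return SAMPLE[i].data;
    return NULL;
}

static bool parse_day(const char *s, long *out)   /* whole decimal string only */
{
    char *end;
    errno = 0;
    *out = strtol(s, &end, 10);
    return *s != '\0' && *end == '\0' && errno == 0;
}
/* Fail-open (the flaw): good_guy is trusted the moment the key opens, and only a
   successfully parsed, expired date ever clears it, so junk data stays "good". */
bool trial_ok_fail_open(const char *game)
{
    bool good_guy = false;
    const char *data = reg_open(game);
    if (data != NULL) {
        good_guy = true;   /* set before the data has been looked at */
        long installed;
        if (parse_day(data, &installed) && NOW_DAYS - installed > TRIAL_DAYS)
            good_guy = false;
    }
    return good_guy;
}

/* Fail-closed: nothing is trusted until the value parses and passes the check. */
bool trial_ok_fail_closed(const char *game)
{
    long installed;
    const char *data = reg_open(game);
    if (data == NULL || !parse_day(data, &installed))
        return false;   /* missing or malformed: treat as expired, never as licensed */
    return NOW_DAYS - installed <= TRIAL_DAYS;
}
```

With the fail-open version "game_c" runs as if licensed; the fail-closed version rejects it along with any key that is missing.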

Aquatic
January 25th, 2004, 21:52
You must be very familiar with ASM.

I would use IDA more, but it just takes so long to load anything.

yaa
January 28th, 2004, 06:01
sgdt, I'd like to ask you more about Olly-IDA interactions .... what can you export from one and import in the other??? You seem to talk of some kind of symbols file that IDA can generate and be imported into Olly. What else??? Can Olly generate something that can clarify code once imported into IDA???

yaa

sgdt
January 28th, 2004, 09:21
In IDA, I just export a MAP file.

As I mentioned, I use it only when I'm going against something that's at least a little complex. I name interesting functions, and these go into the map. (I load the map into Olly).

Olly is great, but sometimes you don't get 'pointed to' saying 'hey, that's interesting'.

Take a (semi-)popular text editor. I could have found its check routine in Olly very easily. However, there was another routine that would call the check routine with known good/bad values, ensuring its integrity. If it failed, it would memset (zap) something that wouldn't show up for a while (if I remember, it was the class for saving your document) and cause an exception when you tried to save.

That would have been very difficult to find in Olly alone, but the additional references showed up in IDA like a glowing beacon to sleepy crackers.

It's almost synergy...

nikolatesla20
January 28th, 2004, 10:41
Good idea, I've never thought of doing that yet, exporting from IDA into Olly. That should make for even more effective work, like you said, synergy...

Thanks for the tip

-nt20

yaa
January 28th, 2004, 13:05
Any good (and recent) tutorial around to start using IDA???

BTW what scares me about using tools such as IDA is the dead listing approach I expect intrinsic in them ...
Algorithms are often complex, especially if they intentionally try to obfuscate what really gets done. How can a dead listing approach be of any use in such a world???

yaa

sgdt
January 30th, 2004, 20:49
Quote:
[Originally Posted by yaa]Any good (and recent) tutorial around to start using IDA???

BTW what scares me about using tools such as IDA is the dead listing approach I expect intrinsic in them ...
Algorithms are often complex, especially if they intentionally try to obfuscate what really gets done. How can a dead listing approach be of any use in such a world???

yaa

Actually, there are a lot of tutorials out there. Google turns up a number of them, especially when you combine "softice" as a keyword.

Anyway, I think you're inverting the point. Obfuscation is a LOT easier to get around in IDA than anything else I can think of. And being able to have a program draw up a chart of potential flows of code? It makes short work of most key check routines. You VISUALLY see the flow; it almost makes things TOO EASY!

There are, however, three downsides.

First is that for complex polymorphic code (complex packers and the like), it would be impractical to do an IDC script to unpack. So, dumping is nearly always done in OllyDbg or SoftIce *prior* to bringing up IDA. Simple XOR or the like, yeah, no problem. But an IDC script wouldn't stand up to the likes of ASProtect. Dump first.

The second downside of IDA is initial load time. It can take many minutes to rip a meg EXE on my P2 laptop. A four meg exe can take a lot longer (it loves memory, and my lowly laptop hasn't got much).

The third downside is that it's not intuitive about programs created in Delphi. There are a few, and it would be nice if IDA handled Delphi targets the same way PE Explorer does. (If you ever run into a Delphi target, use PE Explorer!!!).

OK, back to good stuff. You run W32Param.IDC after loading, and now you have sensible variable names for all that code making Win32 calls. Variables that you can look at visually and see what set them, you click on a variable that got assigned someplace else, and you can see all the places that set or referenced it. It's Way Cool.

Enumerations and structures, including almost everything in the Win32 SDK, it's all there. A *FOLDING* editor!!! God, did DataRescue think of everything?

You almost don't need a debugger.

In case you didn't sense my happiness, IDA is PERFECT at reversing code. Yeah, you can crack stuff, but it is GREAT for reversing too! You have a feature you want in your program, and a program that does it nicely? It's damn close to cut and paste to source code. Or you want to add a feature to someone's EXE, and you want to make sure there won't be any ill effects caused by dependencies that aren't obvious? I mean, it's nearly impossible to hide stuff from IDA.

Bring up Google, find some recent tutorials, and then head to your favorite server to download (or, buy it. Wish I could right now, but I'm broke. God has BPX'd me..).

Aquatic
January 31st, 2004, 02:48
I think sgdt should make us a tut for all this advanced stuff.