Breaking on execution with installshield
kittmaster
February 8th, 2005, 22:17
I'm trying to learn how to deal with MD5 hashing, and installshield is a good place to start. I have an old program with an old version 5; when I use the command line interface bpx getdlgitem, olly does not break when I enter the correct serial, or any serial for that matter. Using softice it breaks all day long and I can trace the code to follow the hashing process. Is there something I'm doing wrong, because olly doesn't break? I've looked through all the options and don't see anything.
I don't think installshield uses ring 0 methods, and because olly is ring 3, am I missing something as to why olly won't break on the identical command?
Any insight would help.........:|
Chris
gabri3l
February 8th, 2005, 23:52
Try setting "BP GetDlgItem". That will break inside the actual GetDlgItem function. I think in the Olly Commandbar BPX sets a breakpoint on the call to a certain function, not the execution. This call could be made by ordinal or maybe redirected, and Olly will never break because it does not see "CALL user32.getdlgitem".
blabberer
February 9th, 2005, 02:44
if you use the commandbar plugin and if you are in an nt box it will set the bp to the first line in the system if you use this syntax: bp GetDlgItem
Breakpoints
Address Module Active Disassembly Comment
004010EF FILE Always CALL <JMP.&USER32.GetMessageA>
77E1783F USER32 Always MOV ECX, DWORD PTR SS:[ESP+4]
77E1783F USER32.GetDlgItem MOV ECX, DWORD PTR SS:[ESP+4]
77E17843 CALL USER32.ValidateHwnd
77E17848 TEST EAX, EAX
77E1784A JE SHORT USER32.77E17864
if you use bpx and if the call is not available in the exe then it will show you all the calls (the output of ctrl+n) in the appropriate exe. if you are not in the context of the exe but you are in some dll and use the bpx syntax, and if it was available in that dll, it will set the bp there, not in the application you wish to set it in.
Breakpoints
Address Module Active Disassembly Comment
004010EF FILE Always CALL <JMP.&USER32.GetMessageA>
77E1783F USER32 Always MOV ECX, DWORD PTR SS:[ESP+4]
77E1A4E2 USER32 Always PUSH EBP
after setting bpx, use alt+b and look at where the bp is set before you jump to any conclusion like "it sets blah on blah blah".
thanks and regards
kittmaster
February 9th, 2005, 08:32
that worked perfectly and thanks!
The next question: is there a way to have olly follow a passed argument to an exe load function? The way installshield works is that it creates a temporary directory for the installation process files, and once that is set up the setup.exe terminates and I can no longer follow it.
I've saved the decompressed files, but all 3 exes (setup, _insXXX, and ~tempXXX) work in concert with each other, and olly can't seem to follow those newly created installation files.
How do I get olly to follow into the install temporary files? The executable modules list doesn't show them as valid files because they are labeled as ~blah.exe and the mask assumes they are invalid, yet the data generation is done there as part of the install.
??
Thanks
Chris
blabberer
February 9th, 2005, 09:08
well, let's hope we are not veering into offtopic here; i would prefer you ask questions related to ollydbg usage rather than getting into some other thing.
but as an answer: if it is spawning a process then you can use file attach on the other process that is spawned. the alt+e executable modules would list the debuggee, not the debuggee's child.
if they are acting in concert then there must be some link to them with the present debuggee, or maybe it is shell executing those newly made files.
anyway, look at the file attach option and see if there is a new process spawned and if it is waiting for some synchronization object like ZwWaitForMultipleObjects
Maybe ntdll.ZwWaitForMultipleObjects
0012FE34 00000015 \Arg1 = 00000015
0012FE38 00BA04A4 ASCII "/SL4 $1F01B0 "C:\Documents and Settings\Administrator\Desktop\blah.exe" 522577 50688 "
0012FE3C 00BB78BC ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-569QB.tmp\is-KEJVU.tmp"
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-MONND.tmp\_shfoldr.dll
kittmaster
February 9th, 2005, 14:38
That info is exactly what I'm encountering. How do I tell olly to watch for those files as they spawn? The problem is the executable modules do not show those files during run time. If I could get olly to attach to them as they are running then I'd have my problem solved. Should olly be set to break on the command? I've tried using the command search for all intermodular calls, set breaks on those, and still it doesn't break on the temporary files.
Could that be a dll call during the runtime? That is why I'm confused.
Thanks for the quick responses.....
Chris
blabberer
February 10th, 2005, 05:15
a process can be spawned only with some of these apis, viz. CreateProcess() (and all its variants, like AsUser, W, etc.), or in some cases maybe using WinExec(); this is a backward-compatible api that actually calls CreateProcess somewhere in its process. or the new process may be using ShellExecute() A or W, ShellExecuteEx() A or W, and other variants of ShellExec, or some may be directly using the NativeApi in ntdll, like ZwCreateProcess():
77F92D2C ntdll.ZwCreateProcess MOV EAX, 29
77F92D31 LEA EDX, DWORD PTR SS:[ESP+4]
77F92D35 INT 2E
77F92D37 RETN 20
watch them and you can find when a new process is spawned
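As an added example (not from the thread or any of its posters), the spawn-API list above applied as a filter over an API-call trace, reporting which calls create a process, what image each one launches, and whether that image lives under a temp directory like the is-XXXXX.tmp files quoted earlier. The trace line format, the caller addresses, the sample lines and the helper names are all constructed for this example.

```python
import re

# Process-creation APIs named in the post above, with the A/W variants spelled out.
SPAWN_APIS = {
    "CreateProcessA", "CreateProcessW", "CreateProcessAsUserA", "CreateProcessAsUserW",
    "WinExec", "ShellExecuteA", "ShellExecuteW", "ShellExecuteExA", "ShellExecuteExW",
    "ZwCreateProcess", "NtCreateProcess",
}
PATH_ARGS = ("lpApplicationName", "lpFile", "lpCommandLine", "lpCmdLine")  # Win32 names
# Assumed trace format: "<caller EIP> <api>(<name>=<value>, ...)" with no commas in values.
LINE_RE = re.compile(r"^(?P<caller>[0-9A-F]{8}) (?P<api>\w+)\((?P<args>.*)\)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed sample trace (not real OllyDbg output); paths mirror those in the thread.
SAMPLE_TRACE = r"""004012A0 GetDlgItem(hDlg=000A0342, nIDDlgItem=000003E9)
004013F0 CreateProcessA(lpApplicationName=NULL, lpCommandLine="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-569QB.tmp\is-KEJVU.tmp" /SL4 $1F01B0 "C:\Documents and Settings\Administrator\Desktop\blah.exe" 522577 50688)
00401520 LoadLibraryA(lpLibFileName="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-MONND.tmp\_shfoldr.dll")
00401600 ShellExecuteA(hwnd=00000000, lpOperation="open", lpFile="C:\Program Files\blah\readme.txt", lpParameters=NULL)
00401700 ZwCreateProcess(ProcessHandle=0012FE30, DesiredAccess=001F0FFF, SectionHandle=00000048)"""

def _arg(args, name):
    m = re.search(re.escape(name) + r"=([^,]*)", args)
    value = m.group(1).strip() if m else ""
    return None if value in ("", "NULL") else value

def _image(value):
    """Program name from a command line: the quoted path, or the text up to whitespace."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(None, 1)[0]

def spawn_events(trace):
    """One dict per process-spawning call in the trace, with the image path if visible."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m is None or m.group("api") not in SPAWN_APIS:
            continue
        image = None
        for name in PATH_ARGS:  # first path-bearing argument wins
            value = _arg(m.group("args"), name)
            if value:
                image = _image(value)
                break
        # ZwCreateProcess takes a section handle, not a path, so image stays None there.
        events.append({"caller": m.group("caller"), "api": m.group("api"),
                       "image": image, "in_temp": bool(image and TEMP_RE.search(image))})
    return events
```

Run over the sample, the CreateProcessA call is flagged as launching an image from the temp directory, while the LoadLibraryA line is ignored because loading a dll is not a spawn.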
kittmaster
February 10th, 2005, 14:45
I've seen those as stated, I think that answers my question. Thank you for your help
Chris
zero1
March 2nd, 2005, 23:24
how am i able to trace a program loaded by createprocess? let's say i am tracing program_A and it loads program_B using createprocess; how am i able to trace program_B?
TechLord
March 3rd, 2005, 10:25
You can attach using another instance of Olly.
It is easier if you break on WriteProcessMemory and then attach with the other instance of Olly to the created Thread.
zero1
March 3rd, 2005, 22:56
i tried using Attach but the program is already finished. i was hoping i could analyze the decryption process, but the process is already over when i attach to it.
how do i break on WriteProcessMemory? i think this could be the answer. i tried in Debugging Options to enable all Events, but it couldn't break on thread loading, so i assume createprocess didn't create any threads.