
A very newb question about step in and step over


ilove2
April 29th, 2005, 21:29
I just started learning how to use OllyDbg. I want to see the serial code at 004010A3 . 807C24 12 77 CMP BYTE PTR SS:[ESP+12],77,
but every time I step in or step over to
0040109D . 0F85 12040000 JNZ KGNME-6.004014B5
it jumps somewhere else, but I need to step into 77 and 70 in order to get my complete serials. Is there any way to do that?

Here is the code:

00401085 . 6A 1E PUSH 1E ; /Count = 1E (30.)
00401087 . 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14] ; |
0040108B . 52 PUSH EDX ; |Buffer
0040108C . 68 F1030000 PUSH 3F1 ; |ControlID = 3F1 (1009.)
00401091 . 56 PUSH ESI ; |hWnd = 00360278 ('-=( KeyGen Me 6 )=-',class='#32770')
00401092 . FF15 DC704000 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
00401098 . 807C24 13 72 CMP BYTE PTR SS:[ESP+13],72
0040109D . 0F85 12040000 JNZ KGNME-6.004014B5
004010A3 . 807C24 12 77 CMP BYTE PTR SS:[ESP+12],77
004010A8 . 0F85 07040000 JNZ KGNME-6.004014B5
004010AE . 807C24 15 70 CMP BYTE PTR SS:[ESP+15],70
004010B3 . 0F85 FC030000 JNZ KGNME-6.004014B5
004010B9 . 68 A4724000 PUSH KGNME-6.004072A4 ; /Text = "Level 1 - d0ne"

Ricardo Narvaja
April 30th, 2005, 05:49
Well, 72 is the letter r; maybe it is checking whether a letter of your fake serial is an r, or else bad boy.
Look in [esp+13], [esp+12] etc. and see what values are there.
Ricardo Narvaja

ilove2
April 30th, 2005, 13:08
That is source code from a crackme.
I know the other 2 real serials are in [ESP+12] and [ESP+15], but every time I step to 0040109D . 0F85 12040000 JNZ KGNME-6.004014B5 (which is jump if not equal) it jumps to another place instead of continuing down to 004010A3 . 807C24 12 77 CMP BYTE PTR SS:[ESP+12],77.
I try to use Step Into or Step Over but they just don't go down.

blabberer
May 1st, 2005, 13:07
JNZ == JNE == jump if not equal / not zero; it will jump.

So it checks whether the byte at [esp+13] == 72 (r); if it is not equal it will jump to 4014B5,
and if it is equal it will go down to the next comparison.
That checks whether the byte there is == 77 (w); if it is not equal it will jump to 4014B5, else it will go down to the next comparison, and so on and so forth.
So, as Ricardo advised, check what bytes are there in [esp+###].

BTW, these bytes are probably not filled by GetDlgItem, because it pushes
[esp+14] as the buffer address.

ilove2
May 1st, 2005, 23:50
So how do I check them? I have to step into them, right? My question is HOW DO I STEP THERE: every time I step to the first JNZ and then press STEP OVER or STEP INTO, it jumps somewhere else instead of going down to the next function.

Ricardo Narvaja
May 2nd, 2005, 05:44
First of all,

go to Debugging options in Olly and check these marks

in the

CPU tab:

SHOW DIRECTION OF JUMPS
SHOW JUMP PATH
SHOW GRAYED PATH IF JUMP IS NOT TAKEN
SHOW JUMPS TO SELECTED COMMAND

With this, when you reach a conditional jump you see a red arrow if the jump is taken and a gray arrow if the jump is not taken.

When you reach the conditional jump of the example and the JUMP will BE TAKEN (RED), go to the registers window and change the flag, in this case the Z flag.

Double-click on the Z flag; the arrow turns gray and the JUMP is not taken.

Continue tracing.

Ricardo Narvaja

ilove2
May 2nd, 2005, 21:25
I followed what you told me and it is kind of messed up; take a look at the code:

00401092 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; GetDlgItemTextA
00401098 CMP BYTE PTR SS:[ESP+13],72 ;72=='r' (I have to set a breakpoint here instead of at GetDlgItemTextA, flag Z set to 1)
0040109D JNZ 004014B5
004010A3 CMP BYTE PTR SS:[ESP+12],77 ;77=='w' (same thing, another breakpoint, flag Z set to 1)
004010A8 JNZ 004014B5
004010AE CMP BYTE PTR SS:[ESP+15],70 ;70=='p' (same, 3rd breakpoint, flag Z set to 1)
004010B3 JNZ 004014B5

I don't know what the Z flag stands for, but I followed what you said; I have to change the number from 0 to 1 or from 1 to 0 to jump to the other function.

gabri3l
May 2nd, 2005, 21:58
Okay, in a debugger Step Into means step through the code and INTO any calls you encounter.
Step Over means step through the code and OVER any calls you may encounter. When the program steps over the call, it doesn't mean that the code inside the call is not executed. It just means that you aren't stepping through all the code inside that call.

What you want to do is actually change how the program executes the code, by "stepping over" a jump. In this case Olly's Step Over command does not mean ignore a command and go to the next one.

To do what you want to do you need to change your origin.
Step over the code until you reach the JNZ.
Select the line directly under the JNZ and right-click.
Choose "New Origin Here".
There you go, you have "stepped over" the jump.

Ricardo Narvaja
May 3rd, 2005, 06:13
It is the same: changing the value of Z in the registers (from 0 to 1 or vice versa) changes the destination of the JNZ, from jump to not jump or from not jump to jump.

Ricardo Narvaja
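The following is an added example, not code from this thread or from the crackme. It models only what the posted listing shows: the push sequence before GetDlgItemTextA, the three CMP BYTE PTR SS:[ESP+x],imm / JNZ pairs, and the two branch paths. CMP and JNZ are reduced to a Zero flag so that blabberer's explanation of the jump, Ricardo's trick of double-clicking Z, and gabri3l's "New Origin Here" can all be tried offline on a constructed serial. The stack arithmetic follows the listing (LEA EDX,[ESP+14] runs after PUSH 1E, and GetDlgItemTextA is stdcall, so ESP is back where it started when the CMPs execute); the assumption that bytes past the typed text are zero is a simplification, since in the real process they are whatever was on the stack before.

```python
"""Model of the three byte checks from the KGNME-6 listing (constructed example)."""

# Addresses copied from the listing.
GOOD_BOY = 0x004010B9   # PUSH "Level 1 - d0ne"
BAD_BOY = 0x004014B5    # target of all three JNZs

# (address of CMP, address of JNZ, ESP offset, immediate byte), from the listing.
CHECKS = [
    (0x00401098, 0x0040109D, 0x13, 0x72),  # 72h = 'r'
    (0x004010A3, 0x004010A8, 0x12, 0x77),  # 77h = 'w'
    (0x004010AE, 0x004010B3, 0x15, 0x70),  # 70h = 'p'
]

BUFFER_COUNT = 0x1E     # PUSH 1E: GetDlgItemTextA copies at most Count-1 chars plus NUL


def buffer_index(esp_offset):
    """Map an [ESP+off] operand of the CMPs to an index into the text buffer.

    Let ESP = E just before PUSH 1E.  LEA EDX,[ESP+14] runs after that push,
    so the buffer passed to GetDlgItemTextA is at E - 4 + 14h = E + 10h.
    GetDlgItemTextA is stdcall (the callee pops its four arguments), so when
    the CMPs execute ESP is back at E and [ESP+off] is buffer[off - 10h].
    """
    return esp_offset - 0x10


def required_bytes():
    """Serial positions the listing constrains, as {buffer index: char}."""
    return {buffer_index(off): chr(imm) for _, _, off, imm in CHECKS}


def stack_bytes(serial):
    """Buffer contents after GetDlgItemTextA for a constructed serial.

    Assumption for this model: bytes beyond the NUL terminator are zero.
    In the real process they hold whatever the stack held before the call.
    """
    data = serial.encode("ascii")[:BUFFER_COUNT - 1] + b"\x00"
    return data + b"\x00" * (BUFFER_COUNT - len(data))


def run_check(serial, flip_zf_at=(), new_origin_after=()):
    """Walk the CMP/JNZ pairs and return (address reached, trace).

    flip_zf_at:       JNZ addresses where ZF is toggled before the jump
                      decides (Ricardo's double-click on the Z flag).
    new_origin_after: JNZ addresses skipped by moving EIP to the next
                      instruction (gabri3l's "New Origin Here").
    The trace records (JNZ address, ZF, what happened) for each jump reached.
    """
    buf = stack_bytes(serial)
    trace = []
    for _cmp_addr, jnz_addr, off, imm in CHECKS:
        zf = buf[buffer_index(off)] == imm     # CMP sets ZF when the bytes are equal
        if jnz_addr in flip_zf_at:
            zf = not zf
        if jnz_addr in new_origin_after:
            trace.append((jnz_addr, zf, "skipped"))
            continue
        taken = not zf                         # JNZ jumps when ZF == 0
        trace.append((jnz_addr, zf, "taken" if taken else "not taken"))
        if taken:
            return BAD_BOY, trace
    return GOOD_BOY, trace


if __name__ == "__main__":
    print("constrained positions:", required_bytes())
    all_jnz = {jnz for _, jnz, _, _ in CHECKS}
    for label, kwargs in [
        ("wrong serial, no tricks", {}),
        ("wrong serial, flip ZF at every JNZ", {"flip_zf_at": all_jnz}),
        ("wrong serial, new origin after every JNZ", {"new_origin_after": all_jnz}),
        ("wrong serial, flip ZF at first JNZ only", {"flip_zf_at": {0x0040109D}}),
    ]:
        reached, trace = run_check("abcdef", **kwargs)
        print(f"{label}: reached {reached:08X}")
        for jnz, zf, what in trace:
            print(f"    JNZ at {jnz:08X}: ZF={int(zf)} -> {what}")
    reached, _ = run_check("xxwrxp")
    print(f"serial satisfying the three checks: reached {reached:08X}")
```

Two things the run makes visible that the thread only states in words: with the callee's stack cleanup accounted for, the three offsets land at buffer indices 2, 3 and 5, so a serial whose third, fourth and sixth characters are w, r and p passes all three CMPs on its own; and flipping ZF at only the first JNZ still ends at the bad-boy address, because the next CMP recomputes ZF from the buffer, which is why each jump has to be forced (or skipped) separately.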

ilove2
May 4th, 2005, 19:19
Thank you gabri3l, I followed what you told me and successfully got the serials.

And thank you Ricardo Narvaja for teaching me that much stuff; before I only knew how to look for JNZ/JZ and change them to others, now I know a little about how to get the serials. It seems OllyDbg is more powerful than I thought.