
How to set breakpoints in called EXE file


alan
May 7th, 2005, 02:29
I'm a complete newbie. I wanted to crack a demo protection as follows:

1) Ctrl-F2
2) F8 until the nag screen appears.
3) Set breakpoint on currently highlighted call.
4) Ctrl-F2
5) F9 to arrive at breakpoint.
6) Remove this breakpoint.
7) F7 into the call.
8) F8 until the nag screen appears.
9) Set breakpoint on currently highlighted call.
10) Ctrl-F2
11) And so on. So hopefully the breakpoint moves closer and closer to the nag screen code.

The problem is that the code eventually calls a second EXE file. Any breakpoints that I set in the second EXE file are removed from the breakpoint window after each Ctrl-F2.

Of course, if I now try to open the second EXE as a new file in Olly, then the environment is completely wrong (stack, registers, and so on).

Can someone please tell me how to set breakpoints in the second EXE file. I searched the posts back to Jan 04.

Regards,
Alan

Ricardo Narvaja
May 7th, 2005, 06:58
Olly manages the actual process. If it creates another process, you need to put a bp on CreateProcessA and change the flag to 4 for CREATE_SUSPENDED, then reach the RET of the API, look at the EP and put an INFINITE LOOP at the EP of the new process; next, with the process manipulator, set the process to RUN, and attach with another Olly.

You are at the EP, paused; remove the infinite loop and continue debugging this new process.

Ricardo

alan
May 7th, 2005, 16:15
Thanks for your answer Ricardo. I've spent all day trying to understand it. The only bit I can do (I think) is to put "bpx CreateProcessA".

How do I "change the flag to 4"? Does "4" mean "0000 0100"?

How do I "put a INFINITE LOOP"?

What does "attach with other olly" mean? If I have the parent process in one Olly, and the child process in the other Olly, do I click "Attach" in the parent or in the child?

Regards,
Alan

Ricardo Narvaja
May 7th, 2005, 19:47
Not bpx; put

Bp CreateProcessA

When it stops, look at the parameters on the stack (this is an example creating a process named license.exe):

0012FF9C 00426090 |ModuleFileName = "License.exe"
0012FFA0 00000000 |CommandLine = NULL
0012FFA4 00000000 |pProcessSecurity = NULL
0012FFA8 00000000 |pThreadSecurity = NULL
0012FFAC 00000000 |InheritHandles = FALSE
0012FFB0 00000004 |CreationFlags = CREATE_SUSPENDED
0012FFB4 00000000 |pEnvironment = NULL
0012FFB8 00000000 |CurrentDir = NULL
0012FFBC 0040605E |pStartupInfo = 9aloader.0040605E
0012FFC0 0042605A \pProcessInfo = 9aloader.0042605A

If you look, the parameter CreationFlags is 4 (CREATE_SUSPENDED); when you reach the bp this value will be zero. Right click on this parameter, MODIFY, and put the value 4.

Next, EXECUTE TILL RETURN.

When you reach the RET you need to put an infinite loop at the EP of the new process: look at the name of the file, and look up its Entry Point beforehand with PEditor.

Open PUPE, go to Patch, put the address of the OEP, and look at the values at this address (NOTE THE ORIGINAL VALUES ON PAPER); change them to EB FE and click Patch.

With this the program has an infinite loop at the entry point, and when you leave suspended mode it will be looping at this address.

Use ProcessMemoryManipulator and, in the list of processes, look for the name and select RESUME; the process will be RUNNING and LOOPING.

For the last part, open ANOTHER OLLY INSTANCE, go to ATTACH, select the name of the new process and attach; when it stops at DEBUG BREAK, press RUN again, and then Pause.

You are at the EP; change the bytes back to the originals of the EP and continue debugging.

DON'T CLOSE the FIRST OLLY, ONLY MINIMIZE.
Ugh, this is a tutorial jeje; if you read tutorials with imagen you would understand more, I think.

Ricardo Narvaja
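Two steps in the procedure above are done by hand with PEditor and PUPE: finding the entry point (ImageBase + AddressOfEntryPoint, then section table to get the file offset) and writing the two bytes EB FE at it. The following C program is an added example, not code from the thread or from any of the tools named in it; it parses a constructed, minimal PE32 header built in memory (not a real executable) to compute the same entry point a PE editor would show, maps that RVA to a file offset through the section table, and decodes why EB FE is a jump to itself (opcode EB = JMP rel8, displacement FE = -2, so the target is the instruction's own address). The header offsets follow the standard PE/COFF layout; the sample ImageBase, entry RVA and section values are made up.

```c
/* Added example: locate a PE32 entry point and map it to a file offset,
   and show that the bytes EB FE decode to a JMP to their own address.
   The PE image here is constructed in memory; it is not a real file. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)((v >> (8 * i)) & 0xFF); }

#define IMG_SIZE 0x200
static uint8_t g_img[IMG_SIZE];

/* Constructed sample: DOS stub with e_lfanew=0x80, PE32 optional header,
   one .text section mapped at RVA 0x1000 with raw data at file offset 0x400. */
void build_sample_image(void) {
    memset(g_img, 0, sizeof g_img);
    g_img[0] = 'M'; g_img[1] = 'Z';
    wr32(g_img + 0x3C, 0x80);                  /* e_lfanew -> "PE\0\0" */
    memcpy(g_img + 0x80, "PE\0\0", 4);
    uint8_t *coff = g_img + 0x84;              /* COFF file header, 20 bytes */
    wr16(coff + 0, 0x014C);                    /* Machine: i386 */
    wr16(coff + 2, 1);                         /* NumberOfSections */
    wr16(coff + 16, 0xE0);                     /* SizeOfOptionalHeader (PE32) */
    uint8_t *opt = coff + 20;                  /* optional header */
    wr16(opt + 0, 0x10B);                      /* Magic: PE32 */
    wr32(opt + 16, 0x1234);                    /* AddressOfEntryPoint (RVA, made up) */
    wr32(opt + 28, 0x00400000);                /* ImageBase (made up) */
    uint8_t *sec = opt + 0xE0;                 /* first section header, 40 bytes */
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x2000);                     /* VirtualSize */
    wr32(sec + 12, 0x1000);                    /* VirtualAddress */
    wr32(sec + 16, 0x2000);                    /* SizeOfRawData */
    wr32(sec + 20, 0x400);                     /* PointerToRawData */
}

/* Entry point VA = ImageBase + AddressOfEntryPoint. Handles PE32 and PE32+.
   Returns 0 on success, -1 if the header is malformed or truncated. */
int pe_entry_point(const uint8_t *img, size_t len, uint64_t *ep_va, uint32_t *ep_rva) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t lfanew = rd32(img + 0x3C);
    if ((size_t)lfanew + 24 > len || memcmp(img + lfanew, "PE\0\0", 4) != 0) return -1;
    uint16_t opt_size = rd16(img + lfanew + 4 + 16);
    if ((size_t)lfanew + 24 + opt_size > len || opt_size < 32) return -1;
    const uint8_t *opt = img + lfanew + 24;
    uint16_t magic = rd16(opt);
    *ep_rva = rd32(opt + 16);
    if (magic == 0x10B) {                      /* PE32: 32-bit ImageBase at +28 */
        *ep_va = rd32(opt + 28);
    } else if (magic == 0x20B) {               /* PE32+: 64-bit ImageBase at +24 */
        *ep_va = (uint64_t)rd32(opt + 24) | ((uint64_t)rd32(opt + 28) << 32);
    } else {
        return -1;
    }
    *ep_va += *ep_rva;
    return 0;
}

/* Walk the section table to turn an RVA into a raw file offset. */
int pe_rva_to_offset(const uint8_t *img, size_t len, uint32_t rva, uint32_t *off) {
    if (len < 0x40) return -1;
    uint32_t lfanew = rd32(img + 0x3C);
    if ((size_t)lfanew + 24 > len) return -1;
    uint16_t nsec = rd16(img + lfanew + 4 + 2);
    uint16_t opt_size = rd16(img + lfanew + 4 + 16);
    const uint8_t *sec = img + lfanew + 24 + opt_size;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec - img) + 40 > len) return -1;
        uint32_t va = rd32(sec + 12), raw_size = rd32(sec + 16), raw = rd32(sec + 20);
        if (rva >= va && rva - va < raw_size) { *off = raw + (rva - va); return 0; }
    }
    return -1;
}

/* JMP rel8 (opcode EB): target = address of next instruction + signed disp.
   For EB FE the displacement is -2, so the target is the jump itself. */
uint32_t jmp_rel8_target(uint32_t addr, const uint8_t insn[2]) {
    return addr + 2 + (uint32_t)(int32_t)(int8_t)insn[1];
}

/* Convenience wrappers over the constructed sample. */
uint64_t sample_entry_va(void) {
    uint64_t va = 0; uint32_t rva = 0;
    build_sample_image();
    return pe_entry_point(g_img, IMG_SIZE, &va, &rva) == 0 ? va : 0;
}
uint32_t sample_entry_file_offset(void) {
    uint64_t va = 0; uint32_t rva = 0, off = 0;
    build_sample_image();
    if (pe_entry_point(g_img, IMG_SIZE, &va, &rva) != 0) return 0;
    return pe_rva_to_offset(g_img, IMG_SIZE, rva, &off) == 0 ? off : 0;
}
int sample_jmp_self_check(void) {
    static const uint8_t loop[2] = { 0xEB, 0xFE };
    uint32_t ep = (uint32_t)sample_entry_va();
    return jmp_rel8_target(ep, loop) == ep;
}

int main(void) {
    printf("entry point VA   : 0x%08" PRIx64 "\n", sample_entry_va());
    printf("entry file offset: 0x%x\n", sample_entry_file_offset());
    printf("EB FE jumps to itself: %s\n", sample_jmp_self_check() ? "yes" : "no");
    return 0;
}
```

With the sample values the entry point is 0x00401234 at file offset 0x634 (0x1234 - 0x1000 + 0x400); that offset is where a PE editor would show the two bytes that get noted on paper before being replaced and restored later from the attached debugger.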

alan
May 8th, 2005, 02:51
Thank you for your very detailed reply.

The nag window appears before I get to the breakpoint "CreateProcessA".

This is what happens:

I use F8 to set breakpoints further and further into the program.

If the programs are PARENT.EXE and CHILD.EXE, then all the calls are similar to:

CALL PARENT.nnnnnnnn

All these calls can be breakpointed.

Eventually, I arrive at calls such as:

CALL CHILD.nnnnnnnn

When I breakpoint this call, then press CTRL-F2, the breakpoint disappears from the "Breakpoints" window. All the previous breakpoints remain in the "Breakpoints" window.

(The child calls are actually listed as:
CALL nnnnnnnn

After the call is executed, the line in Olly changes to:
CALL CHILD.nnnnnnnn )

The assembly listing looks as if PARENT.EXE and CHILD.EXE are just one long program joined together.

I searched for "jeje imagen tutorial" in Google. It seems that all the tutorials are in Spanish. Unfortunately, I know less about Spanish than I do about disassembling. Expressed mathematically, this is:
Spanish < Assembler <= 0.01%

Regards,
Alan

Ricardo Narvaja
May 8th, 2005, 05:38
I think you are confused; Olly can only work with one process. If a second process is created, it is separate from the first; it is not possible for a process to make a call into another process.

Ricardo

alan
May 8th, 2005, 14:37
Can I send you some screen shots to prove that the parent EXE is calling routines from a second EXE?

Alan

Ricardo Narvaja
May 8th, 2005, 16:36
Send me

ricnar456@yahoo.com.ar

Ricardo