Another Nub question for you guys..


benfinkel
July 11th, 2005, 19:33
I've seen the many poorly written noob questions out there and I'm sorry for posting another.

I was reading the instructions on this website:
http://www.woodmann.com/fravia/muadib_elicense.txt

But trying to translate into the world of OllyDbg.

Could someone help me with the very first part?
"Load the program in some SoftICE loader. Wait for the trial
screen to come up and then put a bpx on GetModuleHandleA.
Push the "Try It" button and press F12 until you enter the
KERNEL32 module."

Here is what I have done:

Loaded the executable with OllyDbg.
Clicked Plugins-->Command Line
typed 'bpx GetModuleHandleA', and hit enter.
Nothing happens.

Hit View-->Threads
There are two listed.
I double-click the Red one.
Plugins-->Command Line
type 'bpx GetModuleHandleA', and hit enter
An Intermodule Calls window pops up, but nothing in it looks like the call I'm looking for.

Thanks for any points in the right direction.

-Ben

benfinkel
July 11th, 2005, 21:15
Hey, I'm even working further on this myself.

I found this following site:
http://www.digzine.com/issues/3/dig3.txt

Which is a little (okay, a LOT) beyond my skill set. I'm trying to work out the first piece of his instructions:

"The easiest way is to put a “breakpoint on read” at the start of the
main code segment, as the wrapper will have to read in the encrypted
code to decrypt it. This immediately launches into the thick of
assembler code: "

Breakpoint on Read??? Main Code segment??? These are unfamiliar terms to me. Here is how I tried to do it:

Start my executable
launched OllyDbg
File-->Attach
Chose the Executable I just launched
Clicked Attach
--It opens to CPU Thread xxxx, Module ntdll
click View --> Executable Modules
Right-Click the exe I launched (it has to be decrypted, aye?)
Choose View Code in CPU
--It opens to CPU Thread xxxxx, Module tpf (name of my exe)
Right-Click the very first line --> Breakpoint --> Memory, on access
F9 Run Program

Then I get an Access violation when executing .... press SHIFT f7/f8/f9 to pass to program.

And there I stand.

benfinkel
July 11th, 2005, 21:26
Aren't you guys glad to join me on my expedition?

So I did this:

Launched the exe
Launched olly and attached to the exe
View Executable Modules
Right-Click the exe
Choose 'Follow Entry'
Memory Access bp on THAT line, and voila. I found the code he mentioned.

Of course, now I don't know what this means:

"So a hardware breakpoint at (in this case) 03362D5F will give the IV on a
plate: F9 A9 96 F9 BC 80 43 0E."

I know that my address is different (02583B13) but I'm not sure how to 'Put a hardware breakpoint' on it.

Thanks again,

-Ben

P.S. - How do I utilize the following piece of information he gives:

"<the following is the signature for finding this routine>
03362BB2 |. 68 00010000 PUSH 100
03362BB7 |. 6A 00 PUSH 0
"
? Thanks.

benfinkel
July 11th, 2005, 22:01
Or how about a different approach as well.

The man says:
"...there’s nothing to stop the user waiting until the code segment is
decrypted, then dumping it back to the original exe file. This is what
most wrapper-cracking tutorials say to do."

How would I manage that? I can attach to the process, and I can get the software running (with a license), so at what point and how would I dump a decrypted version of the executable?

Thanks

Ricardo Narvaja
July 12th, 2005, 06:01
Could someone help me with the very first part?
"Load the program in some SoftICE loader. Wait for the trial
screen to come up and then put a bpx on GetModuleHandleA.
Push the "Try It" button and press F12 until you enter the
KERNEL32 module."

Translation to OLLY (only for Windows XP, 2000, 2003 or NT; not possible in W95, 98, ME):

Load the program in OllyDbg, wait for the trial screen, go to the command line in OllyDbg and type bp GetModuleHandleA, push the "Try It" button, and when it stops you are in kernel32 in the API GetModuleHandleA.

Ricardo Narvaja

benfinkel
July 12th, 2005, 08:47
Thank you Ricardo,

I appreciate the detailed answer. I'm going to try that and play around myself some more. I'll be back.

--Ben

Bob
July 19th, 2005, 10:23
You seem to be learning OK by yourself; you don't need our help.

But to set a hardware breakpoint, just right-click the code (make sure the highlighted line is in the right place) and select Breakpoint > Hardware, on execution.

Dumping should be done before executing the OEP, when the code is decrypted in memory. There are many tools to do this, but you just need a good hex editor. Basically, save the area of memory to disk once it is unpacked, then close everything, load the original exe in a hex editor and replace the original (encrypted) section with the one saved.
To find the offsets use PEiD or LordPE or any of their clones.

~BoB~
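The offsets Bob refers to come from the PE section table: PEiD and LordPE read each section's VirtualAddress, SizeOfRawData and PointerToRawData and use them to translate an address seen in the debugger into the position of the same bytes in the file on disk. That translation is the everyday bookkeeping of a malware analyst relating a memory address to a file offset, and it also explains why Ben's address differs from the tutorial's: the same module simply loads at a different base. The following Python is an added example written for this page; it is not code from any of the posters and not from PEiD or LordPE. It builds a constructed minimal PE32 image inline (headers and section table only, no real code), parses the section table, and maps virtual addresses to file offsets. The names `build_sample_pe`, `parse_sections` and `va_to_file_offset` and all sample values are my own.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
SECTION_HDR = '<8sIIIIIIHHI'      # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = '<HHIIIHH'             # IMAGE_FILE_HEADER, 20 bytes


def build_sample_pe(image_base, sections):
    """Construct a minimal PE32 image (DOS stub, NT headers, section table only).

    Constructed sample data for this example, not a real binary.
    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
    """
    e_lfanew = 0x40
    dos = struct.pack('<H', IMAGE_DOS_SIGNATURE) + b'\x00' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into('<I', opt, 28, image_base)  # ImageBase sits at offset 28 in PE32
    table = b''.join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b'\x00'),
                    vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, va, rsize, rptr in sections)
    return dos + struct.pack('<I', IMAGE_NT_SIGNATURE) + coff + bytes(opt) + table


def parse_sections(data):
    """Return (ImageBase from the header, list of section dicts) for a PE file image."""
    if struct.unpack_from('<H', data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if struct.unpack_from('<I', data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('missing PE signature')
    coff_off = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from('<H', data, opt_off)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from('<I', data, opt_off + 28)[0]
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from('<Q', data, opt_off + 24)[0]
    else:
        raise ValueError('unknown optional header magic 0x%x' % magic)
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_HDR, data, sect_off + 40 * i)
        sections.append({'name': f[0].rstrip(b'\x00').decode('ascii', 'replace'),
                         'vsize': f[1], 'va': f[2], 'rsize': f[3], 'rptr': f[4],
                         'chars': f[9]})
    return image_base, sections


def va_to_file_offset(load_base, sections, va):
    """Map a virtual address seen in the debugger to the file offset holding those bytes.

    load_base is the address the module is actually loaded at (take it from the
    debugger's module list); it equals the header ImageBase only when the loader did
    not relocate the image. Returns None when the address has no bytes on disk.
    """
    rva = va - load_base
    if rva < 0:
        return None
    if sections and rva < sections[0]['va']:
        return rva  # the headers are mapped 1:1 from the start of the file
    for s in sections:
        span = max(s['vsize'], s['rsize'])  # a section occupies at least this much memory
        if s['va'] <= rva < s['va'] + span:
            delta = rva - s['va']
            if delta >= s['rsize']:
                return None  # zero-filled tail (e.g. .bss) that the file does not store
            return s['rptr'] + delta
    return None


if __name__ == '__main__':
    # Constructed sample: a .text section plus a .data section with a large uninitialised tail.
    image = build_sample_pe(0x400000, [('.text', 0x1200, 0x1000, 0x1200, 0x400),
                                       ('.data', 0x3000, 0x3000, 0x200, 0x1600)])
    base, secs = parse_sections(image)
    for s in secs:
        print('%-6s VA %08x vsize %06x raw %06x @ file %06x'
              % (s['name'], s['va'], s['vsize'], s['rsize'], s['rptr']))
    for addr in (0x401234, 0x403100, 0x404000):
        print('%08x -> %r' % (addr, va_to_file_offset(base, secs, addr)))
```

Two details matter in practice. First, pass the base the debugger reports for the module rather than the header's ImageBase; a relocated module (the usual reason two people see different addresses for the same routine) keeps the same RVAs but a different base. Second, an address inside a section's VirtualSize but past its SizeOfRawData maps to nothing on disk, which is why the function returns None there instead of a misleading offset.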