
I'm debugging some app inside OllyDbg, so these are the two steps I take to start debugging the app.

  1. I load the exe from the File menu with input arguments
  2. Set a breakpoint on the msvcr71.printf function

After these two initial steps, when I hit F9 the app shows some messages generated with the printf function depending on the input arguments (for now I'm testing a wrong password, which shows the app's messages about a wrong password). So now I need to jump to the code which holds the logic, the code that made the call to printf, by checking if the password was good or bad. How can this be done, when I have set the breakpoint?

Thanks

Igor

3 Answers


Here is a way to go back to the caller. The following is a small C++ crackme for demonstration:

    #include <stdio.h>
    #include <string.h>
    #include <conio.h>   /* getch(); Windows-only, like the OllyDbg target */

    int main() {
        char code[50] = "";
        char valid[] = "12345";          /* the hardcoded serial */
        printf("Enter your password : \n");
        /* fgets replaces the original unbounded gets(); the trailing
           newline is stripped so the comparison below still works. */
        if (fgets(code, sizeof code, stdin) != NULL)
            code[strcspn(code, "\n")] = '\0';
        /* A printf of a constant string ending in '\n' is typically
           compiled into a puts call, which is what shows up in OllyDbg. */
        if (!strcmp(code, valid))
            printf("That's it!!!\n");    /* goodboy message */
        else
            printf("Try again!!!\n");    /* badboy message */
        getch();
        return 0;
    }


Step 1

Now, as usual, you load the app in OllyDbg. Assume that we do not know anything about the inner logic of the crackme. So let's put a breakpoint on the functions which print to the console. The best bet is to search for all intermodular calls.



Step 2

So you see it calls puts. This function is used to display a string on the console and is called from 3 places. So let's place a breakpoint on the function itself so that we can know from where it is called.

Now the function is defined at VA 0x75898D04. So put a breakpoint over there.



Step 3

Now run the app by pressing F9 until the breakpoint is hit.


Now look at the stack at the bottom right: it shows the place to which puts would return after executing, as well as the parameters passed to this function.

Since the parameter passed here is the string asking for the password, we can skip it until we get to the badboy message string. So continue pressing F9 until you get to the point where the parameter passed is the badboy message. (The console meanwhile asks for the password; write something there.)

So we run till here.


Step 4


puts would return to VA 0x401C66, and the parameter passed is the badboy message. So let's go to 0x401C66. Press Ctrl+G in the CPU window to go there. You can also press Enter directly on the return address shown on the stack.

So we land here.



Step 5

Just above the puts call there is a strcmp call checking our entered serial against a hardcoded value. If you explore a little you can see that the hardcoded value is 12345.

(You may set a breakpoint on the strcmp call and restart the target to see what is being compared with what.)

So that's the serial which would skip the badboy message and land us at the goodboy message.

I am not suggesting the Ctrl+F9 method because you may sometimes encounter a function which never returns. Such functions are specifically coded to obfuscate and thwart static and dynamic analysis. However, in other cases the Ctrl+F9 method is pretty good.

0xec

Once your breakpoint on printf() is hit, press Ctrl+F9 to tell OllyDbg to run until the end of the printf() function, then press F7 to single-step the return instruction back to the caller.

Jason Geffner
  • If I try Ctrl+F9, the code prints just the first message of all three; otherwise with F9 it prints all three messages. Both Ctrl+F9 and F9 skip the code until the KiFastSystemCallRet call. So the code is stuck here and I can't move, only restart the app. With Ctrl+F9, after this hit I hit F7, but the code does not jump to the code logic I need, just something random. Thanks for your help. – Igor Dec 27 '13 at 22:38
  • Please post a screenshot of OllyDbg paused at the printf() breakpoint. – Jason Geffner Dec 27 '13 at 22:55
  • OK, to update you a little. I'm learning from the book 'Secrets of Reverse Engineering'. http://i.imgur.com/To9LhuV.png This one is about the breakpoint. http://i.imgur.com/r7M7xCN.png This screenshot shows where the code skips to after I hit F9. – Igor Dec 27 '13 at 23:00
  • That breakpoint is not on the printf() function; it's on the call to the printf() function. And don't bother using F9 in this context as it will just run your program until it terminates. – Jason Geffner Dec 27 '13 at 23:34
  • With Ctrl+F9 the app in debug mode prints just the first message and not the other two. But if I use Ctrl+F9 and then F7 as you tell me, here is how it looks and where the code goes: http://i.imgur.com/aWBrdCg.png – Igor Dec 27 '13 at 23:45
  • My answer above was given with the understanding that your debugger was suspended at the first instruction of printf(). – Jason Geffner Dec 28 '13 at 01:31
  • Maybe this screenshot will help; this is what the author is saying in his book. http://prntscr.com/2eisds So I'm loading the messages, I just don't know how to get inside the function. The assembly code is that function which I need to get to... – Igor Dec 28 '13 at 04:14
  • I still have the problem. I'm hitting Ctrl+F9, but I can't get into the function that made the call to printf(). – Igor Dec 29 '13 at 04:43

Both of your screenshots are irrelevant: the app has terminated in the first screenshot, and it is in some random ZwMapSection in the second screenshot.

You posted that you set a bp on printf. Was the breakpoint hit? If it was hit, then you can look at the call stack using Ctrl+K; OllyDbg will show you who called printf.

Your screenshots do not show whether you had hit the breakpoint and whether you are suspended in the call to printf, as Jason posted in his comment.

Also, with OllyDbg you can use the run trace feature to trace the complete path; that can help you isolate the logic. Have you tried using it?

blabb