
INTRODUCTION TO CRACKING WITH OLLYDBG, PART 3

WHAT ARE THE REGISTERS AND WHAT ARE THEY FOR

Now, what exactly are the registers and what are they for? Well, the processor needs helpers in its
task of executing programs, and the registers help it with that. When we look at ASM instructions we
will see, for example, that the contents of two memory locations cannot be added directly: the
processor must first move one of them into a register and then add it to the other memory location.
This is just one example, but of course certain registers have more specific uses, as we will see.

ESP points to the top value of the stack; let's look at our Crackme by Cruehead as an example.

ESP is worth 12FFC4, and if we look at the stack in OLLY at that same moment

we see that it points to the top of our stack or, put in a friendlier way, to the top card of our
deck.

EIP is another very important register: it points to the instruction that is being executed at this
moment. Let's see.

Let's look at the OLLYDBG listing: when starting the Cruehead crackme it stops at 401000, which is
of course the first instruction to execute, and the value of EIP while it is stopped there is
401000.
If I press F7 it executes the first instruction and moves on to the next one.

EIP is now worth 401002, and in the listing we see that it executed the first instruction and we are
now at 401002.

The other registers can take variable values and serve to assist the processor in executing the
instructions; ECX is used almost always as a counter, and the others are more flexible and help in
the execution of programs, as we will see in the explanation of each instruction.

Remember where OLLYDBG showed us the value of the REGISTERS.

We see first that they are EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI and EIP.

Those are the so-called 32-bit REGISTERS.

OLLYDBG expresses the contents in hexadecimal; we see for example that EAX is worth 00000000,
and the maximum value it could hold is FFFFFFFF, which converted to BINARY would be
11111111111111111111111111111111.
We see that there are 32 bits, each one with the possibility of being 0 or 1 in binary; that is why
these are called 32-bit registers.

In ASM language it is possible to operate on parts of the 32-bit registers; in this case EAX can be
subdivided.

Let's look at it in OLLY, for more practice, with an example:


I will change the value of EAX to whatever I want, in this case 12345678. I open OLLYDBG and my
program there will be the CRACKME BY CRUEHEAD, although it could be any program. Once it starts
and stops at the beginning, I right-click on EAX and choose MODIFY.

In the window that opens I write the value 12345678 in the hexadecimal line.

It looks like this.

Then I accept with OK.

There we see how it changed to the value I wanted; OLLYDBG has the peculiarity of putting the
values that are modified in RED.

As we said, it is possible to use only parts of EAX; in this case AX would be the 16-bit register
made up of the last four digits of EAX, so AX would be worth 5678 in this case. We verify it in
OLLY: in the command bar we type

? AX (since the question mark also serves to find the value of an expression or a register)

When I press ENTER

we see that it says 5678, which is what we supposed: AX is the last four digits of EAX.
AL and AH also exist; let's look in OLLYDBG at what these are.

AL

AH

That is, if EAX=12345678, AX is the last four digits, 5678,

AH is the number 56, and AL is the last two digits, 78.

In the same way EBX can be subdivided into BX, BH and BL, and so on; subdivisions exist for
almost all the other registers.

HOW TO CHANGE THE VALUES OF THE REGISTERS

We already saw how the values of the registers can be changed in OLLYDBG; what we did with EAX
can be done the same way with the other registers, selecting the register whose value we want to
change and then doing RIGHT CLICK-MODIFY, except in the case of EIP, since it points to the
instruction that is being executed.

To change EIP we proceed as follows:

Since EIP always points to the instruction that is about to execute, we choose a new instruction
in the listing.

Once it is selected, as in this example 40101A, I do RIGHT CLICK-NEW ORIGIN HERE on it and EIP
changes to 40101A, and the program continues executing from there.

As we see, EIP is left worth 40101A.

WHAT ARE THE FLAGS?

As we saw in the first tutorial, in OLLYDBG below the registers are the flags or indicators.
We see that the flags are C P A Z S T D and O.

We see that they can only take the values zero or one, and that they tell us that, when executing a
certain instruction, something has happened, depending on which flag it is.
Let's look at what each one indicates:

THE O FLAG or OVERFLOW FLAG

It is set when, on performing an operation, the result changes sign, giving an incorrect value.

Let's look at this example in OLLYDBG, as always in the CRACKME BY CRUEHEAD, so that along the
way we keep practicing with OLLYDBG. I modify the value of EAX, as we did before, to 7FFFFFFF,
which is the maximum possible positive value.

Now I will add 1 to it, which will exceed EAX's ability to show a positive result, since 80000000
already corresponds to a negative number.

For that I press the space bar, which lets me write instructions.

It shows me the window where I write ADD EAX, 1.

When I press the ASSEMBLE button we see that it replaces the instruction that was previously at
401000 with the one I wrote.

ADD EAX, 1 (we will see it when we enumerate and explain the instructions) would add the value 1
to EAX, keeping the result in EAX itself.

I see that before executing the line with F7 the O flag is at zero. If I execute the instruction
with F7 to see what happens, when it performs this operation I see that EAX, on adding 1, overflows
and shows me 80000000, which crosses the line of the sign change.

The O FLAG is set, going to 1, indicating to me that the operation exceeded the maximum possible
result; that is its function, to indicate when an instruction overflows on execution.

THE A FLAG or AUXILIARY

It has a similar function but for operations done with other formats that do not interest us for
now.

THE P FLAG or PARITY

This flag is set when we execute an instruction and its result is a value that, converted to
binary, has an even number of ones, like for example 1010, or 1100, or 1111000: results whose
total count of ones is even.

To prove this, since we have ADD EAX, 1 written in OLLYDBG and we already executed that line to
test the previous flag, we select it again and do RIGHT CLICK-NEW ORIGIN HERE, which takes EIP
back to 401000 (we go back), so that if I press F7 it executes again the instruction we wrote,
ADD EAX, 1.

There we are, then, again just before executing the addition, with EAX worth 00000000 and the P
flag worth 1 because of the previous operation; let's see what happens when we add 1 to EAX again.

We press F7. We see that P shows 0, because the result shown, EAX=00000001, is 1 in binary and
has a single 1, which is an odd number of ones, so it is not set.

And now I right-click again on our ADD EAX, 1 and do RIGHT CLICK-NEW ORIGIN HERE to go back, add
1 again and press F7.

We see that EAX, which was worth one, on adding one is now worth 2, which is 10 in binary, so the
result still has a single one and the P flag is not set. If I repeat the procedure once more,
going back and pressing F7 to add 1 to EAX again,
EAX is now worth 3, which in BINARY is 11, that is, the result has an even number of ones and so
the P FLAG, or parity flag, is set.

With that we see how this FLAG works: on executing an operation it looks at the result and, if
it has an even number of ones in BINARY, it is set.

THE Z FLAG or ZERO FLAG

One of the best known and most used in cracking is the ZERO FLAG; it is set when we execute an
instruction and the result is zero.
We can go back with RIGHT CLICK-NEW ORIGIN HERE to our ADD EAX, 1 at 401000, but now we change
the value of EAX to FFFFFFFF, which is -1 in decimal, so that when we press F7 and execute
ADD EAX, 1 we add -1 + 1, the result is zero, and we see whether the Z FLAG is set.

We see that on pressing F7, EAX is at zero and, as the result is zero, the Z FLAG is set, going
to one.

I think it is clear that this flag is set when the result of an instruction is zero; further on
we will see various other ways of setting it.

THE S FLAG or SIGN FLAG

It is set when the result of an operation is negative; that is, if I want to prove it, I change
EAX to FFFFFFF8, which is -8 in decimal,
and go back with NEW ORIGIN HERE to my ADD EAX, 1. On pressing F7 and executing it, I am adding
the value 1 to -8; the result is FFFFFFF9, which is -7 in decimal, which is negative, so the SIGN
flag should be set. Let's check it in OLLY.

We see that on pressing F7 and doing the addition, the S flag, or sign flag, is set to 1. It is
clear how it works: a negative result from an instruction sets the S FLAG.

THE C FLAG or CARRY FLAG

It is set when the result exceeds the maximum value that can be shown; if we put EAX at FFFFFFFF
and add 1 to it, as we did in the previous cases, we see the CARRY FLAG being set to 1.
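The register subdivision seen earlier (AX, AH, AL of EAX) and the flag experiments with ADD EAX, 1, carried through in code as an added example that is not part of the tutorial: a small C model of a 32-bit ADD that computes C, P, Z, S and O for the tutorial's own EAX values. One detail the CPU adds to the tutorial's description: the parity flag only counts the ones in the low byte of the result, which is why the model masks to 8 bits (the tutorial's small examples all fit in that byte).

```c
#include <stdint.h>
#include <stdio.h>

/* Flags as OllyDbg shows them under the registers (1 = set, 0 = clear). */
typedef struct {
    uint32_t result;
    int C, P, Z, S, O;
} add_result;

/* Number of 1 bits in the low byte only: the x86 parity flag ignores the
   upper 24 bits of the result. */
static int popcount8(uint32_t v) {
    int n = 0;
    for (v &= 0xFF; v; v >>= 1) n += v & 1;
    return n;
}

/* Model of ADD dst, src on 32-bit operands, computing C, P, Z, S and O. */
add_result add32(uint32_t dst, uint32_t src) {
    add_result r;
    uint64_t wide = (uint64_t)dst + src;        /* keep the 33rd bit for carry */
    r.result = (uint32_t)wide;
    r.C = (wide >> 32) & 1;                      /* unsigned result did not fit */
    r.Z = r.result == 0;                         /* result is zero */
    r.S = r.result >> 31;                        /* top bit set: negative */
    r.P = popcount8(r.result) % 2 == 0;          /* even number of ones in low byte */
    /* overflow: both operands had the same sign and the result has the other */
    r.O = (~(dst ^ src) & (dst ^ r.result)) >> 31;
    return r;
}

/* The 16-bit and 8-bit views of a 32-bit register: AX, AH and AL for EAX. */
uint16_t reg16(uint32_t r) { return (uint16_t)(r & 0xFFFF); }
uint8_t  reg8h(uint32_t r) { return (uint8_t)((r >> 8) & 0xFF); }
uint8_t  reg8l(uint32_t r) { return (uint8_t)(r & 0xFF); }

int main(void) {
    printf("EAX=12345678 -> AX=%04X AH=%02X AL=%02X\n",
           reg16(0x12345678), reg8h(0x12345678), reg8l(0x12345678));
    /* The EAX values used in the tutorial's ADD EAX, 1 experiments. */
    uint32_t trials[] = {0x7FFFFFFF, 0, 1, 2, 0xFFFFFFFF, 0xFFFFFFF8};
    for (size_t i = 0; i < sizeof trials / sizeof trials[0]; i++) {
        add_result r = add32(trials[i], 1);
        printf("ADD EAX,1 with EAX=%08X -> %08X  C=%d P=%d Z=%d S=%d O=%d\n",
               trials[i], r.result, r.C, r.P, r.Z, r.S, r.O);
    }
    return 0;
}
```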

THE T, D and I FLAGS

We will not explain them for now because they are quite complex; we will do it further on if
needed, but they are of no great interest for now, since we are only going to explain the simplest
instructions, so we will leave them for later.

Well, with this we have an idea of what each register is and in which case each FLAG is set; with
that information we will be able, in the third part, to study instruction by instruction, since so
far we have only seen the ADD instruction, to help us understand when each FLAG is set.

This part and the next one are the most indigestible of all, so read them with patience, practice
with our ADD EAX, 1 in OLLY to set the FLAGS on execution, and we will see each other in part 3 of
this INTRODUCTION. It is very important that all these basic concepts are well engraved in your
memory; I recommend reading, practicing and rereading until there are no doubts.
Until part 4. Ricardo Narvaja, 10 November 2005
