Lab16A: Using Ollydbg To Analyze Lab09-01.Exe: Finding The Main Entry Point

This document provides instructions for using OllyDbg to analyze the Lab09-01.exe file. It describes using OllyDbg to step through the program and view the entry point, parameters, and code execution. Key steps include pressing F8 40 times to step over code, setting breakpoints, and using F7 to step through a subroutine. The goal is to observe the program testing for a registry key and building a string to delete the executable file.
LAB16a: Using OllyDbg to Analyze Lab09-01.exe
Finding the Main Entry Point
Open the Lab09-01.exe file in IDA Pro.

Click Options, General. Check "Line Prefixes", as shown below.


Click OK.
Click Windows, "Reset Desktop".
IDA Pro shows that main starts at 0x402AF0, as shown below:
Using OllyDbg to Walk Through Quickly
First you can get OllyDbg 1.10 here:
http://www.ollydbg.de/download.htm
##Don't waste your time on OllyDbg 2.00 or 2.01. They are both broken.

Open Lab09-01.exe in OllyDbg.


You start at a preamble, which comes before the entry point you saw in IDA Pro, as
shown below.
Press F8 forty times, to step over until address 0x403933. In the upper left pane of
OllyDbg, scroll down a few lines to show the code that sets the arguments and calls
main, as highlighted below.
Press F7 five times to load parameters and call main from 0x403945, showing a new
section of code starting at 0x402AF0, as shown below.

Press F7 twenty-one times to call a short subroutine and get to 0x402AFD, as shown
below.
This CMP operation is testing to see if the number of command-line arguments is 1.
Press F7 three times to pass the test and jump to 0x00401000, as shown below.

Now we are in the routine starting at 0x401000.


It calls RegOpenKeyExA at 0x40101B.
Left-click the line starting with 0x401021 and press F2 to put a breakpoint there. That
address turns red, as shown below.
Left-click the line starting with 0x401000. Press F9 to run to the breakpoint.

Look at the upper right to see the registers. EAX now contains 2, as shown below.
This is a "non-zero error code", as explained here:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724897(v=vs.85).aspx
That means the test failed--it did not find the registry key it was looking for.
Press F7 three times to get to ___location 0x401027.
Press F7 to execute the JMP.
Press F7 three times to step through the subroutine and get to 0x402B08.

Press F7 three times to get to ___location 0x402410, as shown below:


This function uses GetModuleFileName to get the path to the current executable and
builds the ASCII string
    /c del path-to-executable >> NUL
To see that, place a breakpoint just after GetShortPathNameA, so its address turns red,
as shown below.

Click the line starting with 0x402410 to highlight it.


Press F9 to run to the breakpoint.
You should now be at the line ending with ASCII "/c del ", as shown below.
By holding F7 down or tapping it many times, you can play the code forward like a
movie in slow motion.
Watch as the code slowly steps through a long path name in EDI. Then the path name
flips quickly through several registers, ending up in EDX.
Stop when you see a string in EDX, starting with
ASCII "/c del C:\
as shown below:
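As an added example, not part of the lab, here is a small Python check in the defender's direction: given process-creation records, it flags a cmd.exe child whose "/c del <path> >> NUL" argument names its own parent's executable, which is the self-deletion string the lab watches being built in EDX. The event records, user names and paths below are constructed for the example.

```python
import re

# Constructed sample process-creation records (not from the lab):
# (parent image path, child image path, child command line)
SAMPLE_EVENTS = [
    ("C:\\Users\\lab\\Desktop\\Lab09-01.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c del C:\\Users\\lab\\Desktop\\Lab09-01.exe >> NUL"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c del C:\\Temp\\build.log >> NUL"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe notes.txt"),
]

# Shape of the string the lab shows being assembled: /c del <path> >> NUL
# The path may or may not be quoted; matching is case-insensitive like cmd.exe.
DEL_PATTERN = re.compile(r'/c\s+del\s+"?([^">]+?)"?\s*>>\s*NUL\b', re.IGNORECASE)


def self_delete_target(command_line):
    """Return the path named in a '/c del <path> >> NUL' command, or None."""
    match = DEL_PATTERN.search(command_line)
    return match.group(1).strip() if match else None


def is_self_deletion(parent_image, command_line):
    """True when the deleted path is the parent process's own executable."""
    target = self_delete_target(command_line)
    if target is None:
        return False
    # Windows paths are case-insensitive, so normalise before comparing.
    return target.lower() == parent_image.lower()


def find_self_deletions(events):
    """Return the parent image paths that spawned a cmd.exe to delete themselves."""
    return [parent for parent, _child, cmd in events if is_self_deletion(parent, cmd)]


if __name__ == "__main__":
    for parent in find_self_deletions(SAMPLE_EVENTS):
        print("self-deletion via cmd.exe observed for:", parent)
```

Only the first constructed record is flagged; the second deletes an unrelated log file and the third contains no del command at all.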
