Lena's Tuts: 04. Basic + aesthetic patching

[why06]

Lena's Tuts Summaries
04. Basic + aesthetic patching

"Welcome to Lena's Tut's Summaries numero quatro! Be excited because I believe that tutorial #4 is the first introduction to a real program. So prepare to be astonished by the amount of data to sort through. Luckily a Lena did a fine job selecting a target. If you made it through the first three you should breeze through this and learn some interesting techniques along the way."- why06

<< Previous: #3 Nag Removal

Introduction:

The target will be PixtopianBook.exe, an address book application for managing contact information. The objective is to get rid of all the limitations in this application so that it will act like the registered version.This tutorial starts off with encountering an exception. Personally I did not encounter this so I won't give any explanation further then this. Next we examine the application. Then upon finding the restrictions we locate and patch them to open up the full functionality of the program.

What is Covered:

• Alt+F9 (new)
• Binary Search (new)
• Basic ASM
• Basic Debugger Usage

Alt-F9: Or "Execute till User Code" is a Olly global shorcut introduced in this tutorial.

Alt+F9 - execute till user code, traces program without entering function calls or updating CPU and stops when next encountered command belongs to module that doesn't reside in system directory. As program is executed step-by-step, this may take some time. Press Esc to stop tracing.

For non-programmers this may be difficult. I recommend reading a little about Windows Architecture. After all we are reversers. It's crucial you know at least the basics about the Operating System since it controls the execution of all code. I also recommend at least the introduction from Windows Internals Fifth Ed.

Basically when Pixtopian displays the message boxes an API is being called. This API is called MessageBox. If you have yet to encounter this API refer to the previous tutorials.

Now when MessageBox is called, it in turn will call a kernel function to display the message.

This is because only the kernel has access to the hardware components of the computer such as the display screen. Therefore when you pause Olly and Hit Alt-F9 your telling Olly to break after you hit Ok on the Message Box. Because you paused Olly once you hit Ok the kernel returns to Pixtopian and breaks just after the call to MessageBox.

For more Shortcuts always refer to the Olly Helpfile.

Conclusion:

Okay. I admit it, this summary was rather on the short side, but that's because most of this tutorial is pretty self explanatory, and very little else was covered that was not covered in previous tutorials. The only other things covered in this tutorial were binary searching (already covered) and the Find References command, but since Lena wanted to save that one for later I don't think I should address it either. I think #4 was just to expose reversers to real applications. Don't worry if #4 was to get your feet wet, #5 is to get you knee deep in it, so enjoy this one while you can. and bring your game face for #5. Oh and congratulation on cracking your first real application!

And as always I include a copy of the files to decrease the load on Tuts4you and provide a backup.

[[MPGH]NextGen1]

Nice and Thanks

[258456]

i am always getting an access violation even though i put the correct settings in the exceptions window. I have win 7 x64. What's the problem.

[258456]

Nm it works now and btw this one was really easy the only thing is that alt f9 doesnt work for me I have the newest version

[[MPGH]master131]

Nice bump and double post?

[258456]

lol, this section is dead, you should thank me.

[why06]

Yeh there's no such thing as a bump in this section. In anycase I heard Olly2 was still in beta so I haven't tried it yet. How is it?

[258456]

idk, i have the newest version and i can't seem to add plugins, but a few minutes of googling should do it, lol. btw, loving these tuts. And also btw, how do you "Back to User" in the new version of olly 2.01?