Exetools > General > General Discussion

Quick OllyDbg Question

#1  06-04-2005, 02:35
lilmeanman
Hello everyone! I'm using OllyDbg 1.10 to crack "Mail Server Pro v1.5" and I have a quick question:

Code:
004B0454  /. 55             PUSH EBP
004B0455  |. 8BEC           MOV EBP,ESP
004B0457  |. 83C4 E0        ADD ESP,-20
004B045A  |. 53             PUSH EBX
004B045B  |. 33C9           XOR ECX,ECX
004B045D  |. 894D E0        MOV DWORD PTR SS:[EBP-20],ECX
004B0460  |. 894D E8        MOV DWORD PTR SS:[EBP-18],ECX
004B0463  |. 894D E4        MOV DWORD PTR SS:[EBP-1C],ECX
004B0466  |. 8955 F8        MOV DWORD PTR SS:[EBP-8],EDX
004B0469  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
004B046C  |. 33C0           XOR EAX,EAX
004B046E  |. 55             PUSH EBP
004B046F  |. 68 4C054B00    PUSH SMTP_ser.004B054C
004B0474  |. 64:FF30        PUSH DWORD PTR FS:[EAX]
004B0477  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
004B047A  |. B8 60054B00    MOV EAX,SMTP_ser.004B0560                ;  ASCII "<!>"
004B047F  |. 8945 EC        MOV DWORD PTR SS:[EBP-14],EAX
004B0482  |. B8 6C054B00    MOV EAX,SMTP_ser.004B056C                ;  ASCII "CMD=Register"
The above code is called when a valid key is not found in the registry. However, I cannot figure out where in the hell the code is jumped to or returned from.
For example, after it goes through all the serial checking etc., it's either got to jump to that code or return to the code. Is there a way of tracing back?

#2  06-04-2005, 03:34
gabri3l
If you set a BP on
Code:
004B0454  /. 55             PUSH EBP
And run until you break, Then the address that called this function "should" be on the top of the stack.

I have also found that sometimes w32dasm can find the referenced calls or jumps to functions that sometimes Olly cannot.

#3  06-04-2005, 09:54
ricnar456
Or mark 4B0454 and right-click -> Find references to -> Selected command, and it shows you the direct references. (If it was called from CALL EAX or JMP EDI or similar, for example, you can only get the reference with gabri3l's method: putting a BP and looking at the top of the stack.)

Ricardo Narvaja

#4  06-04-2005, 13:26
SLV
> sometimes w32dasm can find the referenced calls or jumps to functions
or IDA may make x-refs...

#5  06-04-2005, 18:23
codeX
Hi lilmeanman,

I'm not sure that I've understood you well.

But put a BP on 004B0454 and when it breaks change the PUSH EBP to RETN to go back to the CALL.

Regards...

#6  06-04-2005, 18:57
Naides
One Possibility is that the call to your code is generated dynamically at runtime, something like:

call [EAX +50]

Under those circumstances, disassembly listings from W32Dasm or IDA cannot cross-reference the caller code. You need to see it in live tracing...

One very useful resource is the call stack window. In SoftIce type: WS. In Olly: View -> Call Stack (Alt-K)

You will see a list of addresses with modules: A called B that Called C that Called D that called your code. The actual addresses you see in the list are the return address, which is the next instruction after the call was made.

By placing breakpoints or examining the code around each call you will be able to locate, at each deeper layer, the chain of events that resulted in calling your "bad boy" "key not found" routine.

One problem: if there are one or more Structured Exception Handler (SEH) frames set up during the chain of calls (call stack), the order of call and return may change, depending on an exception being generated and handled, so the flow of the code stack is not as linear as I described, but it "branches".

Hope I did not confuse you more.

#7  06-04-2005, 19:24
hosiminh
in CPU Window right click -> Search for -> All commands -> call 004B0454

#8  06-04-2005, 23:48
MaRKuS-DJM
Maybe it's worth mentioning: a jump in the form of [XXXXXXXX*X*EAX] can't be found the way you described.

#9  06-06-2005, 08:13
Naides

Originally posted by MaRKuS-DJM:
> Maybe it's worth mentioning: a jump in the form of [XXXXXXXX*X*EAX] can't be found the way you described.
That is correct, Markus. Jump instructions do not leave a "trail" in the stack, so there is no simple way to backtrace them; only forward tracing will do, EXCEPT if you use a debugging tool whose link was posted by, I think, Nikola. This debugger allows forward and backward LIVE tracing.
It apparently keeps a record of the instruction path taken by the code, allowing you to backtrace an arbitrary number of instructions.
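The two approaches in this thread, finding direct references statically (ricnar456's Find references and hosiminh's Search for -> All commands) and walking back from the return address found on top of the stack or in the Alt-K call stack (gabri3l, Naides), can be modelled in a few lines of Python. The script below is an added example, not code from the thread or from OllyDbg. It scans a constructed x86 byte buffer for direct CALL/JMP rel32 whose computed destination is 004B0454, lists indirect CALL/JMP r/m32 forms (the `call [EAX+50]` and `[XXXXXXXX+EAX*4]` jump-table cases Naides and MaRKuS-DJM describe) as unresolvable without live tracing, and recovers the calling instruction from a return address. Only the target address 004B0454 comes from the original post; CODE_VA, the SAMPLE bytes and the helper names are assumptions.

```python
import struct

# Added example, not code from the thread or from OllyDbg. Only the target
# address 004B0454 comes from the original post; CODE_VA and the SAMPLE bytes
# below are constructed for illustration.
CODE_VA = 0x004B0400
TARGET = 0x004B0454
REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# Constructed code laid out at CODE_VA (VA and Olly-style disassembly per line):
SAMPLE = bytes.fromhex(
    "E84F000000"      # 004B0400  CALL 004B0454                 direct, hits target
    "FF5050"          # 004B0405  CALL DWORD PTR [EAX+50]       indirect (Naides' case)
    "E947000000"      # 004B0408  JMP 004B0454                  direct, hits target
    "FF248500104B00"  # 004B040D  JMP DWORD PTR [EAX*4+4B1000]  jump table (MaRKuS' case)
    "C3"              # 004B0414  RETN
    "E8E6000000"      # 004B0415  CALL 004B0500                 direct, other target
    "C3"              # 004B041A  RETN
)


def decode_rm32(code, i):
    """Decode a ModRM (+SIB, +disp) operand at code[i]; return (Olly-style text, bytes consumed)."""
    modrm = code[i]
    mod, rm, length = modrm >> 6, modrm & 7, 1
    if mod == 3:                                   # register direct, e.g. CALL EAX
        return REGS[rm], length
    parts = []
    if rm == 4:                                    # SIB byte follows
        sib = code[i + 1]
        length += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if index != 4:                             # index 100b means "no index"
            parts.append(f"{REGS[index]}*{scale}")
        rm = base                                  # base is then selected like a plain r/m
    if rm == 5 and mod == 0:                       # no base register: absolute disp32
        parts.append(f"{struct.unpack_from('<I', code, i + length)[0]:08X}")
        length += 4
    else:
        parts.append(REGS[rm])
    disp = ""
    if mod in (1, 2):                              # signed disp8 / disp32
        fmt, size = ("<b", 1) if mod == 1 else ("<i", 4)
        disp = f"{struct.unpack_from(fmt, code, i + length)[0]:+X}"
        length += size
    return f"DWORD PTR [{'+'.join(parts)}{disp}]", length


def scan_refs(code, code_va, target):
    """Static 'find references': try a decode at every offset, the way a search
    for all commands runs over a disassembly. Direct CALL/JMP rel32 whose
    computed destination equals target go to `direct`; CALL/JMP r/m32 (FF /2,
    FF /4) go to `indirect`: their destination depends on runtime register values."""
    direct, indirect = [], []
    for i in range(len(code)):
        op, va = code[i], code_va + i
        try:
            if op in (0xE8, 0xE9):                                   # CALL/JMP rel32
                dest = (va + 5 + struct.unpack_from("<i", code, i + 1)[0]) & 0xFFFFFFFF
                if dest == target:
                    direct.append((va, "CALL" if op == 0xE8 else "JMP"))
            elif op == 0xFF and ((code[i + 1] >> 3) & 7) in (2, 4):  # CALL/JMP r/m32
                text, _ = decode_rm32(code, i + 1)
                kind = "CALL" if ((code[i + 1] >> 3) & 7) == 2 else "JMP"
                indirect.append((va, f"{kind} {text}"))
        except (IndexError, struct.error):                           # truncated at buffer end
            pass
    return direct, indirect


def call_site(code, code_va, ret_va):
    """Walk back from a return address (top of stack when the BP on PUSH EBP hits,
    or an entry in View -> Call stack) to the CALL that pushed it."""
    off = ret_va - code_va
    if off >= 5 and code[off - 5] == 0xE8:         # CALL rel32 is always 5 bytes
        rel = struct.unpack_from("<i", code, off - 4)[0]
        return ret_va - 5, f"CALL {(ret_va + rel) & 0xFFFFFFFF:08X}"
    for length in range(2, 8):                     # CALL r/m32 (FF /2) is 2..7 bytes
        start = off - length
        if start < 0 or code[start] != 0xFF or ((code[start + 1] >> 3) & 7) != 2:
            continue
        try:
            text, rm_len = decode_rm32(code, start + 1)
        except (IndexError, struct.error):
            continue
        if 1 + rm_len == length:                   # operand must end exactly at ret_va
            return ret_va - length, "CALL " + text
    return None


if __name__ == "__main__":
    direct, indirect = scan_refs(SAMPLE, CODE_VA, TARGET)
    for va, kind in direct:
        print(f"{va:08X}  {kind} {TARGET:08X}")
    for va, text in indirect:
        print(f"{va:08X}  {text}   <- needs Alt-K or a BP on the callee")
    print(call_site(SAMPLE, CODE_VA, 0x004B0408))
```

A byte-wise scan starts a decode at every offset, so on a real section it can report a hit for an E8 that actually sits inside an immediate or a data table; Olly's search runs over its analysed disassembly and avoids that, so treat the static output as candidates to confirm with a breakpoint. Conditional and short jumps (Jcc rel32, JMP SHORT rel8) follow the same "next instruction plus displacement" rule and can be added to scan_refs the same way. The indirect list is the real caveat: those destinations depend on register contents at the moment of the call, which is exactly why the breakpoint-on-PUSH-EBP and Alt-K methods are needed, and call_site shows how to turn the return address they give you into the CALL instruction, whether it was a direct CALL or a CALL through a register or memory operand.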
All times are GMT +8.