OllyDBG, follow Call Function

StackOverflow https://stackoverflow.com/questions/21957547

  •  15-10-2022
  •  | 
  •  

Question

I recently started learning reversing again, and I encountered a problem using my OllyDBG. When debugging an EXE which has buttons that every button does a different thing, I can't seem to find a way to follow a specific button's code.

For example: I have a KeygenMe with 3 buttons: "Login", "About", "Exit". I want OllyDbg to follow what happens when I press the "Login" button.

How do I do that? I know it is possible as I've done it before.

No correct solution

OTHER TIPS

You can follow a button by asking for olly to stop when the program returns from a funcion. Do this:

  1. Start debugging your KeygenMe.
  2. Focus on ollydbg window and press Ctrol+F9
  3. Focus on the KeygenMe and click on the button.

Olly will stop on the return of the button function.

Some times olly may stop a little bit far from where you want to go like in user32.dll, so you'll need to trace back your way.

you can do this using two tectiques(that i know):

(Use one after you landed on the return)

Use trace back:

  1. Run your program normally and then hit trace over Ctrol+F11
  2. Then go back using - (Minus Key from numeric keyboard)

or Use Breakpoints

  1. Put breakpoints till you find from were this function is called
  2. Using Right click on the code find the references for the struction that you find on the first step.
  3. keep doint step 1 and 2 till you find your function

(i use both but some times the first one don't work)

The way described above I think is the general one,and it should work on the majority of cases. However, if you already know in which compiler the app was built, you can use a specific approach for it and eventually you can reach faster and more precise what you are looking for.

Supposing the worse case that your exe wasn't built with .NET and you can't decompile it easily. There are some tricks. For instance Delphi/C++ builder apps make a table in the binary with public object event and addresses, it is extremely easy to decode it, in fact there are some Olly scripts to do that. On the other hand, if it was made with Visual C using MFC or something like that you can easily reach it if you know how MFC is called.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top