8. Manual Search For Text Strings

To continue experimenting with OllyDbg features, let's open another sample program, simple_IO_vc7.exe, compiled by MSVC++ version 8.0.
The text search for a particular string can be done manually as follows:
1. Click View -> Executable modules
2. Debug -> Run
3. The program runs.
4. Right-click executable module, and choose View memory
5. Double click the .rdata section of simple_I module (.rdata is the name of memory segment where all read-only constants are loaded.)
6. Right-click anywhere in the dump area, then click Search for -> Binary string. Look for the word "Please".
7. Once appropriate "Please..." text is found, write down its address.
8. Click View CPU to display the current instruction. (Clicking the EIP register in the register view usually takes you to the current instruction.)
9. Right-click the opcodes, Search for -> Binary String, and enter address in little endian format.
  - For example, if "Please" was found at 00407124, then you should search for the binary string 24 71 40 00.
10. Once the string is found, we should observe that it is used by the the PUSH command, preparing it for the console output call.
11. Right-click the PUSH command, and then Breakpoint -> Toggle.
12. Debug -> Run
13. The execution will stop at the PUSH instruction where the breakpoint was just set.
14. Debug -> Step over (or F8)
15. Debug -> Step over (or F8)
16. Click the console window. You should see "Please enter password:" prompt.
17. Go back to the CPU window (click View -> CPU.)
18. Use F8 to step until the the program begins to wait for the user input:
```
    0040102C     68 40904000    PUSH simple_I.00409040
    00401031     E8 24000000    CALL simple_I.0040105A
    00401036     83C4 04        ADD ESP,4
```
19. Right-click the address 00401036 and Toggle breakpoint there (you can do this while the program is still waiting for user input.)
20. Type a single character, for example, 'A' (hexadecimal 41), and hit the Enter key.
21. The program returns back to the instruction
```
    00401036     83C4 04        ADD ESP,4
```
22. Hit F8 once. OllyDbg moves to next line:
```
    00401039     83F8 50        CMP EAX,50
```
23. The console input call returns the entered character code in EAX register. Apparently, the program is ready to examine the EAX value.
24. Double click the EAX register, and change it's value to hexadecimal 00000050.
25. What ASCII character corresponds to hex 50?
26. Use F8 a few more times to step through the program. Notice that it prints "password is correct, goodbye!"
27. Thus, the fragment
```
    0040102C     68 40904000    PUSH simple_I.00409040
    00401031     E8 24000000    CALL simple_I.0040105A
    00401036     83C4 04        ADD ESP,4
```
  is responsible for the input of the user password.
28. Since we know at this point that x50 is the correct password, we can permanently disable the above fragment by replacing it with
```
    0040102C     B8 50000000    MOV EAX,50
```
  However, since the instruction MOV EAX,50 takes only 5 bytes of memory, the rest of the fragment must be patched by a series of NOP instructions.
29. Right click
```
    0040102C     68 40904000    PUSH simple_I.00409040
```
  and then Assemble. Enter MOV EAX,50.
30. Right click
```
    00401031     E8 24000000    CALL simple_I.0040105A
```
  and then Assemble. Enter NOP. Make sure Fill with NOP's option is checked.
31. Right click
```
    00401036     83C4 04        ADD ESP,4
```
  and then Assemble. Enter NOP. Make sure Fill with NOP's option is checked.
32. The resulting changes now look like this:
```
    0040102C     B8 50000000    MOV EAX,50
    00401031     90             NOP
    00401032     90             NOP
    00401033     90             NOP
    00401034     90             NOP
    00401035     90             NOP
    00401036     90             NOP
    00401037     90             NOP
    00401038     90             NOP
```
33. Click View menu -> Breakpoints, then right-click on each breakpoint and choose Remove. Since code changed, we no longer need those breakpoints.
34. Go back to the CPU window, right-click the code fragment containing the changes, and choose Copy to executable -> All modifications.
35. Click Copy All.
36. New D-window (disassembly window) opens. Close this window. The File changed prompt appears, indicating that the EXE indeed differs from the original.
37. Click YES and answer positively that you wish to overwrite the original executable.
38. Try to run the modified program from a command prompt. How does it behave now?

<<< Searching For Referenced Text Strings

Index

Simple_IO Source >>>