x64dbg: How to find caller of function

  • Published 4 Dec 2024

COMMENTS • 101

  • @gqqnbig
    1 year ago +18

    Hi Paul, it's time to do the dishes!

    • @justineandreiparong589
      14 days ago

      Hahahaha, I can't understand what he's saying. I know it's a debugging tool,
      but please can we elaborate the meaning?

  • @viet.khoaiegg
    4 years ago +3

    Your video is the best on YouTube about how to use OllyDbg. Very easy to understand. Thanks

    • @PaulChin20
      4 years ago +1

      Wow, thanks!

    • @gqqnbig
      1 year ago +3

      Jeez, he's not using olly at all

  • @balaadam639
    3 years ago +2

    God bless you Mr Paul

  • @Teo97b
    1 year ago +1

    You can also put a breakpoint at the start of the subroutine, execute "manually" (step into/over) until RET to see where the caller was, I guess.

  • @Bonnie39
    1 year ago +2

    What if I'm trying to search for a string that shows up in a message box when verification fails but there are no references to that string in the debugger? I've already tried searching for it in all modules as well, still finding nothing.

    • @PaulChin20
      1 year ago +1

      You could use the Call Stack method to locate the function that shows the message box, or, use inter-modular call method to do it. The CSL and CSP course teaches how to do it: crackinglessons.com/learn

  • @compinerd732
    1 month ago

    Thank you so much for this video. I wanted to get into this for a long time, and with the previous experience this all made a lot of sense to me. I'm trying the same now and will report back if I succeed :D

    • @compinerd732
      1 month ago

      Well, I failed because the address you showed at 2:31 doesn't lead anywhere. You have "byte ptr [esp+4]=[address]=0", I have "byte ptr ds:[r15+52]=[52 'R']=???". I put a breakpoint on it but it seems to never get executed in the first place, so I'm thinking that my "check" for if it's registered or not is somewhere else... right? For now I'll watch some more videos - do you have any other idea, if the checkpoint is not referenced with "unregistred", how I can find it? Maybe by a routine the program is using internally where it checks if it's registered. The button says "translate", which in the end leads to the message "file is too big 10mb max, it has 11mb - consider patreon for no limit" in the program. I can probably find it through there, no? Can you maybe recommend me a video or similar to progress on this?

  • @techytools5668
    1 year ago +2

    Hi, I am learning reverse engineering to patch software. Can you help me in this?

    • @PaulChin20
      1 year ago

      Take my CSL and CSP course here: crackinglessons.com/learn

  • @HongKongTamilan
    4 years ago +2

    Good teacher

  • @abbasradmard1574
    3 years ago +1

    very nice and informative video. Thanks a lot.

    • @PaulChin20
      3 years ago

      Welcome Abbas. Thanks for watching my videos!

  • @Wan_Destroyer
    1 year ago +1

    Hello, what if I don't see the strings? It's on a console application.

    • @PaulChin20
      1 year ago

      Try using Resource Hacker to open the exe file.

  • @AmeyahOfficialTV
    3 years ago +1

    What would u do if there is no string, aka the string is created on the run, but is not presaved in the binary.

    • @PaulChin20
      3 years ago

      It depends. If we suspect the strings are encrypted, we try to put breakpoints on the decryption APIs. Or, if they are stack strings, we then need to trace the stack to identify those strings. My MALDEV1 and MALDEV2 courses teach how to evade Anti-virus by string encryption. You can check it out here: crackinglessons.com/learn

  • @vincentvidal3305
    4 years ago +3

    Hi Paul, interesting topic. Thanks for the video. In this example, it is easier because the string of characters is visible in the code and therefore easy to find. How would you proceed if the strings are invisible in the code? (The messages appear in the warning windows, but not in the code). Thank you.

    • @PaulChin20
      4 years ago +6

      Another method is called the "Call Stack Method". In this method, you examine the Call Stack to identify the address where the software makes a call to show the Bad Message. For example, after entering a serial key, you get a MessageBox which says "Wrong Serial Key". Don't close the Message Box. Instead, click on the Pause button to pause the debugger. Then click on the Call Stack button. You will then see the Call Stack where you can examine the history of function calls since the software started. Look for the most recent function call originating from User Module space and going to the System. Then, go to that address and put a breakpoint.

    • @vincentvidal3305
      4 years ago +3

      Hi Paul, I tried using this example program downloadable here: xtx.free.fr/archives/liens/xtx%20cracking%20progressif/Pack/Chapitre%2001/4%20-%20CrackMe2/CrackMe2 .rar using x86dbg after loading I execute it then enter ID + Pwd (any) and I get the window. I put on Pause then I click on "Call Stack", in the list which appears that it is the most recent? The one above or below? There are "Party" System and User rather in User? Thank you for your help.

    • @PaulChin20
      4 years ago +4

      @vincentvidal3305 The most recent calls appear on top. But usually the few on top are system calls; what you need to look for are the user module calls, usually with lower addresses, e.g. 0x004xxxxx

  • @Devfinxict
    3 years ago +1

    hi paul.in udemy tutorial if make tutorial for find How would you proceed if the strings are invisible in the code in ollydbg thanks

    • @PaulChin20
      3 years ago

      Could be stacked strings, or they are encrypted. If stacked strings, you need to examine the stack when the program checks for the key. If it is encrypted, put breakpoints on the decryption function APIs. My Maldev1 and Maldev2 courses teach how to do that. Check it out here: crackinglessons.com/learn

  • @dangerdsouza7151
    4 years ago +4

    Hi, your video was helpful to learn. In some software it shows trial, free, and pro, and it has a license key too for activation. How can I bypass? Can you make one video on that please? Or can it be cracked? Software called EaseUS Todo PCTrans 11.3

    • @PaulChin20
      4 years ago

      It is covered in the CSP course available here: crackinglessons.com/learn

  • @redchameleon613
    2 years ago +1

    Hi Paul, thanks a lot that helps. A question though, how would I find what function is called, when a particular button on UI gets clicked?

    • @PaulChin20
      2 years ago +1

      You can use the Message Breakpoint method: ua-cam.com/video/6iHz71lTq-s/v-deo.html The rest of the video is available in my CSL course: crackinglessons.com/learn Thanks for your interest!

    • @redchameleon613
      2 years ago +1

      @PaulChin20 Thank you Paul. Will have a look at the course. I probably don't need most of the topics, but that one is of particular interest at the moment.

    • @PaulChin20
      2 years ago

      @redchameleon613 Welcome, bro!

  • @johnsonroy7233
    3 years ago +1

    Can you please show how to crack or bypass Think-Cell software license key

    • @PaulChin20
      3 years ago

      Hi Johnson, Sorry, at the moment I am unable to accept cracking requests. But you can learn how to crack software from my courses available here: crackinglessons.com/learn

  • @Teo97b
    1 year ago

    What if "find references to selected address" doesn't show any result? And I'm sure it's definitely a subroutine.

  • @bapakkaugaming3153
    4 years ago +1

    Why can't I double click to change?

    • @PaulChin20
      4 years ago

      Please provide more details. Which button did you click? And for what program?

  • @wanderingknight10
    3 years ago +1

    Every time I search for string references the program crashes

    • @PaulChin20
      3 years ago

      xdbg crash or the program you are debugging crashes?

  • @seriouce4832
    4 years ago

    Great video!

  • @whoareyou5355
    4 years ago +1

    Nice video.

  • @kgztn
    4 years ago +1

    Why can't I edit when I double click??

    • @PaulChin20
      4 years ago

      I think you need to press space bar.

  • @AGGOUNE2020
    4 years ago

    In 1:28, tell me, is it good or not when I change je by jne? And thank you for this good tutorial.

    • @PaulChin20
      4 years ago

      Hi, thanks for watching, you can get the answer here in the CSP course: crackinglessons.com/learn

  • @FemtechStudio
    4 years ago +2

    Hi Mr. Paul thank you so much, sir could you please create a video on how to Patch plotagon story

    • @PaulChin20
      4 years ago

      Thanks for your interest, I will take a look when free.

  • @rafaellisboa8493
    11 months ago

    brooooooooo why the clear mode

  • @amindeli9168
    3 months ago

    Hey, can you help me bypass the login of a software? It is a video player that requires registration to play videos.

  • @Veto_
    5 months ago

    Hi Paul do you have discord?

  • @gotonethatcansee
    1 month ago

    who is cleaning in the kitchen

  • @iamdavidtega3056
    3 years ago +1

    hello sir, can you make a tutorial on how to patch plotagon studio ??? urgent... Thanks

    • @PaulChin20
      3 years ago

      Thanks for your interest. There is a crack request thread in the Discussion section for the CSP course: crackinglessons.com/learn You can post your crack request there. Thanks!

    • @iamdavidtega3056
      3 years ago +1

      @PaulChin20 Sorry sir, I can't access the discussion section of the website above. Please just take a look at the application plotagon studio for a sec and tell me a way to reverse engineer it, thanks

    • @PaulChin20
      3 years ago

      @iamdavidtega3056 You need to sign up for the CSP course - then you can access the discussion. Thanks!

  • @andersenbrown5017
    4 years ago +1

    Hi, I wanted to ask a question. Would you know why my debugger does not patch the changes, it does not save the changes? I put a different name when patching the file! I would appreciate your help, thank you !!

    • @PaulChin20
      4 years ago

      If the patch is successful you will see a message as shown here: ibb.co/mq9dr3R If it is not successful it will say 0/2 patch applied.

  • @RixtronixLAB
    4 years ago +1

    How can I reverse engineer *.exe from Delphi ? I can not see a string from my own code ?
    pasteboard.co/JpQ1qau.png
    Thanks

    • @PaulChin20
      4 years ago

      You could try the call stack method instead. When a bad message shows, pause xdbg and click on call stack menu. Then from the list of the call stack, select the user module and select Follow From.

    • @RixtronixLAB
      4 years ago +1

      @PaulChin20 Could you make a short video capture on how to do that? Thanks

    • @RixtronixLAB
      4 years ago

      @PaulChin20 Start from there? pasteboard.co/JpZqlth.png , then?

    • @RixtronixLAB
      4 years ago

      @PaulChin20 I got: pasteboard.co/JpZrKuj.png , then?

    • @RixtronixLAB
      4 years ago

      The code, when executed : pasteboard.co/JpZsiIs.png, I want to know how to update the Serial from exe file.

  • @enriques7774
    3 years ago +1

    IDM not found

    • @PaulChin20
      3 years ago

      idm? Anyway thanks for watching my videos.

  • @karipoprinsley7041
    1 year ago +1

    can you crack infinite algebra

    • @PaulChin20
      1 year ago

      Sorry Karipo, I only provide courses. You can enrol for the CSL and CSP courses here: crackinglessons.com/learn Thanks for your interest!

  • @narendratodarwal1176
    4 years ago +1

    How sir to do serial key

    • @PaulChin20
      4 years ago

      Here's a whole cracking software series here: ua-cam.com/channels/9TkBqyRc2bQuKUOl_vJtVA.html

  • @QueenTea-j7v
    19 days ago

    100th comment!

  • @garyprieto9769
    2 years ago +1

    Can you help me?

    • @PaulChin20
      2 years ago

      What can I do for you?

    • @garyprieto9769
      2 years ago +1

      I need to crack a piece of software for work

    • @garyprieto9769
      2 years ago

      I'm from Uruguay

    • @PaulChin20
      2 years ago

      @garyprieto9769 Sorry Gary, I do not provide cracking services. I only provide cracking courses: crackinglessons.com/learn Thanks!

  • @otmanedz
    2 years ago +1

    God bless you Mr Paul

    • @PaulChin20
      2 years ago

      Thank you Techno Otmane!

    • @tahargermanni6205
      1 year ago +1

      @PaulChin20 Hi Paul, could you please help me to bypass registry in an app whose manufacturer is not existing any more?

    • @PaulChin20
      1 year ago

      @tahargermanni6205 Below is a list of APIs used when reading from the Registry:
      1. `RegOpenKeyEx`: This function is used to open the registry key that you want to read from. This is usually the first function called when reading from the registry, because you need a handle to the key to perform other operations.
      2. `RegQueryValueEx`: After a key has been opened with `RegOpenKeyEx`, `RegQueryValueEx` is used to retrieve the data and type of a specified value associated with the opened key.
      3. `RegEnumKeyEx`: This function is used to enumerate the subkeys of the specified open registry key. This can be useful if you need to read from multiple subkeys.
      4. `RegEnumValue`: Similar to `RegEnumKeyEx`, but used for enumerating the values for the specified open registry key.
      5. `RegQueryInfoKey`: This function retrieves information about the specified registry key, such as the number of subkeys, the number of value entries, and the last write time.
      Use x64dbg to put breakpoints on all of them and then run. When it hits those breakpoints, just Step Over each one and modify accordingly. Either reverse the logic, or reverse the jumps, or NOP some bytes.

    • @tahargermanni6205
      1 year ago

      @PaulChin20 Thank you very much Paul for your return.
      The error message didn't say registration key, it says invalid registration just after executing the app.

    • @PaulChin20
      1 year ago

      @tahargermanni6205 Your original question asked about how to bypass registry.