Home/ Questions/Q 6049263
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T07:33:22+00:00

I am new to reverse engineering, and I have been looking at a simple

  • 0

I am new to reverse engineering, and I have been looking at a simple program:

char* a = "hello world";
printf(a);

However, when I open this in ollydbg, I am not taken right to the assembly as I would have been in gdb, there are many more instructions first. I was wondering why this was happening.

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Depending how you attach to the program with olly, you’ll be take to one of two places(if no errors occurred):

    • The module entry point (aka the system glue and CRT wrapper for main/WinMain/DllMain): this occurs when you start a program with olly.
    • NtUserBreakPoint: this is when you attach to an existing process.

    To navigate to where you want you can use ctrl + e to bring up the modules window, from there, select the module you want. Then use crtl + n to bring up the symbols window for your current module (note: for non-exported symbols to be available, the pdb’s need to be available or you need to perform an object scan of your obj’s for that build).

    if your taken to the ModuleEntryPoint you can also just spelunk down the call chain (generally you want the second call/jmp), this gets you to the crt entrypoint, from there just look for a call with 3/5/4 args, this will be main/WinMain/DllMain:

    from here:

    Blackene.<ModuleEntryPoint> 004029C3                                   E8 FC030000                                             CALL Blackene.__security_init_cookie
004029C8                                                             ^ E9 D7FCFFFF                                             JMP Blackene.__tmainCRTStartup

    we goto here:

    Blackene.__tmainCRTStartup 004026A4                                    6A 58                                                   PUSH 58
004026A6                                                               68 48474000                                             PUSH Blackene.00404748
004026AB                                                               E8 1C060000                                             CALL Blackene.__SEH_prolog4
004026B0                                                               33DB                                                    XOR EBX,EBX

    then scroll down here:

    004027D3                                                               6A 0A                                                   PUSH 0A
004027D5                                                               58                                                      POP EAX
004027D6                                                               50                                                      PUSH EAX
004027D7                                                               56                                                      PUSH ESI
004027D8                                                               6A 00                                                   PUSH 0
004027DA                                                               68 00004000                                             PUSH Blackene.00400000
004027DF                                                               E8 2CF2FFFF                                             CALL Blackene.WinMain

    I’m assuming ollydbg 1.10 is being used.

    • 0