Cracking with OllyDbg


INTRODUCTION TO THE CRACKING WITH OLLYDBG FROM CRACKLATINOS(_kienmanowar_)

I. Foreword

Once again, greetings to all the members of REA. I happened to visit Ricardo Narvaja's site and found this set of tutorials, which is quite good and very basic, suited to anyone who wants to learn about cracking with the help of a debugger that has become very famous: OllyDbg. I really like the tutorials from Cracklatinos, but unfortunately they are all in Spanish. Since I found this set so good, I got carried away and decided to translate it from Spanish into English, and then, from the English, laboriously rewrote it the way I understand it, to pass on what I know to everyone.

The main idea of this tutorial series, according to its author, is to provide the most basic knowledge to anyone preparing to start learning the art of cracking with the help of OllyDbg. Although the title of the tutorial is "Introduction" (that is, only an introduction), the series in fact gives us a solid foundation for reading and understanding the tutorials aimed at advanced readers, especially those about to be published on Cracklatinos (hehe, its author advertises pretty hard). The series also helps us become able to apply new techniques in cracking.

II. Why OllyDbg?

On joining REA, the first thing we probably notice most is how often OllyDbg shows up. So why OllyDbg and not some other tool? Here we will not discuss creating another tool that is better or more powerful than OllyDbg, nor modifying SoftIce, a program that has long been famous. It is simply that SoftIce's die-hard fans are gradually switching to OllyDbg because it is easy to use, does not crash the machine without warning the way SoftIce does, and is supported by many teams around the world through plugins as well as modified OllyDbg builds made to counter anti-debug and anti-OllyDbg mechanisms. One more simple reason is that this tutorial series is dedicated to OllyDbg.

III. The first task

So what is our first task now? Since this is a tutorial about Olly, what we have to do is find where to get Olly, download it and use it. First, you can go to Olly's home site, ollydbg.de, to download it; otherwise there are also many download links for OllyDbg in REA. I myself have collected perhaps nearly ten different Olly builds; hic hic, I guess we just wait for version 2.0 of Olly.

Once you have downloaded Olly, it is very simple: just extract it and use it. I recommend keeping all your RE and cracking tools together in one folder, as mine are in the illustration, which makes them easier to manage. OK, assuming you now have OllyDbg, just run the file OLLYDBG.exe and Olly works right away; it is not complicated to install or use the way SoftIce is. The OllyDbg interface looks like this:

This is my copy of OllyDbg, which has been modified and reconfigured. If you download OllyDbg from the home site or from other sources, it may look different from mine. To make the Plugins menu appear, do the following:

Select as in the picture above, or go to Options > Appearance, choose the Directories tab, and set the paths to the Plugins folder and the UDD folder.

Then press OK and restart Olly, and the Plugins menu will appear. Next, I will introduce the main windows of OllyDbg in detail. To illustrate the later parts of this article I will use a very well-known crackme: CRACKME.EXE by CRUEHEAD. To load this crackme into Olly, click the following icon or go to File > Open (or F3):

Then select the crackme that we are using to illustrate this article.

After loading it into Olly, we get the following:

You will probably feel overwhelmed looking at this, not knowing where to start. Hic, the first day I loaded a target into Olly, I looked at it every which way and did not understand anything at all, hehe; I just sat staring at it without knowing what else to do. But never mind, everything has a solution: when you don't know something, find documentation and read it, and only when you have read it and still don't understand should you go and ask. You also need to know how to ask, otherwise you will never get an answer and may even annoy other people. I will go through Olly's windows with you one at a time. As you can see, Olly's main screen is divided into 5 main windows, each with its own task and its own name:

Here we see 4 large windows:

- The Disassembler Window: in this window you can see the program's code in assembly language, and you can also add a comment to each line of asm code.
- The Registers Window: this window holds detailed information about the registers such as eax, ebx, ecx, etc. The status flags are also managed in this window.
- The Dump Window: in this window you can view or edit the memory of the program you want to debug, in two forms, hex and ASCII.
- The Stack Window: a window that is no less important; everything must be loaded onto the stack before it is executed.

Finally, there is one more window located below the Disassembler window. We will call it the Tip Window. That is not its actual name, but I like to call it that. When you are at some line of code while debugging, Olly shows you detailed information about that line. A simple example: if you are debugging at the instruction mov eax, dword ptr [123], this window tells you what value or number is currently stored at [123]. There are many other interesting things this window gives us.

The above is the most general overview you should know. Below I will introduce the functions of each window in turn using illustrations. Of course I cannot cover everything in detail; we will learn more gradually, case by case, in the later tutorials of the series. In addition, you should take the initiative to explore on your own rather than depend too much on this article.

1. The DISASSEMBLER Window :

This is Olly's first main window and a very important one; we will do a great deal of work in it. When you want to debug a program, you load its executable file into Olly. The programs you load may have been written in different languages such as VB, VC++, Borland Delphi or MASM, but in this window all of the program's code is listed as assembly. By default, Olly analyzes all of the main code of any program you load and adds appropriate comments. You can customize this feature as shown in the illustration below:

If you choose to use this Olly feature, what appears in your window will match the earlier illustrations. If you do not, we see the difference right away: Olly no longer analyzes the program automatically, and we have to do the analysis manually after the program is loaded into Olly. OK, I will try unchecking the option and reloading the crackme into Olly; we get the following:

As you can see in the picture above, if we do not select Olly's automatic analysis, a good deal of the information in the Comment column is left out, which makes debugging the program harder. However, this feature does not always work well. Sometimes letting Olly analyze automatically has exactly the opposite result: the analyzed code is displayed inaccurately. In the case below, for example, we get code consisting entirely of DB entries:

In a case like this we can manually remove what Olly has analyzed, simply by right-clicking in this window and choosing Analysis > Remove analysis from module.

And as a result we get the correct code, as follows:

So when working with Olly you should be flexible in how you use this feature. There is another point that is no less important: as you can see in the illustrations of my Olly, the instructions are clearly distinguished by color. You may not pay much attention to this, but in my view, distinguishing and fine-tuning the colors in Olly makes instructions easier to recognize, and to some extent shows off your aesthetic taste. To adjust the colors in Olly, go to the following tabs:

2. The REGISTERs Window :

The next important window is the Registers window. As mentioned, this window holds detailed information about the registers such as eax, ebx, ecx, etc. The status flags are also managed in this window.

This window gives us a great deal of information while we work with Olly. If you only look at the illustration above, you will probably feel, as I did, that it does not mean very much, but in fact this is where a lot of very useful information comes from.

3. The STACK Window :

First we will take a quick look at the stack. It is a place for temporarily storing data and addresses, and it is a one-dimensional data structure. Elements are put in and taken out at one end of the structure, that is, it is handled on a first-in, last-out basis (LIFO: Last In First Out). The element stored last is called the top of the stack. You can picture the stack as a pile of plates: the plate placed last sits on top, and only it can be taken off first. The two main registers that work with the stack are ESP and EBP. By default in Olly, the stack is displayed relative to the ESP register, but we can switch back and forth between ESP and EBP by right-clicking and choosing as in the following picture:

4. The DUMP Window :

This window displays the contents of memory or of a file. We can choose among many formats for displaying memory contents in this window: byte, text, integer, float, address, disassembly or PE Header. This window lets us search as well as edit, set breakpoints, and so on.

So we have taken a tour of Olly's main windows. Besides these, however, Olly has many other windows that we cannot see directly the way we see the ones above. We have to open those windows through the menu, as in the illustration below:

We will skim through the function of each window in turn.

- The L button opens Olly's Log window, which shows us the information that Olly records. By default this window stores information about the modules, import libraries or plugins loaded together with the program at the moment we first load the program into Olly. This window also records information about the breakpoints we set in the program. In the case of our crackme, we get the information