
INTRODUCTION TO CRACKING WITH OLLYDBG
FROM CRACKLATINOS
(_kienmanowar_)

A cool, steady head, a heart full of fire, and work with all your might!

I. General introduction

So we have gone through eight articles in this series on OllyDbg. In those eight articles I finished the first part of the job: introducing and briefly explaining the asm instructions we meet most often when working with OllyDbg. From here on, the next parts will gradually move on to fresher material, and there will be plenty of ground for us to explore, learn and practise. We will study each part slowly, one at a time; alongside reading the theory we will immediately practise what we have learned and fill in the areas where we are still lacking. In this article I will present a few basic terms, how to work with API functions, how to patch via the flags, and finally how to edit the program's code directly. N0w.L3ts G0!!!!!!!!!

II. Basic terms, working with APIs and patching via the flags

In this part 9 we continue to use CRUEHEAD's crackme for the demo. Loading the crackme into Olly, we stop at the crackme's entry point. So what is the entry point? There have been quite a few questions from you about it; I am not a programmer by trade, so I will explain it the way I understand it.

Basically, the term EntryPoint (EP) refers to the starting point of a program, the point from which the program executes normally. Do not confuse EP with OEP (Original Entry Point); OEP is a different term that we will study in later parts of this tutorial series. After we open a program in Olly and wait for its analysis to finish, Olly stops us at that program's EntryPoint.

Specifically, in our case this crackme has an EP of 0x401000, and after analysing the crackme Olly shows us that it has stopped at the EP, as in the illustration you saw above. Almost every program (roughly 99% of cases) stops at the program's EP when we load it in Olly, except for some special cases where something has interfered so that, after loading the program into Olly, we do not stop at the EP. That is a special trick we may get a chance to study later. For now it is only a concept; we have plenty of time to poke around!
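As an added illustration of where the EP that Olly stops at comes from (my own code, not from the original tutorial): the Windows loader takes AddressOfEntryPoint from the PE optional header and adds ImageBase. The sample header bytes below are constructed inline, just enough of a header for the parser, and are not taken from the crackme; entry_point_of_file does the same thing on a real file. This is the EP, not the OEP the text mentions: for a packed program the header points at the packer's stub, which is why such programs do not stop where the original code begins.

```python
import struct


def build_sample_pe(plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a runnable executable).

    PE32:  ImageBase 0x400000,    AddressOfEntryPoint 0x1000 -> EP 0x401000
    PE32+: ImageBase 0x140000000, AddressOfEntryPoint 0x1000 -> EP 0x140001000
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)            # e_lfanew: PE header right after the DOS header
    opt = bytearray(240 if plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)   # Magic: PE32+ or PE32
    struct.pack_into("<I", opt, 16, 0x1000)         # AddressOfEntryPoint (an RVA)
    if plus:
        struct.pack_into("<Q", opt, 24, 0x140000000)  # ImageBase is 8 bytes at +24 in PE32+
    else:
        struct.pack_into("<I", opt, 28, 0x400000)     # ImageBase is 4 bytes at +28 in PE32
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def entry_point(data: bytes) -> int:
    """Return the virtual address of the entry point: ImageBase + AddressOfEntryPoint."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                         # skip signature and COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                              # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                            # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return image_base + rva


def entry_point_of_file(path: str) -> int:
    """Same computation on a file on disk (hypothetical helper for real samples)."""
    with open(path, "rb") as f:
        return entry_point(f.read())


if __name__ == "__main__":
    print(f"PE32  EP = {entry_point(build_sample_pe()):#010x}")
    print(f"PE32+ EP = {entry_point(build_sample_pe(plus=True)):#018x}")
```

The header value is what Olly reports after analysis; if a sample's EP lands in an unusual section or the section is writable, that is the first hint of the "interference" the text alludes to.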

The next concept we also need to look at is Application Programming Interface (API) functions and DLL libraries.

For the theory and background on APIs and DLLs you can consult the PE File Format book that I translated, or sources on the Internet. In the illustration above, the part circled in red is a call to an API function:

    CALL LoadIconA

Roughly speaking, an API can be described like this: the Windows operating system builds a large collection of functions/procedures that do the jobs you would otherwise have to repeat, tediously, every day while coding. The collection of functions/procedures that Windows builds is given the common name API; thanks to the API, programmers do not waste effort on tasks that have already been built. These APIs, grouped by the kind of work they do and their purpose, are collected into DLL library files, so that when the programmer needs one, they only have to look in the library to see whether the function is there and, if it is, simply call it and use it.

Looking at the illustration above, you can see that Olly shows us that the function LoadIconA is located in the DLL User32.dll.

Let us take a simple example with the function MessageBoxA: suppose I have no idea which DLL this function lives in, nor what its address is. So how do I get information about this function? Very simply: Olly lets us look up an address by function name. In Olly's Command Bar we type the function name as follows:

Wow, Olly immediately finds the address of MessageBoxA for us. Now we go to this address to see which library the function we found belongs to. In Olly, right-click and choose Go to > Expression:

Enter the address we found into the textbox and press OK:

Olly takes us to the address of MessageBoxA:

From the picture above we see right away that MessageBoxA belongs to the DLL User32.dll. The function starts at 0x7e45058a and ends with the instruction Retn 10 at 0x7e4505d0.

There is another way to find MessageBoxA, similar to the above, but instead of typing the function's address we type the function's name directly and press OK:

As you saw above, finding MessageBoxA seems very easy, but it is not always that simple. With the two methods above you must remember every letter of the function name exactly, including its upper- and lower-case spelling. So what if we only vaguely remember the function name and cannot spell it in the correct form? Olly gives us another way to reach the function. Ok, to do this we go back to the program's EP (simply by pressing the key that takes you back to the previous location, since at this point you are at the address of MessageBoxA), then proceed as in the picture below (the shortcut is Ctrl + N):

Immediately, a list of the functions used in the current module is shown, as you see in the following picture:

Looking at the above, it is obvious we cannot dig MessageBoxA out of a forest of names like this. To find the right function, first type the first letter of the function name right in that window, here the letter M; Olly takes us to the position of the functions beginning with M. Keep typing the following letters of the function name and Olly takes us to exactly the position we want:

At the function we found, right-click and choose Follow import in Disassembler:

Ok, so we have been through several different methods for finding information about an API function; now let us return to the next part of the article. Having found the information about MessageBoxA as in the illustration above, we set a breakpoint, known by the term Break Point (BP). We do it as follows:

Setting the BP as above is equivalent to this other way: in the Command Bar window, type: Bp MessageBoxA

Ok, we have just set a BP; now let us check the result. Switch to the BP window with the shortcut (Alt + B):

As you see above, I have set a BP at the start address of MessageBoxA. Now, when I run this crackme in Olly, if any message box pops up we will stop at the position where we set the BP. To test this, run the crackme by pressing F9:

Go to the Help menu and choose Register; the window asking for a User Name and Serial appears:

We enter some fake info into the text boxes, then press Ok. Olly immediately stops, right at the spot where we set the BP:

So we guess that the moment we press Ok a message box is about to pop up, but since we told Olly to catch this action, Olly stops at the start of the function. Now switch to the Stack window and we get the following information:

From the information in the picture you can see that before any API function is called, its parameters are pushed onto the Stack. You can look these parameters up in the Help file Win32.hlp. Ok, now in the Stack window choose as follows:

We return to the program's code window and stop at the following position:

From the theory about the two instructions CALL and RET that I introduced in the previous part, we should not be too surprised that, when we follow the address above, Olly takes us to a Ret instruction rather than a Call instruction.

Ok, so as you can see, when the User name and Serial we entered are not correct we get a message with the following content:

    004013AD |. 6A 30         push 30                  ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
    004013AF |. 68 60214000   push 00402160            ; |Title = "No luck!"
    004013B4 |. 68 69214000   push 00402169            ; |Text = "No luck there, mate!"
    004013B9 |. FF75 08       push dword ptr [ebp+8]   ; |hOwner
    004013BC |. E8 79000000   call                     ; \MessageBoxA

Now let us go back to where we set the BP to verify what we just said.

Set a BP at the instruction Ret 10:

Then press F9 to run the program, and we receive the message:

Heh, exactly as the information we got above. Now press OK and we immediately stop at the Ret 10 instruction:

This Ret 10 instruction tells us we are at the end of the API function MessageBoxA; when it executes we return to the program's main code. But before executing it, look at the Stack window to get the address we will return to when Ret 10 executes:

The address I circled above is the address of the instruction just below the call to MessageBoxA.

Press F7 to trace over the Retn 10 instruction. We return to address 0x004013C1, and at the same time, when this instruction executes, the Esp register automatically has 0x10 added to it, i.e. ESP = ESP + 0x10 = 0x0013FE90 + 0x10 = 0x0013FEA0. Ok, after pressing F7 as described we end up here:
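To make the stack mechanics of this section concrete, here is an added Python example (my own code, not from the original tutorial). It parses the Olly listing quoted above, replays the four pushes and the call, shows the frame MessageBoxA sees at the breakpoint (return address at [ESP], then hOwner, Text, Title, Style), decodes the Style value into the names Olly printed, and finally performs RETN 10. The starting ESP, EBP and the hOwner handle are constructed values. Note that the model pops the 4-byte return address before adding 0x10, so ESP lands back exactly where it was before the four pushes.

```python
import re

# Constructed copy of the OllyDbg listing quoted in the text (the call's target
# column was not preserved on the page; the trailing comment names it).
LISTING = """\
004013AD |. 6A 30         push 30                  ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013AF |. 68 60214000   push 00402160            ; |Title = "No luck!"
004013B4 |. 68 69214000   push 00402169            ; |Text = "No luck there, mate!"
004013B9 |. FF75 08       push dword ptr [ebp+8]   ; |hOwner
004013BC |. E8 79000000   call                     ; \\MessageBoxA
"""

HEX = re.compile(r"^[0-9A-Fa-f]+$")
MEM_RE = re.compile(r"\[(\w+)\s*([+-]\s*[0-9A-Fa-f]+)?\]")

def parse_listing(text):
    """Parse Olly-style lines into (addr, size, mnemonic, operand, comment).

    The opcode column is detected as a run of hex tokens; the instruction size
    is their total byte length, which lets us compute the next address.
    (Assumption: the mnemonic is not itself a hex word such as 'fadd'.)
    """
    out = []
    for line in text.splitlines():
        code, _, comment = line.partition(";")
        toks = code.split()
        addr = int(toks[0], 16)
        i, size = 2, 0                         # skip the address and the '|.' marker
        while HEX.match(toks[i]):
            size += len(toks[i]) // 2
            i += 1
        out.append((addr, size, toks[i].lower(), " ".join(toks[i + 1:]), comment.strip()))
    return out

class Stack:
    """Tiny x86 stack model: ESP plus only the dwords we have written."""
    def __init__(self, esp, mem=None):
        self.esp, self.mem = esp, dict(mem or {})
    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value
    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value
    def retn(self, imm):
        """RET imm16: pop the return address first, then discard imm bytes of arguments."""
        ret = self.pop()
        self.esp += imm
        return ret

def operand_value(op, regs, mem):
    """Olly prints immediates in hex without 0x; memory operands are read from the model."""
    m = MEM_RE.search(op)
    if m:
        disp = int(m.group(2).replace(" ", ""), 16) if m.group(2) else 0
        return mem[regs[m.group(1)] + disp]
    return int(op, 16)

def run_until_call(listing, esp, regs, mem):
    """Execute the pushes and the CALL; return the stack, the return address and the args."""
    stack = Stack(esp, mem)
    for addr, size, mnem, ops, _ in listing:
        if mnem == "push":
            stack.push(operand_value(ops, regs, stack.mem))
        elif mnem == "call":
            stack.push(addr + size)            # return address = the next instruction
            break
    ret_addr = stack.mem[stack.esp]
    args = [stack.mem[stack.esp + 4 * i] for i in range(1, 5)]   # hOwner, Text, Title, Style
    return stack, ret_addr, args

BUTTONS = {0: "MB_OK", 1: "MB_OKCANCEL", 2: "MB_ABORTRETRYIGNORE",
           3: "MB_YESNOCANCEL", 4: "MB_YESNO", 5: "MB_RETRYCANCEL"}
ICONS = {0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION", 0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK"}
MODAL = {0: "MB_APPLMODAL", 0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL"}

def decode_style(style):
    """Split a MessageBox uType into the button, icon and modality names Olly shows."""
    names = [BUTTONS.get(style & 0xF, f"{style & 0xF:#x}")]
    if style & 0xF0:
        names.append(ICONS.get(style & 0xF0, f"{style & 0xF0:#x}"))
    names.append(MODAL.get(style & 0x3000, f"{style & 0x3000:#x}"))
    return "|".join(names)

def demo():
    ebp = 0x0013FEC0                           # constructed frame pointer at 004013AD
    listing = parse_listing(LISTING)
    stack, ret_addr, args = run_until_call(listing, esp=0x0013FEA4, regs={"ebp": ebp},
                                           mem={ebp + 8: 0x00050104})  # constructed hOwner
    esp_at_bp = stack.esp                      # what the BP at MessageBoxA's first byte sees
    returned_to = stack.retn(0x10)             # the 'RETN 10' at the end of MessageBoxA
    return {"return_address": ret_addr, "args": args, "style": decode_style(args[3]),
            "esp_at_breakpoint": esp_at_bp, "returned_to": returned_to, "esp_after_ret": stack.esp}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, [hex(x) for x in v] if isinstance(v, list) else (hex(v) if isinstance(v, int) else v))
```

With the constructed starting ESP the breakpoint sees ESP = 0x0013FE90, as in the screenshot, and the return address computed from the listing is 0x004013C1, the instruction right below the call.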

In the Stack window:

As in the picture above we are at 0x004013C1; right above it is a call to MessageBoxA. This picture tells us that the Name and Serial we entered were wrong, which is why the No luck message popped up!! Now press F9 once more:

Boom, we break at MessageBoxA again; look at the Stack window again:

Right-click on the first line and choose Follow in Disassembler:

Olly takes us to address 0x0040137D; above it, at 0x00401378, is yet another call to MessageBoxA:

So, summing up, we see that there are two pieces of code that both show the No luck nag, so we guess that there are two checks, one related to the UserName and one to the Serial we entered. Specifically, the first nag we got is the one related to checking the Name, and the next nag we see in the picture above is the one related to checking the Serial. Keep an eye on that spot!!

At the position above, scroll up a little and you will see one more call to MessageBoxA:

The picture above tells us there are 2 nags related to entering the Serial: if we enter it correctly, the message highlighted in yellow is shown; if we enter it wrong, the message highlighted in blue is shown. In the picture above we also see the $ sign, which tells us we are inside the body of a function/procedure call. So, to find out where this call originates, we only have to select the line containing the $ sign and look down at the window below:

So Olly tells us that the address where the call to the code above is made is 0x00401245. Right-click the blue-highlighted line above and choose Go to Call from 00401245:

Hmm, it seems we are standing at the position containing the