INTRODUCTION TO THE CRACKING WITH OLLYDBG FROM CRACKLATINOS (_kienmanowar_)

A cool and steady head, a heart full of fire, and work with all your might!

I. General introduction

So we have gone through eight articles in this series on OllyDbg. In those eight articles I completed the first part of the job: introducing and briefly explaining the asm instructions that are used most often when we work with OllyDbg. In the parts that follow we will gradually approach newer material, and there will be plenty of room for us to explore, learn and practice. We will go through each part slowly, one at a time; alongside reading the theory we will immediately practice what we have learned and fill in the areas where we are still lacking. In this article I will present to you some basic terminology, how to work with API functions, how to patch via the flags, and finally how to edit the program's code directly. N0w.L3ts G0!!!!!!!!!

II. Basic terminology, working with APIs, and patching via the flags

In this part 9 we continue to use CRUEHEAD's crackme for the demo. Loading the crackme into Olly, we stop at the crackme's entry point. So what is the entry point? There have been quite a few questions from you about it; I am not a programmer by trade, so I will explain it the way I understand it.

Basically, the term EntryPoint (EP) refers to the starting point of a program, the point from which the program executes normally. Do not confuse EP with OEP (Original Entry Point); OEP is a different term that we will look at in later parts of this tutorial series. After we open a program in Olly and wait for the analysis to finish, Olly will bring us to a stop at that program's EntryPoint.

Specifically, in our case this crackme has an EP of 0x401000, and Olly also shows us that after analyzing the crackme it has stopped at the EP, as in the illustration you see above. Almost all programs (about 99% of cases), when we load them in Olly, stop at that program's EP, except for a few special cases where some interference means that after loading the program into Olly we do not stop at the EP; this is a special trick that we may have the chance to look at later. For now it is only a concept; we still have plenty of time to poke around!

Next is another concept we also need to consider: Application Programming Interface (API) functions and DLL libraries.

For the theory and background on APIs and DLLs you can refer to the PE File Format book that I translated, or to sources on the Internet. As in the illustration above, the circled spot is a call to an API function:

  CALL LoadIconA

Put plainly, the API can be described as follows: the Windows operating system builds a large collection of functions/procedures that help you carry out the tasks you would otherwise have to repeat day after day, which is very tedious while coding. The collection of functions/procedures that Windows built was given the general name API; with the API available, programmers do not have to waste effort on work that has already been built. Depending on the group of tasks and the purpose, these APIs are gathered into a DLL library file; when needed, the programmer only has to look up in the library whether the function is there and, if it is, just call it and use it.

Looking at the illustration above, you can see that Olly shows us the LoadIconA function lives in the DLL User32.dll.

Let us take a simple example with the MessageBoxA function: I have no idea which DLL this function lives in, and I do not know its address either. So how do I get information about this function? Very simply: Olly gives us the ability to look up an address by function name. In Olly's Command Bar we type the function name as follows:

Wow, Olly immediately finds the address of the MessageBoxA function for us; now we go to this address to see which library the function we looked up belongs to. In Olly, right-click and choose Go to > Expression:

Enter the address found into the text box and press OK:

Olly will take us to the address of the MessageBoxA function:

From the picture above we see right away that the MessageBoxA function belongs to the DLL User32.dll. This function starts at 0x7e45058a and ends with a Retn 10 instruction at 0x7e4505d0.

There is also another way to help us find the MessageBoxA function, similar to the above, but instead of typing the function's address we type the function's name directly and press OK:

As you see above, finding the MessageBoxA function looks very easy; however, it is not always that simple. With the two methods above you must remember every letter exactly, as well as the upper/lower case in that function's name. So what if we only vaguely remember the function's name and cannot write it in exactly the right form? Olly gives us another way to get to that function. Ok, to do this we go back to the program's EP (simply by pressing the key for it on the keyboard, since right now you are at the address of MessageBoxA), then do as in the picture below (the shortcut is Ctrl + N):

Immediately the list of functions used in the current module is shown, as you see in the following picture:

Looking at that, it is too confusing; we do not know where to dig MessageBoxA out of a forest of names like this. To find the right function, first, in that very window, type the first letter of the function name, which here is the letter M. Olly will take us to the position of the functions starting with M. Keep typing the next letters of the function name and Olly will take us to exactly the position we need:

On the function found, right-click and choose Follow import in Disassembler:

Ok, so we have gone through several different methods of looking up information about an API function; now let us get back to the next part of the article. Having found the information about the MessageBoxA function as in the illustration above, we proceed to set a breakpoint, also known by the term Break Point (BP). We do as follows:

Setting the BP as above is equivalent to the following other way: in the Command Bar window we type: Bp MessageBoxA

Ok, we have just set the BP; now let us check what the result looks like. Switch to the BP window by pressing the shortcut (Alt + B):

As you see above, I set a BP at the start address of the MessageBoxA function; now when I run this crackme in Olly, if any message box pops up we will stop at the spot where we set the BP. To verify this, we run the crackme by pressing F9:

Go to the Help menu and choose Register; the window asking for User Name and Serial appears:

We try entering fake info into the text boxes, then press Ok. Immediately Olly stops, and stops exactly where we set the BP:

So we guess that right when we press Ok a message box will be thrown up; however, we had Olly catch this action, so Olly stops at the start of the function. Now we switch to the Stack window and get the following information:

From the information the picture provides, you can see that before each API function is about to be called, the function's parameters are pushed onto the Stack. You can look these parameters up in the Help file Win32.hlp. Ok, now in the Stack window we choose as follows:

We return to the program's code window and stop at the following position:

Following the theory about the two instructions CALL and RET that I introduced in the previous part, we will not be too surprised that when we Follow the address above, Olly takes us to a Ret instruction and not to a Call instruction.

Ok, so as you see, when the User name and Serial information we entered is incorrect, we receive a message with the following content:

  004013AD |. 6A 30          push 30                     ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
  004013AF |. 68 60214000    push 00402160               ; |Title = "No luck!"
  004013B4 |. 68 69214000    push 00402169               ; |Text = "No luck there, mate!"
  004013B9 |. FF75 08        push dword ptr [ebp+8]      ; |hOwner
  004013BC |. E8 79000000    call                        ; \MessageBoxA

Now let us go back to where we set the BP to verify the information we just discussed.

We set a BP at the Ret 10 instruction:

Then press F9 to run the program, and we get the message:

Ha ha, just as the information we got above said; now we press OK and we immediately stop at the Ret 10 instruction:

This Ret 10 instruction tells us that we are at the end of the MessageBoxA API function; when this instruction executes we return to the program's main code. But before executing it, we look at the Stack window to get the address we will return to when the Ret 10 executes:

The address I circled above is the address of the instruction below the call to the MessageBoxA function.

We press F7 to trace through the Retn 10 instruction; we then return to address 0x004013C1, but at the same time, when we execute this instruction, the Esp register is automatically increased by 0x10, i.e. ESP = ESP + 0x10 = 0x0013FE90 + 0x10 = 0x0013FEA0. Ok, after pressing F7 as said, we arrive here:

In the Stack window:

As in the picture above we are at 0x004013C1; above it is a call to the MessageBoxA function. This picture tells us that we entered the Name and Serial information wrongly, so the No luck message is thrown up!! Now we keep going and press F9 once more:
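The "No luck" call site listed above and the Retn 10 discussion are both about the same thing: what the Stack window shows when the breakpoint at the start of a stdcall API such as MessageBoxA is hit, and how the callee's RETN unwinds it. The following Python script is an added example written for this page, not code from the original tutorial or from OllyDbg: it parses the listing in OllyDbg's own format, replays the PUSHes and the CALL onto a simulated stack, and checks that the RETN immediate matches the number of arguments. The CALL operand (elided in the listing) is written as a bare symbol name, and the ESP value before the first PUSH is a constructed value; both are assumptions.

```python
"""Model of OllyDbg's Stack window at a stdcall API breakpoint (added example).

Parses an OllyDbg-style listing, replays PUSH/CALL onto a simulated stack and
shows why RETN 10 brings ESP back to where it was before the first PUSH.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed listing of the "No luck" call site in OllyDbg's format:
#   address |. opcode bytes   mnemonic operands ; comment
# The CALL operand is an assumption (OllyDbg shows a thunk there, elided on the page).
LISTING = """\
004013AD |. 6A 30          push 30                 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013AF |. 68 60214000    push 00402160           ; |Title = "No luck!"
004013B4 |. 68 69214000    push 00402169           ; |Text = "No luck there, mate!"
004013B9 |. FF75 08        push dword ptr [ebp+8]  ; |hOwner
004013BC |. E8 79000000    call MessageBoxA        ; \\MessageBoxA
"""

LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+\|\.\s+"
    r"(?P<bytes>(?:[0-9A-F]{2,}\s)+)\s*"
    r"(?P<mnem>[a-z]+)\s*(?P<ops>[^;]*?)\s*"
    r"(?:;\s*(?P<comment>.*))?$"
)


@dataclass
class Insn:
    addr: int
    size: int        # number of opcode bytes; needed to compute the return address
    mnem: str
    ops: str
    comment: str


def parse_listing(text: str) -> list[Insn]:
    """Turn each OllyDbg listing line into an Insn (raises on lines it cannot read)."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        size = sum(len(b) // 2 for b in m["bytes"].split())
        insns.append(Insn(int(m["addr"], 16), size, m["mnem"],
                          m["ops"].strip(), (m["comment"] or "").strip()))
    return insns


def arg_label(comment: str) -> str:
    """'/Style = MB_OK|...' -> 'Style'; '|hOwner' -> 'hOwner' (OllyDbg bracket chars stripped)."""
    return comment.lstrip("/|\\").split("=", 1)[0].strip()


@dataclass
class Frame:
    esp: int                                   # ESP at the first instruction of the callee
    slots: list[tuple[int, str, str]] = field(default_factory=list)  # (address, label, value)


def stack_at_api_entry(insns: list[Insn], esp_before: int) -> Frame:
    """Replay PUSH ... PUSH / CALL. At the callee's first instruction [ESP] holds the
    return address and the arguments follow it, first-pushed at the highest address."""
    esp = esp_before
    slots = []
    for ins in insns:
        if ins.mnem == "push":
            esp -= 4
            slots.append((esp, arg_label(ins.comment), ins.ops))
        elif ins.mnem == "call":
            esp -= 4                                   # CALL pushes the address of the next instruction
            slots.append((esp, "return address", f"{ins.addr + ins.size:08X}"))
        else:
            raise ValueError(f"unexpected mnemonic {ins.mnem}")
    return Frame(esp, sorted(slots))                   # lowest address ([ESP]) first


def expected_ret_imm(insns: list[Insn]) -> int:
    """stdcall: the callee removes its own arguments, so RETN n carries 4 bytes per PUSH."""
    return 4 * sum(1 for ins in insns if ins.mnem == "push")


def esp_after_retn(esp_at_retn: int, imm: int) -> int:
    """RETN imm pops the 4-byte return address, then adds imm to ESP."""
    return esp_at_retn + 4 + imm


def render(frame: Frame) -> str:
    """Print the frame the way OllyDbg's Stack window lays it out."""
    rows = []
    for i, (addr, label, value) in enumerate(frame.slots):
        prefix = "ESP ==>" if i == 0 else "       "
        rows.append(f"{prefix} {addr:08X}  {value:<18} ; {label}")
    return "\n".join(rows)


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    frame = stack_at_api_entry(insns, 0x0013FEA0)     # constructed ESP before the first PUSH
    print(render(frame))
    imm = expected_ret_imm(insns)
    # MessageBoxA's epilogue restores ESP to its entry value before the RETN,
    # so the ESP seen at the breakpoint is also the ESP at RETN 10.
    print(f"RETN imm expected: {imm:X}; ESP after RETN {imm:X}: {esp_after_retn(frame.esp, imm):08X}")
```

Two details worth noticing when you compare the output with the Stack window: the first argument (hOwner) sits at ESP+4, not at ESP, because CALL pushed the return address last; and RETN 10 first pops that return address and only then adds 0x10, which is why four PUSHes are undone by a RETN with immediate 0x10 and ESP lands back on the value it had before the first PUSH.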

Boom, we break at MessageBoxA again; let us peek at the Stack window once more:

Right-click on the first line and choose Follow in Disassembler:

Olly takes us to address 0x0040137D; above it, at 0x00401378, is again a call to the MessageBoxA function:

So, summing up, we see that both pieces of code show the No luck Nag, and we can guess that we will have two checks, related to the UserName and the Serial entered. Possibly the first Nag we received is the Nag related to the Name check, and the next Nag we see in the picture above is the Nag related to the Serial check. That is only how it looks for now!!

At the position above, scroll up a little and you will see yet another call to the MessageBoxA function:

The picture above tells us there are 2 Nags related to entering the Serial: if we enter it correctly, the message highlighted in yellow is shown; if we enter it wrongly, the message highlighted in blue is shown. In the picture above we also see the $ sign; this sign tells us we are inside the body of a called function/procedure, so to find where this call comes from we just select the line containing the $ sign and look at the window below:

So Olly helps us learn that the address of the call to the code above is 0x00401245; right-click on the blue-highlighted line above and choose Go to Call from 00401245:

Hmm, it seems we are standing at a position that is not yet