Cracking with OllyDbg

  • Published on
    25-Jun-2015


INTRODUCTION TO CRACKING WITH OLLYDBG, FROM CRACKLATINOS (_kienmanowar_)

I. Foreword

Once again, greetings to everyone in REA. While browsing Ricardo Narvaja's site I came across this tutorial series, which is quite good and very basic, for anyone who wants to learn about cracking with the help of a debugger that has become extremely well known: OllyDbg. I really like the Cracklatinos tutorials, but unfortunately they are all in Spanish. I liked this series so much that I decided to translate it from Spanish into English, and then from the English to rewrite it the way I understand it, to pass on what I know to you. According to its author, the main idea of the series is to provide the most basic knowledge for anyone about to start learning the art of cracking with the help of OllyDbg. Although the title says Introduction (that is, only an introduction), the series actually gives us a solid foundation for reading and understanding the tutorials written for advanced readers, especially the tutorials about to be released on Cracklatinos (hehe, its author really knows how to advertise), and at the same time it helps us apply new techniques in cracking.

II. Why OllyDbg?

When you join REA, probably the thing you see most often is OllyDbg, so why OllyDbg and not some other tool? We will not discuss here creating another tool that is better or stronger than OllyDbg, nor modifying the program that has been famous for ages, SoftIce. It is simply that even die-hard SoftIce fans are gradually moving to OllyDbg because it is easy to use, does not crash the machine out of the blue the way SoftIce does, and is supported by many teams around the world through plugins and through modified builds of OllyDbg that counter anti-debug and anti-OllyDbg mechanisms. And for one more simple reason: this tutorial series is dedicated to OllyDbg.

III. The first task

So what is our first task now? Since this tutorial is about Olly, what we have to do is find out where to get Olly, download it and use it. First, you can go to Olly's home site, ollydbg.de, to download it; otherwise REA has plenty of download links for OllyDbg. I myself have collected perhaps nearly a dozen different Olly builds; hic hic, maybe I should just wait for Olly version 2.0.

Once you have downloaded Olly, it is very simple: just extract it and use it. I advise you to keep all your RE and cracking tools together in one folder, like mine in the illustration, which makes them easier to manage. Okay, assuming you have OllyDbg, we just run OLLYDBG.exe and Olly is up immediately, with none of the installation and usage complications of SoftIce. The OllyDbg interface looks like this:

This is my build of OllyDbg, which has been modified and reconfigured. If you download OllyDbg from the home site or from other sources it may look different from mine, and to make the Plugins menu appear, do the following:

Choose as in the figure above, or go to Options > Appearance, choose the Directories tab and set the paths to the Plugins folder and the UDD folder. Then press OK and restart Olly, and you will see the Plugins menu.

In the next part I will introduce the main windows of OllyDbg in detail, and to illustrate the rest of this article I will use a very famous crackme: CRACKME.EXE by CRUEHEAD. To load this crackme into Olly, click the following icon or go to File > Open (or F3):

Then we choose exactly the crackme we use to illustrate this article. After loading it into Olly we get the following:

Looking at it, you will probably feel overwhelmed and not know where to start. Hic, the first day I loaded a target into Olly I looked back and forth and understood nothing at all, hehe; I just sat staring at it with no idea what to do. But no matter, everything has a solution: when you don't know, find documents and read; when you read and still don't understand, then ask. But you must ask the right way, or you will never get an answer and may even annoy people. I will go through Olly's windows one by one with you.

As you can see, Olly's main screen is divided into 5 main windows, each with its own task and its own name:

Here we see 4 large windows:

- The Disassembler Window: in this window you can see the program's code in assembly language, and in the same window you can also add comments to each line of asm code.
- The Registers Window: this window holds detailed information about registers such as eax, ebx, ecx, etc. The status flags are also managed in this window.
- The Dump Window: in this window you can view or edit the memory of the program you want to debug, in two forms, hex and ASCII.
- The Stack Window: a window no less important; everything must be pushed onto the Stack before it can be executed.

Finally there is a window under the Disassembler Window; we call it the Tip Window. That is not its real name, but personally I like to call it that. When you are at some line of code during debugging, Olly shows you detailed information about that line. A simple example: if you are debugging at the instruction mov eax, dword ptr [123], this window tells you which value or number is currently stored at [123]. And there are many more interesting things this window gives us.

That is the most general overview you should know. Below I will go into the function of each window through illustrations. Of course I cannot introduce everything in detail; we will learn gradually through concrete cases in the following tutorials. In addition, you should take the initiative and study on your own, and not depend too much on this article.

1. The DISASSEMBLER Window:

This is Olly's first main window and a very important one; we will do a great deal of work in it. When you want to debug a program, you load the program's executable into Olly. The programs you load into Olly may be coded in different languages such as VB, VC++, Borland Delphi or MASM, but in this window the program's entire code is listed as ASM code.

By default, Olly analyzes the entire main code of any program you load and produces suitable comments. You can customize this function as shown in the illustration below:

If you choose to use this function of Olly, what appears in the window will be the same as in the earlier illustrations. If you do not, we will see the difference immediately: Olly no longer analyzes the program automatically, and we will have to do the analysis manually after the program is loaded into Olly. Okay, I untick it and reload the Crackme into Olly, and we get the following:

As you can see in the figure above, if we do not select Olly's automatic analysis function, a lot of the information in the Comment column is stripped away, which makes debugging the program harder. However, this function does not always work effectively; sometimes letting Olly analyze automatically gives the opposite result, where the analyzed code is displayed incorrectly, as in the case below where we get code consisting entirely of DB:

In a case like this we can manually remove what Olly has analyzed, simply by right-clicking in this window and choosing Analysis > Remove analysis from module.

And the result is that we get the correct code, as follows:

So while working with Olly you should be flexible in using this function.

There is another part that is no less important. As you can see in my Olly screenshot, the instructions are clearly distinguished by colour. You may not pay attention to this, but in my opinion distinguishing and fine-tuning the colours in Olly makes the instructions easier to recognize, and also shows off your aesthetic taste a little. To fine-tune the colours in Olly, go to the following tabs:

2. The REGISTERS Window:

The next important window is the Register window. As said, this window holds detailed information about registers such as eax, ebx, ecx, etc. The status flags are also managed in this window.

This window gives us a lot of information while we work with Olly. If you only look at the illustration above, you will probably feel, as I did, that it does not mean much, but in fact it is a place that provides a lot of very useful information.

3. The STACK Window:

First, let's briefly look at the Stack. It is a place for temporarily storing data and addresses, and it is a one-dimensional data structure. Elements are put in and taken out at one end of the structure, that is, it is processed last in, first out (LIFO: Last In First Out). The element put in last is called the top of the Stack. You can picture the Stack as a pile of plates: the plate put on last is on top and will certainly be the first taken off. The two main registers that work with the Stack are ESP and EBP. By default Olly shows the Stack relative to ESP, but we can switch back and forth between ESP and EBP by right-clicking and choosing as in the following figure:

4. The DUMP Window:

This window displays the contents of memory or of a file. We can choose many different formats to represent the memory contents in this window: byte, text, integer, float, address, disassembly or PE Header. This window lets us search as well as edit, set Breakpoints, etc.

So we have taken a tour of Olly's main windows. Besides these, Olly has many other windows that we cannot see directly like the ones above. We have to access them through the menu, as in the illustration below:

We will skim through the function of each window.

_ The L button opens Olly's Log window, which shows us the information Olly records. By default this window stores information about the modules, import libraries or Plugins loaded with the program at the moment we first load the program into Olly. It also records information about the Breakpoints we set in the program. In the case of our crackme, we get the following information:

Another feature of this window: when we want to save the Log information, this window also lets us write it to a file.

_ The E button opens the Executables window, which lists the executable files used by the program, such as exe, dll and ocx files, etc.

In this window, if you right-click you will see many different options; within the limited scope of this article I cannot cover them all. Later parts will address them.

_ The M button opens the Memory window, which gives us information about the memory being used by our program, and much other useful information:

In this window we can also use the Search feature to look for strings, specific hex sequences or unicode, etc. In addition it gives us different kinds of Breakpoints to set on the Sections. Which BPs to set depends on our needs and purpose.

_ The T button opens the Threads window, which lists the program's Threads:

_ The W button opens the Windows window.

_ The H button opens the Handles window.

_ The C button needs no explanation; just press it and you will see right away.

_ The / button opens the Patches window, which gives us information about what we have edited in the program.

_ The K button opens the Call Stack window, which shows a list of the call instructions our program executed when we Run with F9 and use F12 to pause the program.

_ The B button opens the Breakpoints window, which shows all the BPs we set in the program. However, it only shows the BPs set by pressing F2; other kinds of BPs such as hardware breakpoints or memory breakpoints are not listed here:

_ The R button opens the References window, which holds the results of what we do with the Search function in Olly; the results are shown here:

Phew, quite a lot of windows, aren't there? I will not go into more detail because we will meet them again in the next tutorials. One very important requirement besides knowing how to use Olly is that you must also know ASM language; if you don't, hii, you should spend some time learning some basics before reading the later parts of this article. Also, to make it easier for you to get familiar, in the later parts I will try to organize things systematically.

IV. Configuring Olly as a JIT (Just-in-time) debugger

When some program executes and raises an Exception, Windows can call the Registered Debugger (a debugger configured as JIT) and attach it to the program. This feature is called Just-in-time debugging. Some JIT debuggers stop at the System breakpoint; OllyDbg continues executing until it reaches the instruction that raised the Exception. To configure OllyDbg as a JIT debugger, do the following:

If you do not want to use this feature, you can Restore it.

V. Some basic keys for working with Olly:

F7: Pressing F7 executes one instruction at a time. If during tracing we meet a Call instruction, it goes into the Call and executes each instruction inside it until it meets a Retn, which returns to the main program, that is, to the instruction right after the Call.

F8: Similar to F7, with one difference: when tracing code, if it meets a Call it skips over the instructions inside the Call, executes the Call as a whole and stops at the next instruction below the Call.

F2: Sets a Breakpoint in the program. So what is a Breakpoint? Simply put, it is a break we create in the program under some condition while it executes; if the condition we set is satisfied, the program stops at the position where we set the BP. For example, in the illustration below:

Now I want to set a BP on the Call to the API LoadIconA. That is, when I execute the program and it calls this function, it stops right here immediately. Next, I can customize this function for my own purposes, for instance NOP it out so the program no longer calls this function, etc. To do this, click the position where you need to set the BP, then press F2. The place where we set the BP is highlighted in colour:

To remove the BP we set, just select the highlighted position and press F2 again.

F9: Executes the program in Debug mode, similar to double-clicking the program to run it. Unlike double-clicking, however, if we press F9 Olly checks whether any BP is set and whether the program throws any Exception, or, if the program has an anti-debug mechanism, it terminates immediately. If there is no obstacle at all, the program runs completely and Olly's status bar tells us so:

F12: Pauses the program.

VI. Closing words

The above is the most general overview of Olly. As said, you should not depend too much on this article of mine; you can explore Olly's other features on your own. The later parts of this series work on the Crackme by CRUEHEAD; to save you the trouble of searching, I attach the target along with this article. I hope what I have written above helps you understand somewhat why OllyDbg is becoming more and more popular.

Best Regards
_[Kienmanowar]_

--++--==[ Greatz Thanks To ]==--++--
My family, Computer_Angel, Moonbaby, Zombie_Deathman, Littleboy, Benina, QHQCrker, the_Lighthouse, Merc, Hoadongnoi, Nini ... all REAs members, TQN, HacNho, RongChauA, Deux, tlandn, light.phoenix, dqtln, ARTEAM .... all my friends, and YOU.
--++--==[ Thanks To ]==--++--
iamidiot, WhyNotBar, trickyboy, dzungltvn, takada, hurt_heart, haule_nth, hytkl, etc., who contributed so much...
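The Stack window description (ESP, EBP, LIFO) and the F7 walk into a Call until its Retn, as an added example that is not part of the original tutorial: a small C model of the x86 stack showing what the Stack window holds after stepping into a call and past its prologue, and where ESP ends up after RETN. The addresses, the 0x7E argument and the slot/push/pop helpers are constructed for the illustration, not taken from the crackme.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the x86 stack as OllyDbg's Stack window shows it: dwords below
 * STACK_TOP, ESP pointing at the last pushed dword (down on PUSH, up on POP)
 * and EBP marking the current frame. All addresses are constructed values. */
#define STACK_TOP 0x0012FFC4u
#define SLOTS 32

typedef struct { uint32_t esp, ebp, eip; uint32_t mem[SLOTS]; } Cpu;

static uint32_t *slot(Cpu *c, uint32_t addr) {      /* dword at a stack address */
    return &c->mem[(STACK_TOP - addr) / 4 - 1];
}
static void push(Cpu *c, uint32_t v) { c->esp -= 4; *slot(c, c->esp) = v; }
static uint32_t pop(Cpu *c) { uint32_t v = *slot(c, c->esp); c->esp += 4; return v; }
uint32_t peek(Cpu *c, uint32_t addr) { return *slot(c, addr); } /* what [addr] holds */

/* CALL target: push the return address (the next instruction), jump to target. */
void do_call(Cpu *c, uint32_t next_eip, uint32_t target) { push(c, next_eip); c->eip = target; }
/* Typical prologue PUSH EBP / MOV EBP,ESP: afterwards [EBP+4] is the return
 * address and [EBP+8] the first argument, which is what F7 lands on. */
void prologue(Cpu *c) { push(c, c->ebp); c->ebp = c->esp; }
/* LEAVE / RETN n: restore the caller frame, pop the return address, drop n argument bytes. */
void epilogue_retn(Cpu *c, uint32_t n) { c->esp = c->ebp; c->ebp = pop(c); c->eip = pop(c); c->esp += n; }

/* Constructed scenario: the caller pushes one argument and calls a function;
 * F7 steps into the call and past the prologue, so the Stack window now shows
 * the saved EBP, the return address and the argument, top to bottom. */
Cpu run_scenario(void) {
    Cpu c = { STACK_TOP, 0, 0x00401000u, {0} };
    push(&c, 0x7Eu);                        /* PUSH 7E        ; constructed argument */
    do_call(&c, 0x00401007u, 0x00401200u);  /* CALL 00401200  ; returns to 00401007 */
    prologue(&c);                           /* PUSH EBP / MOV EBP,ESP */
    return c;
}

int main(void) {
    Cpu c = run_scenario();
    printf("ESP=%08" PRIX32 " EBP=%08" PRIX32 " EIP=%08" PRIX32 "\n", c.esp, c.ebp, c.eip);
    printf("[EBP+4]=%08" PRIX32 " (return address)  [EBP+8]=%08" PRIX32 " (argument)\n",
           peek(&c, c.ebp + 4), peek(&c, c.ebp + 8));
    epilogue_retn(&c, 4);                   /* LEAVE / RETN 4 (stdcall cleanup) */
    printf("after RETN 4: ESP=%08" PRIX32 " EIP=%08" PRIX32 "\n", c.esp, c.eip);
    return 0;
}
```

After RETN 4 ESP is back at its starting value and EIP is the instruction after the Call, which is exactly where F7 (at the Retn) and F8 (at the Call) both leave you.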