INTRODUCTION TO THE CRACKING WITH OLLYDBG FROM CRACKLATINOS (_kienmanowar_)

Published on 29-Aug-2018

INTRODUCTION TO THE CRACKING WITH OLLYDBG
FROM CRACKLATINOS
(_kienmanowar_)

A cool, steady head, a burning heart, and work with everything you've got!

I. General introduction

So we have gone through eight articles in the series on OllyDbg. In those eight articles I completed the first piece of work: introducing and briefly explaining the asm instructions most commonly used when we work with OllyDbg. From here on, in the following parts, we will gradually approach newer material, and there will be plenty of room for us to explore, learn and practise. We will study each part slowly, one at a time; in parallel with reading the theory we will immediately practise what we have learned and fill in the areas where we are still lacking. In this article I will present to you some basic terminology, how to work with API functions, how to patch by way of the flags, and finally how to edit the program's code directly. N0w.L3ts G0!!!!!!!!!

II. Basic terminology, working with APIs, and patching via flags

In this part 9 we continue to use CRUEHEAD's crackme for the demo. Loading the crackme into Olly, we stop at the crackme's entry point. So what is the entry point? Quite a few of you have asked questions about it; I am not a programmer by trade, so I will explain it the way I understand it.

Basically, the term EntryPoint (EP) refers to the starting point of a program, the point from which the program executes normally. Do not confuse EP with OEP (Original Entry Point); OEP is a different term that we will look at in later parts of this tutorial series. After we open a program in Olly and wait for the analysis to finish, Olly stops us at that program's EntryPoint.

Specifically, in our case this crackme has an EP of 0x401000, and Olly also shows us, after analysing the crackme, that it is stopped at the EP as in the illustration you saw above. Almost all programs (about 99% of cases) stop at the program's EP when we load them in Olly, except for some special cases where some interference makes us not stop at the EP after loading the program into Olly; that is a special trick we may get a chance to look at later. For now it is only a concept; we still have plenty of time to dig into it!

Next is another concept we also need to consider: Application Programming Interface (API) functions and DLL libraries.

For the theory and background on APIs and DLLs you can refer to the PE File Format book that I translated, or to sources on the Internet. In the illustration above, the circled spot is a call to an API function:

CALL LoadIconA

Put plainly, the API is this: the Windows operating system builds a very large collection of functions/procedures, and these help you carry out the work you would otherwise have to repeat day after day, which is very tedious while coding. The collection of functions/procedures that Windows builds is given the common name API; with the API available, programmers do not have to waste effort on work that has already been built. Depending on their group of tasks and purpose, these APIs are collected into a DLL library file; when needed, the programmer only has to look in the library to see whether the function is there, and if so simply call it and use it.

Looking at the illustration above, you can see Olly showing us that the LoadIconA function is in the DLL User32.dll.

Let us take a simple example with the MessageBoxA function: I have no idea which DLL this function lives in and do not know its address either. So how do I get information about this function? Very simple: Olly gives us the ability to look up an address by function name. In Olly's Command Bar we type the function name as follows:

Wow, Olly immediately finds the address of MessageBoxA for us. Now we go to this address to see which library the function we looked up is in. In Olly, right-click and choose Go to > Expression:

Enter the address we found into the textbox and press OK:

Olly takes us to the address of MessageBoxA:

From the picture above we see right away that MessageBoxA belongs to the DLL User32.dll. The function starts at 0x7e45058a and ends with a Retn 10 instruction at 0x7e4505d0.

There is also another way to find MessageBoxA, similar to the above, but instead of typing the function's address we type the function name directly and press OK:

As you saw above, finding MessageBoxA seems very easy, but it is not always that simple. With the two methods above you must remember every letter exactly, including the upper/lower case of the function name. So what if we only vaguely remember the function name and cannot write it in the exact form? Olly gives us another way to get to that function. Ok, to do it, we go back to the program's EP (simply by pressing the "go back" key on the keyboard, since right now you are at the address of MessageBoxA), then do as in the picture below (the shortcut is Ctrl + N):

Immediately a series of functions used in the current module is listed, as you see in the following picture:

Looking at that, clearly we have no idea where to dig MessageBoxA out of such a forest of names. To find the right function, first, in that same window, type the first letter of the function name, in this case the letter M. Olly takes us to the position of the functions beginning with M. Keep typing the next letters of the function name and Olly brings us to exactly the position we want:

On the function we found, right-click and choose Follow import in Disassembler:

Ok, so we have gone through several different methods of finding information about an API function; now we continue with the next part of the article. Having found the information about MessageBoxA as in the illustration above, we set a break point, also known by the term Break Point (BP). We do it as follows:

Setting the BP as above is equivalent to another way of doing it: in the Command Bar window we type: Bp MessageBoxA

Ok, we have just set the BP; now let us check the result. Switch to the BP window with the shortcut (Alt + B):

As you see above, I set a BP at the starting address of MessageBoxA; now when I run this crackme in Olly, if any message box pops up we will stop at the position where we set the BP. To verify this, we run the crackme by pressing F9:

Go to the Help menu and choose Register; the window asking for a User Name and Serial appears:

We try entering fake info into the text boxes, then press Ok. Olly immediately stops, and stops exactly where we set the BP:

So we guess that the moment we press Ok a message box will be fired, but since we had Olly catch this action, Olly stops at the start of the function. Now we switch to the Stack window and get the following information:

From the information in the picture you can see that, before each API function is called, the function's parameters are pushed onto the Stack. You can look these parameters up in the help file Win32.hlp. Ok, now in the Stack window we choose as follows:

We return to the program's code window and stop at the following position:

Given the theory about the two instructions CALL and RET that I introduced in the previous part, we will not be too surprised that when we follow the address above, Olly brings us to a Ret instruction rather than a Call.

Ok, so as you can see, when the User name and Serial we enter are incorrect, we receive a message with the following content:

004013AD |. 6A 30          push 30                   ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013AF |. 68 60214000    push 00402160             ; |Title = "No luck!"
004013B4 |. 68 69214000    push 00402169             ; |Text = "No luck there, mate!"
004013B9 |. FF75 08        push dword ptr [ebp+8]    ; |hOwner
004013BC |. E8 79000000    call                      ; \MessageBoxA

Now we go back to where we set the BP to verify what we just said above. We set a BP at the Ret 10 instruction:

Then press F9 to run the program; we get the message box:

Ha ha, exactly as we found above. Now we press OK and immediately stop at the Ret 10 instruction:

This Ret 10 tells us that we are at the end of the MessageBoxA API function; when it executes, we return to the program's main code. But before executing it, a look at the Stack window gives us the address we will return to when Ret 10 executes:

The address I circled is the address of the instruction right below the call to MessageBoxA.

We press F7 to trace over the Retn 10; we then return to address 0x004013C1, but at the same time, when this instruction executes, the Esp register is automatically incremented by 0x10, i.e. ESP = ESP + 0x10 = 0x0013FE90 + 0x10 = 0x0013FEA0. Ok, after pressing F7 as described, we arrive here:

In the Stack window:

As in the picture, we are at 0x004013C1; above it is a call to MessageBoxA. This picture tells us that the Name and Serial we entered were wrong, so the No luck message fires!! Now we press F9 once more:

Boom, we break at MessageBoxA again; look at the Stack window once more:

Right-click on the first line and choose Follow in Disassembler:

Olly takes us to address 0x0040137D; above it, at 0x00401378, is again a call to MessageBoxA:

So, summing up, we see that there are two pieces of code that both show the No luck Nag, and we conjecture that we will therefore have two checks, related to the entered UserName and Serial. Perhaps the first Nag we got is the one related to the Name check, while the next Nag that we see in the picture above is the one related to the Serial check. Looks like a bit of work here!!

At that position, scroll up a little and you will see one more call to MessageBoxA:

The picture above tells us there are 2 Nags related to entering the Serial: if we enter it correctly, the message highlighted in yellow is shown; if incorrectly, the message highlighted in blue. In the picture above we also see a $ sign; this sign tells us we are inside the body of a function/procedure call, so to find out where this call comes from we just select the line containing the $ and look at the window below:

So Olly lets us know that the address of the call to the code above is at 0x00401245. Right-click on the blue-highlighted line above and choose Go to Call from 00401245:

Hmm, it seems we are standing at the position containing the comparison code. So we reason as follows: if the comparison result is true we jump to address 0x0040124C and execute the function call at that address, which according to the picture above shows the Great work message; otherwise, if the comparison is false, we go on to the call at 0x00101245 and execute the function call that shows the No luck message. Let us set a BP at the JE instruction:

Delete all the BPs related to the MessageBoxA API; open the Break Point window (Alt + B):

We remove the two BPs we set in the User32 module, leaving only the BP we set at the JE instruction; to remove a BP, just right-click on it and choose Remove, or press the Del shortcut key.

After removing the BPs, leaving only a single BP as in the picture above, we press F9 to run the program. This time the No luck Nag appears; the reason is that earlier we had a BP at MessageBoxA but we just removed it, so getting the Nag is expected. Press Ok, then re-enter the Name and Serial; this time let us try a different name:

Press OK and we stop at the BP. Oh, so my initial preliminary conclusion that this crackme has two checks, related to the Name and the Serial, is correct. Because if you enter the Name as I did the first time above, then when we press Ok we get the No luck Nag before we break at the BP. Only after we press Ok on that Nag do we stop at the BP we set:

We see that, based on the result of the CMP comparison, if the value of eax is not equal to the value of ebx then the jump is not taken. When the jump is not taken, the Call below it at address 0x00401245 executes next, and we know that CALL 401362 is the function that shows the No luck Nag; if you do not remember, select the Call instruction and press Enter to follow it:

As we see, the JE is not taken because the Serial we entered is wrong. We also know that this JE jump depends on the Z flag, so to make it execute we have a small trick: change the value of the flag by double-clicking on the Z flag:

As in the picture above, the Z flag becomes 1, which is equivalent to the value of eax being equal to the value of ebx; it is also equivalent to the Cmp instruction having subtracted two equal operands and produced 0. And when the result is 0 the Z flag is set, and we jump too, lolz, as in the illustration below:

So if we press F8 to trace, the JE takes us to the next instruction at address 0x0040124C. We know the Call at this address shows the Great work Nag; if you do not remember, try following this Call by pressing Enter:

Now let us try whether that is right: press F9 to run, and boom:

So at this point we can affirm that Cmp eax, ebx is the comparison related to the Serial; depending on its outcome, i.e. (eax = ebx?), the jump decides whether to show Bad boy or Good boy. From this we also conclude that this crackme has two separate checks, one related to the Name and one related to the Serial. And if we enter a Name that contains a digit, we get the Nag right away. Ok, let us test it:

Press Ok to confirm the entered information and:

We press Ok once more, and only this time do we stop at the BP we set above:

Only if we also bypass the check above do we get past the last Nag of this crackme, i.e. this part checks the serial: if correct it shows Great work, if wrong it keeps showing No luck... Ok, now we go back to the spot where we broke when we set the BP at the MessageBoxA API:

Observing, we see the return address is 0x004013C1; follow this address.

Here we see that Olly shows us this routine starts at 0x0040137E and ends at 0x004013C1. Paying a little attention, we also see that at address 0x004013AC there is a > sign. This symbol tells us that a jump from somewhere lands on it; to see the details we just select the position with that sign and watch the Tip Window:

Once again we see a comparison instruction and a jump that depends on the comparison result, so we set a BP at the jump at address 0x0040138B:

Ok, press F9 to run the program and enter the information as we entered before:

Then press Ok; we break where we just set the BP:

After breaking, we observe that on the first break this jump is not taken. The reason is that it checks each character of the Name string we entered one by one, and only jumps if it contains a digit. Now we press F9 4 more times; at this point we observe that it is checking the 5th character, which is the digit 4, so the jump will be taken:

Looking at the flag values we see that the C flag is set:

Select the C flag's value and double-click to set it to 0; looking over at the CPU window we see the jump no longer takes effect:

We keep pressing F9 and bypass the next two digits the same way. After getting past this check we break here:

Continue using the trick to activate the jump by double-clicking on the Z flag:

Finally we press F9 once more, and this time it is what we have been waiting for:

As you see, to get the Great work message above we did it by changing the flags; however, you know that these flags change continuously, so we have no way to save what we have done. Therefore, to force our program to accept any username and serial we enter, we are obliged to change the program's code!! How do we do that?

III. Patching by editing the code

First we deal with the jump at the check related to the entered Name so that it accepts digits in the Name:

Hehe, now we will not change the flag any more but edit the code instead; at address 0x0040138B, which holds the jump, we press the Space bar:

Replace it with a NOP instruction:

Then press Assemble and we get the following result:

Ok, so we have removed this jump; now we press F2 to remove the BP at that position:

Next we go to the jump at the Serial check:

Here we also no longer need to touch the Z flag to activate the jump. We press the Space Bar and replace it with the following instruction:

Replacing it with jmp means we force it to always jump, whether right or wrong. Ok, after editing we remove the BP at that position. Press F9 to run and check the result:

Choose Ok and ha ha:

As you see, I have just shown you how to edit instructions directly in Olly, but if we restart the program these changes no longer apply, meaning it does not save what we did. So, to save the changes, before closing Olly do the following:

Right-click, then choose Copy to executable > All modifications; a window pops up:

We choose Copy all to save everything we changed:

Another window pops up as above; here we right-click and choose: Save file

Give the file we save a new name, for example Crackme_fixed.exe, and choose Save. Close Olly and test the result by running the new file:

Enter the registration information:

Press Ok:

Ha ha, so the new file we just saved works very well!! Great, now we can enter any old garbage and it still says Great work

Appendix

In this appendix section we look into...
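The two checks in section II both come down to one mechanism: CMP subtracts its operands and keeps only the flags, and JE/JB then read ZF/CF, which is why double-clicking a flag in Olly changes which branch runs and why section III's NOP/JMP edit makes the effect permanent. The following Python model is an added example, not code from the tutorial or from CRUEHEAD's crackme: it reproduces the x86 flag semantics for CMP and the serial check's CMP eax, ebx / JE exactly as the text describes them. The per-character name check is a constructed stand-in (the page only tells us the jump fires on the digit '4' with the C flag set, not which instructions do it), so the comparison against 'A' there is an assumption, as is the sample name "abcd456".

```python
"""Model of x86 CMP flag semantics and the flag-driven branches of the crackme.

Added example (not from the tutorial). Only the flag arithmetic is real x86
behaviour; the name-check loop is a constructed stand-in for a routine the
tutorial never shows in full.
"""


def cmp_flags(a, b, bits=32):
    """Flags produced by CMP a, b (the result of a - b is discarded).

    ZF: result is zero (operands equal)   CF: unsigned borrow (a < b unsigned)
    SF: sign bit of the result            OF: signed overflow
    """
    mask = (1 << bits) - 1
    sign = 1 << (bits - 1)
    a &= mask
    b &= mask
    res = (a - b) & mask
    return {
        "ZF": int(res == 0),
        "CF": int(a < b),
        "SF": int(bool(res & sign)),
        "OF": int(bool((a ^ b) & (a ^ res) & sign)),
    }


# Branch predicates: which flags each jump reads. "JMP" is what section III
# patches the serial-check JE into (always taken); a NOP in place of the
# name-check jump simply never branches, so it is modelled as "NOP".
JCC = {
    "JE":  lambda f: f["ZF"] == 1,
    "JNE": lambda f: f["ZF"] == 0,
    "JB":  lambda f: f["CF"] == 1,
    "JAE": lambda f: f["CF"] == 0,
    "JL":  lambda f: f["SF"] != f["OF"],
    "JG":  lambda f: f["ZF"] == 0 and f["SF"] == f["OF"],
    "JMP": lambda f: True,
    "NOP": lambda f: False,
}


def serial_branch(eax, ebx, force_zf=None, jump="JE"):
    """CMP eax, ebx followed by a branch to the good-boy call.

    force_zf models double-clicking the Z flag in Olly before the JE runs;
    jump="JMP" models the patched instruction from section III.
    """
    flags = cmp_flags(eax, ebx)
    if force_zf is not None:
        flags["ZF"] = force_zf
    return "Great work" if JCC[jump](flags) else "No luck"


def name_check_trace(name, clear_cf_each_break=False, jump="JB"):
    """Constructed stand-in for the per-character name check.

    Assumption (not from the page): every byte is compared as CMP al, 'A'
    followed by JB reject, so any byte below 'A', digits included, sets CF and
    takes the jump. Returns the character indexes at which the jump fires.
    clear_cf_each_break models double-clicking the C flag to 0 at each break;
    jump="NOP" models the patched instruction from section III.
    """
    taken = []
    for i, byte in enumerate(name.encode("ascii")):
        flags = cmp_flags(byte, ord("A"), bits=8)
        if clear_cf_each_break:
            flags["CF"] = 0
        if JCC[jump](flags):
            taken.append(i)
    return taken


if __name__ == "__main__":
    print(serial_branch(0x1234, 0x5678))                 # No luck
    print(serial_branch(0x1234, 0x5678, force_zf=1))     # Z-flag trick: Great work
    print(serial_branch(0x1234, 0x5678, jump="JMP"))     # patched: Great work
    print(name_check_trace("abcd456"))                   # [4, 5, 6]
    print(name_check_trace("abcd456", clear_cf_each_break=True))  # []
    print(name_check_trace("abcd456", jump="NOP"))       # []
```

The flag-flip and the patch give the same result for one run, but only the patch survives a restart, which is the point section III makes; the OF computation is included so the same `cmp_flags` also drives the signed jumps (JL/JG) that other routines may use.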