INTRODUCTION TO THE CRACKING WITH OLLYDBG FROM CRACKLATINOS

(_kienmanowar_)

I. Foreword

Once again, greetings to everyone in REA. I happened to stop by Ricardo Narvaja's site and found this tutorial series, which is quite good and very basic for anyone who wants to learn about cracking with the help of the debugger that has become so famous: Ollydbg. I really like the Cracklatinos tutorials, but the trouble is they are all in Spanish. Still, this series looked so good that I got fired up and decided to translate it from Spanish into English, and then from the English I laboriously rewrote it the way I understood it, to pass on what I know to everyone. According to its author, the main idea of this series is to provide the most basic knowledge to anyone about to start exploring the art of cracking with the help of Ollydbg. Although the title says Introduction (meaning it is only an introduction), this series will in fact give us a solid foundation for reading and understanding tutorials written for advanced readers, especially the ones about to be published on Cracklatinos (hehe, its author advertises hard), and at the same time it will help us apply new techniques in cracking.

II. Why Ollydbg?

When you join REA, the thing you probably see most often is Ollydbg, so why Ollydbg and not some other tool? We will not discuss here building a tool that is better or more powerful than Ollydbg, nor fixing up a program that has been famous for a long time, SoftIce. It is simply that the SoftIce die-hards are gradually switching to Ollydbg because it is easy to use, does not crash the machine out of the blue the way SoftIce does, is supported by many teams around the world through plugins and modded builds of Ollydbg that counter anti-debug and anti-Ollydbg mechanisms, and for one more simple reason: this series is dedicated to Ollydbg.

III. The first task

So what is our first task now? Since this is a tutorial about Olly, what we have to do is find out where to get Olly and download it so we can use it. First, you can go to Olly's home site, ollydbg.de, to download it; otherwise REA has posted plenty of Ollydbg download links. I myself have collected maybe close to ten different builds of Olly; hic hic, I suppose it is just a matter of waiting for Olly 2.0.

Once you have downloaded Olly it is very simple: just extract it and use it. I recommend keeping all your RE and cracking tools together in one folder, as in my illustration, so they are easier to manage. Okay, assuming you have Ollydbg, we just run OLLYDBG.exe and Olly is up immediately; nothing complicated about installing or using it, unlike SoftIce. Ollydbg's interface looks like this:

This is my build of Ollydbg, modified and reconfigured. If you downloaded Ollydbg from the home site or from other sources it may differ from mine; to make the Plugins menu show up, do the following:

Specifically, as in the figure above, or go to Options > Appearance, select the Directories tab and set the paths to the Plugins folder and the UDD folder.

Then press OK and restart Olly, and the Plugins menu will appear. In the next part I will introduce the main windows of Ollydbg in detail, and to illustrate the rest of this article I will use a very famous crackme: CRACKME.EXE by CRUEHEAD. To load this crackme into Olly, click the following icon or go to File > Open (or F3):

Then select the exact crackme we are using to illustrate this article.

After loading it into Olly, we get the following:

Looking at this you may feel overwhelmed and not know where to start. Hic, the first day I loaded a target into Olly I looked it over back and forth and understood nothing at all, hehe; I just sat staring at it and had no idea what else to do. But no matter, everything has a solution: when you don't know, find documents and read them; when you read and still don't understand, then go and ask. But you have to know how to ask, otherwise you will never get an answer and may even annoy people. I will go through Olly's windows one by one with you. As you can see, Olly's main screen is divided into 5 main windows, each with its own task and its own name:

Here we see 4 large windows:

The Disassembler Window: in this window you can see the program's code in assembly language, and in the same window you can also annotate each line of assembly.

The Registers Window: this window holds detailed information about the registers such as eax, ebx, ecx, etc. The status flags are also managed in this window.

The Dump Window: in this window you can view or edit the memory of the program you want to debug, in two forms, hex and ASCII.

The Stack Window: a window that is no less important; everything has to be placed on the Stack before it is executed.

Finally, there is a window below the Disassembler Window: we will call it The Tip Window. That is not its real name, but that is what I like to call it. When you are at some line of code during debugging, Olly shows you detailed information about that line. A simple example: if you debug to the instruction mov eax, dword ptr [123], this window tells you what value or number is stored at [123]. And there are many other interesting things this window gives us. That is the most general overview you should know. Below I will introduce the function of each window in turn through illustrations; of course not every detail can be covered, we will learn gradually through specific cases in later tutorials, and in addition you should take the initiative to explore on your own and not depend too much on this article.

1. The DISASSEMBLER Window: this is Olly's first main window and a very important one; we will do most of our work in it. When you want to debug a program, you load the program's executable into Olly. The programs you load into Olly may have been coded in different languages such as VB, VC++, Borland Delphi or MASM, but in this window the program's entire code is listed as ASM. By default, Olly analyses the whole main code of any program you load and adds appropriate comments. You can customise this feature as shown in the illustration below:

If you choose to use this feature of Olly, what appears in the window will look like the previous illustrations. If you do not, we will see the difference right away: Olly no longer analyses the program automatically, and we have to do the analysis manually after the program is loaded into Olly. Okay, I tried unchecking it and reloading the Crackme into Olly, and we get the following:

As you can see in the figure above, if we do not enable Olly's automatic analysis, a lot of the information in the Comment column is stripped away, which makes debugging the program harder. However, this feature does not always work effectively; sometimes letting Olly analyse automatically leads to the opposite result, and the analysed code is shown incorrectly. For example, in the case below we get code that is nothing but DB entries:

In a case like this we can manually remove what Olly has analysed, simply by right-clicking in this window and choosing Analysis > Remove analysis from module.

And the result is that we get the correct code, as follows:

So while working with Olly you should be flexible about using this feature. There is another part that is no less important: as you can see in my Olly illustrations, the instructions are clearly distinguished by colour. You may not pay attention to this, but in my opinion distinguishing and fine-tuning the colours in Olly makes instructions easier to recognise, and it also shows off your aesthetic taste a little. To adjust the colours in Olly, go to the following tabs:

2. The REGISTERS Window: the next important window is the Register window. As already said, this window holds detailed information about registers such as eax, ebx, ecx, etc. The status flags are also managed in this window.

This window gives us a great deal of information while we work with Olly. If you only look at the illustration above you will probably feel, as I did, that it does not mean much, but in fact this is where a lot of very useful information comes from.

3. The STACK Window: first we will take a quick look at the Stack. It is a place for temporarily storing data and addresses, and it is a one-dimensional data structure. Elements are pushed onto and popped off one end of this structure, so it is processed first in, last out (LIFO: Last In First Out). The element pushed last is called the top of the Stack. You can picture the Stack as a pile of plates: the plate placed last is on top, and only it can be taken off first. The two main registers that work with the Stack are ESP and EBP. By default Olly shows the Stack relative to ESP, but we can switch back and forth between ESP and EBP by right-clicking and choosing as in the following figure:

4. The DUMP Window: this window shows the contents of memory or of a file. We can choose among several formats to display the contents of memory in this window: byte, text, integer, float, address, disassembly or PE Header. This window lets us search as well as edit, set Break points, etc.

So we have taken a tour of Olly's main windows, but Olly also has many other windows that we do not see directly like the ones above. We have to open those windows through the menu, as in the illustration below:

We will skim through the function of each window in turn.

_ The L button opens Olly's Log window, which shows us the information Olly records. By default this window stores information about the modules, import libraries or Plugins loaded with the program at the moment we first load the program into Olly. It also records information about the Break points we set in the program. In the case of our crackme, we get the following information:

Another feature of this window: when we want to keep the Log information, this window also lets us write it out to a file.

_ The E button opens the Executables window, which lists the executable files used by the program, such as exe, dll and ocx files, etc.

If you right-click in this window you will see many different options; within the limited scope of this article they cannot all be covered. Later parts will deal with them.

_ The M button opens the Memory window, which gives us information about the memory currently used by our program, along with much other useful information:

In this window we can also use the Search feature to look for strings, specific hex sequences, unicode, etc. In addition it offers different kinds of Break points that can be set on the Sections. Which BPs to set depends on our needs and purpose.

_ The T button opens the Threads window, which lists the program's Threads:

_ The W button opens the Windows window.

_ The H button opens the Handles window.

_ The C button needs no explanation; just click it and you will see the difference right away.

_ The / button opens the Patches window, which gives us information about everything we have edited in the program.

_ The K button opens the Call Stack window, which shows a list of the calls our program has made when we Run it with F9 and pause it with F12.

_ The B button opens the Break Points window, which shows all the BPs we have set in the program. However, it only shows BPs set by pressing F2; other kinds of BPs, such as hardware breakpoints or memory breakpoints, are not listed here:

_ The R button opens the References window, which holds the results of whatever we searched for with Olly's Search feature; the results appear here:

Phew, quite a lot of windows, aren't there? I will not go into further detail because we will meet them again in the following tutorials. One very important requirement besides knowing how to use Olly is that you need to know Asm language; if you don't, hii, you should spend some time learning the basics before reading the remaining parts of this article. Also, to make it easier to get used to, I will try to organise things more systematically in the later parts.

IV. Configuring Olly as a JIT (Just-in-time debugging)

When a program is executing and it raises an Exception, Windows can call the Registered Debugger (the debuggers configured as JIT) and attach it to the program. This feature is called Just-in-time debugging. Some JIT debuggers stop at the System breakpoint. Ollydbg instead keeps executing until it reaches the instruction that raised the Exception. To configure Ollydbg as a JIT debugger, do the following:

If you do not want to use this feature, you can Restore the previous setting.

V. Some basic keys for working with Olly:

F7: pressing F7 executes one instruction at a time. If a Call instruction is met while tracing, it goes inside the Call and executes each instruction within it until a Retn instruction returns to the main program, that is, to the instruction right after the Call.

F8: similar to F7, but with one difference: while tracing code, if a Call is met it is not concerned with the instructions inside the Call; it executes the Call as a whole and stops at the next instruction below the Call.

F2: sets a Break point in the program. So what is a Break point? Simply put, it is a point at which we interrupt the program under some condition while it executes; if the condition we set is met, the program stops at the position where we placed the BP. For example, in the illustration below:

Now I want to set a BP at the Call to the API LoadIconA. That is, when I execute the program and it calls this function, it will immediately stop here. Next, I can modify this function for my own purposes, for instance NOP it so the program no longer calls this function, etc. To do this, click on the position where you want to set the BP, then press F2. The place where we set the BP is marked in colour:

To remove a BP we have set, just select the coloured position and press F2 again.

F9: runs the program in Debug mode, similar to double-clicking the program to execute it. Unlike double-clicking, however, when we press F9 Olly checks whether any BP has been set, whether the program throws any Exceptions, or, if the program has an anti-debug mechanism, it will terminate immediately. If there is no obstacle at all, the program runs completely and Olly's status bar tells us so:
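The F2 breakpoint and the F7/F8 stepping described above, as an added example that is not from the original tutorial or from OllyDbg itself: a small Python model of how a debugger plants INT3 software breakpoints (which is why the Breakpoints window lists only F2 breakpoints) and how step-over plants a one-shot INT3 on the instruction after a CALL. The code bytes, offsets and instruction lengths are constructed for the example.

```python
# Added example (not OllyDbg's code): a tiny model of F2 software breakpoints
# and F8 "step over a CALL". The debuggee memory and instruction lengths are
# constructed; a real debugger reads bytes from the process and lengths from
# its disassembler.
INT3 = 0xCC        # one-byte trap written over the first byte of an instruction
CALL_REL32 = 0xE8  # opcode of a 5-byte "call rel32", like the call to LoadIconA

# Constructed x86 bytes: push ebp / mov ebp,esp / call rel32 / test eax,eax / retn
CODE = bytes.fromhex("55 8bec e800000000 85c0 c3")
LENGTHS = {0: 1, 1: 2, 3: 5, 8: 2, 10: 1}  # offset -> instruction length


class Debugger:
    def __init__(self, code):
        self.mem = bytearray(code)  # code as it really sits in the debuggee
        self.int3_bps = {}          # offset -> saved original byte (window B lists these)

    def set_bp(self, off):
        """F2: save the original byte, then overwrite it with INT3."""
        if off not in self.int3_bps:
            self.int3_bps[off] = self.mem[off]
            self.mem[off] = INT3

    def remove_bp(self, off):
        """F2 on an already marked line: put the original byte back."""
        if off in self.int3_bps:
            self.mem[off] = self.int3_bps.pop(off)

    def view(self):
        """What the Disassembler window shows: INT3 patches masked out again."""
        shown = bytearray(self.mem)
        for off, orig in self.int3_bps.items():
            shown[off] = orig
        return bytes(shown)

    def breakpoints_window(self):
        """Window B: only F2 (INT3) breakpoints; hardware/memory BPs live elsewhere."""
        return sorted(self.int3_bps)

    def step_over(self, off):
        """F8 at a CALL: one-shot INT3 after the call, run, remove it.
        Returns where execution stops; F7 would instead stop inside the callee."""
        if self.view()[off] != CALL_REL32:
            raise ValueError("this model only steps over CALL rel32")
        ret = off + LENGTHS[off]
        temp = ret not in self.int3_bps  # keep a user's own F2 breakpoint there
        self.set_bp(ret)
        # ... the debuggee executes the call and traps on the INT3 at ret ...
        if temp:
            self.remove_bp(ret)  # one-shot: gone as soon as it is hit
        return ret
```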

F12: pauses the program.

VI. Closing words: the above is the most general overview of Olly. As already said, you should not depend too much on this article of mine; you can explore Olly's other features on your own. The later parts of this series work on the Crackme by CRUEHEAD, and to save you the trouble of searching for it I have attached the target together with this article. I hope what I have written above helps you understand to some extent why Ollydbg is becoming more and more popular.

Best Regards
_[Kienmanowar]_

--++--==[ Greatz Thanks To ]==--++--
My family, Computer_Angel, Moonbaby, Zombie_Deathman, Littleboy, Benina, QHQCrker, the_Lighthouse, Merc, Hoadongnoi, Nini ... all REA members, TQN, HacNho, RongChauA, Deux, tlandn, light.phoenix, dqtln, ARTEAM .... all my friends, and YOU.

--++--==[ Thanks To ]==--++--
iamidiot, WhyNotBar, trickyboy, dzungltvn, takada, hurt_heart, haule_nth, hytkl, etc.: thank you for contributing so much to REA. I hope you keep it up.

I want to thank Teddy Roggers for his great site, Reversing.be folks (especially haggar), Arteam folks (Shub-Nigurrath, MaDMAn_H3rCuL3s) and all folks on crackmes.de, thanks to all members of unpack.cn (especially fly and linhanshi). Great thanks to lena151 (I like your tutorials). And finally, thanks to RICARDO NARVAJA and all members on CRACKSLATINOS.

>>>> If you have any suggestions, comments or corrections email me: kienbigmummy[at]gmail.com
