
INTRODUCTION TO THE CRACKING WITH OLLYDBG

FROM CRACKLATINOS
(_kienmanowar_)

I. Introduction
Hello everyone. After my first tutorial introducing you to OllyDbg, some time went by in which I was busy with work and had to put my pen down, unable to continue writing. Now that things seem to have settled, I will set aside some time to continue this tutorial series. Although someone has already carried on my work, translating and writing up to the 16th tutorial, I will still rewrite them in my own way and in my own style. These articles are both something I share with you and a way for me to summarize and archive what I have done. In the previous part you got a general overview of OllyDbg, its components and its main functions; in this second part I will cover the use of number systems in Olly, plus a little basic knowledge about the stack. Okie, L3ts G0!!
II. Number systems
The three most widely used number systems are binary, decimal and hexadecimal. We will define each of them in turn.
Binary: the binary system has base 2 and only two digits, 0 and 1.
Decimal (base 10): this is the system we use most in everyday life. It consists of ten digits, from 0 to 9, and it is the counting system we are most familiar with.
Hexadecimal (base 16): numbers written in binary tend to be long and hard to remember, and converting decimal numbers to binary is usually hard. When we write assembly programs we commonly use both binary and decimal, and there is a third system, base 16, called hex for short. Hex lets us convert to binary and back easily.
Note: to convert a hex number to binary, simply write each of its digits in binary. To convert a binary number to hex, group the binary digits four at a time, working from right to left, then convert each group to the corresponding hex digit.
Hex has base 16, so its digits are 0-9 and A-F. (Because the numeric symbols run out, letters are used as well: the letters A to F represent the values 10 to 15.)
When you want to get used to debugging in Olly, the first thing I recommend is to become familiar with the number systems above; Olly mainly uses base 16. You also need to learn the simple methods of converting between the bases, to make your work easier. You may laugh and say this is unnecessary because so many tools do it for us nowadays, but in my view this is still prerequisite knowledge. Tools only help us work faster; if we want a deep and broad understanding, we should not skip even the most trivial details.
In this article I assume you have already equipped yourself with that basic knowledge. To make working with number systems easier, Windows provides a fairly powerful tool that few people pay attention to, and some do not even know it supports conversion between bases: the Calculator utility. There are several ways to open it, but the fastest is to go to the Run menu and type Calc.exe (typing just Calc also works).

As the figure shows, as soon as we type Calc the Calculator appears in the form of a standard calculator, just like the ordinary one you usually use. To switch to the more advanced features for binary and base 16 numbers and the calculations involving them, do as shown in the figure (View > Scientific). We get the following:

In the figure above you can see that the default number system is base 10 (Dec). Why is that the default? The simple answer is that we have used base 10, the standard human counting system, since the day we were born, so it is entirely reasonable for the program to default to it. You can switch to the other bases very easily through the options. As an example, how do I convert a number from base 10 to base 16? In the Calculator window, select Dec and type in any number (for example: 1111)

To switch to hex, just click the Hex option in the Calculator window, and your base 10 number is immediately and accurately converted to base 16.

In the figure above you can see that in base 10 the letters A to F are all disabled. When you switch to hex, these letters are enabled so that you can work in hex. Converting between the other bases works the same way, and you can see that this tool saves us a great deal of the work involved in converting by hand. All you have to do is type the number and click, he he.
III. Signed numbers in base 16
Computer hardware has to limit the size of numbers so that they can be stored in registers or memory cells. In hex, a problem arises when we want to represent a negative number such as -1: we cannot simply put a minus sign in front of the number as we do in base 10. If we could, things would be so simple that there would be no need to discuss this at all. Because the computers we use work only with the two digits 0 and 1, a different convention is needed to represent signed numbers.
Since we are working with a 32-bit system, its range of numbers in hex runs from 00000000 to FFFFFFFF. This range is cut in half: one half represents positive numbers and the other half represents negative numbers. Positive numbers start at 00000000 and end at 7FFFFFFF, while negative numbers start at 80000000 and end at FFFFFFFF. So how do we tell which numbers are negative and which are positive? Pay attention to one special bit, the leftmost bit, also known as the most significant bit (MSB). Likewise there is a least significant bit (LSB), which is the rightmost bit.
If the most significant bit is 0, the number is taken to be positive. If the most significant bit is 1, the number is taken to be negative. The 0 or 1 refers to the number written in binary. Negative numbers are stored in the computer in two's complement form (Note: the two's complement is obtained by inverting the bits of an integer and adding 1).
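This gives the following range of representations:
POSITIVE NUMBERS:
00000000h (base 16) = 0 (base 10)
00000001h (base 16) = 1 (base 10)
...
7FFFFFFFh (base 16) = 2147483647 (base 10) (largest positive number)
NEGATIVE NUMBERS:
FFFFFFFFh (base 16) = -1 (base 10)
FFFFFFFEh (base 16) = -2 (base 10)
...
80000000h (base 16) = -2147483647 (base 10) (smallest negative number)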
I will work through a conversion to two's complement so that you can see it as concretely as possible. Suppose I have the positive number 1 and I want to represent -1. To keep it simple I will demonstrate with a 16-bit number.
_ First, find the one's complement of 1 (obtained by inverting the bits):
1. Represent 1 in binary      : 0000 0000 0000 0001
2. Find the one's complement  : 1111 1111 1111 1110
_ Find the two's complement of 1 by adding 1 to the one's complement:
1. From the result above, the one's complement of 1 : 1111 1111 1111 1110
2. Add 1                                             :                  +1
3. The result is the two's complement                : 1111 1111 1111 1111
Converting this two's complement to hex gives: FFFFh
In Olly we can handle all of this through a plug-in: Command Bar. Using it is very simple; do as shown in the figure below:

It is very visual and easy to understand. Suppose you do not know the base 10 value of 7FFFFFFFh. In the Command Bar plug-in, just type ? followed by the expression or value you want information about. Let's try the conversion with the value 80000000h. As we saw above, 80000000h represents a negative number, but when we use Command Bar to convert it, the result is not what we expect. This is a bug in the Command Bar plug-in.

We can work around this through the Register window. Suppose that in this window the EAX register holds 80000000h. How do I see its value in base 10, and what are its signed and unsigned values?

To do this, right-click the EAX register and choose Modify, as shown in the figure below:

The Modify window appears and lets us change the EAX register however we like. In this case the result for 80000000h is exactly what we expect: -214783648.
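The invert-and-add-one procedure from the 16-bit walk-through, and the signed reading of a register value such as EAX = 80000000h, as an added Python example (not part of the original tutorial; the function names are illustrative and the register width is a parameter):

```python
# Added example: two's complement at an arbitrary register width.

def twos_complement(value, bits=32):
    """Negate `value` as in the walk-through: invert all bits, then add 1."""
    mask = (1 << bits) - 1
    ones = ~value & mask          # one's complement (bit inversion)
    return (ones + 1) & mask      # add 1, discard any carry out of the MSB

def to_signed(raw, bits=32):
    """Interpret the raw bits of a register as a signed number."""
    mask = (1 << bits) - 1
    raw &= mask
    msb = 1 << (bits - 1)         # most significant bit decides the sign
    return raw - (1 << bits) if raw & msb else raw

def to_raw(number, bits=32):
    """Encode a signed number as register bits; reject values that overflow."""
    lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    if not lo <= number <= hi:
        raise OverflowError(f"{number} does not fit in {bits} signed bits")
    return number & ((1 << bits) - 1)

def nibbles(raw, bits=32):
    """Binary string in groups of 4 bits, one group per hex digit."""
    b = format(raw, f"0{bits}b")
    return " ".join(b[i:i + 4] for i in range(0, bits, 4))

if __name__ == "__main__":
    # 16-bit case: 1 -> FFFFh
    print(nibbles(1, 16), "->", nibbles(twos_complement(1, 16), 16))
    # 32-bit boundary values, read both ways
    for raw in (0x00000001, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFE, 0xFFFFFFFF):
        print(f"{raw:08X}h unsigned={raw} signed={to_signed(raw)}")
```

Negating 80000000h yields 80000000h again, because the most negative value has no positive counterpart at the same width.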

Let's try replacing the value 80000000 with a different value and see what happens:

Ok, after editing you can either save the value you changed or discard it by clicking Cancel.
IV. The ASCII table
Not all the data a computer processes is numeric; peripherals such as the screen, keyboard and printer tend to work with characters. Like every other kind of data, characters must be represented in binary so that the computer can process them. The most common encoding for characters is ASCII. When working in OllyDbg you need at least a passing familiarity with this table. You have to understand it in order to convert between characters in hex form and the characters and symbols they correspond to. Below is an ASCII table for reference:

An example using the Command Bar plug-in shows the result visually:

In addition, the Dump window in Olly gives you important information while you debug the target:
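The hex-to-character mapping that a hex/ASCII dump view relies on, as an added Python example (not part of the original tutorial and not OllyDbg code; the base address and sample bytes are constructed):

```python
# Added example: render bytes as address / hex / ASCII rows.

SAMPLE = b"Hello Olly\r\n\x00\x01\xff"   # constructed sample bytes

def dump_rows(data, base=0x00401000, width=16):
    """Return rows of (address, hex column, ASCII column)."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_col = " ".join(f"{b:02X}" for b in chunk)
        # Printable ASCII is 20h..7Eh; control and high bytes are shown as '.'
        ascii_col = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        rows.append((f"{base + off:08X}",
                     hex_col.ljust(width * 3 - 1),   # pad a short last row
                     ascii_col))
    return rows

def hex_to_text(hex_string):
    """Decode hex digit pairs such as '4F 6C 6C 79' into ASCII characters."""
    return bytes.fromhex(hex_string).decode("ascii")

def text_to_hex(text):
    """Encode ASCII text as space-separated hex byte values."""
    return " ".join(f"{b:02X}" for b in text.encode("ascii"))

if __name__ == "__main__":
    for addr, hex_col, ascii_col in dump_rows(SAMPLE):
        print(addr, " ", hex_col, " ", ascii_col)
    print(hex_to_text("4F 6C 6C 79"), "<->", text_to_hex("Olly"))
```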

V. STACK
As I mentioned briefly in the first part, the stack is a region of memory used for temporary storage of data and addresses. The stack works on the LIFO principle (Last In, First Out): the element stored last is the first one taken out. Picture yourself stacking a pile of plates. The last plate you put on sits on top, at the top of the stack, and it is the first plate that has to come off if you want to get at the second plate beneath it. A LIFO data structure like this is ideal for storing temporary data, or information that does not need to be kept for long. The stack is typically where local variables, function calls and other information used to clean up the stack after a function or procedure call are stored.
Another important property of the stack is that it grows down through the address space: the more data is added to the stack, the lower the addresses at which it is placed, step by step. See the figure illustrating the memory layout:

Working with the stack involves two main registers, ESP and EBP, and the PUSH and POP instructions. In OllyDbg the Stack window shows this very clearly:
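How PUSH and POP move ESP on a stack that grows down, as an added Python example (a toy model written for this page, not OllyDbg code; the starting ESP value and region size are constructed):

```python
# Added example: toy model of a 32-bit x86 stack.
import struct

class Stack32:
    def __init__(self, top=0x0012FFC4, size=0x100):
        # `top` is a constructed starting ESP; memory covers [top-size, top)
        self.base = top - size
        self.mem = bytearray(size)
        self.esp = top

    def push(self, value):
        if self.esp - 4 < self.base:
            raise MemoryError("stack overflow: ESP would leave the region")
        self.esp -= 4                              # grows toward lower addresses
        off = self.esp - self.base
        self.mem[off:off + 4] = struct.pack("<I", value & 0xFFFFFFFF)

    def pop(self):
        if self.esp + 4 > self.base + len(self.mem):
            raise IndexError("pop from empty stack")
        off = self.esp - self.base
        (value,) = struct.unpack("<I", self.mem[off:off + 4])
        self.esp += 4                              # release the slot
        return value

    def view(self):
        """(address, dword) rows from ESP upward, top of stack first."""
        end = self.base + len(self.mem)
        return [(a, struct.unpack_from("<I", self.mem, a - self.base)[0])
                for a in range(self.esp, end, 4)]

def demo():
    s = Stack32()
    start = s.esp
    s.push(0x11111111)
    s.push(0x22222222)
    after_push = s.esp
    rows = s.view()
    first = s.pop()                                # LIFO: last pushed comes out
    return start, after_push, rows, first, s.esp

if __name__ == "__main__":
    start, after_push, rows, first, esp = demo()
    print(f"ESP {start:08X} -> {after_push:08X} after two PUSHes")
    for addr, val in rows:
        print(f"{addr:08X}  {val:08X}")
    print(f"POP -> {first:08X}, ESP = {esp:08X}")
```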

Okie, that is the end of part two of this series on Olly. In the next part I will introduce the registers and what each one does. I will try to finish writing it as soon as possible!

Best Regards
_[Kienmanowar]_

--++--==[ Greatz Thanks To ]==--++--
My family, Computer_Angel, Moonbaby , Zombie_Deathman, Littleboy, Benina, QHQCrker,
the_Lighthouse, Merc, Hoadongnoi, Nini ... all REAs members, TQN, HacNho, RongChauA,
Deux, tlandn, light.phoenix, dqtln, ARTEAM .... all my friend, and YOU.
--++--==[ Thanks To ]==--++--
iamidiot, WhyNotBar, trickyboy, dzungltvn, takada, hurt_heart, haule_nth, hytkl, etc., who have
contributed a great deal to REA. I hope you will keep it up.
I want to thank Teddy Roggers for his great site, Reversing.be folks(especially haggar),
Arteam folks(Shub-Nigurrath, MaDMAn_H3rCuL3s) and all folks on crackmes.de, thank
to all members of unpack.cn (especially fly and linhanshi). Great thanks to lena151(I like
your tutorials). And finally, thanks to RICARDO NARVAJA and all members on
CRACKSLATINOS.
>>>> If you have any suggestions, comments or corrections email me:
kienmanowar[at]reaonline.net
