Title: [original] OllyDbg Entry Series (III) - Function Reference
Author: ccdebuger
Time: 2006-02-14 23:34:59
Link: http://bbs.pediy.com/showthread.php?t=21330
Now for the third article. This one focuses on how to use the function reference (name reference) feature of OllyDbg. Once again the target is a crackme from the crackmes.cjb.net mirror package, this time one called crackhead. Run the program first and take a look:
Hmm, there is no place to enter a registration code! Click the "Shit" menu of the program and choose "Try it" from the drop-down; the following window appears:
Click the "Check it" button and try. No response! Try again with "78787878": still no response. Now try letters and other characters: they cannot be typed into the box at all, so the registration code must be numeric; only digits are accepted. Checking the file with PEiD gives masm32/tasm32, no wonder the program is so small. That finishes the information gathering. Close the program, load it into OllyDbg, press F9 to run it directly, click the menus shown above in order, and bring the program to the second screenshot above with the "Check it" button showing.
This time there are no strings to reference, so we have to break on an API function to stop the debugged program where we want it. In the OllyDbg disassembly window, right-click and choose "Search for > Name (label) in current module" from the pop-up menu, or press Ctrl+N for the same effect. (Note that OllyDbg must be inside the territory of the program being debugged; I introduced the concept of territory in the first article. For example, while debugging this program the OllyDbg title bar reads "[CPU - main thread, module - crackhea]", which means we are currently in the territory of the debugged program.) After this, the following dialog box appears:
For a program that takes the registration code from an edit box like this one, the first API functions to try as breakpoints are GetDlgItemText and GetWindowText. Each of these exists in two versions, an ASCII version and a Unicode version, for example GetDlgItemTextA and GetDlgItemTextW. Programs compiled for Unicode may not run under Win98, because Win98 does not fully support Unicode; NT-based systems support Unicode at the lowest layer, convert strings inside the operating system, and allow calling both the ASCII and the Unicode versions. Most programs we meet call the ASCII functions, the ones ending in "A". I have digressed again; back to the program being debugged. What we are looking for now is whether the program calls GetDlgItemTextA or GetWindowTextA. Luckily there is a GetWindowTextA. Right-click it and choose "Set breakpoint on every reference" from the pop-up menu; the status bar at the bottom of the OllyDbg window then shows "2 breakpoints have been set". Another way is to right-click GetWindowTextA and choose "Find references to import" (or press Enter); the following dialog box appears:
You can set breakpoints on both entries; for this program a breakpoint on the first instruction alone is enough. Fine. With the first method above, "Set breakpoint on every reference", both instructions get a breakpoint. Once the breakpoints are set, return to the program being debugged and click its "Check it" button; OllyDbg breaks here:
00401323  |. E8 4C010000    CALL <JMP.&USER32.GetWindowTextA>    ; GetWindowTextA
00401328  |. E8 A5000000    CALL crackhea.004013D2               ; the key call: press F7 to follow it
0040132D  |. 3BC6           CMP EAX,ESI                          ; compare
0040132F  |. 75 42          JNZ SHORT crackhea.00401373          ; not equal: failure, jump away
00401331  |. EB 2C          JMP SHORT crackhea.0040135F
00401333  |. 4E 6F 77 20 7> ASCII "Now write a keyg"
00401343  |. 65 6E 20 61 6> ASCII "en and tut and y"
00401353  |. 6F 75 27 72 6> ASCII "ou're done.",0
0040135F  |> 6A 00          PUSH 0                               ; Style = MB_OK|MB_APPLMODAL
00401361  |. 68 0F304000    PUSH crackhea.0040300F               ; Title = "crudd's crack head"
00401366  |. 68 33134000    PUSH crackhea.00401333               ; Text = "Now write a keygen and tut and you're done."
0040136B  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]            ; hOwner
0040136E  |. E8 19010000    CALL <JMP.&USER32.MessageBoxA>       ; MessageBoxA
From the code above it is easy to see that the CALL crackhea.004013D2 at 00401328 is critical and must be followed carefully. After successful registration, a message box titled "crudd's crack head" appears with the text "Now write a keygen and tut and you're done." So I press F8 to step to the CALL crackhea.004013D2 at 00401328, intending to press F7 there. Wait, what is going on? Pressing F8 landed here instead:
00401474  $-FF25 2C204000  JMP DWORD PTR DS:[<&USER32.GetWindowTextA>]  ; USER32.GetWindowTextA
0040147A  $-FF25 30204000  JMP DWORD PTR DS:[<&USER32.LoadCursorA>]     ; USER32.LoadCursorA
00401480  $-FF25 1C204000  JMP DWORD PTR DS:[<&USER32.LoadIconA>]       ; USER32.LoadIconA
00401486  $-FF25 20204000  JMP DWORD PTR DS:[<&USER32.LoadMenuA>]       ; USER32.LoadMenuA
0040148C  $-FF25 24204000  JMP DWORD PTR DS:[<&USER32.MessageBoxA>]     ; USER32.MessageBoxA
It turns out we hit the other breakpoint, the one on the import thunk. We do not need it, so press F2 to remove it. After deleting the breakpoint at 00401474, I press F8 again and this time end up inside the territory of user32.dll: the OllyDbg title bar reads "[CPU - main thread, module - USER32]", so we have run into system territory. The code shown in the disassembly window is:
77D3213C  6A 0C            PUSH 0C
77D3213E  68 A021D377      PUSH USER32.77D321A0
77D32143  E8 7864FEFF      CALL USER32.77D185C0
What now? Don't worry, press Alt+F9 (execute till user code) and we are back:
00401328  |. E8 A5000000    CALL crackhea.004013D2               ; the key call: press F7 to follow it
0040132D  |. 3BC6           CMP EAX,ESI                          ; compare
0040132F  |. 75 42          JNZ SHORT crackhea.00401373          ; not equal: failure, jump away
The cursor now sits on the instruction at 00401328. Press F7 to step into the call:
004013D2  /$ 56             PUSH ESI                           ; save ESI on the stack
004013D3  |. 33C0           XOR EAX,EAX                        ; EAX = 0
004013D5  |. 8D35 C4334000  LEA ESI,DWORD PTR DS:[4033C4]      ; ESI = address of the buffer holding the typed registration code
004013DB  |. 33C9           XOR ECX,ECX                        ; ECX = 0 (the running result)
004013DD  |. 33D2           XOR EDX,EDX                        ; EDX = 0 (the sign flag)
004013DF  |. 8A06           MOV AL,BYTE PTR DS:[ESI]           ; AL = first character of the registration code
004013E1  |. 46             INC ESI                            ; pointer + 1, to the next character
004013E2  |. 3C 2D          CMP AL,2D                          ; compare with 2Dh, i.e. "-": decides whether the input is negative
004013E4  |. 75 08          JNZ SHORT crackhea.004013EE        ; not a minus sign: skip
004013E6  |. BA FFFFFFFF    MOV EDX,-1                         ; negative input: EDX = -1, i.e. FFFFFFFFh
004013EB  |. 8A06           MOV AL,BYTE PTR DS:[ESI]           ; first character after the "-"
004013ED  |. 46             INC ESI                            ; pointer + 1, to the next character
004013EE  |> EB 0B          JMP SHORT crackhea.004013FB
004013F0  |> 2C 30          SUB AL,30                          ; character minus 30h: "1" is 31h in ASCII, so this yields the digit 1
004013F2  |. 8D0C89         LEA ECX,DWORD PTR DS:[ECX+ECX*4]   ; ECX = ECX * 5
004013F5  |. 8D0C48         LEA ECX,DWORD PTR DS:[EAX+ECX*2]   ; ECX = ECX * 2 + EAX, i.e. previous result * 10 + new digit
004013F8  |. 8A06           MOV AL,BYTE PTR DS:[ESI]           ; next character
004013FA  |. 46             INC ESI                            ; pointer + 1, to the next character
004013FB  |> 0AC0           OR AL,AL                           ; reached the terminating zero byte?
004013FD  |.^75 F1          JNZ SHORT crackhea.004013F0        ; no: loop back and process the next character
004013FF  |. 8D040A         LEA EAX,DWORD PTR DS:[EDX+ECX]     ; EAX = EDX + ECX
00401402  |. 33C2           XOR EAX,EDX                        ; with EDX = -1 this gives (ECX-1) XOR -1 = -ECX: a leading "-" negates the number; with EDX = 0 EAX is simply ECX
00401404  |. 5E             POP ESI                            ; restore ESI. This and the next instruction raise the question: where is the value in ESI computed?
00401405  |. 81F6 53757A79  XOR ESI,797A7553                   ; ESI = ESI XOR 797A7553h
0040140B  \. C3             RETN
So there is a question: where does the value in ESI come from? Regardless, keep pressing F8 down to the RETN at 0040140B (you can have returns displayed as RET instead of RETN by ticking "Use RET instead of RETN" in the "Commands" tab of the debugging options). Press F8 once more and we return from the call at 00401328 to here:
0040132D  |. 3BC6           CMP EAX,ESI                          ; compare
0040132F  |. 75 42          JNZ SHORT crackhea.00401373          ; not equal: failure, jump away
The cursor stops on the instruction at 0040132D. From the analysis above we know that EAX holds the numeric value computed from the typed registration code. Look at the information window below the disassembly:
ESI = E6B5F2F9
EAX = FF439EBE
In the information window, select the line ESI = E6B5F2F9, right-click it, and choose "Modify register" from the pop-up menu. A window like this appears:
Your values will probably differ from mine, because this crackme produces a different serial on each machine. Close the window above and do the same with the line EAX = FF439EBE in the information window:
We know from the analysis above that the routine converts the typed registration code from a character string into a number: the string "12345666" becomes the number 12345666. (The EAX = FF439EBE in the screenshot is exactly what the routine produces for the input "-12345666": FF439EBE is -12345666 as a signed 32-bit value, the negation we saw done by the LEA/XOR pair.) That is clear enough. Now copy the number from either the signed or the unsigned edit box of the "Modify register" dialog for ESI shown above, paste it into the edit box of the program being debugged, and try it:
Haha, it succeeded. Unfortunately this crackme asks for a keygen. We do not have to write the keygen right now, but the registration algorithm must be worked out. Remember the ESI register value I pointed out earlier? The analysis above does not help much with a keygen: to understand the registration algorithm you have to know how that ESI value is generated, and only then have you understood this crackme. That is all for today; how to get at the ESI value is left for the next article, OllyDbg Entry Series (IV) - Memory Breakpoints.
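As an added example that is not code from the original article or from the crackme itself, here is a Python re-implementation of the routine at 004013D2, written from the disassembly above, together with the signed/unsigned conversion behind the "Modify register" trick. The edit-box buffer at 004033C4 and the ESI value are modelled as plain function arguments (an assumption for the purpose of the example); where the pre-XOR value of ESI comes from is not known from this article, and the example only reverses the final XOR.

```python
MASK32 = 0xFFFFFFFF  # the routine works in 32-bit registers, so all arithmetic wraps


def parse_serial(text: str) -> int:
    """Emulate the routine at 004013D2 and return the 32-bit value it leaves in EAX.

    'text' stands in for the NUL-terminated ASCII buffer at 004033C4 that
    GetWindowTextA filled from the edit box (an assumption taken from the LEA
    at 004013D5; bytes after the terminating NUL are not modelled).
    """
    edx = 0   # XOR EDX,EDX: sign flag
    ecx = 0   # XOR ECX,ECX: running result
    pos = 0
    # 004013E2: if the first byte is "-" (2Dh), EDX = -1 and the sign is skipped
    if text[:1] == "-":
        edx = MASK32
        pos = 1
    # 004013F0..004013FD: process every byte up to the terminating NUL
    for ch in text[pos:]:
        # SUB AL,30 touches only AL (8 bits); EAX was zeroed at 004013D3, so EAX
        # holds the byte minus 30h wrapped to 0..255. Nothing checks that the
        # byte is really a digit, so any character is accepted.
        digit = (ord(ch) - 0x30) & 0xFF
        ecx = (ecx * 5) & MASK32          # LEA ECX,[ECX+ECX*4]  -> ECX * 5
        ecx = (digit + ecx * 2) & MASK32  # LEA ECX,[EAX+ECX*2]  -> ECX * 10 + digit
    # 004013FF LEA EAX,[EDX+ECX]; 00401402 XOR EAX,EDX
    #   EDX = 0  -> EAX = ECX
    #   EDX = -1 -> EAX = (ECX - 1) XOR -1 = NOT(ECX - 1) = -ECX (two's complement)
    return ((edx + ecx) & MASK32) ^ edx


def serial_strings(esi: int) -> dict:
    """The two decimal forms OllyDbg's "Modify register" dialog offers for ESI.

    Both parse back to the same 32-bit value, so either string satisfies the
    CMP EAX,ESI at 0040132D.
    """
    unsigned = esi & MASK32
    signed = unsigned - (1 << 32) if unsigned & 0x80000000 else unsigned
    return {"unsigned": str(unsigned), "signed": str(signed)}


def esi_before_xor(esi: int) -> int:
    """Undo the XOR ESI,797A7553 at 00401405.

    Returns the value ESI held when the routine was called (PUSH/POP ESI
    preserve the caller's value; only the XOR changes it). How that value is
    produced is the subject of the next article.
    """
    return (esi ^ 0x797A7553) & MASK32


def check(text: str, esi: int) -> bool:
    """Model the CMP EAX,ESI / JNZ at 0040132D-0040132F: True means "registered"."""
    return parse_serial(text) == (esi & MASK32)


if __name__ == "__main__":
    # Values from the article's screenshot: ESI = E6B5F2F9 after the XOR,
    # EAX = FF439EBE for the text typed into the box.
    esi = 0xE6B5F2F9
    forms = serial_strings(esi)
    print("serials accepted for ESI=%08X: %s" % (esi, forms))
    for s in forms.values():
        print("%-12s -> EAX=%08X registered=%s" % (s, parse_serial(s), check(s, esi)))
    print("'-12345666'  -> EAX=%08X" % parse_serial("-12345666"))
    print("ESI when the routine was called (before XOR 797A7553): %08X" % esi_before_xor(esi))
```

The two LEA instructions are the usual x86 idiom for multiplying by ten without MUL, so the loop is an ordinary atoi; the only twist is that the negation is done with LEA plus XOR instead of NEG, which is why the signed decimal form of ESI (with a leading "-") is accepted just as well as the unsigned one.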
--------------------------------------------------------------------------------
[Copyright notice] This article is purely a technical exchange. Please keep the article intact when reposting, thank you!