A simple and detailed od hack tutorial

Source: Internet
Author: User

2007-08-04 15:46 ccdebuger

Note: I saw this article online yesterday, but it had no illustrations, and a similar tutorial I found in another article had illustrations of rather poor quality. I had just downloaded the crack target described in the article, CRACKME3, from a forum, so I wanted to go through the OD features step by step and at the same time improve this article by attaching my own captures of the corresponding screens for reference. Because I ran into a few small differences while practising, some of the content has been changed slightly. If you would like to try cracking the software yourself, download it from http://download.csdn.net/source/1112519 (you may need to be a CSDN member to download it) or search for "od hack tutorial" or "ollydbg Primer Series (ii)-string reference" to find the original article, where the attachment can also be downloaded.

The previous article was an introduction; now we formally begin cracking. Today's target is CFF Crackme #3 from the crackmes.cjb.net image included on the CD-ROM of the first edition of Kanxue's "Encryption and Decryption". It uses user name / serial number protection, and the original was packed with UPX. Since we have only just started and have not yet covered unpacking, the focus here is on the general way of cracking with OllyDbg, so I unpacked it beforehand; the attachment is the unpacked file and can be used directly.

First, the general process of cracking a piece of software. When you get a program, do not start debugging it with OllyDbg right away: run it first, read the help file if there is one, get familiar with how the software is used, and then look at how it registers. If it uses a serial number, enter a fake one and see how it reacts; the response often leaves useful clues for the crack. If there is no place to enter a registration code, consider whether it reads the registry or a key file (generally called a KeyFile: the program reads the contents of a file to decide whether it is registered); other tools can help analyse these. If none of these apply, the original program is only a function-limited trial version, and turning it into the full version means writing the missing code yourself. A bit off topic, hehe.

Having gathered some basic information about the program, use a packer-detection tool to check whether it is packed; if it is not, see what it was compiled with (VC, Delphi, VB and so on). Tools for this include PEiD and FI. If it is packed, we should try to unpack it before debugging with OllyDbg; in special cases the packed program can also be debugged directly. Now to the main point:

Let's run the crackme first (PEiD shows it was written in Delphi). The interface:



This crackme comes with the user name and registration code fields already filled in, which saves us some typing ^_^. Such as:



Click the "Register now!" button and a dialog box pops up:

Well, today we start from the message "Wrong Serial, try again!" shown in that error dialog box. Launch OllyDbg, choose File -> Open and load CrackMe3.exe; we stop here:


Right-click in the disassembly window and a menu appears; in it, click Search for -> All referenced text strings:



Of course, it would be more convenient to use the Ultra String Reference+ plugin shown above.



But our goal is to become familiar with OllyDbg's own operations, so I will try to use the features that come with OllyDbg and use plugins as little as possible. OK, now another dialog box appears, such as:



Right-click in this window, choose the "Search for text" menu item, and enter the first word of "Wrong Serial, try again!", that is, "Wrong" (note that the search is case sensitive), then search. (In my case, only after selecting "Entire block" below did the search start and find all matching items.) Such as:

Two places are found:

Right-click the string we found, then click "Follow in Disassembler" in the menu that appears; we arrive here:

To see whether there are other references to it, choose "Search for -> Constant" (the immediate value) from the right-click menu; a dialog box appears:

Double-click either of the two addresses listed and we arrive at the corresponding location:


Scroll up a little in the disassembly window and look:

00440f2c  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00440f2f  |. BA 14104400    MOV EDX,crackme3.00441014            ; ASCII "Registered User"
00440f34  |. E8 F32BFCFF    CALL crackme3.00403b2c               ; Key call: step into it with F7
00440f39  |. 75 51          JNZ SHORT crackme3.00440f8c          ; Critical jump: if taken, it's over
00440f3b  |. 8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]
00440f3e  |. 8B83 C8020000  MOV EAX,DWORD PTR DS:[EBX+2C8]
00440f44  |. E8 D7FEFDFF    CALL crackme3.00420e20
00440f49  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00440f4c  |. BA 2C104400    MOV EDX,crackme3.0044102c            ; ASCII "gfx-754-ier-954"
00440f51  |. E8 D62BFCFF    CALL crackme3.00403b2c               ; Key call: step into it with F7
00440f56  |. 75 1A          JNZ SHORT crackme3.00440f72          ; Critical jump: if taken, it's over
00440f58  |. 6A 00          PUSH 0
00440f5a  |. B9 3C104400    MOV ECX,crackme3.0044103c            ; ASCII "Crackme cracked successfully"
00440f5f  |. BA 5C104400    MOV EDX,crackme3.0044105c            ; ASCII "Congrats! You cracked this crackme!"
00440f64  |. A1 442C4400    MOV EAX,DWORD PTR DS:[442C44]
00440f69  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
00440f6b  |. E8 F8C0FFFF    CALL crackme3.0043d068
00440f70  |. EB 32          JMP SHORT crackme3.00440fa4
00440f72  |> 6A 00          PUSH 0
00440f74  |. B9 80104400    MOV ECX,crackme3.00441080            ; ASCII "Beggar off!"
00440f79  |. BA 8C104400    MOV EDX,crackme3.0044108c            ; ASCII "Wrong Serial,try again!"
00440f7e  |. A1 442C4400    MOV EAX,DWORD PTR DS:[442C44]
00440f83  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
00440f85  |. E8 DEC0FFFF    CALL crackme3.0043d068
00440f8a  |. EB 18          JMP SHORT crackme3.00440fa4
00440f8c  |> 6A 00          PUSH 0
00440f8e  |. B9 80104400    MOV ECX,crackme3.00441080            ; ASCII "Beggar off!"
00440f93  |. BA 8C104400    MOV EDX,crackme3.0044108c            ; ASCII "Wrong Serial,try again!"
00440f98  |. A1 442C4400    MOV EAX,DWORD PTR DS:[442C44]
00440f9d  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
00440f9f  |. E8 C4C0FFFF    CALL crackme3.0043d068

Look at the comments above: I have marked two key points. One might ask how I know that those two places are the key points. It is actually very simple: I look at which instructions jump to the code that uses the "Wrong Serial,try again!" string. If you enable "Show jump path", and below it "Show grayed path if jump is not taken" and "Show jumps to selected command", in the Debug Options -> CPU tab, you will see which jumps lead to the error string:


The key code is shown below:

Set a breakpoint at address 00440f2c with the F2 key, then press F9 and the program runs. In the upper edit box I entered, for example, Ccdebuger; the lower edit box I left at its original "754-gfx-ier-954". Click the "Register now!" button, and OllyDbg jumps out and pauses at our breakpoint. Look at the information window: you should find the content you just entered. Here is what I see:
Stack ss:[0012f9ac]=00957f84, (ASCII "Ccdebuger")
eax=00000009

The memory address 00957f84 above holds what we just entered; in my case, Ccdebuger. Click the line "Stack ss:[0012f9ac]=00957f84, (ASCII "Ccdebuger")" to select it, right-click, and choose "Follow value in Dump" from the pop-up menu; you will see what you entered in the dump window below. And eax=00000009 is the length of what you entered: the Ccdebuger I typed is 9 characters. As shown below:

Now press the F8 key and analyse one step at a time:

00440f2c  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]         ; Put what we entered into EAX; here it is "Ccdebuger"
00440f2f  |. BA 14104400    MOV EDX,crackme3.00441014            ; ASCII "Registered User"
00440f34  |. E8 F32BFCFF    CALL crackme3.00403b2c               ; Key call: step into it with F7
00440f39  |. 75 51          JNZ SHORT crackme3.00440f8c          ; Critical jump: if taken, it's over

When F8 brings us to the line "00440f34 |. E8 F32BFCFF CALL crackme3.00403b2c", press F7 to enter this call. After entering, the cursor stops at this line:

The PUSH EBX, PUSH ESI and so on are instructions the called subroutine uses to save registers on the stack; ignore them and step through with F8. We only care about the key parts:

00403b2c  /$ 53             PUSH EBX
00403b2d  |. 56             PUSH ESI
00403b2e  |. 57             PUSH EDI
00403b2f  |. 89C6           MOV ESI,EAX                          ; The user name we entered (in EAX) goes to ESI
00403b31  |. 89D7           MOV EDI,EDX                          ; The "Registered User" data (in EDX) goes to EDI
00403b33  |. 39D0           CMP EAX,EDX                          ; Compare the two pointers: the same pointer means the same string
00403b35  |. 0F84 8F000000  JE crackme3.00403bca                 ; Equal: jump (strings identical)
00403b3b  |. 85F6           TEST ESI,ESI                         ; Is there data in ESI, i.e. did we enter a user name at all?
00403b3d  |. 74 68          JE SHORT crackme3.00403ba7           ; Jump if the user name is empty
00403b3f  |. 85FF           TEST EDI,EDI
00403b41  |. 74 6B          JE SHORT crackme3.00403bae
00403b43  |. 8B46 FC        MOV EAX,DWORD PTR DS:[ESI-4]         ; User name length into EAX (Delphi stores it just before the data)
00403b46  |. 8B57 FC        MOV EDX,DWORD PTR DS:[EDI-4]         ; Length of "Registered User" into EDX
00403b49  |. 29D0           SUB EAX,EDX                          ; User name length minus the length of "Registered User"
00403b4b  |. 77 02          JA SHORT crackme3.00403b4f           ; Jump if the user name is longer than "Registered User"
00403b4d  |. 01C2           ADD EDX,EAX                          ; Otherwise EDX becomes the user name length, i.e. the shorter of the two
00403b4f  |> 52             PUSH EDX
00403b50  |. C1EA 02        SHR EDX,2                            ; Shorter length shifted right by 2, i.e. divided by 4: number of whole dwords to compare
00403b53  |. 74 26          JE SHORT crackme3.00403b7b           ; Fewer than 4 bytes: no whole dword, go compare the remaining bytes
00403b55  |> 8B0E           MOV ECX,DWORD PTR DS:[ESI]           ; Next 4 bytes of the user name we entered into ECX
00403b57  |. 8B1F           MOV EBX,DWORD PTR DS:[EDI]           ; Next 4 bytes of "Registered User" into EBX
00403b59  |. 39D9           CMP ECX,EBX                          ; Compare
00403b5b  |. 75 58          JNZ SHORT crackme3.00403bb5          ; Not equal: finished, they differ
From this analysis we know that the user name must be "Registered User". Press F9 to run the program; the error dialog box appears; click OK, enter "Registered User" in the first edit box, and click the "Register now!" button again. OllyDbg stops at the breakpoint. Because we have already analysed the call at address 00440f34 clearly, this time we do not press F7 to go in but step over it with F8. Keep pressing F8 until we reach the second key code point:
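To make the comparison logic concrete, here is a C model of the subroutine at 00403b2c as read from the listing above. This is an added example, not code from the crackme or from the original article. The length-before-data layout is the Delphi long-string convention that the [ESI-4] / [EDI-4] reads imply; the helper names (delphi_str, lstr_cmp, crackme_check) are my own; and the value returned for unequal strings is simplified, since the caller only tests the zero flag with JNZ.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build a Delphi-style long string: a 32-bit length stored in the four
 * bytes before the character data, then the bytes, then a NUL.  Returns the
 * pointer to the data, which is what the subroutine receives in EAX/EDX. */
static char *delphi_str(const char *s) {
    uint32_t len = (uint32_t)strlen(s);
    char *block = malloc(4 + len + 1);
    if (!block) abort();
    memcpy(block, &len, 4);
    memcpy(block + 4, s, len + 1);
    return block + 4;
}

static void delphi_free(char *data) {
    if (data) free(data - 4);
}

/* Model of the compare at 00403b2c.  Returns 0 when the strings are
 * identical, nonzero otherwise.  Ordering of unequal strings is simplified
 * (assumption: the crackme only tests equality). */
int lstr_cmp(const char *esi, const char *edi) {
    if (esi == edi) return 0;                  /* CMP EAX,EDX / JE: same object, same string */
    if (!esi) return -1;                       /* TEST ESI,ESI / JE: left side is nil (empty) */
    if (!edi) return 1;                        /* TEST EDI,EDI / JE: right side is nil */

    uint32_t len1, len2;
    memcpy(&len1, esi - 4, 4);                 /* MOV EAX,[ESI-4] */
    memcpy(&len2, edi - 4, 4);                 /* MOV EDX,[EDI-4] */

    uint32_t n = len1 < len2 ? len1 : len2;    /* SUB EAX,EDX / JA / ADD EDX,EAX: shorter length */
    uint32_t dwords = n >> 2;                  /* SHR EDX,2: number of whole 4-byte chunks */
    for (uint32_t i = 0; i < dwords; i++) {    /* MOV ECX,[ESI] / MOV EBX,[EDI] / CMP / JNZ */
        uint32_t a, b;
        memcpy(&a, esi + 4 * i, 4);
        memcpy(&b, edi + 4 * i, 4);
        if (a != b) return 1;
    }
    for (uint32_t i = dwords * 4; i < n; i++)  /* the remaining 0..3 bytes (tail at 00403b7b) */
        if (esi[i] != edi[i]) return 1;

    return len1 == len2 ? 0 : 1;               /* equal prefix: only the lengths decide */
}

/* The two checks the crackme performs, in the order of the listing:
 * user name against "Registered User", then serial against "gfx-754-ier-954".
 * Returns 1 for success, 0 for the "Wrong Serial" path. */
int crackme_check(const char *name, const char *serial) {
    char *n = delphi_str(name), *s = delphi_str(serial);
    char *want_name = delphi_str("Registered User");
    char *want_serial = delphi_str("gfx-754-ier-954");
    int ok = lstr_cmp(n, want_name) == 0 && lstr_cmp(s, want_serial) == 0;
    delphi_free(n); delphi_free(s); delphi_free(want_name); delphi_free(want_serial);
    return ok;
}

int main(void) {
    printf("%d\n", crackme_check("Registered User", "gfx-754-ier-954")); /* 1 */
    printf("%d\n", crackme_check("registered user", "gfx-754-ier-954")); /* 0: bytes compared exactly, case matters */
    return 0;
}
```

Because the routine compares raw bytes, a lower-case "registered user" already fails in the first dword ("regi" versus "Regi"); the name has to be typed exactly as the literal "Registered User".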
00440f49  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]         ; Take the registration code we entered
00440f4c  |. BA 2C104400    MOV EDX,crackme3.0044102c            ; ASCII "gfx-754-ier-954"
00440f51  |. E8 D62BFCFF    CALL crackme3.00403b2c               ; Key call: step into it with F7
00440f56  |. 75 1A          JNZ SHORT crackme3.00440f72          ; Critical jump: if taken, it's over
Look carefully: the instruction "CALL crackme3.00403b2c" at address 00440f51 is the same as the one we analysed above at address 00440f34, isn't it? That means the same subroutine is used to check both the user name and the registration code, and we have already analysed that subroutine. We can therefore conclude that this call compares the registration code we entered with the "gfx-754-ier-954" loaded by the instruction at address 00440f4c; if they are equal, we pass. Well, we have enough information now. Click "Breakpoints" on the View menu to open the breakpoint window (you can also open it with Alt+B or by clicking the "B" icon on the toolbar):

Why disable the breakpoint here instead of deleting it? Mainly as insurance: if our analysis turns out to be wrong and we have to continue analysing, a deleted breakpoint means repeating some work. So disable it first, and delete it later once the actual test proves our analysis correct. Now disable the breakpoint and press F9 in OllyDbg to let the program run. Enter what we worked out:
Username: Registered User
Registration code: gfx-754-ier-954
Click the "Register now!" button and, hehe, finally success:
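Seen from the developer's side, the reason this crackme falls to a string search is that the expected values are stored as plaintext literals and compared directly, so they sit in the data section right beside the error messages. The C fragment below is an added example (not code from the crackme or from the article) that puts that weak pattern next to a check which embeds only a digest of the expected serial; fnv1a32, check_serial_weak, check_serial_hardened and build_time_expected_hash are my own names, and FNV-1a is used only because it is short enough to show in full.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak pattern: the expected serial is a plaintext literal compared
 * directly.  It ends up in the binary's data section, and OllyDbg's
 * "All referenced text strings" lists it alongside the error messages. */
int check_serial_weak(const char *input) {
    return strcmp(input, "gfx-754-ier-954") == 0;
}

/* 32-bit FNV-1a.  Chosen only because it fits in a few lines; it is not a
 * cryptographic hash and a real product would not rely on it. */
uint32_t fnv1a32(const char *s) {
    uint32_t h = 0x811c9dc5u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x01000193u;
    }
    return h;
}

/* Hardened pattern: the program embeds only the digest, which the build
 * tooling computed; the serial itself never appears in the shipped binary,
 * so a string search cannot reveal it. */
int check_serial_hardened(const char *input, uint32_t expected_hash) {
    return fnv1a32(input) == expected_hash;
}

/* Stand-in for the build step (assumption: in a real build this literal
 * lives only in the build script and just the resulting constant is
 * compiled in; it is kept here so the example is self-contained). */
uint32_t build_time_expected_hash(void) {
    return fnv1a32("gfx-754-ier-954");
}

int main(void) {
    uint32_t expected = build_time_expected_hash();
    printf("weak, correct serial:     %d\n", check_serial_weak("gfx-754-ier-954"));
    printf("hardened, correct serial: %d\n", check_serial_hardened("gfx-754-ier-954", expected));
    printf("hardened, wrong serial:   %d\n", check_serial_hardened("754-gfx-ier-954", expected));
    return 0;
}
```

This removes the plaintext from the referenced-strings list and nothing more: a 32-bit non-cryptographic hash has collisions, and the comparison itself can still be located through the constant search used earlier on this page, so a product that needs real protection uses a cryptographic hash or a signature-based licence scheme rather than any fixed string check.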



Postscript: This was an introduction to obtaining the user name and registration code with OD through string references. Because this software is relatively simple, and the author removed the packer in advance, beginners can get straight to the subject and practise. In addition, I found by accident that there is actually a simpler way to deal with this kind of software, which can sometimes save a lot of time (if the aim is only to obtain the user name and registration code, not to get familiar with the process of cracking software with OD).

For example, when we arrived at the following window by searching for the string:



The window lists all the addresses where the error message string appears. If we right-click in the window and select "Search for -> All referenced text strings", the following window appears:



Look, what we need is right there. Of course, this may be a special case, but it is worth a look, and sometimes it gets the job done with much less effort.
