[Excerpt] OllyICE instructions and Examples

Source: Internet
Author: User

1. Install and configure OllyDBG

The released version of OllyDBG 1.10 is a ZIP archive: extract it to a directory and run OllyDBG.exe. The Chinese version is distributed as a RAR archive and is installed the same way, by extracting it to a directory and running OllyDBG.exe:

OllyDBG's main windows and their functions are briefly described below; for details, see the Chinese help file translated by the TT translation team:

Disassembly window: shows the disassembled code of the program being debugged. Right-click the Address, HEX dump, Disassembly or Comment column header to choose "Hide title" or "Show title" from the context menu; left-click the Comment header to switch the comment display mode.

Register window: shows the CPU registers of the currently selected thread. Click the Registers (FPU) label to switch the register display mode.

Information window: shows the operands of the instruction selected in the Disassembly window, together with jump destinations and referenced strings.

Data (dump) window: shows memory or file contents. Right-click for a menu that changes the display format.

Stack window: displays the stack of the current thread.

To resize a window, left-click its border and drag. The new layout takes effect after OllyDBG is restarted.

Once OllyDBG is running, set the plug-in and UDD directories to absolute paths. Click Options > Appearance ("Interface" in the Chinese build) and open the Directories tab in the dialog that appears:

Because I extracted OllyDBG into F:\OllyDBG, the UDD and plug-in directories are set accordingly, as shown in the figure. The next commonly used tab is Fonts, where you can change the font OllyDBG displays. The other options can be left at their defaults and changed later as needed. After making the changes, click OK. A dialog tells you that the plug-in path has changed and asks you to restart OllyDBG; click OK and restart it. Opening the options again confirms that the paths have been saved.

Many people know what plug-ins are for but are unclear about the UDD directory. In short, it is where OllyDBG saves your debugging work. If you debug a program, set breakpoints and add comments, but do not finish in one session, OllyDBG saves that state to the UDD directory so you can pick up where you left off next time. If no UDD directory is set, OllyDBG writes the .udd files into its installation directory, which becomes a mess over time, so it is worth pointing it at a dedicated directory.

Another important set of options is Debugging: choose Options > Debugging options to configure it:
 
Nothing needs to be changed here: the defaults work as they are. Adjust them once you are comfortable with OllyDBG. The settings on the Exceptions tab are used heavily when unpacking; configure them when you move on to unpacking after gaining some debugging experience.

Besides launching OllyDBG directly, you can add it to the Explorer context menu so that right-clicking an .exe or .dll file offers "Open with OllyDbg". Choose Options > Add to Explorer, click "Add OllyDbg to system Explorer menu" in the dialog that appears, then click "Done". Removing it is just as easy: in the same dialog click "Remove OllyDbg from system Explorer menu", then "Done".

OllyDBG supports plug-ins. Copy a downloaded plug-in (usually a DLL) into the plug-in directory under the OllyDBG installation directory and OllyDBG picks it up automatically at start-up. Note that OllyDBG 1.10 allows at most 32 plug-ins; loading more causes an error, so do not add too many.

The basic configuration is now complete. OllyDBG stores all of its settings in the file ollydbg.ini in the installation directory.

2. Basic debugging methods

OllyDBG offers three ways to load a program for debugging. The first is File > Open (shortcut F3), which opens an executable for debugging. The second is File > Attach, which attaches to a running process; the program to be attached must already be running. The third is loading the program from the Explorer context menu (I am not sure this counts as a separate method). Normally we use the first: for example, to debug test.exe, load it via File > Open, and OllyDBG shows the following:
 
The following shortcut keys are frequently used during debugging:

F2: toggle a breakpoint. Press F2 on the highlighted line to set a breakpoint; press F2 again to remove it. (Equivalent to F9 in SoftICE)

F8: step over. Each press executes one instruction in the Disassembly window; CALLs and other subroutines are executed without entering them. (Equivalent to F10 in SoftICE)

F7: step into. Like step over (F8), except that on a CALL or other subroutine it stops at the first instruction inside the subroutine. (Equivalent to F8 in SoftICE)

F4: run to selection. Runs until the instruction under the cursor and pauses there. (Equivalent to F7 in SoftICE)

F9: run. If no breakpoint is set, the debugged program simply runs. (Equivalent to F5 in SoftICE)

Ctrl+F9: execute till return. Runs until a RET instruction and pauses there; often used to get back from system code to the program we are debugging. (Equivalent to F12 in SoftICE)

Alt+F9: execute till user code. Quickly returns from system code to the program we are debugging. (Equivalent to F11 in SoftICE)

Now let's get down to business. Today's target is CFF Crackme #3 from the crackmes.cjb.net mirror package that ships with the first edition of "Encryption and Decryption"; it uses user name/serial number protection. The original is packed with UPX. Unpacking is not covered at this stage; the aim is to get familiar with the general way of cracking with OllyDBG, so I unpacked it myself for the analysis, and the attached file is the unpacked version, ready to use.

First, the general procedure for cracking software. Do not start by loading the program into OllyDBG: run it first, read the help file if there is one to get familiar with how it is used, and look at how registration works. If it is a serial number scheme, enter a bogus one and see how the program reacts; the reaction leaves useful clues for cracking. If there is nowhere to enter a registration code, consider whether the program reads the registry or a key file (generally called a keyfile: the program reads the contents of a file to decide whether it is registered); other tools can help analyse that. If none of these apply, the program is only a trial version with incomplete functionality, and turning it into the full version would mean writing the missing code yourself, which is a bit off topic. After collecting basic information about the program, use a packer-detection tool to check whether it is packed. If not, see which compiler built it, such as VC, Delphi or VB; tools for this include PEiD and FI. If it is packed, try to unpack it first and then debug it in OllyDBG; in special cases you can also debug it packed. On to the subject:
First run the crackme (PEiD reports it was compiled with Delphi). The interface looks like this:

This crackme comes with a user name and registration code already filled in, which saves us some work. Click the "Register now!" button and a dialog pops up:

 

Today's error dialog shows "Wrong Serial, try again!". Start OllyDBG, choose File > Open and load CrackMe3.exe; it stops here:

 

In the Disassembly window, right-click and choose Search for > All referenced text strings:

The Ultra String Reference plug-in is of course more convenient, but the goal here is to get familiar with OllyDBG's own features, so I use its built-in functions and as few plug-ins as possible. In the window that opens, right-click, choose "Search for text", and enter the start of "Wrong Serial, try again!", i.e. "Wrong" (note that the search is case-sensitive). One hit is found:

 

Right-click the string we found and choose "Follow in Disassembler". We land here:

Look around. To check for other references to this string, right-click and choose Find references to > Immediate constant. A dialog appears:

Double-click each of the two addresses marked above to go to the corresponding location:

00440F79 |. BA 8C104400 MOV EDX,CrackMe3.0044108C ; ASCII "Wrong Serial, try again!"
00440F7E |. A1 442C4400 MOV EAX,DWORD PTR DS:[442C44]
00440F83 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00440F85 |. E8 DEC0FFFF CALL CrackMe3.0043D068
00440F8A |. EB 18 JMP SHORT CrackMe3.00440FA4
00440F8C |> 6A 00 PUSH 0
00440F8E |. B9 80104400 MOV ECX,CrackMe3.00441080 ; ASCII "Beggar off!"
00440F93 |. BA 8C104400 MOV EDX,CrackMe3.0044108C ; ASCII "Wrong Serial, try again!"
00440F98 |. A1 442C4400 MOV EAX,DWORD PTR DS:[442C44]
00440F9D |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00440F9F |. E8 C4C0FFFF CALL CrackMe3.0043D068

Scroll up a little in the Disassembly window and you see the following:

00440F2C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00440F2F |. BA 14104400 MOV EDX,CrackMe3.00441014 ; ASCII "Registered User"
00440F34 |. E8 F32BFCFF CALL CrackMe3.00403B2C ; key CALL: step into it with F7
00440F39 |. 75 51 JNZ SHORT CrackMe3.00440F8C ; if this jump is taken, it's over (error message)
00440F3B |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00440F3E |. 8B83 C8020000 MOV EAX,DWORD PTR DS:[EBX+2C8]
00440F44 |. E8 D7FEFDFF CALL CrackMe3.00420E20
00440F49 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00440F4C |. BA 2C104400 MOV EDX,CrackMe3.0044102C ; ASCII "GFX-754-IER-954"
00440F51 |. E8 D62BFCFF CALL CrackMe3.00403B2C ; key CALL: step into it with F7
00440F56 |. 75 1A JNZ SHORT CrackMe3.00440F72 ; if this jump is taken, it's over (error message)
00440F58 |. 6A 00 PUSH 0
00440F5A |. B9 3C104400 MOV ECX,CrackMe3.0044103C ; ASCII "CrackMe cracked successfully"
00440F5F |. BA 5C104400 MOV EDX,CrackMe3.0044105C ; ASCII "Congrats! You cracked this CrackMe!"
00440F64 |. A1 442C4400 MOV EAX,DWORD PTR DS:[442C44]
00440F69 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00440F6B |. E8 F8C0FFFF CALL CrackMe3.0043D068
00440F70 |. EB 32 JMP SHORT CrackMe3.00440FA4
00440F72 |> 6A 00 PUSH 0
00440F74 |. B9 80104400 MOV ECX,CrackMe3.00441080 ; ASCII "Beggar off!"
00440F79 |. BA 8C104400 MOV EDX,CrackMe3.0044108C ; ASCII "Wrong Serial, try again!"
00440F7E |. A1 442C4400 MOV EAX,DWORD PTR DS:[442C44]
00440F83 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00440F85 |. E8 DEC0FFFF CALL CrackMe3.0043D068
00440F8A |. EB 18 JMP SHORT CrackMe3.00440FA4
00440F8C |> 6A 00 PUSH 0
00440F8E |. B9 80104400 MOV ECX,CrackMe3.00441080 ; ASCII "Beggar off!"
00440F93 |. BA 8C104400 MOV EDX,CrackMe3.0044108C ; ASCII "Wrong Serial, try again!"
00440F98 |. A1 442C4400 MOV EAX,DWORD PTR DS:[442C44]
00440F9D |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00440F9F |. E8 C4C0FFFF CALL CrackMe3.0043D068

Note that I marked two key points in the comments above. How do I know those are the key points? It is simple: I look for the conditional jumps that lead to the code displaying the "Wrong Serial, try again!" string. If you enable, under Options > Debugging options > CPU tab, "Show jump path", "Show grayed path if jump is not taken" and "Show jumps to selected command", OllyDBG draws where each jump to the error string comes from:
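The jump arrows OllyDBG draws are nothing more than displacement arithmetic on the opcode bytes shown in the listing, and it is worth being able to do that by hand when an address in a listing looks garbled. The following script is an added example, not part of the original tutorial or of the crackme: it takes the branch instructions from the listing above (address and opcode bytes copied from it, constructed here as a table) and resolves their destinations, then lists which sites reach a given address, which is what "Find references" reports and how you spot that 00440F34 and 00440F51 call the same routine.

```python
import struct

# Constructed from the OllyDBG listing above: address -> opcode bytes of each branch instruction.
LISTING = {
    0x00440F34: bytes.fromhex("E8F32BFCFF"),    # CALL CrackMe3.00403B2C (user name check)
    0x00440F39: bytes.fromhex("7551"),          # JNZ SHORT 00440F8C
    0x00440F44: bytes.fromhex("E8D7FEFDFF"),    # CALL CrackMe3.00420E20
    0x00440F51: bytes.fromhex("E8D62BFCFF"),    # CALL CrackMe3.00403B2C (serial check)
    0x00440F56: bytes.fromhex("751A"),          # JNZ SHORT 00440F72
    0x00440F6B: bytes.fromhex("E8F8C0FFFF"),    # CALL CrackMe3.0043D068 (message box)
    0x00440F70: bytes.fromhex("EB32"),          # JMP SHORT 00440FA4
    0x00440F85: bytes.fromhex("E8DEC0FFFF"),    # CALL CrackMe3.0043D068
    0x00440F8A: bytes.fromhex("EB18"),          # JMP SHORT 00440FA4
    0x00440F9F: bytes.fromhex("E8C4C0FFFF"),    # CALL CrackMe3.0043D068
    0x00403B35: bytes.fromhex("0F848F000000"),  # JE 00403BCA (inside the compare routine)
    0x00403B3D: bytes.fromhex("7468"),          # JE SHORT 00403BA7
}


def branch_target(addr, code):
    """Resolve the destination of a relative CALL/JMP/Jcc from its address and opcode bytes.
    x86 encodes the displacement relative to the address of the *next* instruction."""
    op = code[0]
    if op in (0xE8, 0xE9):                      # CALL rel32 / JMP rel32: 5-byte instruction
        disp = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + disp) & 0xFFFFFFFF
    if op == 0xEB or 0x70 <= op <= 0x7F:        # JMP SHORT / Jcc SHORT rel8: 2-byte instruction
        disp = struct.unpack_from("<b", code, 1)[0]
        return (addr + 2 + disp) & 0xFFFFFFFF
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:  # Jcc NEAR rel32: 6-byte instruction
        disp = struct.unpack_from("<i", code, 2)[0]
        return (addr + 6 + disp) & 0xFFFFFFFF
    raise ValueError("not a relative branch: %s" % code.hex())


def resolve_listing(listing):
    """Map every branch site in the listing to its destination."""
    return {addr: branch_target(addr, code) for addr, code in listing.items()}


def sites_targeting(listing, target):
    """All branch/call sites that land on `target`, sorted (what 'Find references' shows)."""
    return sorted(addr for addr, dest in resolve_listing(listing).items() if dest == target)


def is_conditional(code):
    return 0x70 <= code[0] <= 0x7F or (code[0] == 0x0F and 0x80 <= code[1] <= 0x8F)


def jumps_reaching(listing, target):
    """Conditional jumps whose taken path lands on `target`: the 'key points' of the check.
    The failure path begins at the jump destinations 00440F8C / 00440F72, not at the
    MOV EDX that loads the error string, so look at which Jcc reaches those labels."""
    return [addr for addr, code in listing.items()
            if is_conditional(code) and branch_target(addr, code) == target]


if __name__ == "__main__":
    for addr, dest in sorted(resolve_listing(LISTING).items()):
        print("%08X -> %08X" % (addr, dest))
    print("callers of 00403B2C:", ["%08X" % a for a in sites_targeting(LISTING, 0x00403B2C)])
```

Running it confirms that the two CALLs at 00440F34 and 00440F51 both go to 00403B2C and that the only conditional jumps into the error blocks are the JNZs at 00440F39 and 00440F56, which is exactly the pair marked as key points.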

Set a breakpoint at 00440F2C with F2, then press F9 to run the program. Type something arbitrary in the upper edit box, for example CCDebuger, leave the lower edit box at its original "754-GFX-IER-954", and click "Register now!". OllyDBG pops up, paused at our breakpoint. Look at the information window: you should see what you just typed, displayed like this:

Stack SS:[0012F9AC]=00D44DB4, (ASCII "CCDebuger")
EAX=00000009

Memory address 00D44DB4 holds the text we just entered, in my case CCDebuger. Select the line "Stack SS:[0012F9AC]=00D44DB4, (ASCII "CCDebuger")", right-click and choose "Follow value in Dump", and the data window below shows the text you entered. EAX=00000009 is the length of the input: CCDebuger is 9 characters long. As shown here:


 
Now step through with F8 and analyse as we go:

00440F2C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; our input goes into EAX, here "CCDebuger"
00440F2F |. BA 14104400 MOV EDX,CrackMe3.00441014 ; ASCII "Registered User"
00440F34 |. E8 F32BFCFF CALL CrackMe3.00403B2C ; key CALL: step into it with F7
00440F39 |. 75 51 JNZ SHORT CrackMe3.00440F8C ; if this jump is taken, it's over (error message)

Press F8 until you reach "00440F34 |. E8 F32BFCFF CALL CrackMe3.00403B2C", then press F7 to step into the CALL. Inside, the cursor stops on this line:


 
The PUSH EBX / PUSH ESI / PUSH EDI at the start are the subroutine saving the registers it is about to use; ignore them and step through with F8. We only care about the key parts:

00403B2C /$ 53 PUSH EBX
00403B2D |. 56 PUSH ESI
00403B2E |. 57 PUSH EDI
00403B2F |. 89C6 MOV ESI,EAX ; ESI = pointer to the user name we entered
00403B31 |. 89D7 MOV EDI,EDX ; EDI = pointer to "Registered User"
00403B33 |. 39D0 CMP EAX,EDX ; compare the two pointers
00403B35 |. 0F84 8F000000 JE CrackMe3.00403BCA ; same string object: equal, done
00403B3B |. 85F6 TEST ESI,ESI ; is the user name pointer nil, i.e. was anything entered at all?
00403B3D |. 74 68 JE SHORT CrackMe3.00403BA7 ; empty user name
00403B3F |. 85FF TEST EDI,EDI
00403B41 |. 74 6B JE SHORT CrackMe3.00403BAE ; empty second string
00403B43 |. 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4] ; EAX = length of the user name (Delphi keeps it 4 bytes before the text)
00403B46 |. 8B57 FC MOV EDX,DWORD PTR DS:[EDI-4] ; EDX = length of "Registered User"
00403B49 |. 29D0 SUB EAX,EDX ; EAX = user name length - "Registered User" length
00403B4B |. 77 02 JA SHORT CrackMe3.00403B4F ; user name longer: keep EDX, the shorter length
00403B4D |. 01C2 ADD EDX,EAX ; otherwise EDX = user name length; either way EDX is now the shorter of the two
00403B4F |> 52 PUSH EDX ; save the shorter length
00403B50 |. C1EA 02 SHR EDX,2 ; shorter length / 4 = number of whole dwords to compare
00403B53 |. 74 26 JE SHORT CrackMe3.00403B7B ; fewer than 4 bytes: skip the dword loop
00403B55 |> 8B0E MOV ECX,DWORD PTR DS:[ESI] ; next 4 bytes of the user name
00403B57 |. 8B1F MOV EBX,DWORD PTR DS:[EDI] ; next 4 bytes of "Registered User"
00403B59 |. 39D9 CMP ECX,EBX ; compare them
00403B5B |. 75 58 JNZ SHORT CrackMe3.00403BB5 ; mismatch: jump to the "not equal" exit, and the caller's JNZ fires
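What the subroutine at 00403B2C does is easier to see written out than stepped through. The following is an added example, not code from the tutorial or from the crackme: a Python model of the compare routine as analysed above, built on the Delphi string layout the listing relies on (the 4-byte length stored immediately before the characters, a nil pointer meaning an empty string; that layout is an assumption of the model, as are the fake addresses used for the strings), plus a `crackme_check` that mirrors the two compares at 00440F34 and 00440F51. It shows why a user name that merely starts with "Registered User" still fails: when the common prefix matches, the length difference decides.

```python
import struct


class Memory:
    """Flat little-endian memory, enough to hold a few Delphi AnsiStrings."""

    def __init__(self, size=0x200):
        self.buf = bytearray(size)

    def dword(self, addr):
        return struct.unpack_from("<I", self.buf, addr)[0]

    def put_ansistring(self, addr, text):
        """Store text at addr with its length header at addr-4 (assumed Delphi layout); return the data pointer."""
        data = text.encode("latin-1")
        struct.pack_into("<I", self.buf, addr - 4, len(data))
        self.buf[addr:addr + len(data)] = data
        self.buf[addr + len(data)] = 0          # NUL terminator, not counted in the length
        return addr


def first_mismatch(mem, p1, p2, count):
    """Byte-wise compare of `count` bytes; 0 if all equal, else the first signed byte difference."""
    for i in range(count):
        d = mem.buf[p1 + i] - mem.buf[p2 + i]
        if d:
            return d
    return 0


def lstrcmp(mem, eax, edx):
    """Model of CrackMe3.00403B2C: 0 when the strings are equal, nonzero otherwise
    (the caller's JNZ at 00440F39 / 00440F56 fires on nonzero)."""
    if eax == edx:                                  # 00403B33/35: same pointer, equal
        return 0
    if eax == 0 or edx == 0:                        # 00403B3B..41: nil checks (nil = empty string)
        len1 = mem.dword(eax - 4) if eax else 0
        len2 = mem.dword(edx - 4) if edx else 0
        return len1 - len2
    len1 = mem.dword(eax - 4)                       # 00403B43: MOV EAX,[ESI-4]
    len2 = mem.dword(edx - 4)                       # 00403B46: MOV EDX,[EDI-4]
    n = min(len1, len2)                             # 00403B49..4D: EDX = shorter length
    whole = n & ~3                                  # 00403B50: SHR EDX,2 -> whole dwords
    for off in range(0, whole, 4):                  # 00403B55..5B: dword compare loop
        if mem.dword(eax + off) != mem.dword(edx + off):
            return first_mismatch(mem, eax + off, edx + off, 4)
    d = first_mismatch(mem, eax + whole, edx + whole, n & 3)   # remaining 0..3 bytes
    if d:
        return d
    return len1 - len2                              # common prefix equal: only the lengths decide


def crackme_check(username, serial):
    """Mirror of 00440F2C..00440F56: both compares must succeed to reach 'Congrats'."""
    mem = Memory()
    user = mem.put_ansistring(0x10, username)       # what we typed ([EBP-4] at 00440F2C)
    reg = mem.put_ansistring(0x50, "Registered User")    # CrackMe3.00441014
    code = mem.put_ansistring(0x90, serial)         # what we typed ([EBP-4] at 00440F49)
    key = mem.put_ansistring(0xD0, "GFX-754-IER-954")    # CrackMe3.0044102C
    if lstrcmp(mem, user, reg) != 0:                # 00440F39: JNZ -> "Wrong Serial, try again!"
        return False
    if lstrcmp(mem, code, key) != 0:                # 00440F56: JNZ -> "Wrong Serial, try again!"
        return False
    return True                                     # 00440F58..: "Congrats! You cracked this CrackMe!"


if __name__ == "__main__":
    print(crackme_check("CCDebuger", "754-GFX-IER-954"))          # the first attempt
    print(crackme_check("Registered User", "GFX-754-IER-954"))    # the values found by analysis
```

The routine never looks at the serial before the user name, so the error message is the same whichever of the two checks fails; that is why breaking at the first compare and reading its operands in the information window is the fastest way in.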

From the analysis above, the user name must be "Registered User". Press F9 to let the program run; the error dialog appears. Click OK, enter "Registered User" in the first edit box and click "Register now!" again; OllyDBG breaks at the breakpoint. We have already analysed the CALL at 00440F34, so this time step over it with F8 instead of entering it with F7. Keep pressing F8 until the second key section:

00440F49 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; the registration code we entered
00440F4C |. BA 2C104400 MOV EDX,CrackMe3.0044102C ; ASCII "GFX-754-IER-954"
00440F51 |. E8 D62BFCFF CALL CrackMe3.00403B2C ; key CALL: step into it with F7
00440F56 |. 75 1A JNZ SHORT CrackMe3.00440F72 ; if this jump is taken, it's over (error message)

Note that the CALL CrackMe3.00403B2C at 00440F51 is the same as the CALL CrackMe3.00403B2C at 00440F34 analysed above: the user name and the registration code are checked by the same subroutine. Having analysed that subroutine, we can conclude that this CALL compares the registration code we entered with the "GFX-754-IER-954" loaded at 00440F4C, and that equality means success. That is all the information we need. Now choose View > Breakpoints (or press Alt+B, or click the "B" icon on the toolbar) to open the breakpoint window and disable the breakpoint there:

Why disable rather than delete the breakpoint? Purely as insurance: if the analysis turns out to be wrong we will need to continue, and a deleted breakpoint would have to be set again. Disable it first; once the analysis proves correct, deleting it is easy. With the breakpoint disabled, press F9 in OllyDBG to run the program and enter the values we worked out:
Username: Registered User
The registration code: GFX-754-IER-954
Click "Register now!", and, finally, success:
