Ollydbg entry series (2)-string reference

Question: [original] ollydbg entry series (2)-string reference
Author: ccdebuger
Time: 2006-02-14,13: 34
Chain: http://bbs.pediy.com/showthread.php? T = 21308

Reference:

Thanks to the feedback from chuxuezhe:

Http://bbs.pediy.com/showthread.php? S = & threadid = 24703.

After checking, we found that we used the modified ultra string reference plug-in to search for strings before writing an article. The modified plug-in automatically adds the strings to the end of the Code as a comment, all the letters are in lower case, which makes the case score in the comments of the original article unclear and confusing. This time I modified some of the articles, all of them were operated using the OD built-in function, and several images were recreated. Because of my own mistakes, I am sorry for the confusion in reading!

Ollydbg entry series (2)-string reference

Author: ccdebuger

In the previous article, we started to crack the attack. Today's target program is to watch the CFF crackme #3 in the crackmes.cjb.net image package included in the first version of "encryption and decryption", using the username/serial number protection method. The original version has an UPX shell. At the beginning, no shell is involved in cracking. We are mainly familiar with the general method of using ollydbg to crack. I will take off the shell for analysis. The attachment is a file after shelling and can be used directly. Let's first talk about the general software cracking process: Get a piece of software, don't take it immediately and use ollydbg for debugging. Run it first. It is best to take a look at the help documentation and familiarize yourself with the use of the software, let's look at the registration method. If the serial number method is used, you can take a false one and try it to see how it works. It also leaves some useful clues for us to crack it. If the registration code is not entered, consider whether to read the registry or key file (generally referred to as Keyfile, that is, the program reads the content of a file to determine whether to register ), other tools can be used for analysis. If none of these are, the original program is only a trial version with incomplete functions. To register it as the official version, you must complete the code by yourself. A little out of question, huh, huh. After obtaining some basic information about the program, we also need to use the shell check tool to check whether the program has been shelled. If there is no shell, let's see what compiler the program is compiled, such as Vc, Delphi, and VB. Such shell checking tools include peid and Fi. If there is shell, we should try to take off the shell and then use ollydbg for debugging. In special cases, we can also perform shell debugging. Enter the subject below:
Let's first run this crackme (detected by peid, It is compiled by Delphi). The interface

This crackme has already lost both the user name and registration code, saving us the trouble of getting started. We are at the "register now !" Click the button to bring up a dialog box:

 

Now, we will display "Wrong serial, try again!" In this error dialog box today !" . Start ollydbg, select the menu File> open the crackme3.exe file, and we will stop here:

 

In the Disassembly window, right-click a menu and choose search> all reference text strings and click:

Of course, it is more convenient to use the above super string reference + plug-in. However, our goal is to be familiar with some ollydbg operations. I will try to use the built-in functions of ollydbg with less plug-ins. Now, in another dialog box, right-click it, select the "Search Text" menu item, and enter "Wrong serial, try again !" The start WORD "wrong" (note that the search content is case-sensitive) to find one:

 

Right-click the string we found, and click "follow in the Disassembly window" in the menu. We are here:

See. To see if there are other references, you can right-click the menu to find references-> immediate count. A dialog box is displayed:

Double-click the two addresses marked above, and we will go to the corresponding location:

00366f79 |. Ba 8c0000400 mov edX, crackme3.0044450c; ASCII "Wrong serial, try again! "
00366f7e |. A1 442c4400 mov eax, dword ptr ds: [442c44]
00366f83 |. 8b00 mov eax, dword ptr ds: [eax]
00366f85 |. E8 dec0ffff call crackme3.0043d068
00366f8a |. EB 18 JMP short crackme3.0020.fa4
000000f8c |> 6a 00 push 0
0010000f8e |. B9 80104400 mov ECx, crackme3.00441080; ASCII "beggar off! "
00366f93 |. Ba 8c0000400 mov edX, crackme3.0044450c; ASCII "Wrong serial, try again! "
00366f98 |. A1 442c4400 mov eax, dword ptr ds: [442c44]
00366f9d |. 8b00 mov eax, dword ptr ds: [eax]
00366f9f |. E8 c4c0ffff call crackme3.0043d068

In the Disassembly window, scroll up to see the following:

00366f2c |. 8b45 FC mov eax, dword ptr ss: [EBP-4]
00366f2f |. Ba 14104400 mov edX, crackme3.00441014; ASCII "registered user"
00366f34 |. E8 f32bfcff call crackme3.00403b2c; key: Follow F7
00366f39 |. 75 51 jnz short crackme3.0020.f8c; Skip here and it will be finished.
00366f3b |. 8d55 FC Lea edX, dword ptr ss: [EBP-4]
00366f3e |. 8b83 c8020000 mov eax, dword ptr ds: [EBX + 2c8]
00366f44 |. E8 d7fefdff call crackme3.00420e20
00366f49 |. 8b45 FC mov eax, dword ptr ss: [EBP-4]
00366f4c |. Ba 2c0000400 mov edX, crackme3.0044102c; ASCII "GFX-754-IER-954"
00366f51 |. E8 d62bfcff call crackme3.00403b2c; key: Follow F7
00366f56 |. 75 1A jnz short crackme3.0020.f72; Skip here and it will be finished.
00366f58 |. 6a 00 push 0
00366f5a |. B9 3c0000400 mov ECx, crackme3.0044103c; ASCII "crackme cracked successfully"
00366f5f |. Ba 5c0000400 mov edX, crackme3.0044105c; ASCII "congrats! You cracked this crackme! "
00366f64 |. A1 442c4400 mov eax, dword ptr ds: [442c44]
00366f69 |. 8b00 mov eax, dword ptr ds: [eax]
00366f6b |. E8 f8c0ffff call crackme3.0043d068
00366f70 |. EB 32 JMP short crackme3.0020.fa4
00366f72 |> 6a 00 push 0
00366f74 |. B9 80104400 mov ECx, crackme3.00441080; ASCII "beggar off! "
00366f79 |. Ba 8c0000400 mov edX, crackme3.0044450c; ASCII "Wrong serial, try again! "
00366f7e |. A1 442c4400 mov eax, dword ptr ds: [442c44]
00366f83 |. 8b00 mov eax, dword ptr ds: [eax]
00366f85 |. E8 dec0ffff call crackme3.0043d068
00366f8a |. EB 18 JMP short crackme3.0020.fa4
000000f8c |> 6a 00 push 0
0010000f8e |. B9 80104400 mov ECx, crackme3.00441080; ASCII "beggar off! "
00366f93 |. Ba 8c0000400 mov edX, crackme3.0044450c; ASCII "Wrong serial, try again! "
00366f98 |. A1 442c4400 mov eax, dword ptr ds: [442c44]
00366f9d |. 8b00 mov eax, dword ptr ds: [eax]
00366f9f |. E8 c4c0ffff call crackme3.0043d068

Note that I have marked two key points on the above annotations. Some may ask, how do you know the two are the key points? In fact, it is very simple. I decided to jump to the command corresponding to the string "Wrong serial, try again. If you choose "debug option"> "CPU tag", "show Jump path" and the two "show Gray path if the jump is not implemented" and "show the path to jump to the selected command "if selected, you will see the jump from where to where the error string is:

We set a breakpoint at the address 0020.f2c by pressing the F2 key. Now we press the F9 key and the program is running. In the above edit box, enter it casually, for example, ccdebuger. The edit box below is still the original "754-gfx-ier-954". Let's click the "register now !" Button, oh, ollydbg jumped out and paused at our breakpoint. Let's take a look at the information window. You should have found the content you just entered? It is shown as follows:

Stack SS: [0012f9ac] = 00d44db4, (ASCII "ccdebuger ")
Eax= 00000009

The above memory address 00d44db4 is the content we just entered. Here I am ccdebuger. You can choose stack SS: [0012f9ac] = 00d44db4, (ASCII "ccdebuger"), right click, select "value following in the data window" in the pop-up menu, and you will see the content you just entered in the data window below. While eax = 00000009 refers to the length of the input content. For example, the ccdebuger I entered is 9 characters long. As shown in:

 
Press the F8 key to analyze it step by step:

00366f2c |. 8b45 FC mov eax, dword ptr ss: [EBP-4]; send the content we entered to eax, I am "ccdebuger"
00366f2f |. Ba 14104400 mov edX, crackme3.00441014; ASCII "registered user"
00366f34 |. E8 f32bfcff call crackme3.00403b2c; key: Follow F7
00366f39 |. 75 51 jnz short crackme3.0020.f8c; Skip here and it will be finished.

When we press the F8 key to go to the "00366f34 |. E8 f32bfcff call crackme3.00403b2c" sentence, we press the F7 key to enter the call. When we enter, the cursor stops at this sentence:

 
The push EBX and push ESI commands we see are the commands used to call the subroutine to save the stack. Don't worry about them. Press the F8 key step by step. We only care about the key parts:

00403b2c/$53 push EBX
00403b2d |. 56 push ESI
00403b2e |. 57 push EDI
00403b2f |. 89c6 mov ESI, eax; send the user name entered in eax to ESI
00403b31 |. 89d7 mov EDI, EDX; send the "registered user" data in edX to EDI
00403b33 |. 39d0 CMP eax, EDX; Use "registered user" to compare it with the user name we entered
00403b35 |. 0f84 8f000000 je crackme3.00403bca; Skip if the same
00403b3b |. 85f6 test ESI, ESI; check if data exists in ESI, mainly to see if we have entered the user name
00403b3d |. 74 68 je short crackme3.00403ba7; Skip if the user name is empty
00403b3f |. 85ff test EDI, EDI
00403b41 |. 74 6B je short crackme3.00403bae
00403b43 |. 8b46 FC mov eax, dword ptr ds: [ESI-4]; User Name Length to send eax
00403b46 |. 8b57 FC mov edX, dword ptr ds: [EDI-4]; the length of the "registered user" string sends edX
00403b49 |. 29d0 sub eax, EDX; subtract the username length from the "registered user" String Length
00403b4b |. 77 02 ja short crackme3.00403b4f; Skip if the user name length is greater than "registered user"
00403b4d |. 01c2 add EDX and eax; Add the subtracted value to the length of "registered user", that is, the length of the user name.
00403b4f |> 52 push edX
00403b50 |. c1ea 02 SHR edX, 2; the length of the user name is shifted two places to the right, which is equal to the length divided by 4
00403b53 |. 74 26 je short crackme3.00403b7b; the preceding command and this command determine that the username length must be at least 4
00403b55 |> 8b0e mov ECx, dword ptr ds: [esi]; send the user name we entered to ECx
00403b57 |. 8b1f mov EBX, dword ptr ds: [EDI]; send "registered user" to EBX
00403b59 |. 39d9 CMP ECx, EBX; Comparison
00403b5b |. 75 58 jnz short crackme3.00403bb5; wait until it is finished

According to the above analysis, we know that the user name must be "registered user ". Press the F9 key to run the program. The error dialog box is displayed. Click OK. Enter "registered user" in the first edit box and click "register now!" again !" Button, blocked by ollydbg. We have already analyzed the call at location 002.16f34. This time, we don't have to press F7 to follow up and press F8 to pass the call. Press the F8 key to go to the second key code:

00366f49 |. 8b45 FC mov eax, dword ptr ss: [EBP-4]; get the entered registration code
00366f4c |. Ba 2c0000400 mov edX, crackme3.0044102c; ASCII "GFX-754-IER-954"
00366f51 |. E8 d62bfcff call crackme3.00403b2c; key: Follow F7
00366f56 |. 75 1A jnz short crackme3.0020.f72; Skip here and it will be finished.

Please note that the call crackme3.00403b2c at address 0020.f51 is the same as the call crackme3.00403b2c at address 0020.f34 analyzed above? This indicates that the user name and registration code are detected using the same subroutine. We have analyzed the call subprogram above. Now we can easily draw a conclusion that this call is to compare the entered registration code with the "GFX-754-ier-954" command after the 0020.f4c address. If the call is equal, OK. Now we have enough information. Now, choose> breakpoint> open the breakpoint window (you can also open the breakpoint window by pressing Alt + B or clicking the "B" icon on the toolbar ):

Why is this step not to delete the breakpoint? This is mainly for the sake of insurance. In case of analysis errors, we need to proceed with the analysis. If the breakpoint is deleted, we need to repeat the work. We recommend that you disable it first. If it turns out that our analysis is correct, it will not be too late to delete it. Now we disable the breakpoint and press F9 in ollydbg to run the program. Enter the analyzed content:
Username: Registered User
The registration code: GFX-754-IER-954
Click "register now !" Button, haha, finally succeeded:

--------------------------------------------------------------------------------
[Copyright notice] This article is purely a technical exchange. repost the article to indicate the author and keep it complete. Thank you!

Uploaded attachment

Cffo-3.rar (, 0, 15974 downloads)