OllyDbg entry series (5): message breakpoint and run trace

Author: ccdebuger
Time: 2006-02-19, 16:02
Link: http://bbs.pediy.com/showthread.php?t=21532

I have looked at crackmes written in dozens of different languages and found that in many cases a message breakpoint alone does not really get us to the key position we are looking for; combining a message breakpoint with run trace is more effective. For more on message breakpoints, refer to the article "Positioning of several typical program button processing codes" by brother jingulong. Today we again pick a crackme, named cycle, from the crackmes.cjb.net mirror package. As usual, run the program first to see what it does:
 
Enter the user name ccdebuger and the serial number 78787878, and click the "check" button above. No response! It seems there is only a response when the registration code is correct. Close the crackme and check it with PEiD: it turns out to be MASM32/TASM32 [Overlay]. Start OllyDbg, load the program and press F9 to let it run. This program could easily be broken with the string reference or function reference methods we covered earlier, but what we are learning today is the message breakpoint and run trace, so let's use a message breakpoint to break it. Before setting one we need to understand two things. First, messages. The Chinese translation of "Windows" is "windows", and Windows applications interact with users through windows. So how does an application know what the user has done? That is what messages are for. Windows is a message-based system: after an application starts, Windows creates a message queue for it, storing messages for the various windows the program may create. Creating a window, clicking a button, moving the mouse and so on are all delivered through messages. In plain terms, Windows acts as a middleman: whatever you want to do is first reported to Windows, which then tells the application through a message so that it can perform the corresponding action. Now there is another problem: if several programs are running, and I click a button or maximize a window, how does Windows know which one I meant? Here we need another concept: the handle. A handle is generally a 32-bit number that identifies an object; Windows uses handles to tell the objects it manages apart. For example, when you click a button, Windows determines from the handle which button you clicked and then sends the corresponding message to the program. With that, let's go back to the program we are debugging.
You should already have loaded the crackme in OllyDbg and pressed F9 to run it. Now enter the user name "ccdebuger" and the serial number "78787878", but do not click the "check" button yet. Go to OllyDbg and click View > Windows (or click the "W" icon on the toolbar). The following is displayed:
 
Right-click the selected item and choose the menu item shown in the following window:
 
Now click the drop-down menu shown in the figure. There are a lot of messages in it; which one should we choose? The control is a button, and we want to interrupt the program when the button has been pressed and then released. Checking MSDN, we find that the message should be WM_LBUTTONUP, the message sent when the left mouse button is released:
 
Select 202 WM_LBUTTONUP from the drop-down menu and press OK to set the message breakpoint. Now we have one more thing to do: open the run trace. Someone may ask what run trace is. Simply put, run trace records the instructions the debugged program executes, so you can see what the program did while it was running. For each instruction it records the address, register contents, messages and known operands in the run trace buffer; you can then browse the run trace log to see which instructions the program executed. Pay attention to the buffer size: if too many instructions are executed and the buffer fills up, the oldest records are discarded automatically. The size can be set under Options > Debugging options > Trace:
 
Now go back to OllyDbg and click Debug > Open or clear run trace (the first time you click this menu item it opens the run trace; once it is open, clicking it clears the run trace log; when you are familiar with run trace you can also set conditions). Make sure the current view is in the debugged program's own code space, right-click in the disassembly window and choose Run trace > Add entries of all procedures from the menu:
 
We can see that OllyDbg marks the entry of every recognized procedure with a gray bar:
 
Now go back to the crackme and press the "check" button; OllyDbg breaks:
 
Click View > Memory, or click the "M" button on the toolbar (or press Alt+M), to open the memory map window:
 
I also want to explain why a memory breakpoint on access is set here. Let's look at an ordinary PE file; when no packer is applied, PEiD detection looks like this:
 
Click the ">" symbol next to "EP Section" to see the following:
 
After looking at the figure above, we should understand why the breakpoint on access is set on the code section at 401000. The idea is that after the message breakpoint is hit, we press F9 to run, and as soon as the program's own code section is executed we are interrupted, which brings us back into the program's own code (of course, the code section being at 401000 is not absolute; what we mainly want is the location of the program's code section, which we can see clearly in the "Contains" column of the OllyDbg memory map window in the figure above). After setting the access breakpoint, press F9 and OllyDbg breaks:

Now press F9 (or Ctrl+F12, trace over) to run the program, then click View > Run trace, or click the "..." button on the toolbar, to open the run trace log window:
 
Now let's look at the statistics:
 
Double-click the instruction at address 401082 to go to the following position:
 
Now we can set a breakpoint with F2 on the instruction at address 4010A6, delete all other breakpoints, and click Debug > Close run trace. Now we can start the analysis:

004010E2 |. 8BFE          MOV EDI,ESI                        ; user name into EDI
004010E4 |. 03F8          ADD EDI,EAX
004010E6 |. FC            CLD
004010E7 |. F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004010E9 |. 33C9          XOR ECX,ECX                        ; clear ECX, the loop counter
004010EB |. BE 71214000   MOV ESI,cycle.00402171             ; address of the registration code into ESI
004010F0 |> 41            INC ECX
004010F1 |. AC            LODS BYTE PTR DS:[ESI]             ; take each character of the registration code
004010F2 |. 0AC0          OR AL,AL
004010F4 |. 74 0A         JE SHORT cycle.00401100            ; end of string, jump out
004010F6 |. 3C 7E         CMP AL,7E                          ; is the character above 7Eh, i.e. outside printable ASCII?
004010F8 |. 7F 06         JG SHORT cycle.00401100            ; if so, jump out
004010FA |. 3C 30         CMP AL,30                          ; is it below 30h ('0')? mainly checks whether it is a digit or letter
004010FC |. 72 02         JB SHORT cycle.00401100            ; if so, jump out
004010FE |.^ EB F0        JMP SHORT cycle.004010F0
00401100 |> 83F9 11       CMP ECX,11                         ; compare the length of the registration code: must be 11h = 17
00401103 |. 75 1A         JNZ SHORT cycle.0040111F
00401105 |. E8 E7000000   CALL cycle.004011F1                ; key: follow with F7
0040110A |. B9 01FF0000   MOV ECX,0FF01
0040110F |. 51            PUSH ECX
00401110 |. E8 7B000000   CALL cycle.00401190                ; key: follow in
00401115 |. 83F9 01       CMP ECX,1
00401118 |. 74 06         JE SHORT cycle.00401120
0040111A |> E8 47000000   CALL cycle.00401166                ; "registration failed" dialog box
0040111F |> C3            RETN
00401120 |> A1 68214000   MOV EAX,DWORD PTR DS:[402168]
00401125 |. 8B1D 6C214000 MOV EBX,DWORD PTR DS:[40216C]
0040112B |. 33C3          XOR EAX,EBX
0040112D |. 3305 82214000 XOR EAX,DWORD PTR DS:[402182]
00401133 |. 0D 40404040   OR EAX,40404040
00401138 |. 25 77777777   AND EAX,77777777
0040113D |. 3305 79214000 XOR EAX,DWORD PTR DS:[402179]
00401143 |. 3305 7D214000 XOR EAX,DWORD PTR DS:[40217D]
00401149 |.^ 75 CF        JNZ SHORT cycle.0040111A           ; if this jump is taken, it's over
0040114B |. E8 2B000000   CALL cycle.0040117B                ; "registration successful" dialog box

When I got to tracing the algorithm I found this crackme still quite complicated, and since I did not have much time for detailed tracing I did not write up the specific algorithm. If you are interested, you can look into it yourself: the registration code is 17 characters, and the user name is extended to 16 characters by repetition; for example, if I enter "ccdebuger", it is extended to "ccdebugerccdebug". Roughly, the first 8 characters of the extended user name and the first 8 characters of the registration code are taken first; the first four and the last four characters of the user name are computed against the first four and the last four characters of the registration code respectively; then the last 8 characters of the extended user name and the last 8 characters of the registration code are likewise split into two halves, and the values obtained from them are XORed with the values computed from the first 8 characters of the user name and registration code; the final result must be 0. I have not found any use of the 17th character of the registration code. For beginners this crackme may be a little difficult. It doesn't matter; what we are mainly learning is how to use OllyDbg.
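As an added example, not code from ccdebuger's post or from the crackme, here is a Python re-implementation of the two pieces of logic that are fully visible in the listing above: the character-counting loop at 004010EB-00401100 and the final dword check at 00401120-00401149. The addresses and offsets (the registration code at 402171, the dwords at 402168, 40216C, 402179, 40217D and 402182) come from the listing; the byte contents of that data area are constructed test values, because the page does not show them, and the two calls at 00401105 and 00401110 (which fill in the data and must leave ECX equal to 1) are not emulated. The point of running the loop in Python is to see what the counter actually counts: ECX is incremented before each byte is examined, so the terminating byte is included, and JG is a signed compare while JB is unsigned, which matters for bytes above 7Fh.

```python
# Added example (not from the original post): emulate the visible checks of the
# "cycle" crackme listing. Memory contents below are constructed test data.
import struct

REGCODE_ADDR = 0x402171          # MOV ESI,cycle.00402171 in the listing


def count_loop(regcode: bytes) -> int:
    """Emulate 004010EB-00401100 and return the value ECX holds when the loop exits.

    Bytes past the end of the buffer read as NUL, matching a NUL-terminated string.
    """
    ecx = 0
    esi = 0
    while True:
        ecx += 1                                         # INC ECX (before the byte is checked)
        al = regcode[esi] if esi < len(regcode) else 0   # LODS BYTE PTR DS:[ESI]
        esi += 1
        if al == 0:                                      # OR AL,AL / JE: end of string
            break
        signed_al = al - 256 if al >= 0x80 else al
        if signed_al > 0x7E:                             # CMP AL,7E / JG is a *signed* compare,
            break                                        # so 80h-FFh do not take this branch
        if al < 0x30:                                    # CMP AL,30 / JB is an unsigned compare
            break
    return ecx


def length_ok(regcode: bytes) -> bool:
    """CMP ECX,11 / JNZ: the loop must exit with ECX == 17."""
    return count_loop(regcode) == 0x11


def read_dword(mem: dict, addr: int) -> int:
    """Little-endian dword read from a sparse byte image; unset bytes read as 0."""
    return int.from_bytes(bytes(mem.get(addr + i, 0) for i in range(4)), "little")


def final_check(mem: dict) -> bool:
    """Emulate 00401120-00401149; True means the 'registration successful' path."""
    eax = read_dword(mem, 0x402168)          # MOV EAX,DWORD PTR DS:[402168]
    ebx = read_dword(mem, 0x40216C)          # MOV EBX,DWORD PTR DS:[40216C]
    eax ^= ebx                               # XOR EAX,EBX
    eax ^= read_dword(mem, 0x402182)         # XOR EAX,DWORD PTR DS:[402182]
    eax |= 0x40404040                        # OR EAX,40404040
    eax &= 0x77777777                        # AND EAX,77777777
    eax ^= read_dword(mem, 0x402179)         # XOR EAX,DWORD PTR DS:[402179]
    eax ^= read_dword(mem, 0x40217D)         # XOR EAX,DWORD PTR DS:[40217D]
    return (eax & 0xFFFFFFFF) == 0           # JNZ not taken -> success


def build_memory(regcode: bytes, d402168: int, d40216c: int) -> dict:
    """Constructed memory image: NUL-terminated registration code at 402171 and the
    two dwords at 402168/40216C, whose real origin the listing does not show."""
    mem = {}
    for i, b in enumerate(regcode + b"\x00"):
        mem[REGCODE_ADDR + i] = b
    for i, b in enumerate(struct.pack("<II", d402168, d40216c)):
        mem[0x402168 + i] = b
    return mem


def registered(regcode: bytes, d402168: int, d40216c: int) -> bool:
    """Length check first (00401100), then the dword check (00401120), as in the listing.
    The calls at 00401105/00401110 between them are assumed to succeed (ECX == 1)."""
    if not length_ok(regcode):
        return False
    return final_check(build_memory(regcode, d402168, d40216c))


if __name__ == "__main__":
    # 16 valid characters plus the NUL terminator give ECX == 17; 17 characters give 18.
    print(count_loop(b"78787878"), count_loop(b"A" * 16), count_loop(b"A" * 17))
    # Constructed dwords chosen so that the final XOR chain cancels to zero.
    print(registered(b"78787878ABCD0123", 0x65452509, 0x12345678))
```

Tracing `count_loop` shows why the author found no use for the 17th character: with 16 characters and a terminator the counter reaches exactly 17, whereas 17 characters followed by NUL give 18 and the length check fails, so a 17th character can only be the byte that stops the loop. The values 0x65452509 and 0x12345678 are constructed so that the chain in `final_check` cancels for the code "78787878ABCD0123"; they say nothing about what the crackme really stores at 402168 and 40216C.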

Finally, two remarks:
1. After setting the message breakpoint, for this program we can skip the step of setting the access breakpoint on the code section and open the run trace directly. After the message breakpoint is hit, press Ctrl+F12 to run the program, and the key points can be found in the run trace log.
2. For this program you can set the message breakpoint, enter the user name and registration code and then, without pressing the "check" button, open the run trace directly; after "Add entries of all procedures", return to the program and click "check". In this case you can also find the key position by opening the run trace log in OllyDbg.

[Copyright notice] This article is purely a technical exchange. When reposting, please credit the author and keep the article complete. Thank you!

Uploaded attachment: Cycle.zip (6787 downloads)
