Let me talk nonsense before writing (Who throwing banana skin, egg ^^^^^^^^^^):
OLLYDBG is a powerful software. I used to use him (not used to), and many classic tutorials are written in TRW and Softice as an example tool. Beginner (Note: A person as me) often contact these Tools, doing exercises, use these tools! It can be said that it is already getting up! The dynamic debugging function of Ollydbg is strange!
Now a very real problem makes me change habits, my keyboard mouse is USB, the monitor also gives me a pair! TRW and Softice are not used! Helpless only learn ollydbg. I found this thing is too good !!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! * When dynamic debugging, you can listen to the song chat mm (TRW, Softice can only blank screen * Debugging, and function reference, you can add it, easy to copy, clearly see the change of the stack ^^^^^^^ * The interface is beautiful, you can set the background color at will! * Have a powerful right-click function, use it It is particularly convenient! (Especially suitable for the elderly children to use ~~~~) * I can't say it ~~~ Other advantages You go to discover yourself !!! I am a big rookie, how long the contact is not broken, the brain is not How to get the light, the level is pitiful, please ask the high-end finger !!! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ OLLYDBG introduction ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Let me now This rookie introduced the rookie: 1 * work interface: (we look down from top)
See the title bar, menu bar and toolbar (don't let me do nouns!) Remember: All functions of the toolbar can be found in the menu bar, the toolbar is the shortcut button of the menu bar (nonsense!) Detailed Features We are here to say! Watch out four windows, they are the code window (top left), register window (upper right), memory window (left) and stack window (right below)
2 * Menu Bar Near Command Function * File (f) ---- These commands? | ____ Note ** The lower part of this menu has the last record, the record is saved, you have last unable to remove Breakpoint ** Note **
* View (V) ------ This menu I only introduce I often used, others I won't! :-) | ____ execute the module (shortcut ALT E): View the dynamic connection used by the program Library (my understanding) | | ____ breakpoint (shortcut OLT B): This is to view all your breakpoints, (sometimes you have forgotten yourself, you can look at it) a auxiliary function. I It will be so much!
* Debug (D) ------- This menu is the key, don't understand you don't debug software! Just say common! | ______ Run (F9) After loading the program, run! | | ______ 动(F12) | | ______ 单步 进 (f7) Meet the Call! Enter the subtext! Book: "Follow" | | | _____ 单步 Skip (F8) Meet Call! Do not go to the tube Internal! The first time is common! | | | ______ to return (Alt F9) is the return statement that is executed to the subtertainer!
The rest of the menu is not important ~ I don't have a tongue ~~~ I am "the first lazy" in the world (the name of the Emperor Qianlong gives me) I know so much ~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Objective: Flashpt 2.1 Build 3067 Cracker: WinRoot Tool: PEID, W32DASM, Aspackdie, OLLYDBG purpose: an OLLYDBG tutorial, software is relatively simple! Download address: http://www.softreg.com.cn/shareware_view.asp? Id = / 4C7E305E-226A-43B9-98D2-BE0410D46806 /
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ Crack process: There are 3 components after the software installed. I have the same way. I chose Flash conversion decryption.
1 * PEID check, Aspack 2.12 -> alexey solodovnikov 2 * Using Aspackdie Shell. After the shell, the folded file name is unpacked.exe 3 * Static analysis using W32DASM anti-compilation! Load unpacked.exe -> Contract -> The "Reference" Select String Data Reference "Select String Data Reference" Select "Select" Registration Code Error, please re-enter! "Double-click. * Reference by A (U) Nconditional OR (C) Onditional Jump At Address: |: 004d1174 (c) | ~~~~~~~~~~~~~~~~~~~~ is from here, we will see: 004D120D 6A00 Push 00000000 * Possible StringData Ref from code Obj -> "Tip ": 004D120F B974124D00 MOV ECX, 004D1274
* Possible StringData Ref from code obj -> "Registration code error, please re-enter!"
################ We came to 004D1174 ########################## ######: 004d116b 8b55E4 MOV EDX, DWORD PTR [EBP-1C]: 004D116E 58 POP EAX: 004D116F E8C42CF3FF CALL 00403E38: 004D1174 0F8593000000 JNE 004D120D; see it! That is from here! ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~: 004D117A B201 MOV DL, 01: 004D117C A1DCCA4400 MOV EAX, DWORD PTR [0044CADC]: 004D1181 E856BAF7FF call 0044CBDC: 004D1186 8BD8 mov ebx, eax: 004D1188 BA02000080 mov edx, 80000002: 004D118D 8BC3 mov eax, ebx: 004D118F E8E8BAF7FF call 0044CC7C: 004D1194 B101 mov cl, 01
* Possible StringData Ref from Code Obj -> "software / microsoft / windows / currentversion / chan" -> "gid" |: 004D1196 BA98124D00 mov edx, 004D1298: 004D119B 8BC3 mov eax, ebx: 004D119D E83EBBF7FF call 0044CCE0: 004D11A2 84C0 test al Al: 004D11A4 745E JE 004D1204 ~~~~~~~~~~~~~~~~~~~~~~ 省 some code
* Possible StringData Ref from code Obj -> "Tips" |: 004D11E2 B974124D00 MOV ECX, 004D1274
* Possible StringData Ref from code obj -> "Successful registration! Thank you for using this software!
Program needs to be restarted "
~~~~~~~~~~~~~~~~~~ **** ~ ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Blast is bursting :-) Look at our analysis: 004D1174 0F8593000000 JNE 004D120D; see it Let's go to death from here! Then we will not leave! His JNE we changed to Je * started !!!!!!!!!!! First, run ollydbg load the unpacked after the shell. Exe find address 004d1174 004d1174 0f85 93000000 jnz unpacked.004d120d
咦 !!!!!!! How can I become JNZ? (I don't know why) but he has nothing to do with the blast! We will change him into JZ to play the same effect 1) We double-click here: jnz unpacked.004d120D It is changing its assembly code __________________ Note {2) After changing him into JZ 004D120D points, he turns red again! {3) then right-click JZ 004D120D to select "Copy to Executable File" {Double-click the address bar is an absolute address and relative address conversion 4) The top is the top is the top is 0000000 JE 000D120D {, for example: we double-click 004d1174 to turn $ ==> We right click JE 000D120D selection " Save the file "{Double-click the machine code bar is to set this address as a breakpoint 5) Enter the name of the file you envisaged {for dual-click 0F85 93000000 We can see red 6) run, huh,!! Explain that we have set 004d1174 to break again and then double-click.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After the above process, if you feel that you don't add addiction to register Table HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CURRENTVERSION / CHANGID Deletes the key value of the key (if it is registered without registration, it is not available.) We continue to analyze this time ~~ ########### #####################Dynamic Analysis########################### ######## The premise of dynamic analysis is static analysis, let's take a look at the results of static analysis: 004D116B 8B55E4 MOV EDX, DWORD PTR [EBP-1C]: 004D116E 58 POP EAX: 004D116F E8C42CF3FF Call 00403E38 // This is a comparison of Call: 004D1174 0F8593000000 JNE 004D120D
Then we set a breakpoint at 004d116b ~~~ f2 or double-click the machine code bar to set the breakpoint - f9 (run) - Enter the username WinRoot, get the ID, ID number 4835812338, click registration, the program is intercepted by Ollydbg,乖 ~~ You guess what we saw !!!! A string of numbers !!! 3230027325 to see the stack window to the right down the number 4835812338, one line 3230027325 You see his face, long is like a registration code ~~ ~ Quit to try it ~~~ You look at my face :-) Hehe ~~~~ Success ~~~ Memory registration machine you will do it yourself ~ Exercise!
######################################################################################################################################################################################################################################################################################################## ############################################################################# Still analyzing ~~ Through the above dynamic analysis, we know that the generation of the serial number is affirmed at a certain segment of the 004d116b, ~ How to determine that only tracking, the latest registration code is in which place appears! So we found it again A loop! Very suspicious, break down track! (OLLYDBG will target the loop!) 004d10Ea |. C745 f0 000000> Mov DWORD PTR SS: [EBP-10], 0 ~~~~~~~~~~~~~~~~~~~~~ ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ F2 or double-click the machine code bar to set the breakpoint - -f9 (run) - Enter the username WinRoot, get the ID, ID number 4835812338, click on registration, the program is intercepted by Ollydbg. We press F8 (single step jump) Execute, pay attention to the changes of registers and stacks !! 004d10f1 |. C745 F4 000000> MOV DWORD PTR SS: [EBP-C], 0 004D10F8 |. 8B45 FC MOV EAX, DWORD PTR SS: [EBP-4] 004d10fb |. E8 282CF3FF CALL UNPACKED.00403D28 004D1100 |. 8BF0 MOV ESI, EAX 004D1102 |. 85F6 TEST ESI, ESI 004D1104 |. 7E 2D JLE SHORT UNPACKED.004D1133 004D1106 |. BB 01000000 MOV EBX, 1 // counter 004D110B |> 8B45 FC / MOV EAX, DWORD PTR SS: [EBP-4] // Take ID String 004D110E |. 807C18 FF 00 | CMP BYTE PTR DS: [EAX EBX-1], 0 004D1113 |. 74 1A | JE Short Unpacked.004D112F // is zero jump! 004d1115 |. 8b45 fc | MOV EAX, DWORD PTR SS: [EBP-4] // EAX = STR 004D 1118 |. 8A4418 FF | MOV Al, Byte Ptr DS: [EAX EBX-1] // Al = STR [EBX-1] 004d111c |. 25 FF000000 | And Eax, 0FF 004D1121 |. 33D2 | xor Edx, EDX 004d1123 |. 0345 F0 | Add Eax, DWORD PTR SS: [EBP-10] // and the first value plus 004d1126 |. 1355 F4 | ADC EDX, DWORD PTR SS: [EBP-C] 004D1129 |. 8945 F0 | MOV DWORD PTR SS: [EBP-10], EAX / / Deposit 004d112C |. 8955 F4 | MOV DWORD PTR SS: [EBP-C], EDX 004D112F |> 43 | Inc EBX / / counter plus 1 004d1130 | 4E | DEC ESI 004D1131 |. ^ 75 D8 / Jnz short unpacked.004d110b // Cycle accumulated plus 004d1133 |>
6A 00 Push 0 004d1135 |. 68 F1E05D00 PUSH 5DE0F1 // Form 004D113A |. 8B45 F0 MOV EAX, DWORD PTR SS: [EBP-10] // Care and 004D113D - Database & Sql Blog Articles SS: [EBP-C] 004d1140 |. E8 874ff3ff Call unpacked.004060cc // Accumulated and * 0x5DE0F1 004D1145 |. 8945 F0 MOV DWORD PTR SS: [EBP-10], EAX 004D1148 |. 8955 F4 MOV DWORD PTR SS: [ EBP-C], EDX 004D114B |. 8d55 E8 Lea EDX, DWORD PTR SS: [EBP-18] 004D114E |. 8b87 F8020000 MOV EAX, DWORD PTR DS: [EDI 2F8] 004d1154 |. E8 b7d3fbff call unpacked.0048E510 / / Becomes 10-en-real serial number 004d1159 |. 8B45 E8 MOV EAX, DWORD PTR SS: [EBP-18] // Take the hypothesis number of string 004d115c |. 50 push eax 004d115d |. Ff75 f4 push dword PTR SS: [EBP-C]; / Arg2; Return Value 004d1160 |. FF75 F0 PUSH DWORD PTR SS: [EBP-10]; | Arg1; Serial No. 004D1163 |. 8D45 E4 Lea Eax, DWORD PTR SS: [EBP- . 1C]; | 004D1166 | E8 0574F3FF CALL UNPACKED.00408570; /UNPACKED.00408570 004D116B | 8B55 E4 MOV EDX, DWORD PTR SS:.. [EBP-1C] 004D116E | 58 POP EAX 004D116F | E8 C42CF3FF CALL UNPACKED.00403E38. // Comparison 004d1174 |. 0F85 93000000 jnz unpacked.004d120D // Take out wrong Note: All The comments are derived from the changes in the registers and stacks after tracking! It is not to be drawn in one track, it is a conclusion that has been drawn many times! ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Conclusion: We can see that the serial number is produced, and the amount of ASCII value of each bit of the ID and the value of the 0x5DE0F1 multiplied by the value of 0x5De0F1 transforms to 10-en-forming sequence number ~~ So Name: WinRoot ID: 4835812338 Ser = [(0x34 0x38 0x33 0x35 0x38 0x31 0x32 0x33 0x33 0x38) * 0x5De0f1] = [c0864e3d] = [3230027325] 16 16 10 simple ~~ I hope that our rookie group can come out Master ~~ Can write the best tutorial, not like me ~~ 他 人 ~
Rookie experience: CRACK is a great knowledge of door operability, so be sure to do it, see a good article, you must have a more step-by-step experience. Don't see that others have written it. Learn Come to be half a little fake!