OllyDbg hacking tutorial

You can right-click on the breakpoints window to disable or delete the breakpoints that have been set. OllyDbg has many context menus: you can right-click on almost anything in OllyDbg to get a context menu listing your debugging options. First, it is usually a good idea to configure OllyDbg to ignore exceptions and to show loops (Figure: Configure Olly to Ignore Exceptions). To demonstrate the power and functionality of OllyDbg, we will use a sample that has some copy protection.

Say we downloaded a trial piece of software that expires after a certain date or after 30 days. All we get is an error message when we attempt to execute it. The first thing we should do is assess the software with CFF Explorer to identify the development language used and some other particulars.

We will need to rely on OllyDbg. Open the CrackMeDemo: in the menu bar, select File, then Open, and navigate to the location of CrackMeDemo. Olly will disassemble the binary file and it will look something like the figure. After disassembly, Olly will take us to the entry point, which for this sample is at virtual address 0xE.

At this point, the question we are faced with is where to begin. Rather than reading the whole disassembly, we will use the power of the debugger to help us locate the error message. By hitting F9 to run the debugger, we should encounter the error message as seen in the figure. Now we will attempt to find the time-limit checking code. Next, press F12 to pause execution.

With execution paused, we can now search for the code that causes the error message. One way to find it is to examine the current call stack, since the error message is still displayed at this point. From this vantage point you can easily see that the error message string is a parameter of the MessageBoxA call (see figure). Select the USER MessageBoxA entry near the bottom of the call stack; the figure shows where the call to MessageBoxA is made. The parameters start with the PUSH 10 instruction at 0x. Since we are at the PUSH 10 instruction (indicated by the grey line), we can examine the Hints pane to see the parts of the code that reference this call:

Figure: The Hints pane shows two places that jump to this error message box.

Well, stepping through it passes the comparison with 'A', as 0x61 ('a') is indeed greater than 0x41 ('A'). When we get to the comparison with 'Z', though, it fails and the jump at F is taken. This is because, as the table shows, 'a' (0x61) is greater than 'Z' (0x5A). Our character is in AL and gets 0x20 subtracted from it.

What's this for? It then jumps back to the routine, increments ESI to the next letter and continues. Step through the rest of the routine and you'll notice that your entire username is processed to make sure it's uppercase.

That's all this bit is doing. A couple of points to note, though: if you only used uppercase letters anyway, this routine is redundant and you won't even see the SUB AL,20 part. Also, if you have non-alphabetic characters in there, they'll be reduced by 0x20 too, as they obviously are not between 'A' and 'Z'. Then comes this line: D. Setting a breakpoint here may be useful too! Then a similar thing happens to what happened in the above routine, the only difference being that the first letter of our capitalised username is moved into BL rather than AL.

It's then tested in case it's 0 before landing at CC. We then increment to the next letter of our username and the process is repeated, although notice that the loop does not include the XOR instructions each time. This has the effect of adding all the values of our username together and storing the sum in EDI. We land here: A2. We then jump back to the initial code we looked at in section 2.

Congratulations, you've just traced your first call and now you understand exactly how this application processes a username! Now see if you can follow the same procedure for the second call below. Trace into it with F7 and see what you can find. Let's find out. Firstly we see EAX is pushed to the stack (we know that this contains our summed username, XOR'd in the previous call), and then our entered serial is pushed to the stack too.

We can then use F7 to trace our second call. Following this, our serial number is moved into ESI and the processing begins. Let's try and work out what's going on here. Firstly, 0A (decimal 10) is moved into AL, and then the first character of our serial ('1' in my case) is moved into BL before being tested for 0 in the usual way. Note, though, that EBX contains 0x31 rather than 1, i.e.

After this, 0x30 is subtracted from our number, i.e. This is then stored in EDI. What this has actually done is convert our serial from its decimal digits to a number in hex! So we jump out of the loop and land at F5. This is interesting: remember in the last call where the username was uppercased and XOR'd with a hex constant?

Well, here we've just hexed the serial and now we're XORing it with a hex constant (the result is 1F in my case)! Simple really! We jump back to here: D. This is then popped to EAX. Then comes the critical comparison: the next jump statement is the critical one. If the two values in EAX and EBX are equal, we jump to the call statement at the bottom of the above code extract, hence the reason I said we could patch this jump to jump if not equal rather than if equal.

If EAX and EBX are not equal, we don't jump and we are taken down the 'No luck there mate' routine. This is where I go on this occasion, as the serial I entered is not the correct one. Specifically, our processed serial must give the same result as our processed username in order to be valid.

So how do we achieve this? Well, this is where knowledge of the XOR function brings us through. So how is this useful? Well, looking at the way the serial is processed, our entered serial (as a hex number) XOR'd with the constant must equal our processed username (0x54A4 in my case). Using the above reasoning, then, our serial is our processed username XOR'd with i. I hope you enjoyed this and found it useful.
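To make the two routines traced above concrete, here is a Python model of the check, added as an illustration (it is not the crackme's own code); the two XOR constants are elided on the page, so the values below are hypothetical placeholders. It shows why a sum-then-XOR check is weak: XOR with a fixed constant is its own inverse, so the only accepted serial is a direct function of the username.

```python
# Model of the username/serial check walked through above.
# Both XOR constants are hypothetical: the page does not give the real values.
USERNAME_XOR_KEY = 0x1234  # placeholder for the constant XOR'd in the first call
SERIAL_XOR_KEY = 0x1E      # placeholder for the constant XOR'd in the second call


def process_username(name: str) -> int:
    """First call: force each byte to uppercase by subtracting 0x20 from any
    byte above 'Z' (0x5A), sum the bytes (EDI), then XOR with the constant.
    Bytes below 'A' are not covered by the walkthrough; this model leaves them as-is."""
    total = 0
    for ch in name.encode("ascii"):
        if ch > 0x5A:      # the jump taken after the comparison with 'Z'
            ch -= 0x20     # SUB AL,20: also hits non-alphabetic bytes above 'Z'
        total += ch
    return total ^ USERNAME_XOR_KEY


def process_serial(serial: str) -> int:
    """Second call: decimal digits -> integer (the loop that subtracts 0x30 from
    each digit and multiplies by 0A), then XOR with the constant."""
    value = 0
    for ch in serial.encode("ascii"):
        if not 0x30 <= ch <= 0x39:
            raise ValueError("serial must consist of decimal digits")
        value = value * 10 + (ch - 0x30)
    return value ^ SERIAL_XOR_KEY


def check(name: str, serial: str) -> bool:
    """The critical comparison: EAX (processed username) == EBX (processed serial)."""
    return process_username(name) == process_serial(serial)


def expected_serial(name: str) -> str:
    """Why the scheme is weak: undoing the serial-side XOR recovers the one serial
    the check accepts, so anyone who has read the routine can derive it."""
    return str(process_username(name) ^ SERIAL_XOR_KEY)


if __name__ == "__main__":
    user = "ab"  # constructed sample input
    print(hex(process_username(user)), expected_serial(user), check(user, "1"))
```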
