[Note] Reversing with the OD tool (OllyDbg) - reversing TraceMe.exe

Glossary

System breakpoint: OllyDbg loads the target with CreateProcessA and the DEBUG_ONLY_THIS_PROCESS flag; once the new process starts running in system space (inside the loader, before any of the program's own code) an INT3 fires and the debugger pauses there.

Entry point of main module: the entry point of the main module, i.e. the file's entry point (AddressOfEntryPoint in the PE header).

WinMain: the entry point of the program's WinMain() function, available only when OD can locate it.

Which of these OD pauses at first is chosen under Options - Debugging options - Events.



Common OD shortcuts

1. F2: toggle a breakpoint at the selected instruction.
2. Alt + B: open the Breakpoints window, where every breakpoint can be viewed and edited.
3. Spacebar: in the Breakpoints window, quickly enable or disable the selected breakpoint.
4. Ctrl + F9 (Execute till return): when you are inside a CALL and want to get back to the place that made the call, press Ctrl + F9; OD runs until the first return instruction it meets (RET, RETF or IRET) and stops there.
5. Alt + F9 (Execute till user code): if you have followed an API into a system DLL and want to get back to the application's own code, press Alt + F9; execution continues until it returns to user code.
6. Ctrl + G: go to an address or to an API by name.

Guessing the API

Reversing skill grows with development experience: only someone who knows how Windows programs are written can guess which API a program must call to do a given job, and use that guess to locate the data-processing code quickly.

Check the program with PEiD first. It reports the compiler or IDE that produced the binary, and each toolchain has its own typical language features and API usage, which makes it easier to find the function that fetches the values from the edit boxes.

[Function] GetDlgItemText retrieves the title or text of a control in a dialog box.

In OD, press [Ctrl + G], type the API name (GetDlgItemTextA) and jump to its address.

Press F2 there to set a breakpoint; OD will now break whenever GetDlgItemTextA is called.

[Alt + B] opens the Breakpoints window; with a breakpoint selected, press [Spacebar] to enable or disable it.

[Ctrl + F9] runs until the ret at the end of the current function, i.e. back into the caller.

Reversing the algorithm

Press F7 on the call at 004011E5 to step into the subroutine at 00401340. Note in particular the loop that starts at 00401359 and the jump at 0040135C to 00401360; the annotated disassembly follows.

The check (serial-generation) function, with comments:

00401340  push ebp                                 ;  save ebp
00401341  mov ebp,dword ptr ss:[esp+0xC]           ;  ebp = username buffer (second argument)
00401345  push esi                                 ;  save esi
00401346  push edi                                 ;  save edi
00401347  mov edi,dword ptr ss:[esp+0x18]          ;  edi = username length (third argument), 5 here
0040134B  mov ecx,0x3                              ;  ecx = 3, index into the username
00401350  xor esi,esi                              ;  esi = 0, running sum
00401352  xor eax,eax                              ;  eax = 0, index into the table
00401354  cmp edi,ecx
00401356  jle XTraceMe.00401379                    ;  if length <= 3, skip the loop
00401358  push ebx
00401359  /cmp eax,0x7                             ;  compare eax with 7
0040135C  jle XTraceMe.00401360                    ;  eax <= 7: keep it
0040135E  |xor eax,eax                             ;  eax > 7: wrap the table index back to 0
00401360  |xor edx,edx                             ;  edx = 0
00401362  |xor ebx,ebx                             ;  ebx = 0
00401364  |mov dl,byte ptr ds:[ecx+ebp]            ;  dl = name[ecx]; with ecx = 3 this is 'd'
00401367  |mov bl,byte ptr ds:[eax+0x405030]       ;  bl = table[eax]; table at 00405030: 0C 0A 13 09 0C 0B 0A 08
0040136D  |imul edx,ebx                            ;  edx = edx * ebx (character value times table byte)
00401370  |add esi,edx                             ;  esi += edx; here esi = 4B0 + 3F2
00401372  |inc ecx                                 ;  ecx: 3 -> 4 -> 5
00401373  |inc eax                                 ;  eax++
00401374  |cmp ecx,edi
00401376  \jl XTraceMe.00401359                    ;  loop while ecx < length (5)
00401378  pop ebx
00401379  push esi                                 ; /<%ld>
0040137A  push TraceMe.00405078                    ; |Format = "%ld"
0040137F  push ebp                                 ; |s
00401380  call dword ptr ds:[<&USER32.wsprintfA>]  ; \wsprintfA: write esi as a decimal string into the buffer at ebp
00401386  mov eax,dword ptr ss:[esp+0x1C]          ;  eax = serial buffer (first argument)
0040138A  add esp,0xC
0040138D  push ebp                                 ; /String2 = computed key string
0040138E  push eax                                 ; |String1 = entered serial
0040138F  call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA

The username entered was abcde and the serial 123456. In the dump window the bytes read at name[3] and name[4] are d and e, i.e.

   name[3] = 'd'
   name[4] = 'e'

At 00401364 the function reads the username from index 3 onwards, and at 00401367 it reads a byte from the fixed table at 00405030; each character value is multiplied by its table byte and the products are summed. The wsprintfA call at 00401380 (format "%ld" pushed at 0040137A) then writes that sum, 2210, as a decimal string, and that string is the key.

Working it through again:

   edx = 0x64 ('d') * 0x0C = 0x4B0

   edx = 0x65 ('e') * 0x0A = 0x3F2

   0x4B0 + 0x3F2 = 0x8A2

0x8A2 in decimal is 2210.

Conclusion:

Starting at index 3, each character of abcde is taken as its byte value (64: d, 65: e), multiplied by the corresponding byte of the table at 00405030 (0C 0A 13 09 0C 0B 0A 08; the table index wraps back to 0 after 7) and the products are summed. The result 8A2, converted to decimal, is the registration code 2210. The function formats this number with "%ld" and compares the string with the entered serial using lstrcmpA, so the serial must be exactly that decimal string.

The C code below reproduces the check function's computation, i.e. it works as a keygen for the program:

#include <stdio.h>
#include <string.h>

/* the fixed table at 00405030 in TraceMe.exe */
static const unsigned char table[8] = { 0x0C, 0x0A, 0x13, 0x09, 0x0C, 0x0B, 0x0A, 0x08 };

int main(void)
{
    char name[65];
    printf("Enter name: ");
    if (scanf("%64s", name) != 1)
        return 1;

    int user_len = strlen(name);
    int key_code = 0;   /* esi: running sum */
    int count_ecx = 3;  /* ecx: index into the name, starts at 3 (for a 5-char name only name[3], name[4] are used) */
    int eax = 0;        /* eax: index into the table */

    /* same loop as 00401359..00401376 */
    for (; count_ecx < user_len; count_ecx++, eax++) {
        if (eax > 7)    /* cmp eax,7 / jle / xor eax,eax: wrap the table index */
            eax = 0;
        int edx = (unsigned char)name[count_ecx];  /* mov dl,byte ptr [ecx+ebp] */
        int ebx = table[eax];                      /* mov bl,byte ptr [eax+0x405030] */
        key_code += edx * ebx;                     /* imul edx,ebx / add esi,edx */
    }
    printf("key_code: %d\n", key_code);            /* abcde -> 2210 */
    return 0;
}

Brute force (patching the jump)

Break on GetDlgItemTextA as above, then F8 single-step down to the place where the result is tested, watching the data and stack windows as you go.

Annotated disassembly:

0040119C  mov esi,dword ptr ss:[esp+0x100]         ;  Case 3F5 of switch 0040115E
004011A3  mov edi,dword ptr ds:[<&USER32.GetDlgIte>;  user32.GetDlgItemTextA
004011A9  push ebx
004011AA  lea eax,dword ptr ss:[esp+0x4C]
004011AE  push 0x51                                ; /Count = 51 (81.)
004011B0  push eax                                 ; |Buffer
004011B1  push 0x6E                                ; |ControlID = 6E (110.)
004011B3  push esi                                 ; |hWnd
004011B4  call edi                                 ; \GetDlgItemTextA (username)
004011B6  lea ecx,dword ptr ss:[esp+0x9C]
004011BD  push 0x65                                ; /Count = 65 (101.)
004011BF  push ecx                                 ; |Buffer
004011C0  push 0x3E8                               ; |ControlID = 3E8 (1000.)
004011C5  push esi                                 ; |hWnd
004011C6  mov ebx,eax                              ; |ebx = username length (return value of the first call)
004011C8  call edi                                 ; \GetDlgItemTextA (serial)
004011CA  mov al,byte ptr ss:[esp+0x4C]            ;  al = first byte of the username
004011CE  test al,al                               ;  was a username entered at all?
004011D0  je XTraceMe.00401248                     ;  empty username: jump to the "too few characters" prompt
004011D2  cmp ebx,0x5
004011D5  jl XTraceMe.00401248                     ;  username shorter than 5: same error prompt
004011D7  lea edx,dword ptr ss:[esp+0x4C]          ;  edx = username address
004011DB  push ebx                                 ;  username length
004011DC  lea eax,dword ptr ss:[esp+0xA0]          ;  eax = serial address
004011E3  push edx                                 ;  push username address
004011E4  push eax                                 ;  push serial address
004011E5  call TraceMe.00401340                    ;  the check function, effectively check("123456", "abcde", 5)
004011EA  mov edi,dword ptr ds:[<&USER32.GetDlgIte>;  user32.GetDlgItem
004011F0  add esp,0xC                              ;  clean up the three arguments
004011F3  test eax,eax                             ;  return value in eax: 0 = registration failed, nonzero = success
004011F5  nop                                      ;  originally a je (taken when ZF=1, i.e. eax = 0); NOP-ed out by the patch

The first test: after the username is read, test al,al checks that something was entered and cmp ebx,5 / jl checks that the username has at least 5 characters; anything shorter jumps to the error prompt at 00401248. Otherwise execution continues. Step over the two GetDlgItemTextA calls with F8 and look at the code after them: three parameters are pushed (length, username address, serial address) and the function at 00401340 is called at 004011E5.

The second test: test eax,eax at 004011F3 checks that function's return value. The je that follows it jumps to the failure path when eax is 0; overwrite that je (both bytes of the short jump) with NOP so the success path is always taken. The listing above already shows the patched nop at 004011F5.

Then right-click in the disassembly window and choose [Copy to executable] - [All modifications].

In the dialog that appears choose [Copy all].

In the new window right-click and choose [Save file]; the patched TraceMe.exe is written and the crack is complete.

After this, any serial entered pops up the success message box (screenshot omitted).
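To apply the same patch outside the debugger, here is an added example (my own script, not part of the original note and not code from TraceMe.exe): a small Python patcher that maps the virtual address 004011F5 to its file offset by walking the PE section table, verifies that the bytes there really are a short je (opcode 74; the note only shows the post-patch nop, so the opcode and the 2-byte encoding are assumptions the script checks before writing anything) and replaces them with two NOPs. It assumes a 32-bit PE32 image; the SAMPLE_PE it is tested against is constructed inline and is not TraceMe.exe.

```python
import struct

JE_SHORT = 0x74          # opcode of a 2-byte `je rel8` (assumed original instruction)
NOP = 0x90
PATCH_VA = 0x004011F5    # the je after `test eax,eax` at 004011F3 in the note


def parse_pe32(pe: bytes):
    """Return (image_base, sections) for a PE32 image; each section is a
    (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) tuple."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:   # PE32 magic
        raise ValueError("only 32-bit PE32 images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((vaddr, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to its offset in the file via the section table."""
    image_base, sections = parse_pe32(pe)
    rva = va - image_base
    for vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError(f"{va:#x} is not backed by file data")
            return rawptr + delta
    raise ValueError(f"{va:#x} is outside every section")


def is_short_je(pe: bytes, va: int) -> bool:
    """True if the byte at `va` is the opcode of a short je."""
    return pe[va_to_file_offset(pe, va)] == JE_SHORT


def patch_je_to_nop(pe: bytes, va: int = PATCH_VA) -> bytes:
    """Return a copy of `pe` with the 2-byte je at `va` replaced by nop; nop.
    The original opcode is verified first, so a wrong address or a different
    build of the binary is rejected instead of silently corrupted."""
    off = va_to_file_offset(pe, va)
    if pe[off] != JE_SHORT:
        raise ValueError(f"expected je (0x74) at {va:#x}, found {pe[off]:#04x}")
    out = bytearray(pe)
    out[off:off + 2] = bytes([NOP, NOP])
    return bytes(out)


def build_fake_pe(code: bytes, image_base=0x00400000, text_va=0x1000, raw_ptr=0x400) -> bytes:
    """Constructed minimal PE32 with a single .text section, used only to
    exercise the patcher offline; it is NOT TraceMe.exe."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)         # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_va,
                      len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    img += b"\0" * (raw_ptr - len(img))
    return bytes(img + code)


# Constructed sample: padding, then `test eax,eax` (85 C0) at RVA 0x11F3 and a
# short je (74 51) at RVA 0x11F5, laid out like the note's listing.
SAMPLE_PE = build_fake_pe(b"\x90" * 0x1F3 + b"\x85\xC0\x74\x51\xC3")

if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else "TraceMe.exe"
    with open(src, "rb") as f:
        patched = patch_je_to_nop(f.read())
    with open(src + ".patched", "wb") as f:
        f.write(patched)
```

Run it as `python patch_traceme.py TraceMe.exe`; it writes TraceMe.exe.patched and leaves the original untouched. The opcode check is the important part: OllyDbg's "Copy to executable" writes whatever you edited, whereas a script applied to the wrong file or the wrong build would otherwise overwrite two arbitrary bytes.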

Reference sample

TraceMe.exe is the sample program that ships with the book "Encryption and Decryption" (加密与解密).

http://pan.baidu.com/s/1miRZZg0 (extraction code: bdq1)

Source: www.cnblogs.com/yuanscn/p/12577607.html