[System Security] 4. Basic usage of the OllyDbg dynamic analysis tool and reverse cracking of CrackMe

You may have seen a similar article of mine before, so why repeat it? I simply want to help beginners understand virus reverse analysis and system security better and more systematically, without breaking the earlier series. So I have reopened this column to study system security, reverse analysis and malicious code detection systematically and in depth. The "System Security" series will be more focused, more systematic and deeper. It is also a record of the author's slow growth. Changing fields is genuinely hard, and reverse analysis is a hard part of it, but I want to see how far I can get with it over the next four years. The road is long, and knowing the mountain has tigers, I still head for the mountain. Enjoy the process, and let's keep going together~

In the System Security series the author will dig into malicious sample analysis, reverse analysis, offensive and defensive practice, Windows vulnerability exploitation and so on, learning from other bloggers through online notes and hands-on work, and hopefully progressing together with you. The previous article covered the basic usage of the IDA Pro disassembler and briefly walked through a practical EXE reverse-engineering and decryption method. This article introduces the basic usage of OllyDbg in detail and works through the CrackMe cases, including the reverse analysis of "Yi Tian Shou Long"; I hope it helps readers who are just getting started.

Without further ado, let's start the new journey! Your likes, comments and favourites are the greatest support to me, and I am grateful for your company along the security road. If anything is poorly written, contact me and I will fix it. This is a basics article; I hope it is useful. The author's aim is to make progress together with fellow security people. Let's go~


Statement: I firmly oppose using teaching material to commit crimes; all criminal behaviour will be severely punished, and we need to keep the network clean together. Readers are encouraged to understand the principles behind these techniques in order to defend against them better.


1. Introduction to the OllyDbg tool

OllyDbg is a user-mode (Ring 3) dynamic debugger that combines the strengths of IDA's disassembly view with SoftICE-style interactive tracing. It is easy to use, supports plug-in extensions, and remains one of the most popular debugging and unpacking tools for 32-bit Windows programs.

After OllyDbg starts it shows, as in the figure below, a disassembly window, a register window, an information window, a data (dump) window and a stack window.

  • Disassembly window: shows the disassembled code of the debugged program, with columns for address, HEX bytes, disassembly and comment
  • Register window: shows the CPU registers of the currently selected thread; click the window label to switch how the registers are displayed
  • Information window: shows details about the instruction currently selected in the disassembly window, such as operand values, jump destinations and referenced strings
  • Data window: shows the contents of memory or of the file; the right-click menu switches the display format (hex, ASCII, disassembly and so on)
  • Stack window: shows the stack of the current thread


The following figure is the interface displayed after opening the EXE.



The commonly used debugging shortcut keys are explained briefly below.

F2
Toggle a breakpoint on the selected instruction. It is shown in red, as in the figure below, and the program pauses when execution reaches it. Press F2 again on the same line to remove the breakpoint.

F9
Run the program. If no breakpoint is set, the debugged program simply runs without stopping.

F8
Step over: each press executes one instruction in the disassembly window. A CALL is executed as a whole, without entering the subroutine.

F7
Step into: like step over (F8), except that on a CALL it enters the subroutine and stops at its first instruction, as in the figures below.

F4
Run to the selected instruction, that is, execute until the cursor position is reached and pause there.

CTRL+F9
Execute till return: run until the current function executes a RET, then pause. This is often used to get back from system DLL code to the code of the program being debugged.

ALT + F9
Execute till user code: run until execution returns from system DLL code to the code of the debugged program.

F12
Pause the running program.


2. OllyDbg analysis of CrackMe example 1

The first case is the CrackMe v3.0 file from the book "Encryption and Decryption"; the task is to work out the user name and serial number it accepts.

Click the "Register now" button and an input-error prompt appears, as shown in the figure below.

The basic process of OllyDbg dynamic analysis is as follows:

  • First run the software you have been given. If it ships with a help file, read it to get familiar with the basic usage, then try entering a wrong registration code and note the error message.
  • If there is nowhere to enter a registration code, consider whether the program reads the registry or a key file (it reads the contents of a file to decide whether it is registered); these cases can be analysed with other tools, such as registry and file monitors.
  • If neither applies, the program may just be a trial version with features removed; turning it into the full version would require writing the missing code by hand.
  • If a registration code has to be entered, as in the figure above, use a packer detector (such as PEiD or FI) to check whether the program is packed. If it is, unpack it first and then load it in OllyDbg for analysis and debugging; if not, load it in OllyDbg directly.

Let's start the formal analysis.

Step 1: Use PEiD to check whether the program is packed.
The result is "Borland Delphi 4.0-5.0", that is, a Delphi program with no packer.


Step 2: Run the CrackMe V3.0 file and click "Register now"; an error message appears.
The dialog box shows "Wrong Serial, try again!".


Step 3: Start OllyDbg, select "File" -> "Open" and open the CrackMe3 file.
The debugger stops at the position shown below; double-click the comment column to add a custom comment.


Step 4: Right-click in the disassembly window and select "Search for" -> "All referenced text strings".


The dialog box shown in the figure below pops up.


Step 5: Right-click, choose "Search for text", and enter "Wrong" to locate the "Wrong Serial, try again!" string.


As shown in the figure below, locate the "Wrong Serial" position.


Step 6: Right-click the string and choose "Follow in Disassembler".


Then locate to the position shown in the figure below.


Step 7: Select that instruction, right-click and choose "Find references to" -> "Selected command" (shortcut Ctrl+R).


The References window shown in the figure below pops up.


Step 8: Double-click each of the two addresses (00440F79, 00440F93) to jump to the corresponding locations.

Scroll up in the disassembly window to see the core code:


Step 9: The instruction that jumps to the "Wrong serial, try again" string can be identified by showing jump paths.
In "Options" -> "Debugging options" -> "CPU", check "Show jump path", "Show grayed path if jump is not taken" and "Show jumps to selected command".

As shown below:


Step 10: Analyse the disassembly code in detail.
In the figure below, press F2 to set a breakpoint at address 00440F2C, then press F9 to run the program.

Enter "Test" and "754-GFX-IER-954", click "Register now!", the display result is shown in the figure below.


The program stops at the breakpoint, and the information window shows what was just entered.

The information window shows that the input "Test" is stored at memory address 02091CE0.

Step 11: Left-click the line "ss:[0019F8FC]=02091CE0, (ASCII "Test")", right-click and choose "Follow in Dump", and the input appears in the data window. EAX=00000004 means the input is 4 characters long.

Step 12: Use F8 and F7 to analyse the code step by step.
Go back to the code starting at 00440F2C and press F8 to step through it, paying attention to the core code below.

00440F2C  |.  8B45 FC       mov eax,[local.1]            ;  the entered text is moved into EAX, i.e. "Test"
00440F2F  |.  BA 14104400   mov edx,crackme3.00441014    ;  ASCII "Registered User"
00440F34  |.  E8 F32BFCFF   call crackme3.00403B2C       ;  key point: press F7 to step into this subroutine
00440F39  |. /75 51         jnz Xcrackme3.00440F8C       ;  taking this jump leads to the error: Wrong serial
...


Step 13: When F8 reaches "00440F34 |. E8 F32BFCFF call crackme3.00403B2C", press F7 to step into the CALL; the cursor lands at the position shown below (00403B2C).

Here PUSH ebx, PUSH esi and so on save the registers the subroutine will use, which is a standard subroutine prologue. Press F8 to step through the code; the core explanation is given in the figure and is basic assembly (refer to the "OllyDbg Getting Started Tutorial" by CCDebuger of Kanxue).

Important: when the program reaches the state shown in the figure below, you can see "Test" being compared with "Registered User". From that comparison we know the user name must be "Registered User".

Step 14: Press F9 to continue; the error dialog appears. Click OK, enter "Registered User" in the edit box, click "Register now!" again and continue debugging.
Note that F12 pauses the program.

The core code is shown below. The CALL at 00440F34 has been analysed; press F8 to continue to the second key point, the CALL at 00440F51, and press F7 to step into that subroutine. Note: the comment showing the string is not guaranteed to be there; the reliable way is to debug the program and read the registration code from the registers as it is compared.

00440F34  |.  E8 F32BFCFF   call crackme3.00403B2C
00440F51  |.  E8 D62BFCFF   call crackme3.00403B2C

These two instructions show that the user name and the registration code are checked by the same subroutine, and it is analysed the same way as above.

Step 15: Step through the subroutine with F8; a CMP compares the two values for equality, and the string at 0044102C is the expected registration code.

Step 16: Press F12 to pause, then F9 to continue, enter the correct user name and serial, and the registration succeeds.

  • Registered User
  • GFX-754-IER-954


Difficulty: the hard part is following the core code, such as the CMP comparison here; the assembly is fairly obscure.


3. OllyDbg analysis of CrackMe example 2

This case is Afkayas.1.EXE from the CrackMe collection, a typical serial-from-name program: the serial is derived from the entered name.

Step 1: PEiD shows no packer; the program is written in Visual Basic.

Step 2: Open Afkayas.1.EXE in OllyDbg, as shown in the figure below.

Step 3: Right-click in the disassembly window and select "Search for" -> "All referenced text strings".

Step 4: In the window that pops up, find the failure string "You Get Wrong", right-click it and choose "Follow in Disassembler".

This takes you back to the code, where both the failure and the success strings are visible.

Step 5: The success and failure strings are usually close together. Reason about the logic first: if the entered serial is correct the success branch is taken, otherwise the failure branch. Then scroll upwards to find where the string comparison function is called.

This step is the critical one, but in my experience it takes a good deal of practice to locate the right call accurately.

In assembly, a function's arguments are pushed onto the stack before it is called with CALL. There is a PUSH EAX immediately before the string comparison function, so EAX can be inferred to hold the address of one of the strings being compared.

Step 6: Press F2 to set a breakpoint on the comparison call at 00402533, then press F9. The program's window appears; enter "Eastmount" and "12345678" and click OK.

The program stops at the breakpoint, and the correct serial is visible among the call's arguments in the stack window at the lower right.

Step 7: Enter the correct user name and serial, and the registration succeeds.

  • Eastmount
  • AKA-877848

Below is a brief analysis of the serial algorithm, drawing on the blog posts of Guishou and Haitian; I strongly recommend reading their articles (see the references in the previous article). Reverse-engineering experience really is not something gained overnight, and I know there is far too much still to learn. Let's keep at it together.

The basic process is as follows:
serial = 'AKA-' + itoa(strlen(name) * 0x17CFB + name[0])

  • Get the length of the user name
  • Multiply the length by 0x17CFB; if the multiplication overflows, the program jumps to its error path
  • Add the ASCII code of the first character of the user name to the result
  • Convert the result to a decimal string
  • Prepend "AKA-" to get the final serial

Let me share a piece of Python decryption code.

# encoding: utf-8

key = "AKA-"          # the valid serial carries the hyphen, e.g. AKA-877848
name = "Eastmount"

# get the length of the user name
nameLen = len(name)
print('length of user name:')
print(nameLen)

# multiply the length by 0x17CFB
res = nameLen * 0x17CFB
print('length * 0x17CFB:')
print(res)

# add the ASCII code of the first character of the user name
print(name[0], ord(name[0]))
res = res + ord(name[0])
print('result + ASCII of first character:')
print(res)

# the conversion to decimal is done by str() below

# concatenate the serial: "AKA-" + decimal result
key = key + str(res)
print('final result:')
print(key)

Define different user names to get the corresponding Serial.
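As an added example (this is not code from the original post or from the crackme's author), the script above can be turned into a general keygen plus a verifier that also reproduces the overflow branch mentioned in the step list, which the straight-line script does not model. Two points are assumptions rather than facts taken from the page: that the multiply is a signed 32-bit IMUL whose "jump if overflow" aborts registration (VB's Long is a signed 32-bit integer), and that the first character is ASCII so its byte value is what gets added.

```python
# Added example: general keygen and verifier for Afkayas.1 derived from
# serial = 'AKA-' + itoa(strlen(name) * 0x17CFB + name[0]).
# Assumptions (not stated on the page): signed 32-bit arithmetic with the
# overflow branch aborting registration, and ASCII names.

MULTIPLIER = 0x17CFB          # constant taken from the disassembly
PREFIX = "AKA-"               # fixed prefix of every valid serial
INT32_MAX = 0x7FFFFFFF        # VB "Long" is a signed 32-bit integer


def afkayas_serial(name: str) -> str:
    """Return the serial Afkayas.1 expects for `name`.

    Raises ValueError for an empty or non-ASCII name (the algorithm reads
    name[0] as a single byte) and OverflowError where the program itself
    would take the overflow branch instead of producing a serial.
    """
    if not name:
        raise ValueError("name must not be empty: the algorithm reads name[0]")
    if not name.isascii():
        raise ValueError("only ASCII names are modelled here (assumption)")

    product = len(name) * MULTIPLIER
    if product > INT32_MAX:
        # mirrors the 'jump if overflow' after the IMUL in the disassembly
        raise OverflowError("len(name) * 0x17CFB overflows a signed 32-bit Long")

    value = product + ord(name[0])
    if value > INT32_MAX:
        # the ADD can overflow too when the product is just below the limit
        raise OverflowError("adding name[0] overflows a signed 32-bit Long")

    return PREFIX + str(value)   # str() is the 'convert to decimal' step


def afkayas_check(name: str, serial: str) -> bool:
    """Model of the program's accept/reject decision: an exact string match
    against the computed serial; a name the keygen cannot handle is rejected."""
    try:
        return afkayas_serial(name) == serial
    except (ValueError, OverflowError):
        return False


def max_name_length() -> int:
    """Longest name for which the IMUL does not overflow. The ADD cannot
    overflow for that length either: 0x7FFFFFFF - 22018 * 0x17CFB = 46089 > 127."""
    return INT32_MAX // MULTIPLIER


if __name__ == "__main__":
    # constructed inputs: the page's own example plus a second name
    for n in ("Eastmount", "Test"):
        print(n, "->", afkayas_serial(n))
    print("longest registrable name:", max_name_length(), "characters")
```

Running it reproduces the page's result for "Eastmount" (AKA-877848) and shows why the overflow branch is irrelevant in practice: the product only exceeds a signed 32-bit Long for names longer than 22018 characters, so every name a user would realistically type has a valid serial.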


4. Summary

This concludes the basics article. There is a great deal to learn in network security, and it spans many areas: assembly, networking, operating systems, encryption and decryption, C/C++, Python and more. I hope to keep making steady progress and to give research and practice equal weight. I also hope readers enjoy this series of summary notes; if you don't, no flaming please, and let's walk the road together~

Today my CSDN followers passed 100,000. I sincerely thank you all for your company and support over the years; I am grateful to have met you, and I hope to keep sharing higher-quality articles that help more people get started and solve problems. Onwards!


The "Nazhang AI Security Home" account, opened on August 18, 2020, focuses on Python big-data analysis, cyberspace security, artificial intelligence, web penetration and offensive and defensive techniques, and also shares implementations of algorithms from papers. Nazhang's House will be more systematic: it will rework all of the author's articles, explaining Python and security from scratch, after nearly ten years of writing. I genuinely want to share what I have learned and felt, and I sincerely invite you to follow and offer your advice. Thank you.


(By: Eastmount 2020-12-22 Written in Wuhan https://blog.csdn.net/Eastmoun on Tuesday at 10pm )

Origin blog.csdn.net/Eastmount/article/details/108956863