[System Security] 23. OllyDbg dynamic debugging for reverse analysis and a TraceMe case analysis

You may have seen a similar article of mine before, so why repeat it? I want to help beginners understand virus reverse analysis and system security more systematically, without breaking up the previous series. So I have reopened this column to study system security, reverse analysis and malicious code detection systematically and in depth. The "System Security" series will be more focused, more systematic and more in-depth; it is also a record of the author's slow growth. Changing majors is really hard, and reverse analysis is a hard part of it, but I will try to see how much I can learn in the next four years. Enjoy the process, and let's keep going together~

In the previous article, the author introduced the Microsoft certificate vulnerability CVE-2020-0601, explained the ECC algorithm and the Windows verification mechanism, and walked through the example of reproducing an executable file signature certificate. This article explains in detail the basic usage of the OllyDbg dynamic debugger for reverse analysis, including an interface introduction, commonly used shortcut keys and a TraceMe case analysis. This basic knowledge is relevant not only to system security but also to the software, documents and operating systems we use every day. I hope it helps you and raises your security awareness; there is still a long way to go. This article draws on the Vulnerability Bank videos on Bilibili, security websites and the references listed at the end, combined with my own experience and practice. Many thanks to these experts.

Starting in July 2019, I came to an unfamiliar profession: cyberspace security. Entering the security field for the first time is very painful and uncomfortable; there is too much to learn and the coverage is too wide, but fortunately I am struggling forward by sharing the 100 articles of the "Network Security Self-study" series. I am grateful to the security experts and friends I have met and learned from this year. If the writing is poor or insufficient, please bear with me!

Next, I will start a new security series called "System Security", also a free set of 100 articles. The author will study malicious sample analysis, reverse analysis, intranet penetration, real-world network attack and defense, and so on, sharing notes and hands-on practice in the form of blog posts. I hope to make progress together with you. Come on~

Author's github resources:

Preamble analysis:

Statement: I firmly oppose using these teaching methods to commit crimes; all crimes will be severely punished, and we need to maintain a clean network together. It is recommended that you understand the principles behind these techniques so as to better defend against them. The sample will not be shared; the analysis tools will be (see the references below).


1. OllyDbg interface introduction and configuration

OllyDbg (OD) is a Ring 3 (user-mode) dynamic debugger that combines the strengths of IDA and SoftICE. It is very easy to use, is one of the most popular debugging and decryption tools today, and supports plug-in extensions, which makes it one of the most powerful debuggers available.

OD and IDA are the "Heavenly Sword" and "Dragon Saber" of reverse analysis: one for dynamic analysis, the other for static analysis.

This series of articles draws on the "Game Reverse Communication" video series by Vulnerability Bank on Bilibili. The main contents include:

  • OllyDbg interface introduction and configuration
  • Commonly used shortcut keys
  • OllyDbg basic operation
  • Common breakpoints: INT 3 breakpoint principle
  • Anti-debugging and anti-anti-debugging of INT 3 breakpoints
  • Common breakpoints: hardware breakpoint principle
  • Common breakpoints: memory breakpoint principle
  • Common breakpoints: message breakpoint principle
  • Common breakpoints: conditional breakpoint principle
  • One-shot memory access breakpoints and conditional logging breakpoints
  • Plug-ins
  • Run trace and Hit trace
  • Debug symbols
  • Frequently asked questions about OllyDbg

I recommend everyone study it; the reference website is: https://www.bilibili.com/video/BV1cE411f7sE


OllyDbg is a commonly used debugger for reverse analysis. The main interface, shown in the figure below, includes the disassembly window, register window, information window, data window and stack window.

  • Common dynamic debugging tools: OllyDbg, WinDbg, x64dbg
  • Common static analysis tool: IDA

If the interface we open is cluttered like the picture below, click the "C" button (CPU window) on the toolbar and then maximize the main window to tidy up the layout.

Then open any EXE program and it will be displayed as shown in the figure below:


Let's first explain what each window shows:

  • Disassembly window: the disassembly of the debugged program, with columns for address, HEX bytes, disassembly and comments
  • Register window: the CPU registers of the currently selected thread; click the label to switch the register display mode
  • Information window: the parameters of the instruction selected in the disassembly window, the jump destination address, strings, and so on
  • Data window: the contents of memory or of the file; the right-click menu switches the display mode
  • Stack window: the stack of the current thread, showing passed parameters and local variables
  • Toolbar shortcuts to the child windows

A note on the interface options: click "Options" -> "Interface" to set the UDD path and the plug-in path.

The UDD path is where OD saves our debugging information (breakpoints, comments and labels) for each debugged file.

The plug-in path contains the various plug-ins, which can then be used directly.

How do we set things up so that right-clicking an EXE file opens it directly in OllyDbg?

Click "Options" -> "Add to Explorer" to add OllyDbg to the Explorer right-click menu.

If OD asks for administrator permission every time it runs, we can simply set this on the shortcut.

The setting method: in the shortcut's Compatibility tab, tick "Run this program as an administrator".


2. Commonly used shortcut keys

The following briefly explains the commonly used debugging shortcut keys.

F2: Set breakpoint
To set a breakpoint, press F2 at the cursor position; press F2 again to remove it. The line turns red as shown in the figure below, and the program pauses when it runs to this point.


F9: Run
Press F9 to run the program. If no breakpoint is set, the debugged program runs straight through.


F8: Step over
Each press executes one instruction in the disassembly window without entering subroutines such as CALL.


F7: Step into
Similar to step over (F8), except that when it encounters a subroutine such as CALL it enters it and stops on the first instruction of the subroutine. Entering a CALL subroutine is shown in the figure below.

CALL enters the function; RETN returns from it.


F4: Run to cursor
Runs directly to the position of the cursor and pauses there. For example, if the cursor is at 0x00401034 and we run from 0x00401027, execution goes straight to the cursor. When we encounter a loop during debugging, we can place the cursor after it to skip the loop.


CTRL+F9: Execute till return
Press this key to run until a return instruction is executed and pause there. It is often used to get back from system code (DLLs) to the code of the program we are debugging. For example, after entering the subroutine shown in the figure below, it runs to RETN 10.

Then press F8 at the RETN 10 position: it returns to the position shown in the figure below, i.e. the instruction following the CALL.


CTRL+F2: Restart
To debug the program again from the beginning, press CTRL+F2.

ALT+F9: Execute till user code
Quickly returns from system code (DLLs) to the code of the program we are debugging.



3. OllyDbg dynamic patching ("blasting") demo

Let's take the "TraceMe.exe" program from the book "Encryption and Decryption" as an example. Program download address:

When we enter a wrong user name and serial number and click the "Check" button, an input error is displayed.

Next we use OD to patch it. The basic flow of the program is shown in the figure below: only when the correct user name and serial number are entered is the success dialog box displayed.

Open the program in OD; it automatically stops at the module entry point, 0x004013A0. The author's github resources provide various OD versions for readers to use.


Step 1: press F9. The program runs and a dialog box pops up.


Step 2: we need to know which API functions read the values entered in the dialog box.
Click "API Breakpoint Setting Tool" -> "Common Breakpoint Setting".

Tick the two functions "GetWindowTextA" and "GetDlgItemTextA", which read the text entered in the dialog box. This sets a breakpoint on each of them, so the program stops when it calls either one. If you are not sure which function is used, you can tick all of them.


Step 3: enter a user name and serial number and click the "Check" button.
The program stops at 0x75CA4390, the entry of the GetDlgItemTextA function.

Press F2 to remove the breakpoint, then F9 to continue; the "Serial number error, do it again!" box appears. This proves that the breakpoint we set is effective.

GetDlgItemTextA takes four parameters: the dialog box handle, the control identifier (ID), the buffer pointer and the maximum number of characters in the buffer; refer to the Win32 API manual.
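To see why the stack window shows the return address first and the four parameters after it, and why the function ends with RETN 10 (as seen in the CTRL+F9 section above), here is an added example that models the 32-bit stack across a stdcall call such as GetDlgItemTextA. It is not code from the article or from TraceMe: the handle, control ID, buffer address, return address and starting ESP are constructed values, and the model only covers PUSH, CALL and RETN imm16.

```python
"""Model of the 32-bit stack as OllyDbg's stack window shows it around a
stdcall call such as GetDlgItemTextA.  Added example for this article, not
code from the article or from TraceMe; every address below is constructed."""

STACK_BASE = 0x0019FF00   # constructed: ESP before the call (not TraceMe's real ESP)


class Stack32:
    """Tiny downward-growing 32-bit stack: push decrements ESP by 4."""

    def __init__(self, esp):
        self.esp = esp
        self.mem = {}          # address -> 32-bit value

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value

    def view(self, count):
        """Rows the stack window would show: (address, value), from ESP upward."""
        return [(self.esp + 4 * i, self.mem[self.esp + 4 * i]) for i in range(count)]


def call_get_dlg_item_text(stack, h_dlg, ctrl_id, buf, max_chars, ret_addr):
    """Caller side of a stdcall call: arguments are pushed right-to-left, then
    CALL pushes the return address.  Returns the rows visible at the callee's
    first instruction, i.e. where OD stops on the GetDlgItemTextA breakpoint."""
    for arg in (max_chars, buf, ctrl_id, h_dlg):   # right-to-left
        stack.push(arg)
    stack.push(ret_addr)                           # CALL pushes the return address
    return stack.view(5)


def retn(stack, imm16):
    """RETN imm16: pop the return address, then add imm16 to ESP so the callee
    discards its own arguments (stdcall).  Returns the popped return address."""
    ret_addr = stack.pop()
    stack.esp += imm16
    return ret_addr


def walk_through():
    """Replay the sequence from the article: break on entry, then RETN 10."""
    stack = Stack32(STACK_BASE)
    rows = call_get_dlg_item_text(
        stack,
        h_dlg=0x000A0B0C,       # constructed dialog handle
        ctrl_id=0x3E8,          # constructed control ID
        buf=0x0019FF40,         # constructed buffer address
        max_chars=0x100,
        ret_addr=0x00401111,    # constructed caller address
    )
    returned_to = retn(stack, 0x10)  # "RETN 10": 0x10 = 16 bytes = 4 dword args
    return rows, returned_to, stack.esp


if __name__ == "__main__":
    rows, ret, esp = walk_through()
    for addr, val in rows:
        print(f"{addr:08X}  {val:08X}")
    print(f"returned to {ret:08X}, ESP back to {esp:08X}")
```

The first row at the breakpoint is the return address, followed by hDlg, the control ID, the buffer pointer and the maximum length, in that order; the `RETN 10` then pops the return address and releases exactly those four dwords, which is why ESP comes back to where it was before the call.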

Then tick the "GetDlgItemTextA" function again and click the "Check" button; the program stops at 0x75CA4390 again, as shown in the figure below.


Step 4: press Ctrl+F9 to execute till return.
The address shown is now 0x75CA43C1.


Step 5: press F8 once more to execute the return.
We are now back at the place where GetDlgItemTextA was called; execution returns to the instruction after the CALL, not the CALL itself. Our program has two dialog box fields, so GetDlgItemTextA is called twice.

Continue pressing F8. Once both values have been read, the next stage should be the serial number computation, followed by the check of whether it is correct.

Continue down to 0x004011E4. The register window in the upper right shows EDX and EAX holding the "eastmount" and "123456" we entered, and the stack window in the lower right shows that both values have been pushed onto the stack.

  • EAX: 123456
  • EDX: eastmount


Step 6: enter the TraceMe.00401340 function.
We can guess that "call TraceMe.00401340" is the check function and add a comment to that effect. But it may not be: when doing software reverse analysis or patching, we usually have to rely on logic and programming knowledge to make such guesses.

Press F7 to step into it, at 0x00401340.

Pressing F8 repeatedly, we find a loop here that checks whether the input value matches the original value.

After the loop, continuing on, we can see some checks of the serial number "123456".

Eventually it returns a value in EAX, which is 0, and then returns to the caller.

The return value is 0; continue executing.


Step 7: analysing the jump
If this function is the check function, then the jump that follows is very likely the key jump, the one we need to modify for the patch. Location: 0x004011F5

Set a breakpoint there and press F8 to continue.

It jumps directly to 0x0040122E and then prompts "Serial number error, do it again!".

Press F9 to run; the error dialog box pops up, which confirms that the jump above is the key jump.


Step 8: press Ctrl+F2 to restart the program,
then press F9 to run it, enter the values in the pop-up dialog box, and click "Check".

Press F9 again; the program stops at the "key jump" where we set the breakpoint earlier.

The key step: modify the assembly code. JE jumps when the zero flag is set (here, when the check returned 0); change it to JNZ so that the jump is not taken in that case.

Continue with F8, or press F9 directly, and the "Congratulations, success" dialog box appears. This is the basic patching process.


Step 9: save the patched program.
Select the modified lines, then right-click and choose "Copy to executable".

In the window that opens for "TraceMe.exe", right-click and choose "Save file", saving it under a new name such as "TraceMe_PO2.exe".

After saving, just enter a user name and serial number and it prompts success!

The program also checks the input length; we can try to patch that as well.

But what is the principle behind this? We will continue to introduce it in subsequent articles.
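To make the one-byte change behind "JE to JNZ" concrete, and to show how a defender's integrity check notices that the saved "TraceMe_PO2.exe" is no longer the original file, here is an added example (not code from the article, from TraceMe or from OllyDbg). The byte sequence is constructed to have the shape of a TEST EAX,EAX followed by a short JE; it is not TraceMe's real bytes and the offsets are not TraceMe's addresses.

```python
"""Why one byte decides the outcome of the key jump, and why a file integrity
check catches the patch.  Added example for this article, not code from the
article, TraceMe or OllyDbg.  The bytes below are constructed, not TraceMe's."""

import hashlib

# x86 short (rel8) conditional jump opcodes
JE_SHORT = 0x74    # jump if ZF == 1
JNZ_SHORT = 0x75   # jump if ZF == 0

# Constructed stand-in for the check/jump sequence (not TraceMe's real bytes):
#   offset 0:  85 C0      test eax, eax      ; ZF = 1 when EAX == 0
#   offset 2:  74 06      je  short +6       ; taken -> offset 10 ("error" block)
#   offset 4:  90 x6      nop                ; "success" block (fall-through)
#   offset 10: 90 x4      nop                ; "error" block
KEY_JUMP_OFFSET = 2
SUCCESS_BLOCK = 4
ERROR_BLOCK = 10
ORIGINAL = bytes([0x85, 0xC0, JE_SHORT, 0x06]) + b"\x90" * 10


def run_check(code, eax):
    """Minimal interpreter for the two instructions that matter: TEST EAX,EAX
    sets ZF, then a short Jcc either falls through or adds its displacement.
    Returns which block execution ends up in after the check."""
    zf = None
    ip = 0
    while ip not in (SUCCESS_BLOCK, ERROR_BLOCK):
        op = code[ip]
        if op == 0x85 and code[ip + 1] == 0xC0:      # test eax, eax
            zf = 1 if eax == 0 else 0
            ip += 2
        elif op in (JE_SHORT, JNZ_SHORT):            # short conditional jump
            disp = code[ip + 1]
            disp = disp - 256 if disp > 127 else disp   # rel8 is signed
            taken = (zf == 1) if op == JE_SHORT else (zf == 0)
            ip += 2
            if taken:
                ip += disp
        else:
            raise ValueError(f"unexpected opcode {op:02X} at offset {ip}")
    return "success" if ip == SUCCESS_BLOCK else "error"


def patch_je_to_jnz(code, offset):
    """The one-byte change OD writes when JE is assembled over as JNZ.  Refuses
    to touch anything that is not a short JE, so a wrong offset is caught."""
    if code[offset] != JE_SHORT:
        raise ValueError(f"byte at offset {offset} is {code[offset]:02X}, not JE")
    patched = bytearray(code)
    patched[offset] = JNZ_SHORT
    return bytes(patched)


def sha256(code):
    return hashlib.sha256(code).hexdigest()


def integrity_check(expected_hash, code):
    """What a defender's integrity check (or a signed-hash verifier) does:
    compare the hash of the file on disk with the known-good hash."""
    return sha256(code) == expected_hash


if __name__ == "__main__":
    patched = patch_je_to_jnz(ORIGINAL, KEY_JUMP_OFFSET)
    print("original, check returned 0:", run_check(ORIGINAL, 0))
    print("patched,  check returned 0:", run_check(patched, 0))
    known_good = sha256(ORIGINAL)
    print("integrity check on patched file:", integrity_check(known_good, patched))
```

Note that the patched code also sends a correct serial (EAX != 0) down the error path: the patch does not fix the check, it inverts it. That inverted behaviour, together with the changed hash, is exactly what an integrity or code-signing check on the saved file sees.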



4. Summary

After writing this, the introduction of this article is over, I hope you like it~

  • OllyDbg interface introduction and configuration
  • Commonly used shortcut keys
  • OllyDbg dynamic blasting software demo

If this article has shortcomings, please bear with me. The author is a beginner slowly growing up in network security! I hope to write related articles more thoroughly in the future. At the same time, I am very grateful to the security experts in the references for sharing their articles, and thank the masters, brothers and sisters for their teachings. I know that I am very good and have to work hard.

You are all welcome to discuss: do you think this series of articles helps you? Any suggestions can be left in the comments so that we can encourage each other.

The "Nazhang AI Security Home" opened on August 18, 2020 will mainly focus on Python big data analysis, cyberspace security, artificial intelligence, Web penetration and offensive and defensive technology, and share algorithm implementations from CCF, SCI and Chinese core journal (南核/北核) papers. Nazhang's House will be more systematic, will rebuild all of the author's articles, and will explain Python and security from scratch. Having written articles for nearly ten years, I really want to share what I have learned and done. I sincerely invite your advice and your attention! Thank you.

(By: Eastmount 2021-02-22 12 noon written in Wuhan http://blog.csdn.net/eastmount/ )


Reference materials:
[1] OllyDbg (OD) dynamic debugging tool tutorial, yxfzedu, Bilibili
[2] [Reverse notes] OD tool usage: reversing TraceMe.exe, 17bdw notes
[3] "Encryption and Decryption", Duan Gang et al.
[4] "OllyDBG Introductory Course", CCDebuger, Kanxue Academy
[5] 160 Crackme 006, Ghost Hand 56

Origin blog.csdn.net/Eastmount/article/details/113923604