Table of contents
2. Load the target file for debugging
1. Preparation
Analyzing a Windows program is much easier than analyzing a DOS program because as long as the API functions are used in Windows, it is more difficult to hide some information from people who are looking for clues. Therefore, when analyzing a program, it is more important to use which API function as the entry point. If you have some programming experience, it will be more handy in this regard.
For ease of understanding, let’s take a brief look at the serial number verification process of TraceMe as shown in Figure 25. Enter the user name and serial number into the text box. The program calls the GetDigltemTextA function to read out the characters and then calculate, and finally use the lstremp function for comparison. Therefore, these invoked functions are the targets of decryption tracking. Using these functions as breakpoints and tracking the serial number verification process of the program, the correct serial number can be found. This kind of small program specially made for practicing decryption technology is generally referred to as "CrackMe".
2. Load the target file for debugging
In order for OllyDbg to interrupt at the entry point of the program, corresponding settings must be made before loading the program. Run OlyDbg, click "Oplions" - "Debugging options" option to open the debugging options configuration dialog box. Click the "Event" tab to set OllyDhg's processing methods for events such as interrupt entry point, module loading/unloading, thread creation/end, etc. Generally, you only need to set the breakpoint
at "WinMain".
After the setting is complete, click "File" - "Open" option to open TraceMeexe. At this time, 0llyDbg will interrupt the debugger analysis code at the first instruction of TraceMe and wait for the user's next operation. As shown in the figure below, when the cursor stops at 004013AOh, 004013A0h is the entry point of the program (EntryPoint). Most programs stop at the entry point when they start. Through some special modification methods, some programs can not stop at the population point when starting, so as to achieve the purpose of anti-debugging. The meaning of each part of the code is as follows.
- Virtual address: In general, the same instruction of the same program has the same value in different system environments.
- Machine code: It is the machine code executed by the CPU.
- Assembly instruction: program code corresponding to machine code
The register panel shows the current value of each register. Registers include EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, and EIP, etc., which are collectively referred to as 32-bit registers as shown in the figure below. ESP is a pointer, and the value of the stack is displayed on the stack panel at the lower right corner of the OllyDbg interface. Another important register is EIP, which points to the current instruction to be executed. Pressing the "F7" key will execute an instruction, and then EIP will point to the next instruction to be executed.
When debugging, you can double-click these registers to modify the values in the registers. However, the EIP register cannot be modified directly. You need to select a new instruction start address in the disassembly window, such as 004013AAh, right-click on it and select "New origin here" in the pop-up shortcut menu (here is the new EIP option EIP The value of will become 4013AAh, and the program will start to execute from this instruction. Below the registers are the flag registers, which are C, P, A, ZS, T, D, 0, and their values can only be two digital values -0 and 1, double click the number to switch between 0 and 1.
3. Single step tracking
One of the most basic functions of a debugger is dynamic tracing. 0llyDbg controls the running commands in the "Debug" menu, and each menu item has a corresponding shortcut key. olyDhg's single-step tracking shortcut keys are shown in the figure below.
| hot key | Function |
| F7 | Step by step, follow up when encountering a call instruction |
| F8 | Step by step, pass by when encountering a call instruction, do not follow up |
| Ctrl+F9 | Break until a rer instruction occurs |
| Alt+F9 | If you enter the airspace of the system, this command can instantly return to the airspace of the application |
| F9 | run the program |
| F2 | set breakpoint |
The "F8" key is frequently used in debugging. It can execute assembly instructions sentence by sentence and step by step. When encountering a call instruction, it will not follow up but pass by. The example is as follows.
The main difference between the "F7" key and the "F8" key is that if you encounter a command such as callloop, press the "F8" key to pass by, and press the "F7 key to follow up. The example is as follows.
"call00401DA0" means calling the subroutine at 00401DAOh. Once the subroutine is called, it returns to the next statement pointed to by the call, which is 004013FFh. Press the "F7" key to follow up the subroutine at 00401DAOh, observe the situation, you will find that the address 004013FFh of the next instruction of the call instruction is pushed into the stack as the return address, as shown in Figure 28. At the end of the subroutine is a ret instruction that executes the instruction at 00401DD7h, and returns to the next statement 004013FFh pointed to by call. In the process of entering the subroutine, if you want to look back at the code that you have single-step tracked before, you can press the "-" (minus sign) key; if you want the cursor to return to the statement pointed by the current EIP, you can click the button C Or double-click the EIP register.
When pressing the "F7" or "F8" key repeatedly, OllyDbg provides shortcut keys "Ctl+F7" and "Ctrl+F8" until the user presses the "Esc" key, "F12" key or encounters other breakpoints to stop.
When you are in a call finger and want to return to the position where the cl finger is called, you can press the shortcut key "Ctrl+F9" to execute the Executetillreum" (execute to return) command. OllyDhg will stop at the first return command encountered (retretf or iret). This can easily skip some useless code.
For example, if the above code is at 00401DAO, if you press the "Ctl+F9" shortcut key, it will return to 004013FFh. It can be set in the options whether to pause or pass when encountering the et finger. The method is to open the debug setting options dialog box and set "After Execting tillRETstepover RET" in the "Trace" tab (after executing the ret instruction, step through the ret instruction) .
If you have entered the API function provided by the system DLL, you can press the shortcut key "Alt+F9" to execute the "Executetillusercode" (execute to user code) command when you want to return to the airspace of the application program. The example is as follows.
Press the "F7" key at 004013C6h to follow up the system KERNEL32DLL, the example is as follows.
"7C8114AB" and so on are the address spaces where the system DLL is located. At this time, just press the shortcut key "Alt+F9" to return to the application airspace. The code is as follows.
Note: The so-called "airspace" actually refers to the owner of a certain piece of code pointed to by CPU's CS:EIP at a certain moment.
If you don't want to single-step tracking and want to run the program directly, you can press the "F9" key or click the right button in the toolbar. If you want to re-debug the target program, you can press the "Ctrl+F2" shortcut key, OllyDhg will end the debugged process and reload it. If the program enters an infinite loop, you can press the "F12" key to suspend the program.
4. Set breakpoints
Breakpoint (breakpoint) is an important function of the debugger, which can make the program break at the specified place, so as to analyze it conveniently. As shown in the figure below, move the cursor to 004013A5h and press the "F2" key to set a breakpoint and press the "F2" key again to cancel the breakpoint. You can also double-click the corresponding line in the "Hexdump" column to set a breakpoint, and double-click again to cancel the breakpoint.
After setting the breakpoint, press the "Alt+B" shortcut key or click the B button to open the breakpoint window, and view the breakpoint details as shown in the figure below. Breakpoints other than hardware breakpoints are shown here, where "Always" means the breakpoint is active and "Disable" means the breakpoint is disabled. Press the spacebar to toggle its state. These breakpoints can also be managed through the context menu. The shortcut to delete a breakpoint is the "Del" key.
00B2A5C8 . E8 1BAA0000 call 路径修复.00B34FE8 ; \路径修复.00B34FE8
00B2A5CD . 59 pop ecx ; kernel32.777D0099
00B2A5CE . B8 4D5A0000 mov eax,0x5A4D
00B2A5D3 . 66:3905 0000B>cmp word ptr ds:[0xB20000],ax
00B2A5DA . 74 04 je short 路径修复.00B2A5E0
00B2A5DC > 33DB xor ebx,ebx
00B2A5DE . EB 33 jmp short 路径修复.00B2A613
00B2A5E0 > A1 3C00B200 mov eax,dword ptr ds:[0xB2003C]
00B2A5E5 . 81B8 0000B200>cmp dword ptr ds:[eax+0xB20000],0x4550
00B2A5EF .^ 75 EB jnz short 路径修复.00B2A5DC
00B2A5F1 . B9 0B010000 mov ecx,0x10B
00B2A5F6 . 66:3988 1800B>cmp word ptr ds:[eax+0xB20018],cx
00B2A5FD .^ 75 DD jnz short 路径修复.00B2A5DC
00B2A5FF . 33DB xor ebx,ebx
00B2A601 . 83B8 7400B200>cmp dword ptr ds:[eax+0xB20074],0xE
00B2A608 . 76 09 jbe short 路径修复.00B2A613
00B2A60A . 3998 E800B200 cmp dword ptr ds:[eax+0xB200E8],ebx
00B2A610 . 0f95c3 setne bl
00B2A613 > 895D E4 mov dword ptr ss:[ebp-0x1C],ebx
00B2A616 . E8 067C0000 call 路径修复.00B32221
00B2A61B . 85C0 test eax,eax
00B2A61D . 75 08 jnz short 路径修复.00B2A627
00B2A61F . 6A 1C push 0x1C
00B2A621 . E8 DC000000 call 路径修复.00B2A702
00B2A626 . 59 pop ecx ; kernel32.777D0099
00B2A627 > E8 F4690000 call 路径修复.00B31020
00B2A62C . 85C0 test eax,eax
00B2A62E . 75 08 jnz short 路径修复.00B2A638
00B2A630 . 6A 10 push 0x10
00B2A632 . E8 CB000000 call 路径修复.00B2A702
00B2A637 . 59 pop ecx ; kernel32.777D0099
00B2A638 > E8 94AA0000 call 路径修复.00B350D1
00B2A63D . 8365 FC 00 and dword ptr ss:[ebp-0x4],0x0
00B2A641 . E8 EE7E0000 call 路径修复.00B32534
00B2A646 . 85C0 test eax,eax
00B2A648 . 79 08 jns short 路径修复.00B2A652
00B2A64A . 6A 1B push 0x1B
00B2A64C . E8 B1000000 call 路径修复.00B2A702
00B2A651 . 59 pop ecx ; kernel32.777D0099
00B2A652 > FF15 3400B400 call dword ptr ds:[<&KERNEL32.GetCommand>; [GetCommandLineA
00B2A658 . A3 C8DCB400 mov dword ptr ds:[0xB4DCC8],eax
00B2A65D . E8 AFAA0000 call 路径修复.00B35111
00B2A662 . A3 4CBDB400 mov dword ptr ds:[0xB4BD4C],eax
00B2A667 . E8 52A40000 call 路径修复.00B34ABE
00B2A66C . 85C0 test eax,eax
00B2A66E . 79 08 jns short 路径修复.00B2A678
00B2A670 . 6A 08 push 0x8
00B2A672 . E8 6D820000 call 路径修复.00B328E4
00B2A677 . 59 pop ecx ; kernel32.777D0099
00B2A678 > E8 70A60000 call 路径修复.00B34CED
00B2A67D . 85C0 test eax,eax
00B2A67F . 79 08 jns short 路径修复.00B2A689
00B2A681 . 6A 09 push 0x9
00B2A683 . E8 5C820000 call 路径修复.00B328E4
00B2A688 . 59 pop ecx ; kernel32.777D0099
00B2A689 > 6A 01 push 0x1 ; /Arg1 = 00000001
00B2A68B . E8 8E820000 call 路径修复.00B3291E ; \路径修复.00B3291E
00B2A690 . 59 pop ecx ; kernel32.777D0099
00B2A691 . 85C0 test eax,eax
00B2A693 . 74 07 je short 路径修复.00B2A69C
00B2A695 . 50 push eax
00B2A696 . E8 49820000 call 路径修复.00B328E4
00B2A69B . 59 pop ecx ; kernel32.777D0099
00B2A69C > E8 FDAA0000 call 路径修复.00B3519E
00B2A6A1 . 56 push esi ; /Arg4 = 00B2A5A8
00B2A6A2 . 50 push eax ; |Arg3 = 010FFC98
00B2A6A3 . 6A 00 push 0x0 ; |Arg2 = 00000000
00B2A6A5 . 68 0000B200 push 路径修复.00B20000 ; |Arg1 = 00B20000
00B2A6AA . E8 B1CBFFFF call 路径修复.00B27260 ; \路径修复.00B27260
00B2A6AF . 8BF0 mov esi,eax
00B2A6B1 . 8975 DC mov dword ptr ss:[ebp-0x24],esi ; 路径修复.<ModuleEntryPoint>
00B2A6B4 . 85DB test ebx,ebx
00B2A6B6 . 75 06 jnz short 路径修复.00B2A6BE
00B2A6B8 . 56 push esi ; 路径修复.<ModuleEntryPoint>
00B2A6B9 . E8 C9840000 call 路径修复.00B32B87
00B2A6BE > E8 4C820000 call 路径修复.00B3290F
00B2A6C3 . EB 2E jmp short 路径修复.00B2A6F3
00B2A6C5 . 8B4D EC mov ecx,dword ptr ss:[ebp-0x14]
00B2A6C8 . 8B01 mov eax,dword ptr ds:[ecx]
00B2A6CA . 8B00 mov eax,dword ptr ds:[eax]
00B2A6CC . 8945 E0 mov dword ptr ss:[ebp-0x20],eax
00B2A6CF . 51 push ecx ; 路径修复.<ModuleEntryPoint>
00B2A6D0 . 50 push eax
00B2A6D1 . E8 8DA20000 call 路径修复.00B34963
00B2A6D6 . 59 pop ecx ; kernel32.777D0099
00B2A6D7 . 59 pop ecx ; kernel32.777D0099
00B2A6D8 . C3 retn
00B2A6D9 . 8B65 E8 mov esp,dword ptr ss:[ebp-0x18]
00B2A6DC . 8B75 E0 mov esi,dword ptr ss:[ebp-0x20]
00B2A6DF . 8975 DC mov dword ptr ss:[ebp-0x24],esi ; 路径修复.<ModuleEntryPoint>
00B2A6E2 . 837D E4 00 cmp dword ptr ss:[ebp-0x1C],0x0
00B2A6E6 . 75 06 jnz short 路径修复.00B2A6EE
00B2A6E8 . 56 push esi ; 路径修复.<ModuleEntryPoint>
00B2A6E9 . E8 B4820000 call 路径修复.00B329A2
00B2A6EE > E8 0D820000 call 路径修复.00B32900
00B2A6F3 > C745 FC FEFFF>mov dword ptr ss:[ebp-0x4],-0x2
00B2A6FA . 8BC6 mov eax,esi ; 路径修复.<ModuleEntryPoint>
00B2A6FC . E8 847C0000 call 路径修复.00B32385
00B2A701 . C3 retn
00B2A702 /$ 55 push ebp
5. Debugging analysis
Press the "F8" key to step out of the GetDlllemTextA function. Of course, you can also press the "Alt+F9" shortcut key to return to the place where the function was called. OllyDbg is very powerful. It has annotated the call parameters and current values of each function. The relevant codes are as follows.
When reading these codes, there are a few things to keep in mind.
- Be clear about the definition of each API function (check the relevant API manual)
- Most API functions adopt the sdcall calling convention, that is, the function population parameters are placed on the stack in the order from right to left, and the callee cleans up the parameters in the stack, and the return value is placed in the eax register. Therefore, for the relevant API functions, it is necessary to analyze the push instructions in front of them. These instructions put parameters on the stack to be transferred to the API call. Pay attention to the changes of stack data during the whole trace process.
- The subroutine in the C code adopts the C calling convention, and the parameters of the function population are added to the stack in order from right to left, and the caller clears the parameters in the stack.
- Calling convention, parameter transfer and other knowledge, the GetDlgItemText function uses the standard calling convention, and the parameters are placed on the stack in the order from right to left. The assembly code for this example is as follows:
00B2A728 \. C3 retn
00B2A729 CC int3
00B2A72A CC int3
00B2A72B CC int3
00B2A72C CC int3
00B2A72D CC int3
00B2A72E CC int3
00B2A72F CC int3
00B2A730 $ 57 push edi ; 路径修复.<ModuleEntryPoint>
00B2A731 . 56 push esi ; 路径修复.<ModuleEntryPoint>
00B2A732 . 8B7424 10 mov esi,dword ptr ss:[esp+0x10] ; ntdll.77C67B6E
00B2A736 . 8B4C24 14 mov ecx,dword ptr ss:[esp+0x14]
00B2A73A . 8B7C24 0C mov edi,dword ptr ss:[esp+0xC]
00B2A73E . 8BC1 mov eax,ecx ; 路径修复.<ModuleEntryPoint>
00B2A740 . 8BD1 mov edx,ecx ; 路径修复.<ModuleEntryPoint>
00B2A742 . 03C6 add eax,esi ; 路径修复.<ModuleEntryPoint>
