NEWBIES: GETTING STARTED WITH OLLYDBG


This article contains many images; when reading it in Word, choose Hide White Space, View > Web Layout, font Times New Roman. (Please write articles in Times New Roman or Arial; I have very few fonts installed, and reading a tut in anything else is like reading ancient script.)

Reaonline.net - Nha Trang - Vietnam - Reverse Engineering Association - KingOfWarIII

Hello everyone. Keep reading if you are a newbie who has just come to reverse engineering. If you already know the subject and know OllyDbg well, you are welcome to read on anyway, and to help build this newbie article by emailing me. That would be useful both to me and to other newbies when your ideas are not yet in this article. This is my first article since joining the reaonline.net forum, so I ask the reaonline.net members for their support and attention. I put this article together from many sources, so don't be surprised to come across passages that make you think "hey, this bit is from that other article" (hee hee); the authors are thanked on the last page. The aim is to give newbies a simple overview of OllyDbg, the debugger/disassembler with the largest user base today.

You are a newbie! Let me say up front that learning reversing to become a cracker means preparing many tools and programs. Here is an overview of the tools you need for learning reversing:

Analysis: analysis tools. OllyDbg 1.10 -=- Plugins & Scripts, W32Dasm 10, PEiD 0.94 + Plugins, RDG Packer Detector v0.5.6 Beta English [with detection signatures updated for 2008]

Rebuilding: tools for rebuilding PE files. ImpRec 1.7, Revirgin 1.5 - Fixed, LordPE

Packers: tools that compress PE files. There are a great many packers nowadays; when you practice on a particular packer, look it up on Google, since there are too many to list. FSG 2.0, MEW 11 1.2 SE, UPX 1.25 & GUI, SLVc0deCrypto 0.61, ARM Crypto, WinUpack v0.39

Patchers: tools for creating patcher files and software patches. dUP 2, CodeFusion 3.0, Universal Patcher Pro v2.0, Universal Patcher v1.7, Universal Loader Creator v1.2, aPatch v1.07, PMaker v1.2.0.0, Tola's Patch Engine v2.03b, ABEL Loader v2.31, Yoda's Process Patcher, Registry Patch Creator, ScAEvoLa's PatchEngine v1.33, Dogbert's Genuine Patching Engine v1.41, Graphical-PatchMaker v1.4, The aPE v0.0.7 BETA, Liquid2, PELG v0.3, PrincessSandy v1.0

HEX Editor: tools for editing files in hexadecimal. Hiew v7.10, WinHex v15, HexWorkShop 5.1

Decompilers: decompilation tools. DeDe 3.50.04, VB Decompiler, Flasm

Unpackers: unpacking tools for the packers. Each packer has many unpackers, so listing them all would leave no room for anything else; search for them yourself. ACProtect - ACStripper, ASPack - ASPackDie, ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2, DBPE > UnDBPE, FSG 1.33 > Pumqara's Dumper, FSG 2.00 > UnFSG, MEW > UnMEW, PeCompact 1.x > UnPecomp, PEncrypt > UnPEncrypt, PeSpin 0.3 > DeSpinner 0.3, tELock 0.98-1.0 > UntELock, EXEStealth > UnStealth, Xtreme-Crypto / Themida > XprotStripper v1.1, Morphine Killer 1.1 by SuperCracker/SND, ASPR Dumper v0.1, Armadillo Process Detach v1.1, Armadillo Dumper v1.0, Armadillo Nanomite Fixer, Armadillo Distance Decryptor aka Jump Table Fixer, ArmTools (Translated!), ArmInline v0.1, Quick Unpack v1.0.8, Procdump v1.6.2

Keygenning: tools for creating keygens / keymakers. TMG Ripper Studio 0.02

Other: necessary supporting tools. FileMon v7 (Patched), RegMon v7 (Patched), RSATool 2, DAMN HashCalc, EVACleaner 2.7, Process Explorer, Resource Hacker, PUPE 2002, PointH Locator, ASPR CRC Locator 1.2, PE Tools 1.5 RC5, API Address Finder, Jump to Hex Convertor, PE GeNeRaToR 1.2.1, Quick File Viewer v1.0.1, PE Insight 0.3b, Crypto Searcher, PE Editor v1.7, bkslash's Inline Patcher, Stud_PE v2.1, Injecta v0.2, PE Rebuilder v0.96b, PE Optimizer v1.4, ToPo v1.2, NFO Builder 2000 v1.02, NFO File Maker v1.6, TMG NFOmakeR v1.0, hCalc

On to the main topic: I will introduce the debugger/disassembler OllyDbg 1.10.

OllyDebug, usually called Olly, is a Ring 3 debugger. That means Olly runs at the level of Windows applications, but it can also take control of other applications. With this wonderful tool (thanks, Oleh Yuschuk) we find the bugs in a program, and not only find them but also fix the program. OllyDbg is a debugging tool that also translates program code back into assembly language, and that convenience is why a newbie does best to start with OllyDbg. There is a comparison that goes: SoftICE + W32Dasm + Hiew = OllyDbg, meaning OllyDbg is an all-in-one tool that is especially easy for newbies to use. Try it and see!

The first thing is to download OllyDbg 1.10. There are many OllyDbg builds around, but I distribute two of them for you; pick whichever you like:

1/ Ollydbg 1.10 [KingOfWarIII]:

It is a WinRAR archive; just extract it and you get:

- OllyScripts folder: a collection of 851 scripts (updated May 2008). Using scripts helps you work faster; we will learn to use them later. Every script should go in this folder.
- PeiD folder: contains the packer detection program PEiD 0.94.
- Plugins folder: contains the plugins used by OllyDbg. Copy any plugin you download into this folder and OllyDbg recognizes it automatically.
- UDD folder: where OllyDbg temporarily stores the files it processes.
- Tools folder: miscellaneous tools.

In this package you will see two OllyDbg builds: one is 1.10 Final, the other is 2.0c. I recommend 1.10, because 2.0c drops quite a lot of features, which makes it harder to use. Here is how to configure OllyDbg for ease of use:

a/ Configure OllyDbg as the JIT (Just-In-Time Debugging) debugger: choose as shown:

At the moment drwtsn32 is the default Windows JIT debugger. To make OllyDbg the JIT debugger (so OllyDbg is launched by default to debug whenever an application crashes), choose as shown:

Okay, OllyDbg is now the default JIT debugger for Windows. Whenever a program hits an error, OllyDbg opens it for you to fix.

b/ Add OllyDbg to Windows Explorer: choose as shown:

OllyDbg is not yet in Windows Explorer. To add it, choose as shown:

Okay, OllyDbg is now integrated into Windows Explorer, and you can open any PE file quickly by launching OllyDbg from Windows Explorer:

c/ Add PEiD to Windows Explorer: as with OllyDbg, you can add PEiD 0.94 to Windows Explorer for quick access. Go to the PeiD folder, run PEiD.exe and do as shown:

Choose as shown and tick the box:

Done. Windows Explorer now shows:

You may ask yourself, "Why do I need PEiD at all?" At first I did not know what PEiD was either, but I later realized it is indispensable, as important as OllyDbg. PEiD finds out which packer a PE file was packed with, so you can choose a suitable unpacker, and which crypto protects it, so we can work out how to remove the protection. In general, most PE files (.exe, .dll) are packed by their vendors or, more formidably, protected with crypto, to stop people like us from tampering with their programs in underhanded ways. The packers used to pack and protect are too numerous to count (they may be a company's product, or written by the programmers themselves to protect their own work). PEiD, with a signature database covering more than 600 packers and the most common kinds of crypto, helps us deal with them, either with an unpacking tool or by MUP (manual unpacking) in OllyDbg.

d/ Configure the Plugin and UDD locations: when you download this package and extract it, the paths to the Plugin and UDD folders are no longer correct, so OllyDbg has to be reconfigured to find the Plugin folder, from which it loads plugins, and the UDD folder. Olly needs the UDD folder path to store breakpoints and other info. Olly is a very flexible tool, and it supports plugins that extend the program's capabilities. After changing the settings you must restart Olly. Okay, let's configure quickly. Choose as shown:

Replace the paths to the UDD and Plugins folders here with the correct ones:

Restart OllyDbg for the change to take effect. When the extra Plugin menu appears, the configuration has succeeded:

e/ Configure API help: the WIN32.HLP help file describes the API functions. Configure it so that later, when you do not understand an API, you can look it up. Choose as shown:

Select the WIN32.HLP file in the folder you extracted:

Okay, done. Here is a screenshot of this build's interface:

2/ Portable Ollydbg 1.10 [SND Team]:

The Portable build is shared by SND Team. You just run it, with no need to configure the Plugin and UDD locations. It is an SFX file created by WinRAR; you can double-click it to run it, or extract it with WinRAR:

You get a folder containing:

This portable build was made by SND, so don't try to change its contents; just use it. Here is its interface:

I am not knocking SND's work: they gathered the commonly used tools into this portable build, but the way instructions are displayed in their OllyDbg is not as good as in the build above. It is up to you; use whichever build you like.

The official build, with no plugins or scripts and unconfigured, can be downloaded here: http://www.ollydbg.de . OllyDbg is widely used not only because it is easy to use but also because cracker teams support it with bug-fix plugins and helper plugins. So if you want a good OllyDbg build with bugs fixed, besides the two I introduced you can go to http://www.tuts4you.com and download the modded builds shared by well-known crackers and cracker teams. The more one talks, the more nonsense comes out, so enough introduction: you can now download OllyDbg and use it.

Now to the main topic, learning cracking with OllyDbg. Some great man once said, "The best way to learn is to practice." Never mind who said it, it is 100% true. Here I take two targets to practice and learn on:

- CrackMe.exe
- ReverseMe.exe

Both are in the attached file. Our lessons draw experience from practice; reading a few dry tuts and getting nothing out of them just puts you off reading.

I/ Handling CrackMe.exe by Cruehead/MiB and ReverseMe.exe by Lena151: the two most basic targets for a newbie to examine and work on.

1/ CrackMe.exe:

- The first step, which has become an unwritten rule, is to use PEiD 0.94 to see which packer CrackMe.exe is packed with and whether it uses crypto. Right-click CrackMe.exe and choose as follows:

Bam, PEiD runs and reports:

The information says CrackMe.exe is not packed and was written in MASM32. For more detail, choose as follows:

It is clearly not packed. If either of the two lines below said "packed", we would double-check with another program to be sure, such as RDG Packer Detector v0.5.6 Beta or ExE info PE. To see whether it uses any crypto, we use the PEiD plugin called Krypto ANALyzer, as shown:

Bam, here it is:

No crypto at all; if there were any, it would be listed right away. This CrackMe is in great shape: not packed, no crypto. You will ask, "Why not just use OllyDbg straight away instead of running this pointless thing?" Well, OllyDbg only handles a PE file correctly when it is not packed and not protected with crypto; if it is, we must unpack the PE file and remove the crypto before running it in OllyDbg. These targets were coded for us newbies to practice on; nobody would pack them or use crypto just to dampen our fighting spirit. But once you are proficient, you must know how to unpack with tools or by hand, and how to remove crypto from a PE file.

- Now load CrackMe.exe into OllyDbg. Do as shown:

Bam, OllyDbg has successfully loaded CrackMe.exe:

Please don't feel overwhelmed. It is a bit overwhelming at first, but keep looking and you get used to it; keep practicing and you will understand all of it. You can also load CrackMe.exe manually from the main interface:

Click this button:

Or press the shortcut F3. The dialog for browsing to the PE file to open in OllyDbg appears:

Select the PE file to open and click Open, and you get the following interface:

Before going any further, pay attention to the status bar. It shows one of these states:

- "Ready": OllyDbg has not loaded any PE file yet and is waiting for you to load one or to exit OllyDbg.
- "Paused": OllyDbg has loaded the named file and is waiting for you to work on it (here, CrackMe.exe). In this state you can run trace, set breakpoints, and so on.
- "Running": OllyDbg has let CrackMe.exe run freely, via the F9 shortcut or the run button. In this state you cannot run trace or set breakpoints. The program runs normally if you have set no breakpoint, or returns to the "Paused" state once a breakpoint you set is hit, with the instruction pointer sitting at the address of that breakpoint (this feature is used later on).
- "Terminated" (my provisional name for it): OllyDbg is no longer attached to CrackMe.exe. This can be because you closed CrackMe.exe after running it from OllyDbg, or because the loaded file uses an Anti-OllyDbg technique (a technique that detects Olly: if the file is opened in Olly, a module in the file aborts abruptly so that Olly cannot work on the file).

First, a brief introduction to the panes of Olly's [CPU] window:

a/ Disassembler window:

This is the disassembly window. Whatever programming language the file was written in, it is rendered here in assembly language, the lowest-level language. Cracking requires basic knowledge of assembly and some knowledge of high-level languages such as C++, Visual Basic, Borland Delphi and so on. By default Olly analyzes the code and produces suitable comments, but sometimes Olly's analysis yields wrong comments, and then we do not need Olly's analysis. To choose whether or not Olly automatically analyzes code to produce comments, do the following:

With experience you will know whether Olly's analysis is right. The setting above lets Olly analyze and produce comments for us. If Olly produces a wrong comment, like this for example:

To remove what Olly has analyzed, right-click and choose as shown:

I seem to have drifted from the purpose of the article. What I wanted to say above is: don't trust Olly's analysis too much. Sometimes we must be flexible to get the most accurate comments, and only then does our work become easy. Back to the Disassembler window, which clearly has four small panes:

+ Address pane:

This pane holds virtual addresses. When the Windows loader loads an application, it allocates a certain range of memory addresses to the program. The address is 32 bits, shown as 8 hexadecimal (base 16) digits. It is simply an address, and the address is fixed: whichever computer you load CrackMe on, its first address is always 00401000 (this is called the EP, entry point: the program's starting address).

+ Hex Dump pane:

This is where the opcodes are displayed, in readable form.

+ Disassembly pane:

This is where the assembly code is displayed for us to read and work on. Olly reads the opcodes in the Hex Dump pane and translates them into assembly for us.

+ Comment pane:

Simply the place that holds the comments produced by Olly's analysis or the comments we write ourselves.

b/ Register window:

The registers window shows the registers and the state or value each currently holds. A register (EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, EIP..) is a special storage location in the computer where we can hold data. We can think of it as a small box in which we can keep a name, a number and so on. In short, the registers are the tool bag where we put the things we need until we use them. The status flags (C, P, A, Z, S, T, D, O) are also shown here.

c/ TIP window:

A small window below the Disassembler window. It shows the values of the operands of an assembly instruction: when you select an assembly instruction, the values of its operands (if any) are displayed here.

d/ Dump window:

Here the opcodes are laid out in rows and columns, and we can edit the opcodes here.

e/ Stack window:

The stack is where an instruction's parameters are loaded before the instruction is called. The parameters are pushed before the instruction executes and taken off after it finishes, so that the stack does not turn into a rubbish bin and argument values do not get changed chaotically. The stack works mainly on a "first in, last out" basis, meaning whatever is stored first is taken out last (picture a stack of plates).

- Okay, moving on. Above we loaded CrackMe.exe into Olly but forgot the step of gathering information about the CrackMe (the badboy information step is usually done after checking the PE file with PEiD). Finding the badboy information means running the file to find the content of the badboy string (the badboy string is usually an error message, a message demanding registration, an expiry message; in short, a bad message). The opposite of badboy is goodboy (a message reporting successful registration, a congratulation message and so on). Since you have already loaded CrackMe.exe into OllyDbg, leave it there; there is no need to close Olly. Just double-click CrackMe.exe and it runs under Windows, unrelated to the copy of CrackMe.exe that Olly loaded into memory:

Enter a fake user and fake serial (a made-up user name and registration number) in the CrackMe's registration dialog:

Boom, the badboy pops up, saying the registration number we entered is wrong:

The badboy we get is "No luck there, mate!". Remember it; it is needed later.

- The badboy information is found, so now we work on the CrackMe loaded in Olly:

You remember the badboy, right (don't forget it so soon)? You will find the badboy line in the Comment pane, as here; there are two of them, called in two different ways:

The starting address of the code that shows this badboy is 00401362. It is called when the registration number is wrong. And here as well:

The starting address of the code that shows this badboy is 004013AD. It is called when the Name entered is numeric. Don't ask how I know that; it is just experience. I patched each badboy call in turn and worked out when each one is called. That is all.

The way of finding the badboy above is quite basic. It only suits very easy CrackMes like this one; with a program several MB in size, the listing is so dreadfully long that by the time you find it you no longer feel like doing anything. Normally, to locate the badboy we use the following method. Right-click and choose as shown:

The window listing the text strings in the CrackMe file appears. Here we also see the goodboy string that announces we have cracked the CrackMe:

You can see the two badboys, right? (We will patch both of them in turn.) First the upper one. To go quickly to the address containing the badboy, just double-click the line containing the badboy, and you land right at its address in the Disassembler window:

Looking above the instruction with the badboy comment, we see that the instruction at address 00401362 is called from another instruction. You should know this: when we enter a fake user and fake serial, the CrackMe performs a comparison. If the comparison succeeds, it calls the code that displays the goodboy, which is this:

If the comparison fails, it calls this badboy:

What we will do is find the instruction that calls the code displaying the badboy and patch it. Once that is done, whatever registration number we enter (other than the correct one), the CrackMe happily tells us we did well (-> goodboy). Find the instruction that calls address 00401362 to display the badboy by right-clicking the instruction at address 00401362 as shown:

From the figure we see that the instruction at address 00401362 is called from address 00401245. Click it to go to address 00401245, where the calling instruction reads:

In cracking, "scrolling up" is something you must not merely remember but know by heart, because our job is to walk backwards through the registration check. Scroll down instead of up and you may as well go home and fumble about with the wife. Joking aside, scroll up a little and we immediately see a conditional jump right above the instruction that calls the badboy:

Think a little further: if this jump is not taken, execution falls through to the badboy call right below it; if it is taken, the badboy is never called when a wrong registration number is entered. So let's make it jump (JE is a conditional jump (it depends on the E flag); JMP is an unconditional jump, which jumps even if heaven and earth blow up on the spot) -> replace JE with JMP. La la, do it like this: double-click the instruction in the Disassembly pane or press the Space key (the shortcut), and bam, the assemble dialog for editing the instruction appears:

Quickly change JE to JMP:

Click the button, and you get this:

That takes care of the badboy called when a wrong registration number is entered, but let's test it so everyone believes it. Okay, run the CrackMe: press the F9 shortcut, the status bar switches from the paused state to the running state, and the CrackMe in memory starts running. Enter a fake user and fake serial and see:

Bam, there is the goodboy!

That is enough testing, but we are not done yet, because when the name entered is numeric we still get a badboy, like this:

Click OK, and the badboy pops up:

And only after that does the goodboy appear.

What does that mean? First, that we are not finished, which is why it behaves this way. Second, we can now see the order of this CrackMe's checks: it checks the Name first (if it contains letters it passes; if it is all digits, a badboy is called as a reminder, an odd sort of reminder since the two badboys look exactly alike), then checks the Serial (correct gives the goodboy, wrong throws the badboy). So if we enter an all-digit name and a wrong registration number, the two badboys take turns being thrown in our face. The patch above only gives the goodboy for a wrong registration number; the badboy that appears when the name is numeric is dealt with as follows:

+ Patch so the Name is not checked (meaning that whatever the Name is, the CrackMe has no objection).

Next, press Ctrl+F2 to reload CrackMe.exe into memory. Then patch address 00401243 from JE -> JMP (reloading reverts everything you edited to its original state, so I have to remind you to patch it again). Use Search for to get to the badboy called when the Name is numeric, as shown:

Double-click that badboy to jump to the address whose comment is the badboy text:

Scroll up a little and we see:

This is the start of the code that shows the badboy when the Name is numeric. From here we trace back to the address of the instruction that calls it: right-click and choose as shown:

You have arrived:

I choose the simplest way to have an instruction execute and do nothing: change the calling instruction above into NOP (NOP: an instruction crackers use when they want an instruction to execute but do nothing). Okay, double-click it or press Space and do as shown:

Change it to:

Click the Assemble button and remember to tick Fill with NOPs. We get:

The CALL instruction above takes 5 bytes of opcode, so when replacing it with NOP we need 5 NOP instructions to fill the 5 bytes (the cracking rule is not to make the file grow or shrink). Now test it:
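An added example, not part of the original tutorial: a small Python checker that compares original code bytes with a modified copy and labels the two in-place edits described above (a short conditional jump turned into JMP, and a 5-byte CALL filled with NOPs), which is how such changes show up when a binary is verified against a known-good copy. The sample bytes are constructed; only the addresses 00401243, 00401245 and 00401362 come from the tutorial, and the function names are illustrative.

```python
"""Label in-place byte patches between an original code buffer and a modified copy."""

JCC_SHORT = range(0x70, 0x80)  # one-byte opcodes of short conditional jumps (JE = 0x74)
JMP_SHORT = 0xEB               # JMP rel8
CALL_REL32 = 0xE8              # CALL rel32: 1 opcode byte + 4 displacement bytes
NOP = 0x90


def classify_patches(orig: bytes, patched: bytes, base: int = 0):
    """Return [(address, kind, old_hex, new_hex)] for each changed location.

    Heuristic, not a disassembler: a changed byte is assumed to start an
    instruction, which holds for the two patch styles in the tutorial.
    """
    if len(orig) != len(patched):
        raise ValueError("length differs: an in-place patch never resizes the code")
    findings, i = [], 0
    while i < len(orig):
        if orig[i] == patched[i]:
            i += 1
            continue
        if (orig[i] in JCC_SHORT and patched[i] == JMP_SHORT
                and orig[i + 1:i + 2] == patched[i + 1:i + 2]):
            kind, size = "conditional jump forced to JMP", 2
        elif orig[i] == CALL_REL32 and patched[i:i + 5] == bytes([NOP]) * 5:
            # Checked over the whole instruction, so a displacement byte that
            # already equals 0x90 does not split the finding in two.
            kind, size = "CALL overwritten with NOPs", 5
        else:
            kind, size = "unclassified change", 1
        findings.append((base + i, kind,
                         orig[i:i + size].hex(), patched[i:i + size].hex()))
        i += size
    return findings


def call_target(address: int, insn: bytes) -> int:
    """Destination of a CALL rel32: address of the next instruction + displacement."""
    disp = int.from_bytes(insn[1:5], "little", signed=True)
    return (address + 5 + disp) & 0xFFFFFFFF


# Constructed sample. Only 00401243, 00401245 and 00401362 come from the tutorial;
# every other byte and address is made up for the demonstration.
BASE = 0x00401243
ORIGINAL = bytes.fromhex(
    "7407"        # 00401243  JE short (displacement constructed)
    "e818010000"  # 00401245  CALL 00401362
    "eb05"        # 0040124A  constructed filler
    "e890900000"  # 0040124C  constructed CALL whose displacement contains 0x90
)
PATCHED = bytes.fromhex("eb07" "e818010000" "eb05" "9090909090")

if __name__ == "__main__":
    print("CALL at 00401245 targets %08X" % call_target(0x00401245, ORIGINAL[2:7]))
    for addr, kind, old, new in classify_patches(ORIGINAL, PATCHED, BASE):
        print("%08X  %-32s %s -> %s" % (addr, kind, old, new))
```

Both edits keep the buffer length unchanged, which is why the checker treats a size difference as an error rather than as a patch.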

Good, there is only one goodboy now. Our work here can be considered done. We have finished practicing on CrackMe.exe, and you have probably picked up some knowledge from this exercise. Good luck!

The next question you have probably thought of is how to save it as another (patched) file, since the File menu has no Save or Save As. I will show you right away. Saving in OllyDbg is a little different: right-click and choose as shown:

Then choose:

Okay, a new window appears. Right-click it and choose:

That is the file save. Now give the new file a name and choose where to save this new (patched) file:

Click Save, and the Desktop now has a file whose contents we have patched. If you did everything above correctly, there is no reason not to test the result of your exercise.

2/ ReverseMe.exe:

- Examine it with PEiD:

And again:

The conclusion is the same as for CrackMe.exe above: not packed, no crypto. Please don't say I have too much time on my hands; this step cannot be skipped, and even as a newbie you should make it a habit. Okay! Now find the badboy information:

The badboy is very clear and easy to recognize: "Evaluation period out of date. Purchase new license". To save time, I will present this briefly with pictures only. Load ReverseMe.exe into Olly:

Now find the badboy's location.

Well, well, what is that? Another badboy: "Keyfile is not valid. Sorry." So this ReverseMe uses a keyfile and quietly checks whether we have a keyfile and whether our keyfile is valid. Our task is to make the ReverseMe believe we have a valid keyfile (-> goodboy, ha ha). I will put the pen down for now to finish studying Lena151's tut on this ReverseMe. I have only skimmed it and have not grasped much yet; only when I have grasped more will the writing be good enough for newbies like me and you to understand. Truly, truly, the martial world is stirring; KOWIII sets the pen aside for now and waits for the martial world to raise a tsunami, then grabs a board to go surfing.