
NEWBIES GETTING STARTED WITH OLLYDBG

This article contains many images; please choose Hide White Space in Word when viewing it, or use View > Web Layout.
Font: Times New Roman
(Please write articles in Times New Roman or Arial, since I have very few fonts installed and otherwise reading a tut is like deciphering an unknown script.)

Reaonline.net
Nha Trang - Vietnam - Reverse Engineering Association
KingOfWarIII

Hello everyone. Read on if you are a newbie who has just come to reverse engineering. If you already know it and OllyDbg well, please read on too if you would like to help build up this article for newbies by emailing me. That is really useful to me and to other newbies when your point is not yet in the article.
This is the first article I have contributed to the reaonline.net forum, so I ask the reaonline.net members for their support and attention. I wrote it by pulling together many sources, so do not be surprised if you come across passages you recognise from elsewhere (hehe); my thanks go to the authors listed on the last page. The aim is to give newbies a simple overview of OllyDbg, the debugger/disassembler with the largest user base today.
You are a newbie! Let me say up front that learning reversing in order to become a cracker means preparing many tools and programs. Here is an overview of the tools you need for learning reversing:
Analysis: analysis tools
OllyDbg 1.10 -=- Plugins & Scripts
W32Dasm 10
PEiD 0.94 + Plugins
RDG Packer Detector v0.5.6 Beta English [with signatures updated in 2008]
Rebuilding: tools for rebuilding PE files
ImpRec 1.7
Revirgin 1.5 - Fixed
LordPE
Packers: tools that compress PE files. There are a great many packers nowadays; when you practise with a particular packer, search Google for it. There are too many to list them all.
FSG 2.0

MEW 11 1.2 SE
UPX 1.25 & GUI
SLVc0deCrypto 0.61
ARM Crypto
WinUpack v0.39
Patchers: tools for creating patchers and software patch files
dUP 2
CodeFusion 3.0
Universal Patcher Pro v2.0
Universal Patcher v1.7
Universal Loader Creator v1.2
aPatch v1.07
PMaker v1.2.0.0
Tola's Patch Engine v2.03b
ABEL Loader v2.31
Yoda's Process Patcher
Registry Patch Creator
ScAEvoLa's PatchEngine v1.33
Dogbert's Genuine Patching Engine v1.41
Graphical-PatchMaker v1.4
The aPE v0.0.7 BETA
Liquid2
PELG v0.3
PrincessSandy v1.0
HEX Editor: tools for editing files in hexadecimal
Hiew v7.10
WinHex v15
HexWorkShop 5.1
Decompilers: tools for decompiling code
DeDe 3.50.04
VB Decompiler
Flasm
Unpackers: tools that unpack what the packers produce. Each packer has many unpackers, so listing them all would leave no room to write anything else; search for them yourself.
ACProtect - ACStripper
ASPack - ASPackDie
ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2
DBPE > UnDBPE
FSG 1.33 > Pumqara's Dumper
FSG 2.00 > UnFSG
MEW > UnMEW

PeCompact 1.x > UnPecomp


PEncrypt > UnPEncrypt
PeSpin 0.3 > DeSpinner 0.3
tELock 0.98-1.0 > UntELock
EXEStealth > UnStealth
Xtreme-Crypto / Themida > XprotStripper v1.1
Morphine Killer 1.1 by SuperCracker/SND
ASPR Dumper v0.1
Armadillo Process Detach v1.1
Armadillo Dumper v1.0
Armadillo Nanomite Fixer
Armadillo Distance Decryptor aka Jump Table Fixer
ArmTools (Translated!)
ArmInline v0.1
Quick Unpack v1.0.8
Procdump v1.6.2
Keygenning: tools for creating keygens (keymakers)
TMG Ripper Studio 0.02
Other: necessary supporting tools
FileMon v7 (Patched)
RegMon v7 (Patched)
RSATool 2
DAMN HashCalc
EVACleaner 2.7
Process Explorer
Resource Hacker
PUPE 2002
PointH Locator
ASPR CRC Locator 1.2
PE Tools 1.5 RC5
API Address Finder
Jump to Hex Convertor
PE GeNeRaToR 1.2.1
Quick File Viewer v1.0.1
PE Insight 0.3b
Crypto Searcher
PE Editor v1.7
bkslash's Inline Patcher
Stud_PE v2.1
Injecta v0.2
PE Rebuilder v0.96b
PE Optimizer v1.4
ToPo v1.2

NFO Builder 2000 v1.02


NFO File Maker v1.6
TMG NFOmakeR v1.0
hCalc
On to the main topic: I will introduce the OllyDbg 1.10 debugger/disassembler. OllyDbg, usually called Olly, is a Ring 3 debugger. That means Olly runs at the Windows application level, but it can also take control inside other applications. With this excellent tool (thanks Oleh Yuschuk) we find bugs in a program, and not only find them but also fix the program. OllyDbg is a debugger that also translates program code into assembly language, and that convenience is why newbies are best off starting with OllyDbg. One comparison goes: SoftICE + W32Dasm + Hiew = OllyDbg, meaning OllyDbg is an all-in-one tool and especially easy for newbies to use. Try it and see! The first thing to do is download OllyDbg 1.10. There are many OllyDbg builds around, but I will distribute two of them to you; either one will do:
1/ Ollydbg 1.10 [KingOfWarIII] :

It is a WinRAR archive; just extract it and you will get:

- OllyScripts folder: a collection of 851 scripts (updated May 2008). Using scripts speeds up your work; we will learn to use them later. All scripts should go in this folder.
- PeiD folder: contains the packer detector PEiD 0.94.
- Plugins folder: contains the plugins used by OllyDbg; copy any plugin you download here and OllyDbg will recognise it automatically.
- UDD folder: temporary storage for the files OllyDbg processes.
- Tools folder: miscellaneous tools.
This package contains two OllyDbg builds: 1.10 Final and 2.0c. I recommend 1.10, because 2.0c leaves out quite a lot, which makes it harder to use. Here is how to configure OllyDbg so it is easy to use:
a/ Configure OllyDbg as the JIT (Just-In-Time Debugging) debugger:

Select as shown in the image:

At the moment drwtsn32 is the default Windows JIT debugger. To make OllyDbg the JIT debugger (OllyDbg will then be started by default to debug whenever an application crashes), select as shown:

OK, OllyDbg is now the default JIT debugger for Windows. Whenever a program hits an error, OllyDbg will open it so you can fix the error.
b/ Add OllyDbg to Windows Explorer:
Select as shown in the image:

At the moment OllyDbg is not present in Windows Explorer. To add it, select as shown:

OK, OllyDbg has been added to Windows Explorer; you can now open any PE file quickly by reaching OllyDbg through Windows Explorer:

c/ Add PEiD to Windows Explorer: as with OllyDbg, you can add PEiD 0.94 to Windows Explorer for quick access. Go into the PeiD folder, run PEiD.exe and do as shown:

Select as shown and tick the box:

Done, and Windows Explorer will now show:

You may ask yourself, "Why do I need PEiD at all?" To be honest, at first I did not know what PEiD was either, but later I realised it is an indispensable tool, as important as OllyDbg. PEiD finds out which packer a PE file was packed with, so that you can choose a suitable unpacker, and which crypto protects it, so that we can work out how to remove the protection. In general, most PE files (.exe, .dll) are packed by their vendors or, more seriously, protected with crypto, in order to stop people like us from tampering with their programs behind their backs. The number of packers used for packing and protection is too large to count (some are made by a company, others are written by the programmers themselves to protect their product). PEiD, with a signature database covering more than 600 packers and many of the most common crypto schemes, helps us deal with them, using an unpacker tool or MUP (manual unpacking, that is, unpacking by hand) in OllyDbg.
d/ Configure the Plugin and UDD locations: after you download this package and extract it, the paths to the Plugin and UDD folders will no longer be correct, so OllyDbg must be reconfigured to find the Plugin folder, from which it loads plugins, and the UDD folder. Olly needs the UDD folder path because it stores breakpoints and other info there. Olly is a very flexible tool because it supports plugins that extend what the program can do. After changing the settings you must restart Olly. OK, let's configure.
Select as shown

Replace the paths to the UDD and Plugins folders here as appropriate:

Restart OllyDbg for the change to take effect; when the Plugins menu appears, the configuration has succeeded:

e/ Configure API help: the WIN32.HLP help file documents the API functions. Configure it so that later, when you do not understand what an API does, you can look it up. Select as shown:

Select the WIN32.HLP file in the folder you extracted:

OK, done.

Here is a screenshot of this build's interface:

2/ Portable Ollydbg 1.10 [SND Team] :

This portable build is shared by SND Team. You just run it; there is no need to configure the Plugin and UDD locations. It is an SFX file created with WinRAR; you can double-click it to run it or extract it with WinRAR:

You will get a folder containing:

This portable build was put together by SND, so do not try to change its contents; just use it. Here is its interface:

I am not running down SND's work. They gathered the commonly used tools into this portable build, but the way their OllyDbg displays instructions is not as good as in the build above. It is up to you; use whichever build you like.
The official build, without plugins or scripts and unconfigured, can be downloaded here: http://www.ollydbg.de .
OllyDbg is widely used not only because it is easy to use but also because cracker teams support it with bug-fix plugins and helper plugins. So if you want a good, bug-fixed OllyDbg, besides the two builds I have introduced you can go to http://www.tuts4you.com and download the modded builds shared by well-known crackers and cracker teams.
Enough rambling; with that introduction you can now download a copy of OllyDbg and use it. Now to the main topic: learning cracking with OllyDbg.
Some great person once said: "The best way to learn is to practise." Never mind who said it; it is 100% true. Here I take two targets for practice and study:
- CrackMe.exe
- ReverseMe.exe
Both are included in the attached file.
Our lessons will draw experience from practice; reading a few dry tuts without getting anything out of them just puts you off reading.
I/ Handling CrackMe.exe by Cruehead/MiB and ReverseMe.exe by Lena151: two of the most basic targets for newbies to examine and work on.
1/ CrackMe.exe :
- The first step, which has become an unwritten rule, is to use PEiD 0.94 to see which packer CrackMe.exe is packed with and whether it uses crypto. Right-click CrackMe.exe and select as follows:

Bam, PEiD runs and reports:

The report says CrackMe.exe is not packed and was written in MASM32. For more detail, select as follows:

Clearly it is not packed. If either of the two lines at the bottom says packed, we should double-check with another program to be sure, such as RDG Packer Detector v0.5.6 Beta or ExE info PE.
To see whether it uses any crypto, we use the PEiD plugin called Krypto ANALyzer. As shown:

Bam, here is the result:

No crypto at all; if there were any, it would be listed right away.

This CrackMe is as easy as it gets: no packing, no crypto. You may ask: "Why not just use OllyDbg straight away instead of running this nonsense?" Well, OllyDbg only handles a PE file properly when it is not packed and not protected with crypto; if it is, we have to unpack the PE file and remove the crypto before running it in OllyDbg. These targets were coded for us newbies to practise on, so nobody would pack them or add crypto just to dampen our fighting spirit. But once you are proficient, you must know how to unpack with tools or by hand, and how to remove crypto from a PE file.
- Now load CrackMe.exe into OllyDbg. Do as shown:

Bam, OllyDbg has loaded CrackMe.exe successfully:

Do not be overwhelmed. It is a bit overwhelming at first, but keep looking and you get used to it; keep practising and you will understand all of it. You can also load CrackMe.exe manually from the main interface:

Click this button:

Or press the F3 shortcut; the dialog for browsing to the PE file to open in OllyDbg appears:

Select the PE file to open and click Open, and you will get the following interface:

Before going any further, pay attention to the status bar, which has these states:

"Ready" state: OllyDbg has not loaded any PE file yet and is waiting for you to load a file or exit OllyDbg.
"Paused" state: OllyDbg has loaded the file and is waiting for you to work on it (here the file is CrackMe.exe). In this state you can run trace, set breakpoints and so on.
"Running" state: OllyDbg has let CrackMe.exe run freely, using the F9 shortcut or the button. In this state you cannot run trace or set breakpoints. The program runs normally if you have set no breakpoint, or returns to the "Paused" state if you have set one, with the current instruction line sitting at the address where you set the breakpoint (this feature is used in a later part).
"Terminated" state (my provisional name for it): OllyDbg is no longer attached to CrackMe.exe, either because you closed CrackMe.exe after running it in OllyDbg, or because the loaded file uses an Anti-OllyDbg technique (a technique that detects Olly: if the file is opened in Olly, a module in the file exits abruptly so that Olly cannot work on the file).
First, a quick introduction to the panes of Olly's [CPU] window:
a/ Disassembler window:

This is the disassembly window. Whatever programming language the file was written in, it is rendered here in assembly language, the lowest-level language. Cracking requires basic knowledge of assembly and a little knowledge of high-level programming languages such as C++, Visual Basic, Borland Delphi and so on. By default Olly analyses the code and produces suitable comments, but sometimes Olly's analysis and comments are wrong, and in that case we have no use for Olly's analysis. To choose whether or not Olly analyses code automatically to produce comments, do the following:

With experience you will know whether Olly's analysis is correct. The setting above lets Olly analyse the code and give us comments. If Olly produces incorrect comments, like this for example:

To remove what Olly has analysed, right-click and select as shown:

I seem to have strayed from the purpose of the article. My point above is that you should not trust Olly's analysis too much; sometimes we have to be flexible to get the most accurate comments, and only then does our work become easy.
Back to the Disassembler window: we can see clearly that it has four small panes:
+ Address pane:

This pane holds the virtual address. When the Windows loader loads an application, it allocates the program a certain range of memory addresses. The address is 32-bit, shown as 8 hexadecimal (base 16) digits. It is simply an address, and the address is fixed: whichever computer you load CrackMe on, its first address is 00401000 (this is called the EP, the entry point: the program's starting address).
+ Hex Dump pane:

This is where the opcodes are displayed, in a form that can be read.

+ Disassembly pane:

This is where the assembly code is shown for us to read and work on. Olly reads the opcodes in the Hex Dump pane and translates them into assembly for us.
+ Comment pane:

Simply the place that holds the comments produced by Olly's analysis or the comments we write ourselves.
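
Where the 00401000 in the Address pane comes from, as an added example that is not part of the original tutorial: the PE header stores an ImageBase and an entry-point RVA, and when the image is loaded at its preferred base their sum is the entry-point address. The header below is constructed with ImageBase 0x00400000 and entry RVA 0x1000 to match that address; these values and the function names are assumptions, not read from CrackMe.exe.

```python
import struct

PE32_MAGIC = 0x10B  # optional-header magic of a 32-bit PE image


def entry_point_va(data: bytes) -> int:
    """Return ImageBase + AddressOfEntryPoint for a PE32 image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C of the DOS header points at the PE signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    if len(data) < opt + 32:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("not a PE32 optional header")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", data, opt + 28)  # ImageBase
    return image_base + entry_rva


def build_sample_header(image_base=0x00400000, entry_rva=0x1000) -> bytes:
    """Constructed minimal PE32 headers (sample input, no sections or code)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header follows the DOS header
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader=0xE0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x010F)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    struct.pack_into("<I", optional, 16, entry_rva)
    struct.pack_into("<I", optional, 28, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    print(f"entry point VA: {entry_point_va(build_sample_header()):08X}")
```

To run it on a real file, pass `open(path, "rb").read()` to `entry_point_va`.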
b/ Register window:

The register window shows the registers and the state or values they currently hold. A register (EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, EIP...) is a special place in the computer's memory where we can hold data. We can think of it as a small box in which we can keep things: a name, a number and so on. In short, the registers are the tool bag where we put the items we need, ready for use. The status flags (C, P, A, Z, S, T, D, O) are also shown here.
c/ TIP window:

This is the small window below the Disassembler window. It displays the values of the operands in the assembly code: when you select an assembly instruction line, the values of its operands (if any) are shown here.
d/ Dump window:

Here the opcodes are laid out in rows and columns, and we can edit the opcodes here.

e/ Stack window:

The stack is where an instruction's parameters are loaded before the instruction is called. The parameters are pushed before the instruction executes and removed after it finishes, so that the stack does not turn into a rubbish bin and operand values do not get mixed up. The stack works mainly on a "first in, last out" basis, meaning that what is stored first is taken out last (picture it as a stack of plates).
- OK, moving on. Above we loaded CrackMe.exe into Olly but forgot the step of gathering information about the CrackMe (the badboy information-gathering step is usually done after checking the PE file with PEiD). Gathering badboy information means running the file to find the text of the badboy string (a badboy string is usually an error message, a registration prompt, an expiry message; in short, a bad message). The opposite of badboy is goodboy (a message reporting successful registration, a congratulation message). Since you have already loaded CrackMe.exe into OllyDbg, leave it as it is; there is no need to close Olly. We only need to double-click CrackMe.exe and it will run under Windows, independently of the CrackMe.exe that Olly has loaded into memory:

Enter a fake user and a fake serial (a made-up user name and registration number) in the CrackMe's registration dialog:

Boom, the badboy pops up, saying that the serial we entered is wrong:

Our badboy is "No luck there, mate!". Remember it; we will need it later.

- With the badboy information found, we now work on the CrackMe loaded in Olly:

You remember the badboy, right (do not forget it too soon)? You will find the badboy line in the Comment pane, as here. There are two of them, called in two different ways:

The start address of the code that shows this badboy is 00401362. It is called when the serial is wrong.
And here is the other one:

The start address of the code that shows this badboy is 004013AD. It is called when the Name entered is numeric.
Do not ask how I know this; it is just experience. I patched each badboy call in turn and worked out when each one is called. That is all.

The way of finding the badboy above is quite basic and only suits very easy CrackMes like this one. With a heavier program of several MB, the instruction listing is so long that by the time you find it you no longer feel like doing anything. Normally, to find the badboy's location we use the following method: right-click and select as shown:

A window listing the text strings in the CrackMe file appears. Here we also see the goodboy string, which tells us we have cracked the CrackMe:

You can see the two badboys, right (we will patch both of them, one after the other)? Start with the upper one. To jump quickly to the address containing the badboy, just double-click the line containing it:
This takes you straight to its address in the Disassembler window:

Looking above the instruction that carries the badboy comment, we see that the instruction at address 00401362 is called from another instruction. You should know this: when we enter a fake user and fake serial, the CrackMe performs a comparison. If the comparison succeeds, it calls the code that displays the goodboy, which is this:

If the comparison fails, it calls this badboy:

What we will do is find the instruction that calls the code displaying the badboy and patch it. Once that is done, whatever serial we enter (other than the correct one), the CrackMe will applaud us for doing well (goodboy). Find the instruction that calls address 00401362 to display the badboy by right-clicking the instruction at address 00401362, as shown:

The image shows that the instruction at address 00401362 is called from address 00401245. Click it and we arrive at address 00401245 and see that the calling instruction is:

When learning cracking, tracing upward is something you must know by heart, because our job is to walk backwards through the serial-check process. If you trace down instead of up, you might as well go home.
Joking aside, trace up a little and we immediately see a conditional jump right above the instruction that calls the badboy:

Think a little further: if this jump is not taken, execution continues with the badboy call right below it; if it is taken, the badboy is never called when a wrong serial is entered. So let us force it to jump (JE is a conditional jump (it depends on the E flag); JMP is an unconditional jump that is taken even if the sky falls in at that very moment): replace the JE instruction with JMP. Do it like this: double-click the instruction in the Disassembler pane or press Space (the shortcut key), and bam, the assemble dialog appears:

Now change JE to JMP:

Press the button, and you get this:

That takes care of the badboy that is called when a wrong serial is entered, but let us test it so everyone believes it.
OK, run the CrackMe: press the F9 shortcut and the status bar changes from Paused to Running. At the same time the CrackMe in memory starts running; enter a fake user and fake serial and see:

Bam, there is the goodboy!

The test worked, but we are not finished yet, because when the name entered is numeric we still get a badboy, like this:

Click OK and the badboy pops up:

And only after that does the goodboy appear

What does that mean? First, that we have not finished, which is why it behaves this way. Second, that we can see the order in which this CrackMe checks things: it checks the Name first, letting it through if it contains letters and calling the badboy as a reminder if it is all digits (an odd sort of reminder, since the two badboys look exactly alike); it checks the Serial afterwards, showing the goodboy if it is correct and throwing the badboy if it is wrong. So if we enter an all-digit name and a wrong serial, the two badboys are thrown at us one after the other. The patch above only produces the goodboy when the serial is wrong; the badboy that appears when the name is numeric is handled as follows:
+ Patch so that the Name is not checked (that is, whatever the Name is, the CrackMe has no objection).
Next, press the Ctrl+F2 shortcut to reload CrackMe.exe into memory. Then patch address 00401243 from JE -> JMP (after a reload everything you edited reverts to the original, so I have to remind you to patch again). Use Search for to get to the badboy that is called when the Name is numeric, as shown:

Double-click that badboy to jump to the address whose comment is the badboy text:

Trace up a little and we see:

This is where the code that shows the badboy for a numeric Name begins. From here we trace back to the address of the instruction that calls it. Right-click and select as shown:

You have arrived:

I choose the simplest way to have an instruction execute without doing anything, which is to change the calling instruction above to NOP (NOP: an instruction crackers use when they want an instruction to execute but do nothing). OK, double-click it or press Space and do as shown:

Change it to:

Click Assemble and remember to tick Fill with NOPs. We get:

The CALL instruction above takes 5 bytes of opcode, so when using NOP we need 5 NOP instructions to fill the 5 bytes (the rule in cracking is not to make the file grow or shrink).
Test it:

Good, there is only one goodboy now. Our work can stop here. We have finished practising on CrackMe.exe, and you have probably picked up some knowledge from the exercise. Good luck! The next question you have probably thought of is how to save it as a different (patched) file, since there is no Save or Save As in the File menu. I will show you right away; saving in OllyDbg is a little different. Right-click and select as shown:

Then select:

OK, a new window appears; right-click it and select:

That is the file-save step. Now name the new file and choose where to save this new (patched) file:

Click Save and there is now a file on the Desktop whose contents we have patched. If you followed the steps above correctly, there is nothing to stop you testing the result of your practice.
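
To check afterwards exactly what two edits like the ones above changed in a saved file, the code below (an added example, not part of the original tutorial) compares an original and a patched byte sequence, refuses inputs whose size differs, and labels the 74 -> EB and CALL -> NOP runs. The byte strings are constructed samples, not taken from CrackMe.exe, and the function names are illustrative.

```python
def diff_runs(original: bytes, patched: bytes):
    """Return [(offset, old_bytes, new_bytes)] for each contiguous changed run."""
    if len(original) != len(patched):
        raise ValueError(f"size changed: {len(original)} -> {len(patched)} bytes")
    runs, start = [], None
    for i, (old, new) in enumerate(zip(original, patched)):
        if old != new and start is None:
            start = i                      # a changed run begins here
        elif old == new and start is not None:
            runs.append((start, original[start:i], patched[start:i]))
            start = None                   # the run ended just before i
    if start is not None:                  # run reaches the end of the data
        runs.append((start, original[start:], patched[start:]))
    return runs


def describe(old: bytes, new: bytes) -> str:
    """Heuristic label for a changed run (byte patterns only, no disassembly)."""
    if old == b"\x74" and new == b"\xeb":
        return "JE rel8 -> JMP rel8 (opcode 74 -> EB, displacement kept)"
    if new == b"\x90" * len(new):
        if len(old) == 5 and old[0] == 0xE8:
            return "CALL rel32 -> 5 x NOP"
        return f"{len(new)} byte(s) overwritten with NOP"
    return "other change"


# Constructed code fragment (sample input):
#   E8 30 01 00 00   call  <routine A>
#   3B C3            cmp   eax, ebx
#   74 07            je    +7
#   E8 10 01 00 00   call  <routine B>
#   EB 05            jmp   +5
#   E8 FB 00 00 00   call  <routine C>
#   C3               ret
ORIGINAL = bytes.fromhex("E830010000 3BC3 7407 E810010000 EB05 E8FB000000 C3")
PATCHED = bytes.fromhex("9090909090 3BC3 EB07 E810010000 EB05 E8FB000000 C3")


def report(original: bytes, patched: bytes):
    """Return [(offset, old_hex, new_hex, label)] for every changed run."""
    return [(off, old.hex(), new.hex(), describe(old, new))
            for off, old, new in diff_runs(original, patched)]


if __name__ == "__main__":
    for off, old, new, what in report(ORIGINAL, PATCHED):
        print(f"offset 0x{off:04X}: {old} -> {new}  {what}")
```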
2/ ReverseMe.exe :
- Examine it with PEiD:

And again:

The conclusion is the same as for CrackMe.exe above: no packing, no crypto. Do not tell me I have too much time on my hands; this is a step you cannot skip, and even as a newbie you should make it a habit. OK!
Now find the badboy information:

The badboy is very clear and easy to recognise: "Evaluation period out of date. Purchase new license"
To save time, I will present this briefly with images only. Load ReverseMe.exe into Olly:

Find the badboy's location.

Well, well, what is that? Another badboy: "Keyfile is not valid. Sorry." So this ReverseMe relies on a keyfile and quietly checks whether we have a keyfile and whether our keyfile is valid. Our task is to make the ReverseMe believe we have a valid keyfile (-> goodboy, ha ha). I will put down my pen for now until I have finished studying Lena151's tut on this ReverseMe; I have only skimmed it and have not grasped much yet, and only when I have grasped a lot will the write-up be good enough for newbies like me and you to follow. My apologies: KOWIII is setting the pen aside for now and waiting for the next big wave to ride.
