
The Art of Reversing

by Ap0x

Preface to second edition

We live our daily lives unaware of the little things that happen before our eyes. We pass over the obvious because it seems simple and logical. Do we not feel the need to peek beneath the simple, uniform exterior of things, or do we simply not want to? Ask yourself: when did you last look at an object and wonder how it works? What are the processes behind its visible face? Why does something happen exactly the way it does? When did you last decompose an object into its components with the power of your mind? When did you last see beyond the obvious and the accessible? The answers to these questions lie within ourselves, and they are the essence of reverse engineering. The very tendency to go back to beginnings and causes, to arrive at the initial conditions from the results, opens up amazing opportunities, but only if we change our point of view, only if we move from the position of passive observer to that of reverser; that is the only way to get to the core of reverse engineering. Please note that reverse engineering does not apply only to computers; reverse engineering is all around us, it only needs to be observed.

This is the second edition of The Art Of Cracking, which now carries the new name The Art Of Reversing; my second book, PE and ASM for Crackers, has been woven into it. In this second edition some chapters have been added and some complemented, but most of the corrections concern the grammatical and semantic errors that were noted in the book, for which the author owes special thanks to MDHamel, who reviewed the book's language. On this occasion I also want to thank all who have supported me and who continue to support me in working on this project.

Page 3: dich

This book is dedicated to all the people who have left an indelible impression on my life: family, best friends, first love, mentors, other friends, enemies, and others not listed here who are nonetheless a more or less important part of my life.

"The more I learn, the more I realize how much I don't know!"

Ap0x

The Art Of Reversing by Ap0x

Page 2 of 293

The Book

1.00 Intro to cracking ..... 6
1.01 What is RCE? ..... 7
1.02 Beginners Guide to Reversing ..... 8
1.03 Becoming a Reverser ..... 9
1.04 ASM Basics ..... 10
1.05 ASM for Crackers - Part I ..... 10
1.06 ASM for Crackers - Part II ..... 18
1.07 ASM for Crackers - Part III ..... 21
1.08 ASM for Crackers - Part IV ..... 24
1.09 ASM for Crackers - Part V ..... 26
1.10 Reading Time ..... 30
1.11 Tools of Trade ..... 31
1.12 Configuring Tools of Trade ..... 32
1.13 OllyDbg ..... 32
1.14 W32Dasm++ / W32Dasm 8.93 ..... 32
1.15 NuMega SmartCheck v6.03 ..... 33
1.16 PEiD v0.93 ..... 33
1.17 My first crack ..... 34
1.18 My second crack ..... 39
1.19 OllyDbg from beginning ..... 43
1.20 Debugging basics - Breakpoints ..... 43
1.21 Debugging basics - User vs kernel mode ..... 44
1.22 Introduction to OllyDbg ..... 44
2.00 NAG ..... 48
2.01 Killing NAGs - ..... 49
2.02 Killing NAGs - ..... 51
2.03 Killing NAGs - MsgBoxes & Olly ..... 53
2.04 Killing NAGs - Dialogs & Olly ..... 56
3.00 Cracking ..... 57
3.01 The Serials - Jumps ..... 58
3.02 The Serials - Fishing #1 ..... 60
3.03 The Serials - Fishing #2 ..... 63
3.04 The Serials - Fishing #3 ..... 66
3.05 The Serials - Fishing #4 ..... 67
3.06 The Serials - Fishing #5 ..... 69
3.07 The Serials - Fishing #6 ..... 70
3.08 The Serials - Fishing #7 ..... 71
3.09 The Serials - Smart Check #1 ..... 73
3.10 The Serials - Smart Check #2 ..... 75
3.11 The Serials - Computer ID ..... 76
3.12 The Serials - VB & Olly ..... 78
3.13 The Serials - ..... 79
3.14 The Serials - ..... 81
3.15 The Serials - Keyfile and Registry ..... 84
4.00 Making ..... 92
4.01 KeyGen - Ripping ..... 93
4.01 KeyGen - Ripping ..... 94
4.02 KeyGen - Beginning #1 ..... 95
4.03 KeyGen - Beginning #2 ..... 97
4.04 KeyGen - Beginning #3 ..... 99
4.05 KeyGen - Beginning #4 ..... 102
4.06 Keygens & Smart Check #1 ..... 104
4.07 Keygens & Smart Check #2 ..... 106
5.00 CD ..... 108
5.01 CD Checking - ..... 109
5.02 CD Checking - CrackMe ..... 111
6.00 Code ..... 114
6.01 Delphi ASM ..... 115
6.02 VC++ and ASM ..... 117
6.03 Adding functions ..... 118
6.04 Adding functions ..... 121
6.05 Adding functions ..... 125
7.00 "Getting ..... 126
7.01 SoftICE detection ..... 127
7.02 Windows API debugger check ..... 129
7.03 Memory modification check ..... 130
7.04 Reversing CRC32 checks ..... 132
7.05 Not Getting Caught - Exercise ..... 136
8.00 Cracking ..... 138
8.01 ReEnable buttons - ASM ..... 139
8.02 ReEnable buttons - API ..... 140
8.03 ReEnable buttons - ResHacker ..... 143
8.04 ReEnable buttons - ResHacker & Delphi ..... 144
8.05 ReEnable buttons - Olly & Delphi ..... 145
8.06 ReEnable buttons - Olly & VB ..... 147
8.07 ReEnable buttons - DeDe & Delphi ..... 148
8.08 Passwords - Olly & Delphi ..... 149
8.09 Passwords - Olly & VB ..... 150
8.10 Passwords - Olly & ASM ..... 151
8.11 Time-Trial ..... 152
8.12 Patching a ..... 155
9.00 Decrypt ..... 157
9.01 Cryptography basics ..... 158
9.02 Simple Encryption ..... 163
9.03 Reversing MD5 ..... 165
9.04 RSA Basics ..... 167
9.05 Bruteforce ..... 169
9.06 Bruteforce ..... 172
9.07 Bruteforce the ..... 174
9.08 Bruteforce with ..... 179
9.09 Advanced bruteforcing ..... 180
10.00 ..... 182
10.01 Unpacking ..... 183
10.02 PE Basics ..... 184
10.03 PE EXE Files - ..... 184
10.04 PE EXE Files - Basics ..... 186
10.05 PE EXE Files - Tables ..... 191
10.06 PE DLL Files - ..... 194
10.07 UPX 0.89.6 - 1.02 / 1.05 - 1.24 ..... 195
10.08 UPX-Scrambler RC1.x ..... 199
10.09 UPX Protector 1.0x ..... 200
10.10 UPXShit ..... 201
10.11 FSG 1.30 ..... 205
10.12 FSG 2.0 ..... 206
10.13 ASPack 1.x ..... 207
10.14 Petite 2.2 ..... 209
10.15 tElock 0.80 ..... 210
10.16 tElock 0.96 ..... 213
10.17 tElock ..... 214
10.18 PECompact 2.22 ..... 217
10.19 PECompact 1.40 ..... 218
10.20 PEPack ..... 220
10.21 ASProtect 1.22 / 1.2c ..... 223
10.22 ASProtect 2.0x ..... 226
10.23 ReCrypt 0.15 ..... 228
10.24 ReCrypt 0.74 ..... 229
10.25 ReCrypt 0.80 ..... 230
10.26 ACProtect 1.4x ..... 231
10.27 WinUPack ..... 233
10.28 Neola 2.0 ..... 234
10.29 NT PELock 2.04 ..... 235
10.30 Virogena Crypt 0.75 ..... 236
10.31 eZip 1.0 ..... 237
10.32 SPEC b3 ..... 237
10.33 CExe 1.0a - 1.0b ..... 237
10.34 MEW ..... 238
10.35 PEBundle 2.0x - 2.4x ..... 239
10.36 PkLite32 1.1 ..... 240
10.37 PEX 0.99 ..... 241
10.38 ExEStealth 2.72 - 2.73 ..... 242
10.39 Arm Protector ..... 243
10.40 EXE32Pack 1.3x ..... 244
10.41 PC Guard 5.0 ..... 245
10.42 yC 1.3 ..... 246
10.43 SVKP 1.3x ..... 247
10.44 xPressor 1.2.0 ..... 249
10.45 JDPack 1.x / JDProtect 0.9 ..... 250
10.46 ap0x Crypt ..... 251
11.00 Patching ..... 254
11.01 'Hard patchers' ..... 255
11.02 Registry patchers ..... 255
11.03 Memory patchers ..... 255
11.04 Inline patching - UPX 0.8x - 1.9x ..... 256
11.05 Inline patching - nSPack 2.x ..... 257
11.06 Inline patching - ASPack 1.x - 2.x ..... 259
11.07 Inline patching - EZip 1.0 ..... 260
11.08 Inline patching - FSG 1.33 ..... 261
11.09 Inline patching - PEX 0.99 ..... 262
11.10 Making a ..... 265
12.00 ..... 266
12.01 Bruteforcing the Secret ..... 267
12.02 Keygening Scarabee #4 ..... 269
12.03 Patching aC ..... 272
12.04 Obsidium 1.2 Unpacking ..... 274
12.05 & Cracking ..... 275
13.00 Tricks of ..... 287
13.01 Coding ..... 288
13.02 Cracking ..... 289
13.03 Only Fools and ..... 290
13.04 Crackers Guide ..... 290
13.05 FAQ ..... 291
13.06 Epilogue ..... 293


01 Intro to cracking

The first chapter of this book aims to introduce you to reverse engineering and to show you the essence of cracking: the way of thinking and some basic tricks with the cracking tools. First you will pick up some primary terms related to cracking, then you will learn how to configure the tools we use, and finally we will make our first crack.


What is RCE?

Reverse Code Engineering is a technique that, starting from the results of some process, recovers the initial values that produced them. Note that I have used a general definition of RCE, not one restricted to RCE applied to computer programs. I define it this way because RCE, regardless of the area it is applied to, is above all a way of thinking, a set of techniques and procedures for attacking a problem from the other end. Restricted to computers, we define RCE as a mechanism for analysing and modifying an unknown program when its source code is not available. Using the techniques described in this book you will solve the primary problem of analysing or modifying unknown code: the original source is not available, so we approach the problem in reverse, finding the causes of the program's behaviour by starting from the observed result and working back to the initial causes.

Of course, as in any other area of human endeavour, RCE problems mostly have no unique solution. This means that most problems can be solved in a great many ways, and that in most cases there is an easiest and quickest solution as well as ones that are not. Since in most cases we are not interested in the time needed to solve a problem, the major factor in solving an RCE problem will be the accuracy of the result. Accuracy is merciless in RCE problems, because there are only two outcomes: problems that are solved correctly and those that are not. An RCE problem solved incorrectly can lead to system instability and even to corruption of the operating system used for the work. RCE is also not platform-specific: it can be, and is, applied on all computer platforms.

Although the book is "pompously" titled The Art Of Cracking, it does not cover the full meaning of reverse engineering, nor would such a thing be possible at all. This book sets itself the goal of limiting itself to one narrowly defined area, commonly called cracking, and of describing as many of the phenomena related to cracking as possible. Even that is hard to achieve, but I will try to guide you through this book and convince you that there is no such thing as a "trusted application". Delete that term from your vocabulary from now on. The term you will adopt instead is "application that is hard to reverse", which means that any application that can be run can be "broken", and that you should not trust so-called commercial protection products to protect your own or other people's programs. This book will destroy the illusions of those who believe that their passwords are safe in a database, or that their passwords are safe behind asterisks. These misconceptions will evaporate after reading this book. Developers, beware: your applications are about to be put to a comprehensive test...


Beginners Guide to Reversing

Before you start dealing with reverse engineering you need to know some basics of computer architecture and of the way data is written and read. The operating system we have chosen for learning the basics of reverse engineering is Windows, which, whatever the version, will give you insight into the architecture and the way of thinking used when reversing. I am sure you already know that the basis of the Windows operating system is a series of executable (.exe) and dynamic-link library (.dll) files, which form the core of the system. What most of you certainly did not know is that the content of these .exe and .dll files can be changed so that these programs execute the instructions we want. The technique of modifying other people's executables, and other files that contain executable code, is called cracking. Note that reversing an application without the permission of its owner is illegal, so be careful in choosing the targets you reverse.

Now you are certainly wondering how the knowledge that the operating system consists of a large number of .exe and .dll files can help in reversing. Well, suppose we know that their content is written in some defined way. Here we are on the right track: all .exe and .dll files have a uniform way of being written. This layout is standardised on 32-bit Windows systems (Windows 95 and NT onwards) and is called the PE (Portable Executable) format. This standard precisely defines the position and meaning of every byte in a standard .exe file. You will be introduced to the standard later; for now it is important to know that part of a PE file holds the code that the .exe file executes, and that this code is also written in a standard, machine-readable way. This only means that the strings of bytes that represent it have a precise meaning. The interpretation of these byte sequences is performed by your computer's processor, and these standardised commands are called ASM (assembler) instructions. You will be introduced to ASM at the beginning of this book. Understanding it is a prerequisite for understanding all the other chapters, and it is therefore the framework for understanding the whole book.

These are just the basic ways of thinking that all beginners must have in mind before they start dealing with reversing. Other very important things will be introduced in parallel with the problems you will meet while reading this book.


Becoming a Reverser

This is a very common question that everyone who wants to get involved in reversing asks: How do I become a reverser? What does that really mean? What do I have to know?

The answers to these questions are individual and differ from person to person, but what I have learned over the years of dealing with programming and reversing is that everything is possible, that everything can be done. The only two things needed to solve every problem are time and patience. If you wish to become what you want to become, you will need to learn much more. Most of the things you learn will be related to the structure of computers, the way programs execute, the structure of files and the structure of Windows, but on top of all this you will need to learn the basics of cryptography and mathematics. Believe it or not, the best reversing problems in the world are mathematical. So no matter how much you hate maths, trust me, you will come to love it...

As I already said, there is no exact "recipe" for becoming a reverser, but there is a basic guide to the order in which you have to learn things. The sequence should look like this:

- Basics of the Windows operating system
- Basics of hexadecimal and decimal numbers
- The basic set of ASM instructions
- Basic cracker tools: W32Dasm and Hiew
- Basic cracker tools: SoftICE, Olly, SmartCheck, DeDe
- Basics of the PE structure
- Basic cracker tools: PEiD, ResHacker, LordPE, ImpREC
- Programming languages: Visual Basic, Delphi, C++, MASM
- Basics of cryptography: SHA1, MD5, RSA, RC4, RC5, Skipjack

Of course this order reflects a logical order of thinking and learning that should be applied to gain insight into the final reversing problems. Analogous to it there is a list of the kinds of targets that should be "broken". That list should look like this:

- Removing the NAG screen
- Changing jumps to reach the message about correct registration
- Advanced patching, killing dialogs, CD protections...
- Fishing serial numbers with the help of a debugger
- Simple unpacking of easy targets: ASPack, UPX
- Turning the target itself into its own keygenerator
- Creating keygenerators in a programming language
- Ripping keygenerators from ASM
- Creating bruteforcers
- Unpacking advanced protectors: ASProtect, ACProtect, SCMM, Armadillo
- Advanced reversing of targets in order to understand someone else's algorithm

Will you become a reverser after reading this book?

No, but you will be well on your way to becoming one....


ASM Basics

ASM is the basis of every reversing problem, so it is necessary to know at least the basic ASM instructions well enough to understand what is in front of you. The basic and only tool we will need further in this chapter is OllyDbg, but we begin with theory.

ASM for Crackers - Part I

The ASM I explain here is not the ASM that programmers use to write programs. Although most instructions are the same, I will only say what is essential about each ASM instruction you will meet while reversing targets. Let's start with a little maths...

Since the basis of every program consists of simple mathematical operations, the primary ASM instructions are intended precisely for those operations.

Assigning values - this is the basic ASM instruction, used to assign a constant arithmetic value to a variable (EAX, EBX, EDX, ECX, ...) whose name is predefined. In assembly it looks like this:

MOV EAX, 1

and its mathematical meaning is: EAX = 1

Addition - the basic mathematical operation, which everyone knows well. I'm sure you know how to add, but you probably do not know how the addition of numbers is performed in assembly. An example is the addition of two variables:

ADD EAX, EBX

This simple ASM instruction is equivalent to the mathematical operation of adding two numbers: EAX = EAX + EBX.

Subtraction - also a basic mathematical operation, which in assembly looks like this:

SUB EAX, EBX

This simple ASM instruction is equivalent to the mathematical subtraction of two numbers: EAX = EAX - EBX.

Multiplication - is an often used instruction, and looks like this:

IMUL EAX, EBX

This simple ASM instruction is equivalent to the mathematical multiplication of two numbers: EAX = EAX * EBX.

These are only some of the basic ASM instructions that will be used to solve simple mathematical problems. So far there is no need to worry about which variables we use; I will not explain that for now because there is no need, and I'll get to it later. For now it is only important to understand how ASM instructions are executed.

First we write a program that multiplies two numbers and adds 4 to their product.

Solution:

MOV EAX, 3
MOV ECX, 4
IMUL EAX, ECX
ADD EAX, 4

I think this simple program is clear, but just in case I will explain why we wrote it this way. First we assign to EAX and ECX the values we want to multiply; that is the first two rows. After this comes a standard multiplication of two numbers, after which, in the last row, we add 4 to the product. Of course the result of executing this program will be: 3 * 4 + 4 = 16

We will now modify this example so that the program, after adding 4 to the product, subtracts 8 and multiplies the result by 4.

Solution:

MOV EAX, 3
MOV ECX, 4
IMUL EAX, ECX
ADD EAX, 4
SUB EAX, 8
IMUL EAX, 4

As we can see, the result will be: (((3 * 4) + 4) - 8) * 4 = 32. Note that debuggers and disassemblers such as OllyDbg display all numbers in hexadecimal, and the rest of this book follows that convention, so the result of the last task would be shown as 20h, not 32.

Since we have successfully mastered the basic mathematical operations, it is time to explain why and how we use variables.

As in mathematics, in assembler we define variables to which we can assign any arithmetic value. The only restriction in assembler is that there is a fixed number of variables we can use. These variables are called registers and are used for all assembler operations. Some of these register names have already been mentioned, but the whole list looks like this: EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI, EIP. Although these registers can be used for any operation, they are conventionally assigned specific kinds of operations. So:

EAX - used for basic mathematical operations,
EBX - used for basic mathematical operations,
ECX - serves as the counter in loops,
EDX - serves as the register in which the remainder of a division is stored, and for other things,
ESP - serves as the stack pointer,
EBP - serves as a pointer to a part of memory (the base of the current stack frame),
ESI - serves as a free register (the source index in string operations),
EDI - serves as a free register (the destination index in string operations),
EIP - holds the address of the instruction currently being executed.

Page 31: dich

But this does not mean you have to take this list of register uses as black and white; these are only the usual uses, and they can change from situation to situation. We see that, as with variables in mathematics, a register can take any numeric value and be used in mathematical operations. Before we continue with the other ASM instructions you need to understand the difference between 32-bit, 16-bit and 8-bit registers and see the connection between them.

The registers we have met so far (EAX to EIP) are 32-bit registers. This means that the numbers these registers can hold range from 00000000 to FFFFFFFF, which is what makes them 32-bit registers. For backward compatibility, the standard 32-bit registers contain 16-bit and 8-bit registers. This means that if, for example, EAX contains the hexadecimal number FF443322, that is its 32-bit value, but there are other registers that are closely tied to EAX itself. These registers are AX (16-bit), AH (8-bit) and AL (8-bit). The connection between the registers is given in the following table:

Register   First byte   Second byte   Third byte   Fourth byte
EAX        FF           44            33           22
AX         -            -             33           22
AL         -            -             -            22
AH         -            -             33           -

(The bytes are listed in the order they are written in the hexadecimal value, most significant first. In memory a 32-bit value is stored little-endian, so a hex dump shows them in the reverse order: 22 33 44 FF.)

As can be seen in the table, there are registers with which we can modify or access only parts of the 32-bit registers. Although the example uses the EAX register, the same goes for EBX, ECX and EDX (BX/BH/BL, CX/CH/CL, DX/DH/DL). This is important because you need to understand why a 32-bit register changes in a program when you change one of the 16-bit or 8-bit registers. For example, I will explain accessing parts of the EAX register with this sequence:

MOV EAX, FF443322
MOV AX, 1111
MOV AH, 22
MOV AL, 66

The result of executing these ASM instructions, line by line, would be:
EAX = FF443322, EAX = FF441111, EAX = FF442211, EAX = FF442266. As you can see from the table, it is impossible to access the first and second bytes of the 32-bit register EAX through the 16-bit or 8-bit registers. This is essential when writing keygenerators, because it is important to know how a 16-bit or 8-bit register changes the final value of a register. Now it is certainly clear what we were doing when we wrote the simple ASM program above. Since we know only four ASM instructions so far, it is time to extend this list with additional ASM mathematical instructions.

Adding 1 - a mathematical operation that adds the value 1 to any register. In ASM it looks like this:

INC EAX

This simple ASM instruction is equivalent to the mathematical EAX = EAX + 1.

Now you are surely wondering why we do this when we have the ADD instruction. The answer is that ADD EAX, 1 is encoded in 3 bytes (5 bytes with a 32-bit immediate), while INC EAX takes only one byte in 32-bit code. It is not a big saving, but that is how compilers build exe files.

Subtracting 1 - is an additional mathematical operation that subtracts 1 from any register. It looks like this in ASM:

DEC EAX

This simple ASM instruction is equivalent to the mathematical EAX = EAX - 1. This instruction also takes only one byte in the file.

Division - a mathematical operation that I left for the end because knowledge of the registers is necessary to understand how numbers are divided in ASM. An example of dividing two numbers:

MOV EAX, 10
MOV ECX, 4
MOV EDX, 0
DIV ECX

Although this seems a little complicated, in fact it is not. The following happens here: first EAX and ECX are assigned a value, then EDX is set to zero because EDX will hold the remainder of the division, and finally EAX is divided by ECX. Remember that the numbers are hexadecimal, so 10 here is 16 in decimal. Mathematically it looks like this:

EAX = 16 (decimal)
ECX = 4
EDX = 0
EAX = EAX / ECX

Why is it necessary to set EDX to zero? Because DIV does not divide EAX alone but the 64-bit pair EDX:EAX, with EDX holding the upper 32 bits. If EDX contains leftover data, the dividend is wrong and the quotient may not fit into 32 bits, which raises a divide error and crashes the program. Division may seem a little complicated, but it is not once you learn that EAX is always divided by some other register of your choice, in this case ECX, with the quotient left in EAX and the remainder in EDX.

Now that we have learned all the basic mathematical instructions, we will practise them on one example. We are going to write an ASM program that adds two numbers, multiplies the sum by 4, adds 1 to the product, subtracts 6 from it, divides the result by 3 and finally subtracts 1 from the result.

Solution:

MOV EAX, 4
MOV ECX, 3
ADD EAX, ECX
IMUL EAX, 4
INC EAX
SUB EAX, 6
MOV EDX, 0
MOV ECX, 3
DIV ECX
DEC EAX

I think everyone knows what is going on, but if not, here is the mathematical solution of the problem:

EAX = 4
ECX = 3
EAX = EAX + ECX
EAX = EAX * 4
EAX = EAX + 1
EAX = EAX - 6
EDX = 0
ECX = 3
EAX = EAX / ECX
EAX = EAX - 1

After the last instruction EAX = 6 (23 / 3 = 7, minus 1) and EDX = 2, the remainder of the division.
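The register model below is an added example, not code from the book. It reproduces in C the semantics this chapter has described (32-bit arithmetic, partial-register writes to AX/AH/AL, and DIV working on the 64-bit EDX:EAX dividend) and runs the chapter's worked program and the FF443322 sequence through it, so the results can be checked on any machine without a debugger. The type and function names (cpu_t, div_r32, worked_program and so on) are assumptions made for this example; where a real CPU raises the #DE exception, the model only sets a flag.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the four general-purpose registers used in the chapter.
 * divide_error stands in for the CPU's #DE exception. */
typedef struct {
    uint32_t eax, ebx, ecx, edx;
    int divide_error;
} cpu_t;

/* Partial-register writes: MOV AX/AH/AL replace only their slice of EAX;
 * the other bytes of EAX are left untouched (the two upper bytes of
 * FF443322 cannot be reached this way at all). */
static void mov_ax(cpu_t *c, uint16_t v) { c->eax = (c->eax & 0xFFFF0000u) | v; }
static void mov_ah(cpu_t *c, uint8_t v)  { c->eax = (c->eax & 0xFFFF00FFu) | ((uint32_t)v << 8); }
static void mov_al(cpu_t *c, uint8_t v)  { c->eax = (c->eax & 0xFFFFFF00u) | v; }

/* DIV r32: unsigned division of the 64-bit value EDX:EAX by the operand.
 * Quotient goes to EAX, remainder to EDX. A zero divisor, or a quotient
 * that does not fit in 32 bits, raises #DE on a real CPU. */
static void div_r32(cpu_t *c, uint32_t divisor) {
    uint64_t dividend = ((uint64_t)c->edx << 32) | c->eax;
    if (divisor == 0 || dividend / divisor > 0xFFFFFFFFu) {
        c->divide_error = 1;
        return;
    }
    c->eax = (uint32_t)(dividend / divisor);
    c->edx = (uint32_t)(dividend % divisor);
}

/* MOV EAX,FF443322 / MOV AX,1111 / MOV AH,22 / MOV AL,66 */
uint32_t partial_register_demo(void) {
    cpu_t c = {0};
    c.eax = 0xFF443322u;
    mov_ax(&c, 0x1111);   /* EAX = FF441111 */
    mov_ah(&c, 0x22);     /* EAX = FF442211 */
    mov_al(&c, 0x66);     /* EAX = FF442266 */
    return c.eax;
}

/* The chapter's last worked program:
 * MOV EAX,4 / MOV ECX,3 / ADD EAX,ECX / IMUL EAX,4 / INC EAX / SUB EAX,6 /
 * MOV EDX,0 / MOV ECX,3 / DIV ECX / DEC EAX */
cpu_t worked_program(void) {
    cpu_t c = {0};
    c.eax = 4;
    c.ecx = 3;
    c.eax += c.ecx;       /* ADD EAX,ECX -> 7  */
    c.eax *= 4;           /* IMUL EAX,4  -> 28 (uint32_t wraps like the CPU) */
    c.eax += 1;           /* INC EAX     -> 29 */
    c.eax -= 6;           /* SUB EAX,6   -> 23 */
    c.edx = 0;            /* MOV EDX,0   clears the high half of the dividend */
    c.ecx = 3;
    div_r32(&c, c.ecx);   /* DIV ECX     -> EAX = 7, EDX = 2 */
    c.eax -= 1;           /* DEC EAX     -> 6  */
    return c;
}

/* The same division (23 / 3) but with a stale value left in EDX instead of
 * MOV EDX,0. Returns 1 if the CPU would fault. With stale_edx = 1 the
 * dividend is 0x1_00000017 and the quotient still fits (a silently wrong
 * answer); with stale_edx = 3 the quotient exceeds 32 bits and #DE fires. */
int div_with_stale_edx(uint32_t stale_edx) {
    cpu_t c = {0};
    c.eax = 23;
    c.edx = stale_edx;
    c.ecx = 3;
    div_r32(&c, c.ecx);
    return c.divide_error;
}

int main(void) {
    cpu_t c = worked_program();
    printf("partial writes: EAX = %08X\n", (unsigned)partial_register_demo());
    printf("worked program: EAX = %u, EDX = %u\n", (unsigned)c.eax, (unsigned)c.edx);
    printf("stale EDX=3 before DIV faults: %d\n", div_with_stale_edx(3));
    return 0;
}
```

The stale-EDX case is the one to remember when reading a disassembly: a missing XOR EDX,EDX or MOV EDX,0 before DIV is either a bug or a sign that the author really intends a 64-bit dividend.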

Understanding the basic mathematical operations is the key to solving basic reversing problems. Since we have covered all the basic mathematical instructions, it is time to move on to the logical ASM instructions. Don't be afraid of the name: these are simply mathematical operations with logical operators such as NOT, AND, OR and the like, just as in mathematics we use conjunction, disjunction and similar operators. They are applied bit by bit, and each bit of the result is either TRUE (1) or FALSE (0).

Page 39: dich

AND - is basic logical command in Asthma. Benefits the as logically

operator between two registers. It looks like this in ASM:

AND EAX, ECX

After execution this Command EAX gets value who corresponds

mathematical operation between two registers. To thoroughly understand what

to the logical command we will make a small table with two binary numbers and

will show how to count the result that we obtained using the command

AND. Say you are trying to gather logical 3 and 5

The Art Of Reversing by Ap0x

Page 14 of 293

AND Operation

EAX

ECX

The result - EAX

Number of decimal

3

Page 40: dich

5

1

Number of binary

0011

0101

0001

As table the see from top table result logical addition 3 AND 5 = 1st

Why is it just a number? AND command compares the binary numbers bit by bit and

formed on the basis of the result. If the bits are 0, 0, 0, 1 or 1 and 0 will result

always be 0, and only if are two bits who the compare equal 1 then will

result of this will be equal to 1 Because of this, 0011 AND 0101 = 1

OR - a logical command in ASM. It is used as a logical operator between two registers. It looks like this in ASM:

OR EAX, ECX

After this command executes, the result is placed in EAX, and the value EAX receives is shown in the following table:

OR operation     EAX     ECX     Result - EAX
Decimal          3       5       7
Binary           0011    0101    0111

As the table shows, the result of OR on the numbers 3 and 5 is 7. Why 7? The OR command compares the binary numbers bit by bit and forms the result from that. If our numbers are 0011 and 0101 the result is 0111, because OR puts a 0 in the result only if both bits are 0; if the first or the second bit is 1, the result bit is 1.

NOT - a logical command in ASM. It is used as a logical operator applied to one register. Example:

NOT EAX

After this command executes, EAX receives the value that can be read from the following table:

NOT operation    EAX     Result - EAX
Decimal          3       12
Binary           0011    1100

As the table shows, NOT simply inverts the bits: if a bit is 0 it becomes 1 in the result, and vice versa. (The table shows only four bits; on a 32-bit register all 32 bits are inverted.) This is an extremely simple ASM command.

XOR - a very important ASM command which, because of its reversibility, is used for encryption and decryption. The command is applied to two ASM registers as follows:

XOR EAX, ECX

After this command executes, EAX receives the value obtained by XORing EAX with ECX. The principle of XOR can be seen from the following table:

XOR operation    EAX     ECX     Result - EAX
Decimal          3       5       6
Binary           0011    0101    0110

The result is 6, but why? XOR compares the bits of EAX and ECX: if a bit of the source (EAX) differs from the bit of the target (ECX) the result bit is 1, and if the bits are the same the result bit is 0. That is why 0011 XOR 0101 = 0110, that is, 3 XOR 5 = 6. The XOR function is the most important one because of its reversibility: 3 XOR 5 = 6, 6 XOR 5 = 3 and 6 XOR 3 = 5. Another important feature of XOR is that XORing a number with itself always gives zero, that is, 3 XOR 3 = 0.

These were the most important logical functions in ASM. To check what we have learned, we will do one task. We will write ASM code that adds two numbers, XORs the result with 7, logically ANDs it with 4, negates it, logically ORs the obtained value with 5, and finally negates the obtained value.

Solution:

MOV EAX, 2
MOV ECX, 3
ADD EAX, ECX
XOR EAX, 7
AND EAX, 4
NOT EAX
OR EAX, 5
NOT EAX

The solution of this expression is NOT ((NOT ((2 + 3) XOR 7) AND 4) OR 5) = 0. Of course, you may have noticed that the double negation cancels out here and there is no need to put it into the algorithm.
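As an added example, not code from the book, here is the same material in C: the four logical instructions on the book's operands, the worked task run on real 32-bit values, and the XOR round trip that is the "reversibility" the text describes. Function names (asm_and, logical_task, xor_buffer, xor_roundtrip_ok) and the sample string are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the book: the four logical instructions
 * applied to the book's operands, the worked task run on real 32-bit
 * values, and the XOR round trip behind "reversibility". Function names
 * are this example's own. */

uint32_t asm_and(uint32_t eax, uint32_t ecx) { return eax & ecx; }
uint32_t asm_or (uint32_t eax, uint32_t ecx) { return eax | ecx; }
uint32_t asm_xor(uint32_t eax, uint32_t ecx) { return eax ^ ecx; }
/* NOT inverts all 32 bits: NOT 3 is 0xFFFFFFFC, whose low nibble is the
 * 1100 (12) shown in the book's four-bit table. */
uint32_t asm_not(uint32_t eax)               { return ~eax; }

/* The worked task: NOT((NOT((2 + 3) XOR 7) AND 4) OR 5) in 32 bits. */
uint32_t logical_task(void)
{
    uint32_t eax = 2, ecx = 3;    /* MOV EAX, 2 / MOV ECX, 3    */
    eax = eax + ecx;              /* ADD EAX, ECX -> 5          */
    eax = asm_xor(eax, 7);        /* XOR EAX, 7   -> 2          */
    eax = asm_and(eax, 4);        /* AND EAX, 4   -> 0          */
    eax = asm_not(eax);           /* NOT EAX      -> FFFFFFFF   */
    eax = asm_or(eax, 5);         /* OR EAX, 5    -> FFFFFFFF   */
    eax = asm_not(eax);           /* NOT EAX      -> 0          */
    return eax;
}

/* XOR with a key applied to every byte of a buffer. Because x XOR k XOR k
 * is x, the same loop both obscures a string and recovers it; a routine
 * like this with a fixed key is what the text calls XOR encryption. */
void xor_buffer(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Round-trips a constructed sample through xor_buffer with the task's key
 * value 7. Returns 1 when the first pass changed the data and the second
 * pass restored it exactly. */
int xor_roundtrip_ok(void)
{
    const uint8_t original[] = "Ap0x";    /* constructed sample text */
    uint8_t work[sizeof original];
    for (size_t i = 0; i < sizeof original; i++)
        work[i] = original[i];

    xor_buffer(work, 4, 7);               /* 'A' ^ 7 = 'F', and so on */
    int changed = work[0] != original[0];

    xor_buffer(work, 4, 7);               /* same key again: back to "Ap0x" */
    for (size_t i = 0; i < 4; i++)
        if (work[i] != original[i])
            return 0;
    return changed;
}

int main(void)
{
    printf("3 AND 5 = %u, 3 OR 5 = %u, 3 XOR 5 = %u, NOT 3 = %08X\n",
           asm_and(3, 5), asm_or(3, 5), asm_xor(3, 5), asm_not(3));
    printf("worked task = %u, xor round trip ok = %d\n",
           logical_task(), xor_roundtrip_ok());
    return 0;
}
```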

LEA - a mathematical command in ASM. It is used as a mathematical operator that performs several operations at once. In ASM it looks like this:

LEA EAX, DWORD PTR DS:[ECX*4+6]

After this command executes, the result is placed in EAX: EAX will be equal to ECX * 4 + 6. Of course, the usual order of mathematical operations is respected here, so the multiplication is performed first and then the addition.

SHL / SHR - binary commands used to shift the bits of a register to the left or right. In ASM such a command looks like this:

SHR AL, 3

So the SHR / SHL commands have two parameters: the destination, the register on which the operation is applied, and a count that tells us how far the binary value of the AL register is to be shifted. In practice, if AL contained the binary value 01011011, executing the command above would go like this:

01011011 - original content of AL
00101101 - AL shifted one position to the right
00010110 - AL shifted right by another position
00001011 - AL shifted right by another position

All bits that are shifted past the end of the physical size of the register are pushed out. The last bit pushed out is recorded in the carry flag. Of course, this operation can be applied to 8-bit, 16-bit and 32-bit registers.

ROL / ROR - binary commands used to rotate the bits of a register to the left or right. In ASM such a command looks like this:

ROL AL, 3

So the ROL / ROR commands also have two parameters: the destination, the register on which the operation is applied, and a count that tells us how far the binary value of the AL register is to be rotated. In practice, if AL contained the binary value 01011011, executing the command above would go like this:

01011011xxx - original content of AL
x01011011xx - AL moved one position to the right
xx01011011x - AL moved right by another position
xxx01011011 - AL moved right by another position
11001011 - final appearance after the rotation

As you can see, rotation is similar to shifting, with the difference that the bits pushed out come back in at the beginning of the register, rotated to the left (ROL) or right (ROR) side.
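The following added example in C, not code from the book, models LEA's address arithmetic and the 8-bit shift and rotate instructions on the book's value 01011011, including the carry flag a shift leaves behind. It computes both ROL and ROR by 3 so the figure above can be checked against the actual instruction semantics. All names (lea_ecx4_plus6, shr8, shr8_carry, rol8, ror8) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the book: models the LEA address
 * arithmetic and the 8-bit shift and rotate instructions described
 * above, including the carry flag that a shift leaves behind and the
 * fact that a rotate loses nothing. All names are this example's own. */

/* LEA EAX, DWORD PTR DS:[ECX*4+6]: the address expression is evaluated
 * (multiply first, then add) and the result goes to EAX. No memory is read
 * and no flags change, which is why compilers use it as a cheap multiply. */
uint32_t lea_ecx4_plus6(uint32_t ecx)
{
    return ecx * 4 + 6;
}

/* SHR AL, n with n in 1..7: the low n bits are pushed out to the right and
 * lost, except the last one pushed out, which lands in the carry flag.
 * A count of 0 leaves AL alone (and the CPU leaves CF alone too). */
uint8_t shr8(uint8_t al, unsigned n)
{
    return n ? (uint8_t)(al >> n) : al;
}

int shr8_carry(uint8_t al, unsigned n)   /* CF after SHR AL, n; -1 = unchanged */
{
    return n ? (int)((al >> (n - 1)) & 1) : -1;
}

/* SHL AL, n: the same thing leftwards; the last bit pushed out the top
 * goes into CF and zeros enter from the right. */
uint8_t shl8(uint8_t al, unsigned n)
{
    return n ? (uint8_t)(al << n) : al;
}

int shl8_carry(uint8_t al, unsigned n)
{
    return n ? (int)((al >> (8 - n)) & 1) : -1;
}

/* ROL AL, n / ROR AL, n: bits leaving one end re-enter at the other, so
 * rotating by n one way and then n the other way restores the byte.
 * Rotating an 8-bit value by 8 changes nothing, so the count is reduced
 * modulo 8 here. */
uint8_t rol8(uint8_t al, unsigned n)
{
    n &= 7;
    return (uint8_t)((al << n) | (al >> ((8 - n) & 7)));
}

uint8_t ror8(uint8_t al, unsigned n)
{
    n &= 7;
    return (uint8_t)((al >> n) | (al << ((8 - n) & 7)));
}

/* Prints an 8-bit value as the text does, most significant bit first. */
void print_bits(const char *label, uint8_t v)
{
    printf("%s: ", label);
    for (int i = 7; i >= 0; i--)
        putchar((v >> i) & 1 ? '1' : '0');
    putchar('\n');
}

int main(void)
{
    uint8_t al = 0x5B;                     /* 01011011, the text's value */
    print_bits("AL        ", al);
    print_bits("SHR AL, 3 ", shr8(al, 3));
    print_bits("ROL AL, 3 ", rol8(al, 3));
    print_bits("ROR AL, 3 ", ror8(al, 3));
    printf("CF after SHR AL, 3: %d\n", shr8_carry(al, 3));
    printf("LEA with ECX = 5: %u\n", lea_ecx4_plus6(5));
    return 0;
}
```

For the book's input, SHR AL, 3 gives 00001011 with CF = 0 (the three bits pushed out were 1, 1, 0 in that order), ROL AL, 3 gives 11011010 and ROR AL, 3 gives 01101011; rotating back by 3 restores 01011011, which a shift cannot do.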

Now we have learned most of the standard ASM commands you will meet when reversing applications, but this does not mean we are done with ASM; on the contrary, the interesting things about ASM programs are only beginning.

ASM for Crackers - Part II

So far you have learned how to use the basic mathematical ASM commands; now it is time to learn how jumps, comparisons and similar things are used in ASM programming.

Zero Flag - a single-bit memory location that can hold only two values, 0 or 1. Why is the zero flag used? Because there are ASM commands that compare two values, and as the result of that comparison the zero flag is set, which decides whether a certain command executes or not. This will certainly become clearer when you get to the part that explains conditional jumps.

CMP - the basic command used to compare two numeric values. The comparison can be made between two registers or between a register and a number. The two cases look like this in ASM:

CMP EAX, EBX
CMP EAX, 1

In the first case the content of EAX is compared with EBX. If EAX and EBX are equal, the zero flag will be set to 1, and if not, the zero flag will be 0. CMP is the equivalent of the IF command in various languages.

TEST - an advanced command used to compare two numeric values. The comparison is done by logically ANDing the registers with each other; the result is not recorded in either register, only the zero flag is set on the basis of it. The ASM command has the form:

TEST EAX, EAX

Of course, as with CMP, registers can be compared with each other or a register with a number. In the example I gave, if EAX is 0 then the zero flag will be 1, and if EAX is, say, 1 (any non-zero value) then the zero flag will be 0. This is important because the majority of serial number checks are based on comparing the EAX register with itself.

JMP - one of many variants of the same command for conditional / unconditional jumps. These jumps move execution through the code from one virtual address to another. They mostly follow the comparison commands above that compare registers and numbers. An example of an unconditional jump, a command that always executes, is:

JMP 00401000

After this ASM command executes, the program continues execution from the address 00401000. This jump is called unconditional because it does not matter what value the zero flag has; the jump is taken regardless of any flag or register and is always performed. There are many variations of jumps that depend on the zero flag. The JMP commands that depend on the value of the zero flag (that is, whose value decides whether the jump is performed or not) are called conditional jumps. Examples of conditional jumps are JE (jump if the zero flag equals 1) and JNE (jump if the zero flag equals 0). A list of all varieties of ASM jumps:

Hex         Asm         Meaning
75 or 0F85  JNE / JNZ   jump if not equal
74 or 0F84  JE          jump if equal
EB          JMP         unconditional jump
77 or 0F87  JA          jump if above
0F86        JNA         jump if not above
0F83        JAE         jump if above or equal
0F82        JNAE        jump if not above or equal
0F82        JB          jump if below
0F83        JNB         jump if not below
0F86        JBE         jump if below or equal
0F87        JNBE        jump if not below or equal
0F8F        JG          jump if greater
0F8E        JNG         jump if not greater
0F8D        JGE         jump if greater or equal
0F8C        JNGE        jump if not greater or equal
0F8C        JL          jump if less
0F8D        JNL         jump if not less
0F8E        JLE         jump if less or equal
0F8F        JNLE        jump if not less or equal
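As an added example, not code from the book, here is a C model of the flags that CMP and TEST set and of the conditions the table above lists. It makes visible something the table only hints at: the "above/below" jumps test an unsigned comparison (carry flag) while "greater/less" test a signed one (sign and overflow flags), so the same CMP can send JA and JG different ways. All names (flags_t, x86_cmp, x86_test, the ja/jg helpers) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the book: a model of the flags CMP and
 * TEST set, and of the conditions the jump table tests, so the difference
 * between "above/below" (unsigned) and "greater/less" (signed) can be
 * seen on real values. Names are this example's own. */
typedef struct { int zf, cf, sf, of; } flags_t;

/* CMP a, b computes a - b and discards the result, keeping only flags. */
flags_t x86_cmp(uint32_t a, uint32_t b)
{
    flags_t f;
    uint32_t r = a - b;
    f.zf = (r == 0);
    f.cf = (a < b);                              /* unsigned borrow */
    f.sf = (r >> 31) & 1;
    /* signed overflow: operand signs differ and the result's sign is not a's */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;
    return f;
}

/* TEST a, b computes a AND b and discards it; CF and OF are cleared.
 * TEST EAX, EAX therefore sets ZF exactly when EAX is zero. */
flags_t x86_test(uint32_t a, uint32_t b)
{
    flags_t f;
    uint32_t r = a & b;
    f.zf = (r == 0);
    f.cf = 0;
    f.sf = (r >> 31) & 1;
    f.of = 0;
    return f;
}

/* Conditions from the jump table, as the CPU evaluates them. */
int je (flags_t f) { return f.zf; }
int jne(flags_t f) { return !f.zf; }
int ja (flags_t f) { return !f.cf && !f.zf; }         /* unsigned >  */
int jae(flags_t f) { return !f.cf; }                  /* unsigned >= */
int jb (flags_t f) { return f.cf; }                   /* unsigned <  */
int jbe(flags_t f) { return f.cf || f.zf; }           /* unsigned <= */
int jg (flags_t f) { return !f.zf && f.sf == f.of; }  /* signed >    */
int jge(flags_t f) { return f.sf == f.of; }           /* signed >=   */
int jl (flags_t f) { return f.sf != f.of; }           /* signed <    */
int jle(flags_t f) { return f.zf || f.sf != f.of; }   /* signed <=   */

/* The classic trap: 0xFFFFFFFF is -1 when signed but 4294967295 unsigned,
 * so after CMP EAX, 1 with EAX = 0xFFFFFFFF, JA is taken and JG is not.
 * Returns 1 when that is what the model shows. */
int signed_unsigned_differ(void)
{
    flags_t f = x86_cmp(0xFFFFFFFFu, 1);
    return ja(f) && !jg(f) && jl(f) && !jb(f);
}

int main(void)
{
    flags_t f = x86_cmp(0xFFFFFFFFu, 1);
    printf("CMP FFFFFFFF, 1: ZF=%d CF=%d SF=%d OF=%d -> JA %d, JG %d\n",
           f.zf, f.cf, f.sf, f.of, ja(f), jg(f));
    printf("TEST EAX, EAX with EAX = 0: ZF=%d\n", x86_test(0, 0).zf);
    return 0;
}
```

When reading a serial check, the pair CMP / Jcc tells you which comparison the author meant: a JB after a length check treats the length as unsigned, a JL treats it as signed, and a value such as 0xFFFFFFFF passes one and fails the other.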

Since we have learned how so-called program branching is done in ASM, we will use the knowledge acquired so far to solve a couple of simple mathematical tasks. We will write a program that calculates the area of a triangle from two entered parameters, a side and the height. If the area of the triangle is less than or equal to 6, we add 3 to the calculated value of the area, after which, in either case, we subtract one from the result. The area of a triangle is calculated by the formula: P = (a * h) / 2

Solution:

MOV EAX, 3
MOV ECX, 4
XOR EDX, EDX
IMUL EAX, ECX
MOV ECX, 2
DIV ECX
CMP EAX, 6
JLE three
JMP end
three:
ADD EAX, 3
end:
DEC EAX

In case you do not understand what is going on in the program, I will explain it in C and mathematically. This is what it would look like in C++:

#include <iostream>
#include <cstdio>
using namespace std;

int main(int argc, char *argv[])
{
    int eax;                          // integer variable definition
    int ecx;                          // integer variable definition
    int edx;                          // integer variable definition
    printf("Enter the base of the triangle: ");
    cin >> eax;                       // read EAX from the console
    printf("Enter the height: ");
    cin >> ecx;                       // read ECX from the console
    edx = 0;                          // EDX = 0
    eax = eax * ecx;                  // EAX = EAX * ECX
    ecx = 2;                          // ECX = 2
    eax = eax / ecx;                  // EAX = EAX / ECX
    if (eax <= 6) {                   // if EAX <= 6
        eax = eax + 3;                // then EAX = EAX + 3
    }                                 // end of the if condition
    eax = eax - 1;                    // EAX = EAX - 1
    printf("result ");                // print the result on screen
    printf("%i", eax);
    return 0;
}

The mathematical solution of this task would be:

EAX = 3
ECX = 4
EDX = 0
EAX = EAX * ECX
ECX = 2
EAX = EAX / ECX
If EAX <= 6 then EAX = EAX + 3
EAX = EAX - 1

As you can see from this C++ source, the ASM JMP commands appear in the places where C++, and other programming languages too, have a conditional IF clause. Programs without comparisons, or programs without conditional jumps, are unimaginable. You will not find such targets in reversing practice, so it is extremely important to know how jumps are performed ...

ASM for Crackers - Part III

By now you have learned how to use the basic mathematical operations in ASM, how to do program branching, ... Now we will learn how the stack is used.

STACK - a part of memory used for temporarily holding data. This data is usually used for the needs of the various functions contained in the PE file. The stack should be thought of as a pile of plates stacked one on top of another. The plates are arranged so that plate number 1 is at the top of the pile and the last plate is at the bottom. This means that data is sent to the stack in reverse order: the last parameter is passed first, and only at the end is the first one passed. It is the same as stacking a pile of plates one on another: we put down the last plate first and slowly stack the plates one on another until we get to the first plate. The ASM command used to send data to the stack is PUSH. In case this is not clear, I will give a brief example:

The Windows API function GetDlgItemText requires the following parameters:

(1) handle of the dialog box
(2) identifier of the control from which the text is read
(3) address at which the text is stored
(4) maximum length of the text

So reading the text looks like this in ASM:

MOV EDI, ESP          ; the dialog box handle is placed in EDI
PUSH 00000100         ; PUSH (4) maximum length of the text
PUSH 00406130         ; PUSH (3) address at which the text is stored
PUSH 00000405         ; PUSH (2) identifier of the control
PUSH EDI              ; PUSH (1) handle of the dialog box
CALL GetDlgItemText   ; call the function that returns the text

I think the example is clear. If the part about the handle bothers you, simply ignore it; what matters is to understand that every function with input parameters is preceded by ASM PUSH commands, and that the parameters are passed in reverse order. As you can see from the example, the PUSH command has only one parameter, which can be either a number or a register.

CALL - surely you have wondered what the ASM function I mentioned at the end of the stack section is. CALLs are internal sub-functions: separate entities of code responsible for performing some operation. These functions may, but need not, have input parameters, on the basis of which the calculation inside the function is done. If a function has input parameters, PUSH commands will precede the CALL, and if the function has no input parameters, no PUSH commands will precede the CALL. To understand the difference between a CALL with input parameters and one without, I will write out two general CALL functions:

The case without input parameters:

...
00403200:  CALL 00401001
00403209:  DEC EAX
...
00401001:  INC EAX
00401002:  ... other ASM operations
00401100:  RET
...

As you can see in the example, no PUSH command precedes the CALL, from which we conclude that the CALL at 00403200 has no input parameters. You certainly noticed that the first command at the CALL target, 00401001, is INC EAX. This command, and all the other commands inside the CALL, are arbitrary and can be used for anything. What is certain is what the RET command at the end of the CALL is for. Just as there must be a first command at the beginning of the sequence of commands in a CALL, there must be a last command in the CALL that returns the program from the CALL and continues execution. There are many variations of this command, such as RET 4, RET 10 and similar, but all of them perform one and the same operation: return from the CALL.

How is the written command performed? Simply: first the CALL in question is called, after which all the commands in it are executed, ending with the RET command. After this the program returns from executing the CALL and continues from the address 00403209, that is, it executes the command DEC EAX.

The case with input parameters:

...
00403198:  PUSH EAX
00403199:  PUSH EBX
00403200:  CALL 00401001
00403209:  DEC EAX
...
00401001:  PUSH EAX
00401002:  PUSH EBX
00401003:  ... other ASM operations
00401090:  POP EBX
00401092:  POP EAX
00401100:  RET
...

As can be seen in the example, two PUSH commands precede the CALL, which means that the function has two input parameters. These input parameters are temporarily located on the stack. You will notice that the function's parameters are passed in reverse order: first EAX is passed, then EBX. Of course, this only illustrates how parameters are passed to a function; in reality the order of the registers is not important, what matters is the order in which they are sent to the STACK. Inside the CALL it is the same as in the previous example, but at the end of the CALL you will notice new POP commands. What are POP commands? POPs are needed because, if data is sent to the STACK at the beginning of the function, at its end all the entered parameters must be removed from the STACK with the POP command. So the POP command serves to take parameters off the stack. Notice that the parameters are removed from the STACK in the reverse order of their entry. Think of it as a mirror image of the registers. And at the very end, after the CALL has executed, the program continues executing code from the first address below the CALL, that is, from 00403209, the DEC EAX command.

Now that we have learned how to use the PUSH, CALL, POP and RET commands, it is time to write a program. We will write a program that multiplies two numbers in one CALL and returns the product.

Solution:

MOV EAX, 3
MOV EBX, 4
PUSH ECX
PUSH EAX
CALL multiplication
RET

multiplication:
PUSH ECX
PUSH EAX
IMUL EAX, EBX
MOV EDX, EAX
POP EAX
POP ECX
MOV EAX, EDX
RET

I think everyone understands why this CALL is written the way it is. It is only important to note a few details. First and foremost, the same PUSH commands appear both in front of the CALL and inside the CALL. Second, the POP commands are applied in the reverse order of the PUSH commands. Third, the result is placed temporarily in EDX, and only after the POP EAX command is it moved back into EAX. Why? Because the POP EAX command will return the value 3 into EAX and the result of the multiplication would be lost. Therefore, only after the execution of POP EAX is EAX given its proper value. When the CALL finally finishes, EAX will contain the product, and the next command to be executed after leaving the CALL is the other RET command.

Of course there are many kinds of CALL, but this is a general example from which the purpose of a CALL, and how values are returned from a CALL, can be understood.
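The following added example in C, not code from the book, models ESP and a 32-bit stack with PUSH, POP, CALL and RET behaving as on x86, and runs the book's multiplication CALL on that model. Besides the product, it checks the property a reverser relies on when reading a RET: after a balanced CALL, ESP is back where it started, EIP is the instruction after the CALL, and the registers the routine saved still hold their old values. All names (machine_t, push, pop, call, ret, run_caller) and the two addresses are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the book: a small model of ESP and a
 * 32-bit stack with PUSH, POP, CALL and RET behaving as on x86 (ESP moves
 * down by 4 on a push; CALL pushes the return address; RET pops it into
 * EIP). The book's "multiplication" CALL is then run on the model. All
 * names are this example's own; the two addresses are constructed. */
#define STACK_WORDS 64
#define RETURN_ADDR 0x00403209u   /* constructed: instruction after the CALL */
#define CALL_TARGET 0x00401001u   /* constructed: start of "multiplication" */

typedef struct {
    uint32_t eax, ebx, ecx, edx;
    uint32_t esp;                 /* byte offset into stack[]; grows down */
    uint32_t eip;                 /* records where CALL/RET transferred to */
    uint32_t stack[STACK_WORDS];
} machine_t;

void push(machine_t *m, uint32_t v) { m->esp -= 4; m->stack[m->esp / 4] = v; }
uint32_t pop(machine_t *m) { uint32_t v = m->stack[m->esp / 4]; m->esp += 4; return v; }

/* CALL: push the address of the next instruction, then jump. */
void call(machine_t *m, uint32_t next_instr, uint32_t target)
{
    push(m, next_instr);
    m->eip = target;
}

/* RET: pop the saved address back into EIP. The "RET n" variants the text
 * mentions additionally add n to ESP to discard arguments; not modelled. */
void ret(machine_t *m) { m->eip = pop(m); }

/* Body of the book's "multiplication" CALL. ECX and EAX are saved, EAX is
 * multiplied, the product is parked in EDX, the saved registers come back,
 * and only then is the product moved into EAX, so the POP EAX cannot
 * overwrite it. */
void multiplication(machine_t *m)
{
    push(m, m->ecx);              /* PUSH ECX      */
    push(m, m->eax);              /* PUSH EAX      */
    m->eax = m->eax * m->ebx;     /* IMUL EAX, EBX */
    m->edx = m->eax;              /* MOV EDX, EAX  */
    m->eax = pop(m);              /* POP EAX       */
    m->ecx = pop(m);              /* POP ECX       */
    m->eax = m->edx;              /* MOV EAX, EDX  */
    ret(m);                       /* RET           */
}

/* Caller side: MOV EAX, 3 / MOV EBX, 4 / CALL multiplication. The two
 * PUSHes the book places before its CALL are left out here: nothing pops
 * them, so the RET that follows the CALL would pop the pushed EAX value
 * as its return address instead of the real one. */
machine_t run_caller(void)
{
    machine_t m = {0};
    m.esp = STACK_WORDS * 4;
    m.eax = 3;                    /* MOV EAX, 3 */
    m.ebx = 4;                    /* MOV EBX, 4 */
    m.ecx = 0x11111111;           /* constructed value, to show it survives */
    call(&m, RETURN_ADDR, CALL_TARGET);
    multiplication(&m);           /* execution is now at CALL_TARGET */
    return m;
}

uint32_t caller_result(void) { return run_caller().eax; }

/* 1 when, after the CALL/RET pair, ESP is back at its starting value, EIP
 * is the instruction after the CALL and ECX still holds its old value. */
int caller_balanced(void)
{
    machine_t m = run_caller();
    return m.esp == STACK_WORDS * 4 && m.eip == RETURN_ADDR
        && m.ecx == 0x11111111;
}

int main(void)
{
    printf("EAX after CALL multiplication = %u, balanced = %d\n",
           caller_result(), caller_balanced());
    return 0;
}
```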

ASM for Crackers - Part IV

The last chapter on ASM basics is intended to explain strings and memory access in ASM.

Strings - are sequences of ASCII characters which together form a sentence or a word. The length of a string can be arbitrary, but what is characteristic of strings is that every string must end with the same byte, 00h. Since this byte is not a letter, strings are easily distinguished from ordinary code. For example, here is a string:

00403040  59 6F 75 72              Your
00403048  20 6E 61 6D 65 20 6D 75   name mu
00403050  73 74 20 62 65 20 61 74  st be at
00403058  20 6C 65 61 73 74 20 66   least f
00403060  69 76 65 20 63 68 61 72  ive char
00403068  61 63 74 65 72 73 20 6C  acters l
00403070  6F 6E 67 21 00           ong!.

As can be seen, each character of the string has its own address, but the address of the whole string is the address of its first letter. When a string that begins at address 00403040 is read, it is read from the first byte all the way to the last, 00, byte. We conclude that strings are all the text messages in a program.

Memory - from ASM it is very easy to access all the addresses of the exe that is currently executing. There are many commands and variations of them, so I will mention only the most commonly used ones. There are two types of memory manipulation:

1) manipulation of a single byte
2) manipulation of a series of bytes

BYTE PTR - first I will explain how to use a command that behaves as a reference to a given byte. For this only one command is used, in the form:

BYTE PTR DS:[RVA address]

In it everything is constant except the RVA address, which can be either an address or a register. Since this is only part of a command, it can be used with all other commands that have one or two parameters. This means that BYTE PTR can be used with MOV, XOR, ADD, IMUL ...

DWORD PTR - unlike the previous command, this one is used to access a number of bytes. For this only one command is used, in the form:

DWORD PTR DS:[RVA address]

In it everything is constant except the RVA address, which can be either an address or a register. Since this is only part of a command, it can be used with all other commands that have one or two parameters. What is very important to know is that if you use the DWORD PTR command in the form:

MOV DWORD PTR [EAX], 019EB

you must bear in mind that the bytes will be recorded at location EAX in reverse order. That is, to record 19 EB at location EAX the command is written with the value 019EB, but in memory the bytes appear in reverse order: EB, then 19, and then the zeros. Note that I am not looking at the values of the bytes, only their order. Of course, this is not the case with the BYTE PTR command, because it applies to one byte only.

Let us analyze one example so that we understand this memory manipulation.

00401154  8A 10   MOV DL, BYTE PTR DS:[EAX]
00401156  2A D1   SUB DL, CL
00401158  38 13   CMP BYTE PTR DS:[EBX], DL
0040115A  75 18   JNZ 00401174
0040115C  40      INC EAX
0040115D  43      INC EBX
0040115E  E2 F4   LOOPD 00401154

Let us say that EAX holds the address where the string 'Ap0x' is, of course without the quotes. Since the command at 00401154 places only one byte in the DL register, we see that this is a single-byte case. You will also notice that the EAX register constantly increases by one, using the INC EAX command. This means that on every pass of the loop one letter from our string is put into the DL register, until all the letters in the string have been used. When this happens the program continues to execute the code located below the address 0040115E.
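As an added example, not code from the book, the two points of this section in C: what MOV DWORD PTR [EAX], 019EB actually leaves in memory, and a model of the byte loop above that walks a string one BYTE PTR at a time. The model adds a length bound the loop does not have, because a string that has lost its 00h terminator would otherwise be read past its end, which is the kind of out-of-bounds read worth noticing in such loops. Names (store_dword_le, load_dword_le, compare_transformed, sample_check) and the sample strings are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the book: what MOV DWORD PTR [EAX], 019EB
 * leaves in memory, and a C model of the byte loop above that walks a
 * string one BYTE PTR at a time. Names are this example's own. */

/* MOV DWORD PTR [EAX], 019EB: x86 is little-endian, so the least
 * significant byte is stored first. Writes 4 bytes at dst and returns the
 * byte at dst[0]. */
uint8_t store_dword_le(uint8_t *dst, uint32_t value)
{
    dst[0] = (uint8_t)(value);         /* EB */
    dst[1] = (uint8_t)(value >> 8);    /* 19 */
    dst[2] = (uint8_t)(value >> 16);   /* 00 */
    dst[3] = (uint8_t)(value >> 24);   /* 00 */
    return dst[0];
}

/* Reads the DWORD back, which is what MOV EAX, DWORD PTR [EAX] does. */
uint32_t load_dword_le(const uint8_t *src)
{
    return (uint32_t)src[0] | ((uint32_t)src[1] << 8)
         | ((uint32_t)src[2] << 16) | ((uint32_t)src[3] << 24);
}

/* Stores 019EB at a constructed 4-byte location and checks the byte order
 * the text describes: EB 19 00 00. Returns 1 when that is what is found. */
int little_endian_demo(void)
{
    uint8_t mem[4] = {0, 0, 0, 0};        /* the four bytes at [EAX] */
    store_dword_le(mem, 0x19EB);
    return mem[0] == 0xEB && mem[1] == 0x19 && mem[2] == 0x00
        && mem[3] == 0x00 && load_dword_le(mem) == 0x19EB;
}

/* Model of the loop at 00401154: DL = BYTE PTR [EAX]; DL -= CL; compare
 * with BYTE PTR [EBX]; advance both pointers. It checks whether every byte
 * of `entered` minus `key` matches the stored `expected` bytes, stopping
 * at the 00h terminator. The max_len bound is this example's addition so
 * that an unterminated string cannot be read past its end. Returns 1 on a
 * full match, 0 otherwise. */
int compare_transformed(const uint8_t *entered, const uint8_t *expected,
                        uint8_t key, size_t max_len)
{
    for (size_t i = 0; i < max_len; i++) {
        uint8_t dl = entered[i];             /* MOV DL, BYTE PTR DS:[EAX] */
        if (dl == 0)                         /* end of string: 00h byte   */
            return expected[i] == 0;
        dl = (uint8_t)(dl - key);            /* SUB DL, CL                */
        if (expected[i] != dl)               /* CMP BYTE PTR [EBX], DL / JNZ */
            return 0;
    }                                        /* INC EAX / INC EBX / loop  */
    return 0;                                /* no terminator within bound */
}

/* Constructed sample: the name "Ap0x" with key 1 becomes "@o/w". */
int sample_check(void)
{
    const uint8_t entered[]  = "Ap0x";
    const uint8_t expected[] = "@o/w";
    return compare_transformed(entered, expected, 1, sizeof entered);
}

int main(void)
{
    printf("little-endian store/load ok: %d\n", little_endian_demo());
    printf("'Ap0x' - 1 matches \"@o/w\": %d\n", sample_check());
    return 0;
}
```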

Why is understanding memory manipulation important? Because with direct access from ASM code to the exe file, pieces of code can be edited, a program can check polymorphically whether it has been modified, functions can be made whose execution depends on the content of the code, and so on. But even if you only want to deal with strings and reversing, memory manipulation matters, because most algorithms used to check serial numbers are based on accessing the whole or parts of the entered string data. This data can be the name, the serial number ... so the * PTR commands are essential for a reverser ...

ASM for Crackers - Part V

So far we have met the standard commands used to manipulate the registers; now we will broaden our horizons and you will learn what the FPU registers are and how they are used.

First: "What are the FPU registers?" They are the part of the processor that handles floating point numbers. Unlike the 32-bit registers (EAX, EBX, ...), these numbers are represented in decimal form. It is extremely important to know that the 32-bit registers are shown in hexadecimal form, while the FPU registers are shown in decimal. Regardless of this difference, the FPU registers have a lot in common with the 32-bit registers.

The first similarity is that, as with the 32-bit registers, the FPU registers are memory locations that can hold numbers over which mathematical operations can later be executed. Where the memory locations of the 32-bit registers were called EAX, EBX, ..., the FPU locations are called ST0, ST1, ST2, ... ST7. They can be seen in Olly in the same area as the 32-bit registers, provided the title of that window is set to Registers (FPU), which is done by clicking on the name of that part of the window. The difference between these two types of registers is in the size of the number they can hold. 32-bit registers can take values from 00000000 to FFFFFFFF, while FPU registers can hold much larger numbers.

The next similarity between the two types of registers is that similar mathematical operations can be performed on both. Let us start with the easiest:

Basic math operands

Initialize FPU - FINIT is the basic command used to announce to the processor that a series of commands accessing the FPU registers follows. Although this command is optional, and is used to directly set the initial FPU flags, it can be omitted and the FPU registers can be accessed without it.

Assigning values - the basic FPU command used to assign a value to one of the variables (ST0, ST1, ...) whose names are fixed. The command looks like this:

FLD source - load a REAL variable [e.g. 1.22 or 1.44 ...]
FILD source - load an INTEGER variable [a whole number, e.g. 1, 2]

where FLD is the command and source is the location from which the sequence of bytes is read; it is turned into a real value and placed, by default, in the first available memory slot, which in this case is ST0. Of course, if you execute another FLD, ST1 will receive a new value too. An example of these commands in practice would be:

FLD TBYTE PTR DS:[403197]

The meaning of the command is: transfer the TBYTE (ten bytes) from address 00403197 into the ST0 register. A TBYTE is a form similar to a DWORD but larger, because the sequence of bytes is longer than four.

Addition - the basic mathematical FPU command used to add two variables. For example ST0 and ST1 can be added so that ST0 holds the result of the addition. The commands used for this are:

FADD destination, source - add REAL variables
FIADD destination, source - add an INTEGER variable [source]

An example of using this command would be:

FADD ST(0), ST(1)

which puts the result of adding the registers ST0 and ST1 into the ST0 register. If FIADD is used instead of FADD, the source parameter is first converted into an extended real and then added to ST0.

Subtraction - the basic mathematical FPU command used to subtract two variables. For example, ST1 can be subtracted from ST0 so that ST0 holds the result of the subtraction. The commands used for this are:

FSUB destination, source - subtract REAL variables
FISUB destination, source - subtract an INTEGER variable [source]

An example of using this command would be:

FSUB ST(0), ST(1)

which puts the result ST0 - ST1 into the ST0 register. If FISUB is used instead of FSUB, the source parameter is first converted to an extended real and then subtracted from the destination parameter.

Multiplication - the basic mathematical FPU command used to multiply two variables. For example, ST0 and ST1 can be multiplied so that ST0 holds the product. The commands used for this are FMUL and FIMUL.

An example of using this command would be:

FMUL ST(0), ST(1)

and its result would be ST0 = ST0 * ST1. If FIMUL is used instead of FMUL, the second parameter is first converted into an extended real and then multiplied with ST0.

Division - the basic mathematical FPU command used to divide two variables. For example, ST0 and ST1 can be divided so that ST0 holds the quotient. The commands used for this are FDIV and FIDIV.

An example of using this command would be:

FDIV ST(0), ST(1)

and its result would be ST0 = ST0 / ST1. If FIDIV is used instead of FDIV, the second parameter is first converted into an extended real and then ST0 is divided by it.

Square root - a mathematical operation whose result is the number which, multiplied by itself, gives the number the root was taken from. So if 5 * 5 = 25, the square root of 25 is 5. In ASM this operation is invoked with one parameter that is both the destination and the source. The command is called FSQRT.

Absolute value - a mathematical operation that maps negative values to their positive image. This means that after applying this operation to any number, the number will always have a positive value. So if the number was -1.22, after applying this command to it the result will be 1.22. The command is called FABS and can be applied to individual numbers and to FPU registers.

Change sign - the equivalent of multiplying any number by -1. Therefore, if some number or register was negative it becomes positive, and vice versa. The command is called FCHS and takes only one parameter: either a number or an FPU register.

Sine / Cosine - the basic trigonometric commands in ASM; they look like this:

FSIN ST(0)
FCOS ST(0)

So these commands have only one parameter, which is both the source and the destination of the command. Therefore the sine / cosine is calculated on the ST0 register (in this case) and the result is placed by the command in the same register. There is also the combined command FSINCOS.

More operands

No operation - a well-known ASM command used to fill empty space; here it is called FNOP, and it is the functional equivalent of the ASM NOP command we already know.

Test - a well-known ASM command used for the logical comparison of values; it is commonly used in ASM in the form TEST EAX, EAX where, of course, any other register can be used instead of EAX. The result of this ASM command is that the zero flag is set to 1 if EAX equals 0, and vice versa. The FPU equivalent of this command is FTST.

Exchange - a well-known ASM command used to exchange the values of two registers. This command has its FPU equivalent, FXCH. It works as follows:

IF number-of-operands is 1
THEN
    temp <- ST(0);
    ST(0) <- SRC;
    SRC <- temp;
ELSE
    temp <- ST(0);
    ST(0) <- ST(1);
    ST(1) <- temp;

Comparison - a well-known ASM command used to compare two values or two registers. It has its FPU equivalent for comparing integer or real values: if an integer value is compared the command FICOM is used, and if a real value is compared FCOM is used.
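The following added example in C, not code from the book, models the eight FPU data registers as the stack they really are, so the commands of this section can be stepped through. It shows the detail the text glosses over when it says a second FLD gives ST1 a value: FLD pushes, so the value loaded last is always ST(0) and the previous ST(0) slides down to ST(1). Names (fpu_t, st, fld, fstp, fxch, fpu_demo) are this example's own; FSQRT is implemented with Newton's iteration so no math library is needed.

```c
#include <stdio.h>

/* Added example, not code from the book: a model of the eight FPU data
 * registers as the stack they really are. FLD pushes, so the value loaded
 * last is always ST(0) and the previous ST(0) slides down to ST(1); the
 * two-operand FADD/FSUB/FMUL/FDIV forms used in the text write their
 * result to ST(0). long double is used because on x86 compilers it is the
 * 10-byte (TBYTE) extended real the registers hold. Names are this
 * example's own. */
#define FPU_REGS 8

typedef struct {
    long double r[FPU_REGS];
    int top;                  /* live entries; r[top - 1] is ST(0) */
} fpu_t;

long double *st(fpu_t *f, int i) { return &f->r[f->top - 1 - i]; }

void finit(fpu_t *f)              { f->top = 0; }            /* FINIT     */
void fld(fpu_t *f, long double v) { f->r[f->top++] = v; }    /* FLD/FILD  */
long double fstp(fpu_t *f)        { return f->r[--f->top]; } /* FSTP: pop */
void fadd(fpu_t *f) { *st(f, 0) = *st(f, 0) + *st(f, 1); }   /* FADD ST(0),ST(1) */
void fsub(fpu_t *f) { *st(f, 0) = *st(f, 0) - *st(f, 1); }   /* FSUB ST(0),ST(1) */
void fmul(fpu_t *f) { *st(f, 0) = *st(f, 0) * *st(f, 1); }   /* FMUL ST(0),ST(1) */
void fdiv(fpu_t *f) { *st(f, 0) = *st(f, 0) / *st(f, 1); }   /* FDIV ST(0),ST(1) */
void fabs_(fpu_t *f){ if (*st(f, 0) < 0) *st(f, 0) = -*st(f, 0); } /* FABS */
void fchs(fpu_t *f) { *st(f, 0) = -*st(f, 0); }              /* FCHS */
void fxch(fpu_t *f)                                          /* FXCH ST(1) */
{
    long double t = *st(f, 0);
    *st(f, 0) = *st(f, 1);
    *st(f, 1) = t;
}
/* FSQRT replaces ST(0) with its square root; Newton's iteration is used
 * here so the example needs no math library. */
void fsqrt_(fpu_t *f)
{
    long double x = *st(f, 0), g = x > 1 ? x : 1;
    for (int i = 0; i < 60; i++)
        g = (g + x / g) / 2;
    *st(f, 0) = g;
}
/* FTST compares ST(0) with 0.0; 1 when equal, which after FSTSW AX / SAHF
 * shows up as the zero flag the integer comparisons set. */
int ftst_is_zero(fpu_t *f) { return *st(f, 0) == 0.0L; }

/* FLD 1.22 then FLD 1.44: the second load is ST(0) and the first has
 * moved to ST(1). Returns 1 when the model shows exactly that. */
int fld_pushes(void)
{
    fpu_t f;
    finit(&f);
    fld(&f, 1.22L);
    fld(&f, 1.44L);
    return f.top == 2 && *st(&f, 0) == 1.44L && *st(&f, 1) == 1.22L;
}

/* sqrt((25 - 9) / 4), negated and then made absolute, step by step as the
 * FPU would do it. Returns the popped result, 2.0. */
long double fpu_demo(void)
{
    fpu_t f;
    finit(&f);
    fld(&f, 9.0L);      /* FLD 9.0           ST(0)=9            */
    fld(&f, 25.0L);     /* FLD 25.0          ST(0)=25, ST(1)=9  */
    fsub(&f);           /* FSUB ST(0),ST(1)  ST(0)=16, ST(1)=9  */
    fxch(&f);           /* FXCH              ST(0)=9,  ST(1)=16 */
    fstp(&f);           /* FSTP (drop the 9) ST(0)=16           */
    fld(&f, 4.0L);      /* FLD 4.0           ST(0)=4,  ST(1)=16 */
    fxch(&f);           /* FXCH              ST(0)=16, ST(1)=4  */
    fdiv(&f);           /* FDIV ST(0),ST(1)  ST(0)=4            */
    fsqrt_(&f);         /* FSQRT             ST(0)=2            */
    fchs(&f);           /* FCHS              ST(0)=-2           */
    fabs_(&f);          /* FABS              ST(0)=2            */
    return fstp(&f);
}

int main(void)
{
    printf("FLD pushes: %d, demo result: %Lf\n", fld_pushes(), fpu_demo());
    return 0;
}
```

The FXCH / FSTP pairs in fpu_demo are exactly what you see in compiled code around FPU arithmetic: the operand the next instruction needs has to be brought to ST(0) first, which is why the register window in Olly appears to "rotate" as you single-step.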

FPU registers matter for mathematical operations on floating-point numbers, and for computing values larger than the standard integer registers can hold.

Although the FPU registers have their strengths and their uses, they do not turn up often in reversing practice. This short table of the most commonly used FPU instructions is included in the book because you may meet some of them while reversing a crackme and/or some encryption routine.

NOTE: Understanding all of the tables so far, that is the basic ASM instructions, is necessary for reading the rest of the book. If you have not understood everything, or have skipped something, I suggest you go back and read this part of the book again.


Reading this table:

Chapter             Required level     Minimum reading time   Longer estimate
Intro to Cracking   newbie             4 days                 1 week
NAG Screens         newbie             1 day                  1 week
Cracking Serials    newbie             2 days                 1 week
Making Keygens      advanced newbie    1 week                 2 weeks
CD Checking         advanced newbie    1 day                  5 days
Code Hacking        advanced coder     3 days                 1 week
"Getting Caught"    advanced newbie    3 days                 1 week
Cracking it         newbie             2 days                 1 week
Decrypt Me          expert coder       1 week                 3 weeks
Unpacking           advanced newbie    1 week                 3 weeks
Patching            advanced newbie    1 day                  3 days
Nightmare           reverser           1 week                 4 weeks
Tricks of Trade     newbie             1 day                  1 day

(The header of the last column did not survive extraction; its values are consistently longer than the minimum reading time, so it is presumably an upper estimate.)

Download links:

Debugger - OllyDbg v1.10                         http://www.Ollydbg.de
Disassembler - W32Dasm 8.9                       http://www.exetools.com
PE identifier - PEiD 0.93                        http://peid.has.it
Hex editor - Hiew 6.83                           http://www.exetools.com
Resource viewer - Resource Hacker                http://rpi.net.au/~ajohnson/resourcehacker
Import reconstructor - Import REConstructor 1.6  http://www.wasm.ru
Process dumper - LordPE 1.4                      http://y0da.cjb.net

Other tools:

Ap0x Patch Creator RC3 - http://ap0x.headcoders.net
Olly2Table 0.1alfa - http://ap0x.headcoders.net
HexDecChar 0.4alfa - http://ap0x.headcoders.net
The Ape 0.0.6beta - http://ap0x.headcoders.net

Note: these are only some of the tools that will be used in the book. I consider them the basic set, and you should obtain them before reading any further.


Tools of Trade

As with any other activity on a computer, for reverse engineering you need some tools (programs) to get at the information you need quickly and easily. Most of the tools I recommend here can be downloaded freely from the Internet, since they are distributed as freeware. Before I start the list of programs you will have to download, I will explain in a few sentences which tools are needed and what each of them is for.

Debugger - This is the basic tool of every reverser, but also of every programmer who wants to find and remove errors from his code quickly and easily. What a debugger gives us is the ability to follow the execution of our own or somebody else's code exactly as the processor sees it. Yes, that means you have to learn the basics of assembler (machine language) to be able to understand and control the execution of the code. I have already written such a text and published it on the www.EliteSecurity.org site; in this edition of the book it is found on page 9 (this is the supplemented edition), and reading it is necessary for following and understanding the texts in this book more easily.

Disassembler - This is an additional tool alongside the debugger. If the debugger does not give you enough information about the "target", you can use one of the disassemblers to get an easier overview of the information you need. With time you will use these tools less and less, because you will get used to reading assembler code, so they are not strictly required.

PE identifiers - Do not be confused by the name: PE (Portable Executable) files are just ordinary exe files, which may contain some additional code, namely a packer, which usually serves to reduce the size of the exe file. Since there are a large number of such packers and encryptors, special programs are needed to recognize them. Of course this can also be done partly by hand, which you will learn as well.

Hex editors - tools that show us the exact contents of the file on the hard disk, and which are used to modify the file physically, as opposed to changing the code in memory, which the debugger allows us to do.

Resource viewer - serves for reviewing, extracting, changing or adding the resources of an exe. Resources are data embedded in the executable file: images, dialogs, multimedia, strings or other data types. These programs are generally not necessary, but they can make the job easier.

Process dumper - used mainly for unpacking packed PE files; it lets us record a complete "picture" of a running program to the hard disk.

Import reconstructors - programs that serve for fixing undefined or erroneous calls to Windows API functions in a dumped file.


Configuring Tools of Trade


Most of the tools listed above come properly configured already, so we only need to change a few small things to make working with them even easier.

OllyDbg v.1.10

We will set the following options in OllyDbg. Open Olly and go to the debugger configuration menu [Hint: Options -> Debugging options, or Alt+O]. On the Exceptions tab we untick all the ticked options. Next, on the Strings tab we untick Decode Pascal strings and Dump non-printable ASCII codes as dots, and under Mode of string decoding we select the Plain option. On the Disasm tab select MASM as the syntax, and on the CPU tab tick the following: underline fixups, show direction of jumps, show jump path, show grayed path if jump is not taken, and show jumps to selected command.

Next you can adjust the colour scheme, which helps to pick out certain instructions in the disassembled code more easily, such as jumps and calls. Go to Options -> Appearance and there, on the General tab, untick restore window position and appearance. Then, under Defaults, you can choose a theme that suits you. I prefer Black on White as the theme and Christmas tree as the syntax highlighting. You can choose any of them, but in my opinion these two are the clearest. That is all that needs to be configured in Olly.

Note: OllyDbg is just one of many debuggers you can find on the Internet. Among the more popular ones you can also use SoftICE, TRW2000 or a debugger made specifically for a certain type of compiler (programming languages such as Visual Basic, Delphi, .NET etc.), but Olly is the only one that is free, universal and simply the best debugger for both beginners and experienced crackers. I recommend using it because it will be mentioned and used very often later in this book.

W32Dasm++ / W32Dasm 8.93

We set the following option in W32Dasm to ensure the disassembled file is displayed correctly. Click Disassembler -> Font -> Select Font..., choose Courier New from the list of fonts, and then choose the Save Default Font option. Apart from this, W32Dasm has its share of bugs:

1) If W32Dasm will not open a file, move the file to c:\ and open it from there.
2) If W32Dasm hangs in the file dialog, download a newer version.
3) If W32Dasm shows no disassembled code, this means the file is packed with some packer and therefore cannot be disassembled (this is not a bug).


Numega SmartCheck v.6.03

SmartCheck is a special debugger used for debugging programs written in Visual Basic (versions 5 and 6). It is useful because in most cases it presents the data more clearly and more simply than Olly does. So if the program you are trying to "break" is written in Visual Basic, first try SmartCheck and only then the other tools.

Go to Program -> Settings -> Error detection and tick all the checkboxes except Report errors immediately.

Go to Advanced and tick only the following:

- Report errors caused by other errors
- Report errors even if no source code available
- Report each error only once
- Check all heap memory blocks on each function call

Everything else should be unticked; press [OK] and move on.

Go to Reporting: tick everything except Report MouseMove events from OCX, press [OK] and close the configuration menu.

Go to Program -> Event Reporting.

Press the green arrow in the toolbar to start the selected program. This can be any program written in Visual Basic. Then tick only the following menu items:

View -> Arguments...
View -> Sequence Numbers...
View -> Suppressed Errors...
View -> Show Errors and Specific Events
Window -> [2] ... - Program Results

PEiD v.0.93

PEiD is a program we will use quite often throughout this book. As its name says, its main use is to show us information about the "target" we are trying to reverse. This information includes the compiler version and whether the program is packed with some packer and, if so, which one and which version. This program works correctly by default, but we will set a couple of things to make life easier. Start the program and go to Options. There, select Hardcore Scan and Register Shell Extensions. Click Save and the program is successfully configured.


My first crack

Since we have set up the tools we need, we will now move on to using them. Start myCrack.exe, which is in the folder ...\Classes\Cas01. What we see is this message on the screen (figure).

As you can see in the figure, this will be a simple example in which we only remove the first line, so that the program prints only the message that is currently in the second line.

This task may seem complicated to beginners, but with the help of the first couple of tools we will have no trouble solving it quickly and successfully. For this problem we will need only two tools: W32Dasm and Hiew. But before we start cracking I have to explain the basics of cracking.

Cracking is the technique of modifying already compiled (final) exe (and other types of) files. Files are modified at the assembler level, which means it is desirable to know the basic principles by which assembler instructions work. This is not strictly necessary, because we can work out what an assembler instruction does by understanding it logically. The simplest example of this logic: we can conclude what this instruction does: MOV EAX,1. You can probably guess that this instruction is equivalent to the mathematical function EAX = 1. The main instruction we will need for this first lesson is NOP. It is the basic cracker's instruction and means that at the line where it stands, nothing at all happens. The program passes over it and simply does nothing. Why is this important?

When cracking there are instructions we want to change or remove. Since it is undesirable to physically delete parts of a file, because something like that could break the instructions below the deleted one, we use the NOP instruction to "delete" the places we do not need. Of course these places are not physically removed, but the program simply does nothing at the place where the deleted instruction used to be, and carries on. Shown in assembler it looks like this. If we have the following assembler instructions:

MOV EAX,1
INC EAX
ADD EAX,5

we can assume what is going on. Mathematically it looks like this:


EAX = 1
EAX = EAX + 1
EAX = EAX + 5

I think it is clear to everyone what the result in EAX is after executing these three instructions. Let us say that we want the result in EAX at the end of these three instructions to be lower than it is now. We simply prevent the addition of 1 to EAX in the second line and the problem is solved. Now it looks like this:

MOV EAX,1
NOP
ADD EAX,5

As you can see, we simply NOPed the second line, so it is now executed as NOP instead of INC EAX, and the value of EAX does not change after that line is executed.

First, open this "target" in W32Dasm and search for the text we want to remove. When the program is loaded in W32Dasm, use the Find option to search for the text of the message we need to remove: go to Search -> Find Text, enter the text, and click OK. You will see this (figure):

As you can see, the first line below the found text is responsible for displaying the message on the screen. So we conclude that if we NOP only the red line, we remove the message from the screen. WRONG! Here a problem arises: if we NOP only that line we get bugs, and the program will crash because we have modified it incorrectly. The problem lies in the fact that several lines are responsible for displaying the text on the screen. Think of it as a function that has several parameters. For example:

display_text_on_screen(parameter1, parameter2, parameter3, ...)


This function for displaying text on the screen has three parameters that it needs in order to display the text. What we would be doing is taking one argument away from it, which is why the program would crash. The point is that each function must receive a sufficient number of parameters, no more and no fewer than the function requires. In assembler it is convenient that we can see which parameters the function needs. You will notice a couple of PUSH instructions preceding a CALL instruction. These instructions are what I explained in the example above: the PUSH instructions are the parameters of the function, and the CALL is the function itself. It is also important to remember that in assembler (with the usual C calling conventions) the parameters of a function are passed in reverse order: the last parameter is pushed first, and the first parameter is pushed just before the call of the function. This means we must not NOP only the CALL, or only the PUSH instructions; to remove the printing of the message from the screen we have to NOP all the PUSHes and, at the end, the CALL. Notice that the third line below the message we want to remove from the screen is the CALL that serves to display the message. Before it there are not two but three PUSHes: two below the message and one above it. Do not be confused by the fact that there are some other ASM instructions between the PUSH instructions; they do not interest us, we are interested only in the PUSHes and the CALL. Before we start cracking, let me explain the window we are currently looking at in W32Dasm. What we see is this (figure):

The red-framed part of the code shows the virtual addresses of the individual lines of code. Look at these numbers as if they were 1, 2, 3 and so on, the order in which the program executes. In this example the first address from which execution starts, the OEP (original entry point), is 00401000, and all other addresses are increased by a certain number. This number is not always one; in fact it very often is not. It depends directly on the content framed in blue in the picture. These numbers are the instructions written to the file in HEX format. For example, hex 55 is the ASM instruction PUSH EBP. You will notice that these HEX numbers are always written in pairs of two digits. The two-digit HEX numbers are the instructions whose equivalents are framed in green in the picture. For this example it is important to us that the ASM NOP instruction is written in HEX as 90. This means that one 90 is equivalent to one NOP instruction. To NOP one line we must replace all the two-digit HEX numbers of that line with 90. For example, if we delete the instruction at address 004012E0, we will have to replace the contents of that address (83EC0C) with three NOP instructions (909090), because there are three pairs of two-digit numbers in that line. Notice how the addresses increase: you will see that after address 004012C0, for example, comes 004012C3. Logically one would expect 004012C1 after 004012C0, but here it is 004012C3. This is because every two-digit hex number (byte) gets exactly one address. So if the address is 004012C0 then at that address there is only one byte, 83; at 004012C1 is E4 and at 004012C2 is F0. The only reason these three addresses are joined in one line is that these three bytes together make a single ASM instruction, and therefore the next address, where the next ASM instruction is, is 004012C3. The address of a line corresponds to the first two-digit hex number (byte) contained in that "line" of code.

Since we have learned how to patch (modify) a program, let's move on to the modification itself. You can edit the program in Hiew or in any other hex editor. Since Hiew is the best for beginners, all the explanations in the first chapter will refer to it. So start Hiew and open myCrack.exe with it. The original view in Hiew is incomprehensible to us, so we will switch it into a view identical to the one in W32Dasm. We do this by pressing F4 and selecting Decode mode. Now we see ASM instructions. If you do not remember them, look at the image above again and write down the addresses we have to NOP; they are 004012DB, 004012E3, 004012E8 and 004012ED. To go to these addresses in Hiew, press F5 and type a full stop followed by the address you want to go to (the full stop tells Hiew that you mean a virtual address, not a file offset). When we go to the first address we will see the same PUSH instruction as in W32Dasm. Since we have learned that we must NOP all the two-digit numbers of the line, remember the last two bytes. Here the last two bytes we have to NOP are 42 and 00. Now press F3 to enter Edit mode and type the new bytes you want to replace the old ones with, that is 90. We will have to type 90 five times to NOP the whole line. Set the cursor to the next address to be NOPed, that is the next PUSH instruction, and do the same with it. Repeat the same procedure with the remaining PUSH and with the CALL. When you have finished, the result should look like the following picture (figure):


So all the addresses with the PUSH and CALL instructions have been NOPed. To save the changes press F9, and to exit the program press F10. Feel free to try starting the program you have just patched; you will see that it does not work! Although we did everything right and patched all the PUSH and CALL instructions, the program reports an error. What we expect, and what should happen, is that this DOS program moves the cursor to a new line after writing the message to the screen. This happens right below the printed message we removed, which means that the next CALL serves exactly this purpose. Open Hiew again and type in address 004012F2. Immediately below this address we see one PUSH and one CALL instruction (figure).

Obviously this CALL and PUSH have to be NOPed too, because the call that moves the cursor to the next line depends on the result of the call that printed the message, which we have just removed. So we NOP addresses 004012F5 and 004012F6 as well, save the file and try starting the program again. We will see that we have now succeeded and that the message no longer appears. We have managed to crack our first program.


My second crack

Since we have set up the tools we need, we will now move on to using them. Start myFirstCrack.exe, which is in the folder ...\Classes\Cas01. What you see is a plain DOS window saying that the program is not cracked. This is what we will change. Open this program in W32Dasm [Hint: Disassembler -> Open File to Disassemble] and wait a moment for the disassembled program to appear. Since this is the second lesson I will not analyse much; we will do only what is necessary to crack this program. Recall the message we got when we started the program; now we need to find out where it is called from. This can be done in two ways. The first is through the Find option in the program; the other, somewhat more useful one, is through the String Data References option in W32Dasm. So press the penultimate button in the toolbar, labelled Strn Ref, and a new window will open. In this window we find the message the program printed when started ("I'm not cracked :P") and double-click on it, which takes us to the exact place in the exe file from which this message is called. The program takes us here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040128C(C)
|
:004012EF 837DFC00      cmp dword ptr [ebp-04], 00000000
:004012F3 754C          jne 00401341
:004012F5 83EC08        sub esp, 00000008
:004012F8 6848284200    push 00422848
:004012FD 83EC0C        sub esp, 0000000C

* Possible StringData Ref from Code Obj ->"I'm not cracked :P"
|
:00401300 6880124000    push 00401280      <- we are here
:00401305 6850534300    push 00435350
:0040130A E84D1E0200    call 0042315C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012A8(C)
|
:0040130F 83C414        add esp, 00000014
:00401312 50            push eax
:00401313 E8D82A0100    call 00413DF0
:00401318 83C410        add esp, 00000010
:0040131B 83EC08        sub esp, 00000008
:0040131E 6848284200    push 00422848
:00401323 83EC0C        sub esp, 0000000C

We see the message "I'm not cracked :P". So this is where the message is called from. The point of this lesson is to learn how to show, instead of this message, another message that is already in the same exe file. If you look just above this message you will see a conditional jump:

:004012F3 754C          jne 00401341

This means that if something is not equal, the program jumps to 00401341. If we go down a bit to see what is at that address, we see the following:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012F3(C)
|
:00401341 837DFC01      cmp dword ptr [ebp-04], 00000001
:00401345 754C          jne 00401393       <- the important jump: when it is taken,
:00401347 83EC08        sub esp, 00000008     the message is skipped
:0040134A 6848284200    push 00422848
:0040134F 83EC0C        sub esp, 0000000C

* Possible StringData Ref from Code Obj ->"Successfully cracked me :)"
|
:00401352 68AE124000    push 004012AE

You will notice that this is the message "Successfully cracked me :)", which will be displayed on the screen only if the jump at address 004012F3 is always taken. But we must also note that between addresses 00401341 and 00401352 there is another jump which needs to be changed. To crack this program successfully we have to change the jump at 004012F3 from JNE (75 hex) to JMP (EB hex), so that it is always taken and the program always goes to address 00401341, and change the jump at 00401345 so that it is never taken, that is, replace it with two NOPs (No Operation). Changing only the opcode byte works because a short JNE and a short JMP are both two bytes long and share the same one-byte displacement (4C here), so the target stays the same. When this is done, the message about successful cracking will always be shown on the screen. If this part is not clear to you, pay attention to the hex addresses the jumps lead to. You will see that they take us past the messages we want to display on the screen. We need to change these jumps so that the screen always shows the message we want. This is perhaps the most important part of the book, the very foundation. To progress further you have to understand how changing certain instructions affects the behaviour of a program. So I suggest that, if this is your first encounter with cracking, you work through this first area thoroughly, and do not move on to another one before you have understood it and solved, on your own, the exercise at the end of this chapter. Doing the exercises is recommended because it will help you become independent and solve problems you have not seen or worked through before.

To carry out these changes in the program, copy it to the directory where Hiew is and open it with Hiew.


Since the original view is not very understandable to us, press F4 and select Decode to get the same view we saw in W32Dasm. We could scroll down to address 004012F3, which we want to change, or we can go to that address with the GoTo command. Press F5, type a full stop and then the address 004012F3, and press Enter. Now that we are at the address, it can be changed by switching to edit mode with F3. Put the cursor on the first byte, 75, and type EB. Here is how it should look (figure):

Save the changes with F9. Now we need to change the other jump. Press F5, type a full stop and the address 00401345, and press Enter. Now that we are there, we change it by switching to edit mode with F3. Put the cursor on the first byte, 75, and type 9090. Here is how it should look (figure):

Save the changes with F9 and exit Hiew with F10. Now you can start this exe file and you will see that it always shows the same message, "Successfully cracked me :)".


Look at the file ...\Classes\Cas1\main.cpp to see what this program looks like in C++. As you can see:

#include <iostream>
using namespace std;

int main(int argc, char *argv[])
{
    int i;
    i = 0;
    if (i == 0) {
        cout << "I'm not cracked :P" << endl;
        cout << "Press ENTER to continue..." << endl;
    }
    if (i == 1) {
        cout << "Successfully cracked me :)" << endl;
        cout << "Press ENTER to continue..." << endl;
    }
    cin.get();
    return 0;
}

There are two conditions. If i equals zero the program shows the message that it is not cracked, and if i equals one it shows the message that it is cracked. Since i is always equal to zero, what we did amounts to inverting the conditions: the first block is now always skipped and the second is always executed, as if the first message required i to be one and the second required it to be zero. This is a slightly more complicated example because two jumps had to be changed, but once you have mastered this you will be able to crack a large number of beginner programs, because almost all of them are based on this or a similar principle.

Exercise:

If you want, you can test the knowledge acquired so far on the same or a similar example, already prepared in a file. You should crack the file ...\Classes\Cas1\myFirstTest.exe on your own. The procedure does not differ much from the previous example. In this test only one jump needs to be corrected. For those who know or understand a little C++, there is ...\Classes\Cas1\test.cpp to see the differences between the first example and this test, and the file ...\Classes\Cas1\myFirstTest.cracked.exe is an example of what the finished cracked program should look like. Doing the exercises throughout this book is recommended, since cracking procedures are easier to remember on similar examples.

Solution:

You need to change the jump at 00401391 from JNE (755E) to JMP (EB5E).
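The two lessons above do the patching by hand in Hiew. As an added worked example (not part of the book, and not one of the author's tools), the same procedure is scripted here in Python for both lessons: it translates the virtual addresses that W32Dasm shows into file offsets by walking the PE section table (the step Hiew hides behind the leading full stop), verifies the original bytes before writing anything, and applies the two kinds of patch used above: a conditional jump turned into JMP, and a line filled with NOPs. The image it patches is a constructed minimal PE32 stub carrying only the two jumps from the listing, not myFirstCrack.exe itself; the header offsets are those of the PE32 format.

```python
"""Patch a PE32 file by virtual address: the Hiew procedure of the two lessons, scripted."""
import struct

NOP = 0x90


def parse_sections(pe: bytes):
    """Return (image_base, sections) from the PE32 headers of an in-memory file image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    if struct.unpack_from("<H", pe, opt_hdr)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", pe, opt_hdr + 28)[0]
    sections = []
    for i in range(num_sections):
        off = opt_hdr + size_of_opt + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return image_base, sections


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate the virtual address shown by W32Dasm/Olly into an offset in the file on disk."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            delta = rva - s["va"]
            if delta >= s["raw_size"]:
                raise ValueError(f"{va:08X} is in the virtual-only part of {s['name']}; not on disk")
            return s["raw_ptr"] + delta
    raise ValueError(f"{va:08X} is not inside any section")


def to_unconditional_jump(jcc: bytes) -> bytes:
    """Rewrite a conditional jump as an unconditional one of identical length and target."""
    if len(jcc) == 2 and 0x70 <= jcc[0] <= 0x7F:            # short Jcc rel8 -> JMP rel8 (EB)
        return bytes([0xEB, jcc[1]])
    if len(jcc) == 6 and jcc[0] == 0x0F and 0x80 <= jcc[1] <= 0x8F:  # near Jcc rel32 (0F 8x)
        # NOP + JMP rel32 (E9): the instruction still ends at the same address,
        # so the 4-byte displacement remains correct.
        return b"\x90\xE9" + jcc[2:]
    raise ValueError("not a recognised conditional-jump encoding")


def nop_out(length: int) -> bytes:
    """Bytes that turn `length` bytes of code into NOPs, as typed by hand in Hiew above."""
    return bytes([NOP]) * length


def apply_patches(pe: bytes, patches) -> bytes:
    """Apply (va, expected_bytes, new_bytes) patches. The original bytes are verified first,
    so a patch aimed at a different build fails instead of silently corrupting the file."""
    out = bytearray(pe)
    for va, expected, new in patches:
        if len(expected) != len(new):
            raise ValueError(f"patch at {va:08X}: replacement must keep the instruction length")
        off = va_to_file_offset(pe, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"bytes at {va:08X} are {found.hex()}, expected {expected.hex()}")
        out[off:off + len(new)] = new
    return bytes(out)


def build_test_pe() -> bytes:
    """Constructed minimal PE32 image (not a real program): one .text section at RVA 0x1000,
    raw offset 0x200, image base 0x400000, carrying the two jumps from the listing above."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # file header
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)               # ImageBase
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0x1000, 0x1000, 0x400, 0x200)  # vsize, va, rawsize, rawptr
    text = bytearray(0x400)
    text[0x2EF:0x2F5] = bytes.fromhex("837DFC00754C")   # 004012EF: cmp [ebp-4],0 ; jne 00401341
    text[0x341:0x347] = bytes.fromhex("837DFC01754C")   # 00401341: cmp [ebp-4],1 ; jne 00401393
    return bytes(hdr + text)


def crack_second_lesson(pe: bytes) -> bytes:
    """The two patches of the second lesson: JNE->JMP at 004012F3, JNE->NOP NOP at 00401345."""
    jne = bytes.fromhex("754C")
    return apply_patches(pe, [(0x4012F3, jne, to_unconditional_jump(jne)),
                              (0x401345, jne, nop_out(2))])


if __name__ == "__main__":
    original = build_test_pe()
    patched = crack_second_lesson(original)
    for va in (0x4012F3, 0x401345):
        off = va_to_file_offset(original, va)
        print(f"{va:08X} @ file offset {off:06X}: {original[off:off+2].hex()} -> {patched[off:off+2].hex()}")
```

Two points the hand procedure glosses over: the expected-bytes check is what stops a patch written for one build from being applied to another (the same virtual address in a recompiled program holds different code), and a near conditional jump (0F 8x rel32) cannot be turned into JMP by changing a single byte, which is why the helper handles it as NOP + E9 rel32 of the same total length.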


OllyDbg from beginning

Before we start on serious reversing problems, you will learn how a debugger works and, most importantly, how to use Olly. As already said at the beginning of the book, debuggers are tools designed to let us follow the execution of each ASM instruction of any program. This is the clear advantage debuggers have over disassemblers, which only let us review "dead code". Dead code is just a slang term for static ASM listings in which, however carefully we look, we cannot see how the code behaves during execution; that is, we cannot know when and why jumps are taken or which parameters a CALL receives. For this reason it is best to follow routines with a debugger such as Olly.

Debugging basics - Breakpoints

It has been said that a debugger has the power to stop the observed program and to execute its instructions one by one. But how does it actually pause the program?

For a debugged program to stop at a specific address, one of the following two conditions must be fulfilled: 1) an ordinary software breakpoint is set at that address, or 2) a hardware breakpoint is set at that address. But what actually is a breakpoint?

It is natural to think of a breakpoint as a command we give our debugger so that it stops at the desired address. But a software breakpoint is not merely an internal command of the debugger; it is actually a change to the contents of the process's memory, made in such a way that the debugger can detect the moment that change is reached and stop exactly there. Of course, after this pause the original contents of memory are restored, which is why we are unaware of the modification even though it really takes place. Since every instruction in a program has exactly one virtual address, a breakpoint can be set on any single byte in memory. But here another problem arises. Since each byte can only hold values in the range 00h - FFh, that is 0 to 255, what can be written into a byte so that the debugger recognizes a breakpoint? The answer lies in the processor architecture, which is designed so that each byte, alone or in a group of bytes, forms one whole: an instruction. So the processor will treat the byte 90 as the instruction NOP, the byte C3 as the instruction RET, and so on. Exactly one of these bytes has the purpose of pausing program execution in hardware and handing control over the process to the debugger attached to it. That byte is CCh, and in assembler it is interpreted as the INT3 instruction. When it executes, a breakpoint exception is raised and delivered to the attached debugger as a debug event, so all further control over the program's execution is left to the debugger, which restores the original byte, moves EIP back by one (the processor reports the address just past the one-byte INT3) and lets the program continue. Of course all this applies only to software breakpoints set by our debugger.


In contrast to them there are also so-called hardware breakpoints, which are a special capability of the processor itself. Unlike software breakpoints, they are implemented directly at the hardware level of the processor, which allows any program to be paused directly, without any modification of the memory of the running program. This is possible because the processor always knows exactly which address it is currently executing and can therefore, when required, stop at any instruction; on x86 this is done through the debug registers DR0-DR3, which hold the addresses to watch, so only four such breakpoints can be active at a time. Since memory is not modified, such a breakpoint cannot be detected as a modification of the program's memory.
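To make the difference concrete, here is an added model in Python (not code from the book) of the two mechanisms just described: a software breakpoint overwrites a code byte with CCh and is visible to any program that checksums its own code, while a hardware breakpoint leaves memory untouched; it also shows the EIP-minus-one fix-up the debugger performs when the INT3 trap is reported. The Debuggee class, the four-register limit and the CRC check are a model of the behaviour, not a debugger API; the code bytes are a constructed sample taken from the listing at 004012EF in the second lesson.

```python
"""Model (added example, not from the book) of how a software breakpoint changes the
debuggee's memory while a hardware breakpoint does not, and how a program can notice."""
import zlib

INT3 = 0xCC   # the one-byte INT3 opcode a debugger writes for a software breakpoint

# Constructed sample: the code bytes of the listing starting at 004012EF in the second lesson.
CODE_BASE = 0x4012EF
CODE = bytes.fromhex("837DFC00754C83EC086848284200")


class Debuggee:
    """A code image as seen by both the debugged process and the debugger attached to it."""

    def __init__(self, base: int, code: bytes):
        self.base = base
        self.mem = bytearray(code)      # what the process itself reads when it checks its code
        self.saved = {}                 # va -> original byte overwritten by INT3
        self.hw_breakpoints = []        # stands in for the DR0-DR3 debug registers

    def set_software_breakpoint(self, va: int) -> None:
        off = va - self.base
        if not 0 <= off < len(self.mem):
            raise ValueError(f"{va:08X} is outside the code image")
        if va not in self.saved:
            self.saved[va] = self.mem[off]
            self.mem[off] = INT3        # the process's memory really changes here

    def set_hardware_breakpoint(self, va: int) -> None:
        if len(self.hw_breakpoints) >= 4:
            raise RuntimeError("x86 has only four debug-address registers")
        self.hw_breakpoints.append(va)  # nothing in memory changes

    def on_breakpoint_exception(self, eip: int) -> int:
        """Handle the INT3 trap. The CPU reports EIP just past the one-byte INT3, so the
        debugger restores the original byte and resumes execution one byte earlier."""
        va = eip - 1
        if va not in self.saved:
            raise RuntimeError(f"INT3 at {va:08X} was not planted by this debugger")
        self.mem[va - self.base] = self.saved.pop(va)
        return va

    def code_crc(self) -> int:
        """The integrity check a self-protecting program might run over its own code."""
        return zlib.crc32(bytes(self.mem)) & 0xFFFFFFFF


def find_planted_int3(dbg: Debuggee, on_disk: bytes) -> list:
    """Compare the running image with the on-disk copy: a 0xCC where the file has something
    else is a software breakpoint (or a patch) that a checksum-based protector would catch."""
    return [dbg.base + i for i, (m, d) in enumerate(zip(dbg.mem, on_disk)) if m == INT3 and m != d]


def demo() -> dict:
    dbg = Debuggee(CODE_BASE, CODE)
    clean = dbg.code_crc()
    dbg.set_hardware_breakpoint(0x4012F3)
    after_hw = dbg.code_crc()                          # unchanged: memory untouched
    dbg.set_software_breakpoint(0x4012F3)              # jne 00401341 (75 4C) becomes CC 4C
    after_sw = dbg.code_crc()                          # differs: CRC32 sees any changed byte
    planted = find_planted_int3(dbg, CODE)
    resume_at = dbg.on_breakpoint_exception(0x4012F4)  # trap reports EIP after the CC
    restored = bytes(dbg.mem) == CODE
    return {"clean": clean, "after_hw": after_hw, "after_sw": after_sw,
            "planted": planted, "resume_at": resume_at, "restored": restored}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The practical consequence for a reverser is the one the section hints at: a program that checksums its own code section will notice every software breakpoint (and every NOP patch) but not a hardware breakpoint, so on such targets the four DR0-DR3 breakpoints are the ones to spend.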

Debugging basics - User vs kernel mode

A more accurate title for this section would be ring3 vs ring0. What actually are user-mode and kernel-mode debugging?

Windows is designed in such a way that not all programs have access to all available memory. There are two access levels a program can have, ring3 and ring0. The main, or kernel, access level is called ring0, and only the system components that make up the operating system itself run at it. All other programs have only limited access to the system's components; they form what is called user mode, or ring3. To get an idea of what kind of access different files have, think of it like this: Internet Explorer itself runs only in ring3, while the system .dll files it uses, for instance kernel32.dll and user32.dll, expose the native Windows API calls, which in turn pass into ring0 through the kernel's system-call interface, and that is where the processor's privileged functions are reached.

This division of access to system memory leads to the division of debuggers into user-mode and kernel-mode debuggers. Although kernel-mode debuggers are more powerful, because they have access to all parts of the system at all times, in this book we will content ourselves with user-mode debuggers, because we will be reversing applications that have no direct access to the system.

To see the differences and the advantages of one mode over the other, consider the case when we have to set a breakpoint on the API used to read text from a window. The problem with setting such a breakpoint is that several API functions can read data from a window, so we either have to isolate the exact API that is used to read the data from the window, or set breakpoints on all of those APIs. In such cases a kernel-mode debugger has an advantage over a user-mode one, because it can set a breakpoint at the low level that is used to read data from the window, and so let us locate the exact API that accesses the window and reads the text.

Introduction to OllyDbg

For a reverser, OllyDbg, written by Oleh Yuschuk, is a basic and unavoidable tool. Although it can happen that some specific reversing problem requires a kernel mode debugger, Olly is almost always the right choice when we approach a problem. This means that Olly, although its access is limited to ring3, remains a more than sufficient reversing tool. But what makes Olly so good?

Primarily, Olly's power lies in its exceptionally powerful disassembler, which raises the analysis of ASM code to the highest possible level. This means that Olly can detect loops and switches, can show us where jumps lead, and knows all the parameters taken by any standard Windows API function. What more can be said than that Olly is one of the best, if not the best, debugger ever made? For these reasons the author of this book will concentrate primarily on its use when debugging applications.

OllyDbg's Key Features

What you first see when you open a program in Olly is the following:

This window is Olly's main window. It is called the CPU window because it shows the ASM commands the processor executes and lets us monitor and execute them command by command.

As you can see in the figure above, this window is divided into five parts, which together make up a very functional whole. The parts are marked in the picture and we will now go over them one by one.

The CPU window is the main window in Olly and its purpose is monitoring, that is, stepwise execution of the code of the debugged target. This is achieved with the commands Step over and Step into. These two commands allow execution of ASM code one command at a time, so that each step over or step into executes exactly one ASM command from the CPU window. Of course, the commands are executed in a linear fashion, one after another, together making up one functional whole. Step over and step into differ functionally only in the execution of the ASM command CALL. When this command is executed with step over, an invisible breakpoint is placed immediately after the CALL, at the next command; with step into the breakpoint is placed at the first command inside the CALL. This means that if we are debugging a program and reach a CALL command, the next ASM command where we will end up depends on how we choose to trace through the code. If we choose step over (F8) we end up at the command immediately after the CALL, which means the contents of the CALL are executed without our oversight; if we choose step into (F7) we end up inside the CALL and are able to monitor its execution.

[01] Reset the currently open target
[02] Close the currently open target
[03] Run (F9), starts the target and executes it until the first breakpoint
[04] Pause, pauses execution of the program
[05] Step into (F7)
[06] Step over (F8)
[07] Trace into
[08] Trace over
[09] Execute till return (CTRL + F9)
[10] Go to address (CTRL + G)

The step into and step over commands are numbered 5 and 6 in the picture above and should be distinguished from the trace into and trace over commands, which have a similar but not identical use. Besides the toolbar buttons we can use the shortcuts F7 and F8 for these commands.

In addition to the step over and step into functions described above, Olly has a few more basic tracing functions designed to make our analysis of executable files easier. One such option is Execute till return, which lets us run the rest of whatever CALL we are currently inside and then stop at the ASM command located just below that CALL.

It has already been said that the trace into and trace over commands differ from the similar step over and step into commands. These commands are used for automated tracing through code. This type of tracing lets us quickly pass over code, that is, execute it, until some condition is met. To set a condition for tracing we go to the menu Debug -> Set condition (CTRL + T), where we can set different kinds of logical conditions that will pause the tracing if any of them is met. The three main options in this menu relate to the EIP register and to custom conditions we can set. EIP is a register to which we have no direct access, or rather we can access it only in read-only mode. This means it is impossible to modify it directly with ASM commands, because the EIP register is adjusted directly by the execution of ASM code so that it holds the address of the next ASM command to be executed. The only possible manipulation of the EIP register is through the stack. Precisely because of this we can set tracing conditions on the EIP register. So we can "tell" Olly to pause program execution at the first command that is in, or out of, a range. Of course we base the range on the EIP register because it always tells us which command will execute next, pointing just past the last executed byte. Therefore, if the conditions are set as in the following picture:

we choose the tracing mode and execution runs until, sooner or later, we find ourselves at address 004012C0, or between the addresses 00401000 and 00402000. Depending on whether we choose trace over or trace into, Olly will follow the code that executes, but in the trace over case it will not enter CALLs. This means that the trace over command will always run faster but will not be as reliable as trace into. This is especially noticeable if the range we are looking for is very small.

The last command that lets us manipulate addresses is Go to address, which we use whenever we know the address of a command we are interested in. The shortcut that activates this option is Ctrl + G.

02 NAG Screens

In the first chapter we mastered the basic techniques of finding information in an exe file and altering it; in this one we will learn how to deal with the basic problems in reversing.

Killing NAGS - MsgBoxes

NAG screens are those annoying messages that appear when a program is started or when it is closed, and their main function is to remind you that you have not paid for the program you are using. There are many types of NAGs, but they are usually represented by two standard types: message boxes and dialogs. In this example I will show you how to solve an ordinary message box NAG. It looks just like this:

and is located in the file ...\Classes\Cas2\NAG.exe. For this example we will use the same tools (W32Dasm and Hiew) as in the first example.

In W32Dasm open the exe file and wait until it is disassembled. The easiest way to kill this NAG is to search for the text that appears in it. Open String References again and find the text from this message box. Double clicking on the text brings you here:

* Reference To: user32.SetWindowTextA, Ord:0000h
                                  |
:00407F05 E8F6C6FFFF              Call 00404600
:00407F0A 891D50A84000            mov dword ptr [0040A850], ebx
:00407F10 6A40                    push 00000040

* Possible StringData Ref from Code Obj ->"NAG"
                                  |
:00407F12 68407F4000              push 00407F40

* Possible StringData Ref from Code Obj ->"This is a NAG screen, which should"
                                        ->"Kill!"                  <- We are here
                                  |
:00407F17 68487F4000              push 00407F48
:00407F1C 53                      push ebx

* Reference To: user32.MessageBoxA, Ord:0000h
                                  |
:00407F1D E8C6C6FFFF              Call 004045E8
:00407F22 EB05                    jmp 00407F29

What is specific to message boxes is that in every programming language they are called the same way:

MessageBox(handle [hwnd], Text, Title, MB_TYPE);

which means that the CALL to the function that generates this message box is passed four parameters. The parameters are passed in reverse order, so before the CALL at 00407F1D there are four PUSH commands which pass them in reverse order. If this is not clear I suggest you read the part about the STACK. As you can imagine, this function should never be executed, so it should be NOPed. Pay attention to only one thing: if you NOP only the CALL, there will be errors in the program. The right way to kill this NAG screen is to NOP all the PUSH commands that precede the CALL, and then the CALL itself. In Hiew it should look like this:

All the bytes from address 00407F10 to address 00407F21 should be NOPed. Now you can start NAG.exe and you will see that the NAG is gone.

Exercise:

If you want, you can check the knowledge acquired so far on the same example, by killing the text that appears when the user clicks the About button, that is, when the About dialog box appears.

Solution:

Everything from address 00407EA0 to address 00407EB3 should be NOPed.

Killing NAGS - Dialogs

The last example explained how to remove message box NAGs, and this one will explain how to remove dialog NAGs. Such a dialog can look like this:

The difference is probably not noticeable, but unlike a message box NAG, this NAG is made in the same way as the other dialogs in the program. Why is this important? To an ordinary user it does not matter, but it tells us how this NAG is generated and how we can solve it. Open the program ...\Classes\Cas2\NagWindow.exe in W32Dasm. Since this is a dialog, we will look for all the dialogs in this exe file. Look a little below the beginning of the disassembled file and you will see the following:

+++++++++++++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++++++++++
Number of Dialogs = 1 (decimal)                                   <- Why?
Name: DialogID_0064, # of Controls=008, Caption:"F ½", ClassName:""
001 - ControlID:0000, Control Class:"EDIT"    Control Text:""
002 - ControlID:0000, Control Class:"EDIT"    Control Text:""
003 - ControlID:0000, Control Class:"BUTTON"  Control Text:"&Check"
004 - ControlID:0000, Control Class:"BUTTON"  Control Text:"&Exit"
005 - ControlID:0000, Control Class:"BUTTON"  Control Text:"&?"
006 - ControlID:0000, Control Class:"STATIC"  Control Text:"Name:"
007 - ControlID:0000, Control Class:"STATIC"  Control Text:"Serial"
008 - ControlID:0001, Control Class:""        Control Text:""

There is something wrong! The dialog listed here is the one that appears after you click OK in the NAG window. But where is the first one, the NAG window? We will reveal it. For now just remember the name of this dialog (DialogID_0064). W32Dasm adds the prefix DialogID_ to the name, so the real name of the dialog is the number 64h in hex, which is 100 in decimal. This is important because the CALL responsible for displaying the dialog needs this ID in order to know which dialog to display. To find out where this dialog is called from, go up to the DLG Ref (Dialog References) button in the menu and double-click on the dialog; you will end up here:

:00407FCF E8DCC5FFFF              Call 004045B0
:00407FD4 6A00                    push 00000000
:00407FD6 68647E4000              push 00407E64
:00407FDB 6A00                    push 00000000
:00407FDD 6A64                    push 00000064   <- We are here
:00407FDF FF354C984000            push dword ptr [0040984C]
:00407FE5 E8C6C5FFFF              Call 004045B0
:00407FEA E8D5B4FFFF              Call 004034C4

If we count the parameters preceding the CALL at 00407FE5 we see how many parameters the function for calling a dialog takes. We conclude that this function takes 5 parameters and that the penultimate one, the second pushed, is the dialog ID. Since the NAG appears before this dialog, we conclude that the same function must also be located somewhere above this point, the only difference being the ID of the dialog it calls. And we were right:

:00407FBE 6A00                    push 00000000
:00407FC0 68647E4000              push 00407E64
:00407FC5 6A00                    push 00000000
:00407FC7 6A65                    push 00000065   <- Another dialog ID
:00407FC9 FF354C984000            push dword ptr [0040984C]

* Reference To: user32.DialogBoxParamA, Ord:0000h
                                  |
:00407FCF E8DCC5FFFF              Call 004045B0

The same number of parameters precedes the CALL at 00407FCF. This is a sure sign that the CALL at 00407FCF is used to show the NAG. These NAGs are removed in the same way as message box NAGs: all the PUSH commands and finally the CALL must be NOPed, which means everything from address 00407FBE to address 00407FCF. This is how it looks:

Do not let the numbers confuse you: 73BE is the real position in the file of the virtual address 00407FBE, which exists only in memory. These real byte positions appear only when you press F3 and enter Edit mode.

NOTE: In most cases W32Dasm shows all the dialogs, but this time an error occurred in W32Dasm; nevertheless we managed to find all the dialogs and eliminate the NAG screen.
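The message box and the dialog NAG above come down to the same mechanism: a stdcall API receives its parameters through PUSH instructions in reverse order, and the disassembler resolves the CALL target from a relative displacement. The Python below is an added example, not code from the book, that decodes the exact bytes W32Dasm showed for NAG.exe (from 00407F10) and NagWindow.exe (from 00407FBE), resolves the CALL targets, maps the PUSHes onto the MessageBoxA and DialogBoxParamA parameter names, and reports the byte span each call sequence occupies. The thunk labels are taken from the listings; the section layout used for the 73BEh file offset (.text at RVA 1000h, raw data at 400h) is an assumption that happens to reproduce the page's number, not something the book states.

```python
import struct

# Sample bytes transcribed from the W32Dasm listings on this page.
NAG_BASE = 0x00407F10            # NAG.exe: MessageBoxA call sequence
NAG_BYTES = bytes.fromhex("6A40" "68407F4000" "68487F4000" "53" "E8C6C6FFFF")
DLG_BASE = 0x00407FBE            # NagWindow.exe: DialogBoxParamA call sequence
DLG_BYTES = bytes.fromhex("6A00" "68647E4000" "6A00" "6A65" "FF354C984000" "E8DCC5FFFF")

# Import thunk addresses exactly as W32Dasm labelled them in those listings.
IMPORT_THUNKS = {0x004045E8: "user32.MessageBoxA", 0x004045B0: "user32.DialogBoxParamA"}

# Parameter names in prototype order (first parameter first).
MESSAGEBOXA_PARAMS = ("hWnd", "lpText", "lpCaption", "uType")
DIALOGBOXPARAMA_PARAMS = ("hInstance", "lpTemplate", "hWndParent", "lpDialogFunc", "dwInitParam")
REGS32 = ("EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI")
SHORT_JUMPS = {0xEB: "JMP", 0x74: "JE", 0x75: "JNE"}


def decode(code, base):
    """Decode the few x86 forms these listings use into (address, length, text, operand).

    Relative CALL/JMP targets are resolved as W32Dasm and Olly do:
    address of the next instruction plus the signed displacement.
    """
    insns, pc = [], 0
    while pc < len(code):
        addr, op = base + pc, code[pc]
        if op == 0x6A:                                    # PUSH imm8, sign-extended to 32 bits
            v = struct.unpack_from("<b", code, pc + 1)[0] & 0xFFFFFFFF
            insns.append((addr, 2, f"PUSH {v:X}", v)); pc += 2
        elif op == 0x68:                                  # PUSH imm32
            v = struct.unpack_from("<I", code, pc + 1)[0]
            insns.append((addr, 5, f"PUSH {v:08X}", v)); pc += 5
        elif 0x50 <= op <= 0x57:                          # PUSH r32
            reg = REGS32[op - 0x50]
            insns.append((addr, 1, f"PUSH {reg}", reg)); pc += 1
        elif op == 0xFF and code[pc + 1] == 0x35:         # PUSH DWORD PTR [imm32]
            v = struct.unpack_from("<I", code, pc + 2)[0]
            insns.append((addr, 6, f"PUSH DWORD PTR [{v:08X}]", f"[{v:08X}]")); pc += 6
        elif op == 0x83 and code[pc + 1] == 0xF8:         # CMP EAX, imm8
            v = struct.unpack_from("<b", code, pc + 2)[0]
            insns.append((addr, 3, f"CMP EAX, {v}", v)); pc += 3
        elif op == 0xE8:                                  # CALL rel32
            rel = struct.unpack_from("<i", code, pc + 1)[0]
            target = (addr + 5 + rel) & 0xFFFFFFFF
            name = IMPORT_THUNKS.get(target, f"{target:08X}")
            insns.append((addr, 5, f"CALL {name}", target)); pc += 5
        elif op in SHORT_JUMPS:                           # JMP/Jcc short, rel8
            rel = struct.unpack_from("<b", code, pc + 1)[0]
            target = (addr + 2 + rel) & 0xFFFFFFFF
            insns.append((addr, 2, f"{SHORT_JUMPS[op]} SHORT {target:08X}", target)); pc += 2
        elif op in (0x90, 0x40, 0x48, 0xC3):              # NOP / INC EAX / DEC EAX / RET
            text = {0x90: "NOP", 0x40: "INC EAX", 0x48: "DEC EAX", 0xC3: "RET"}[op]
            insns.append((addr, 1, text, None)); pc += 1
        else:
            raise ValueError(f"opcode {op:02X} at {addr:08X} is outside this toy decoder")
    return insns


def stdcall_arguments(insns, param_names):
    """Name the PUSHes feeding the last CALL: stdcall pushes right-to-left,
    so the PUSH nearest the CALL carries the first parameter."""
    call_at = max(i for i, ins in enumerate(insns) if ins[2].startswith("CALL"))
    n = len(param_names)
    pushes = insns[max(call_at - n, 0):call_at]
    if len(pushes) != n or not all(p[2].startswith("PUSH") for p in pushes):
        raise ValueError(f"expected {n} PUSHes directly before the CALL")
    return dict(zip(param_names, (p[3] for p in reversed(pushes))))


def sequence_span(insns):
    """First and last byte address covered by the decoded sequence."""
    last_addr, last_len = insns[-1][0], insns[-1][1]
    return insns[0][0], last_addr + last_len - 1


def va_to_file_offset(va, image_base, section_rva, section_raw):
    """Virtual address -> raw file offset through one PE section header."""
    return va - image_base - section_rva + section_raw


if __name__ == "__main__":
    samples = (("NAG.exe", NAG_BYTES, NAG_BASE, MESSAGEBOXA_PARAMS),
               ("NagWindow.exe", DLG_BYTES, DLG_BASE, DIALOGBOXPARAMA_PARAMS))
    for label, code, base, params in samples:
        insns = decode(code, base)
        for addr, size, text, _ in insns:
            off = addr - base
            print(f"{addr:08X} {code[off:off + size].hex().upper():<14} {text}")
        print(f"{label} arguments: {stdcall_arguments(insns, params)}")
        print("%s sequence spans %08X..%08X" % ((label,) + sequence_span(insns)))
    # Assumed layout (.text at RVA 1000h, raw offset 400h); it reproduces the 73BEh the text shows.
    print(f"file offset of 00407FBE: {va_to_file_offset(0x00407FBE, 0x00400000, 0x1000, 0x400):X}")
```

Running it prints both decoded sequences. The NAG.exe span comes out as 00407F10..00407F21, the same range the text gives for the patch, and in the NagWindow.exe sequence the dialog ID 65h lands on the lpTemplate parameter, the second value pushed, which is why the text points at the penultimate PUSH. The same decoder handles the jne and CMP EAX,-1 forms that appear in the Olly listings later in the chapter.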


Killing NAGS - MsgBoxes & Olly

Since we have already shown almost everything important in relation to W32Dasm, we will now learn how to look for NAGs with Olly and how to remove them. The target we will reverse is located in the folder Cas1 and is called vct_crackme1.exe; at its OEP is the following code:

00401000  . 6A 00            PUSH 0                          ; /hTemplateFile = NULL
00401002  . 6A 03            PUSH 3                          ; |Attributes = READONLY
00401004  . 6A 00            PUSH 0                          ; |Mode = 0
00401006  . 6A 00            PUSH 0                          ; |pSecurity = NULL
00401008  . 6A 00            PUSH 0                          ; |ShareMode = 0
0040100A  . 6A 00            PUSH 0                          ; |Access = 0
0040100C  . 68 9C314000      PUSH 0040319C                   ; |FileName = "\\.\Sice"
00401011  . E8 24020000      CALL 0040123A                   ; \CreateFileA
00401016  . 83F8 FF          CMP EAX,-1
00401019  . 74 06            JE SHORT dmp.00401021
0040101B  . 50               PUSH EAX                        ; /ExitCode
0040101C  . E8 1F020000      CALL <ExitProcess>              ; \ExitProcess

There is nothing special here; this is only the standard way of detecting the SoftICE debugger with the CreateFileA command, through its vxd references. Besides \\.\Sice, the reference \\.\NTICE also appears in the case of NT systems. To get around this detection, if you use SoftICE of course, it is enough to patch the jump at address 00401019 into a JMP. If you look a little below these few commands you will notice the first NAG. That piece of code looks like this:

00401021  > \ 6A 00          PUSH 0                          ; /Style = MB_OK
00401023  . 68 20304000      PUSH 00403020                   ; |Title = "...naked..."
00401028  . 68 00304000      PUSH 00403000                   ; |Text = "..."
0040102D  . 6A 00            PUSH 0                          ; |hOwner = NULL
0040102F  . E8 E2010000      CALL <MessageBoxA>              ; \MessageBoxA

Of course, killing this NAG screen is very easy; it is only necessary to NOP all the PUSH commands that precede the CALL used to show the NAG, and finally the CALL itself. NOPing is done by double clicking on the selected command and entering the word NOP in the newly opened window. After clicking OK or <ENTER>, Olly changes the selected command into NOP, after which it no longer executes. Therefore, after NOPing all these commands we will have the following situation:

00401021    90               NOP
00401022    90               NOP
...
0040102F    90               NOP
00401030    90               NOP
00401031    90               NOP
00401032    90               NOP
00401033    90               NOP

Since there is another NAG in the program, we will look for it by tracing through the code, that is, pressing F8 until we get to the next CALL:

0040104A  . 6A 0A            PUSH 0A
0040104C  . FF35 AC314000    PUSH DWORD PTR DS:[4031AC]
00401052  . 6A 00            PUSH 0
00401054  . FF35 A8314000    PUSH DWORD PTR DS:[4031A8]
0040105A  . E8 0B000000      CALL 0040106A

After this CALL executes, the target's main window appears on screen. Since we know that the NAG executes after exiting the target, we set an ordinary breakpoint (press F2) on the address immediately below the CALL that was responsible for showing this window, that is, a breakpoint at address 0040105F.

0040105F  |. E8 61010000      CALL 004011C5
00401064  |. 50               PUSH EAX                       ; /ExitCode
00401065  \. E8 D6010000      CALL <ExitProcess>             ; \ExitProcess

Of course, after closing the main window our target ends up at our breakpoint. This time we press F7 in order to enter the CALL at 0040105F. Why? Because after this CALL there is only the kernel32.ExitProcess CALL, which serves to shut down our target. From this we conclude that the other NAG is in the CALL at address 0040105F. When we enter the CALL we see the following:

004011C5  /$ 6A 00            PUSH 0                         ; /Style = MB_OK
004011C7  |. 68 66304000      PUSH 00403066                  ; |Title = "..."
004011CC  |. 68 40304000      PUSH 00403040                  ; |Text = "...naked..."
004011D1  |. 6A 00            PUSH 0                         ; |hOwner = NULL
004011D3  |. E8 3E000000      CALL <MessageBoxA>             ; \MessageBoxA
004011D8  \. C3               RET

And as you can see, we were right! The NAG we were looking for really is in this CALL, and we remove it in the same way as the first one; after patching, our target looks like this:

004011C5    90               NOP
004011C6    90               NOP
004011C7    90               NOP
004011C8    90               NOP
004011C9    90               NOP
004011CA    90               NOP
...
004011D1    90               NOP
004011D2    90               NOP
004011D3    90               NOP
004011D4    90               NOP
004011D5    90               NOP
004011D6    90               NOP
004011D7    90               NOP
004011D8  \. C3              RET

Besides this way of patching NAGs there is another way. This other way is used in case the program counts the NOPs contained in its code. This patcher's trick consists of patching the desired commands into a new series made up of two ASM commands, INC EAX, DEC EAX, ... The first command increases the value of EAX by one and the second decreases it by one. Here you only have to make sure, if EAX influences the further execution of the commands, that there is the same number of DEC EAX and INC EAX commands. Applied to this example it looks exactly like this:

004011C5    40               INC EAX
004011C6    48               DEC EAX
004011C7    40               INC EAX
004011C8    48               DEC EAX
004011C9    40               INC EAX
004011CA    48               DEC EAX
004011CB    40               INC EAX
004011CC    48               DEC EAX
004011CD    40               INC EAX
004011CE    48               DEC EAX
004011CF    40               INC EAX
004011D0    48               DEC EAX
004011D1    40               INC EAX
004011D2    48               DEC EAX
004011D3    40               INC EAX
004011D4    48               DEC EAX
004011D5    40               INC EAX
004011D6    48               DEC EAX
004011D7    40               INC EAX
004011D8  \. C3              RET

Besides this, there is one more way of patching which lets you remove the NAG by changing only one byte! This method can always be applied, and the change looks like this:

004011C5  /$ 6A FF            PUSH FF                        ; /Style = MB_OK
004011C7  |. 68 66304000      PUSH 00403066                  ; |Title = "..."
004011CC  |. 68 40304000      PUSH 00403040                  ; |Text = "...naked..."
004011D1  |. 6A 00            PUSH 0                         ; |hOwner = NULL
004011D3  |. E8 3E000000      CALL <MessageBoxA>             ; \MessageBoxA
004011D8  \. C3               RET

or

004011C5  /$ 6A 00            PUSH 0                         ; /Style = MB_OK
004011C7  |. 68 66304000      PUSH 00403066                  ; |Title = "..."
004011CC  |. 68 40304000      PUSH 00403040                  ; |Text = "...naked..."
004011D1  |. 6A FF            PUSH FF                        ; |hOwner = NULL
004011D3  |. E8 3E000000      CALL <MessageBoxA>             ; \MessageBoxA
004011D8  \. C3               RET

As you can see, you just change the MessageBox type to a number for which there is no real MessageBox type, or alternatively you pass the program an HWND that does not exist. This second way, patching only one byte, is much more economical if you are doing inline patching of a packer!
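The passage above mentions one self-check a program may perform (counting the NOPs in its own code) and two patch styles that slip past it. The Python below is an added example and not part of the book: it rebuilds the original 20 bytes at 004011C5 and the three patched versions from the listings above, then runs both a NOP count and a CRC32 over each region to show which check notices which change. The checks themselves are mine; the book only mentions NOP counting.

```python
import zlib

# Transcribed from this page's Olly listing: the 20-byte NAG routine at 004011C5,
# PUSH 0 / PUSH 00403066 / PUSH 00403040 / PUSH 0 / CALL MessageBoxA / RET.
ORIGINAL = bytes.fromhex("6A00" "6866304000" "6840304000" "6A00" "E83E000000" "C3")
CODE_LEN = len(ORIGINAL) - 1                      # the 19 bytes before the RET

# The three patched versions the text shows, rebuilt here from its listings.
PATCHES = {
    "nop_fill":     bytes([0x90] * CODE_LEN) + b"\xC3",                        # 90 90 ... 90 C3
    "inc_dec_fill": bytes(0x40 if i % 2 == 0 else 0x48 for i in range(CODE_LEN)) + b"\xC3",  # 40 48 ... 40 C3
    "one_byte":     ORIGINAL[:1] + b"\xFF" + ORIGINAL[2:],                     # 6A 00 -> 6A FF
}


def nop_count(code):
    """Count NOP (90h) bytes: the self-check the text says some programs perform."""
    return code.count(0x90)


def inc_dec_balance(code):
    """Net change to EAX for a region made only of INC EAX (40h) / DEC EAX (48h) bytes."""
    return code.count(0x40) - code.count(0x48)


def detected_by_nop_count(original, candidate):
    return nop_count(candidate) != nop_count(original)


def detected_by_checksum(original, candidate):
    """Compare a CRC32 of the whole region: any byte change alters it."""
    return zlib.crc32(candidate) != zlib.crc32(original)


def evaluate(original, patches):
    """Return {patch name: (caught by NOP count, caught by checksum)}."""
    return {name: (detected_by_nop_count(original, p), detected_by_checksum(original, p))
            for name, p in patches.items()}


if __name__ == "__main__":
    for name, (by_nops, by_crc) in evaluate(ORIGINAL, PATCHES).items():
        print(f"{name:<13} NOP count: {'caught' if by_nops else 'missed'}   "
              f"CRC32: {'caught' if by_crc else 'missed'}")
    print("INC/DEC region leaves EAX changed by", inc_dec_balance(PATCHES["inc_dec_fill"][:CODE_LEN]))
```

The NOP count catches only the first variant, while the checksum catches all three, which is the reason a program that wants to notice tampering compares a digest of a code region rather than counting a particular byte. A CRC stored in the same image is only a change detector, though: whoever patches the code can recompute it, so a check that has to resist deliberate tampering keeps its reference value outside the modifiable image, for example in a signature verified at load time. One more detail the listing shows: the 19-byte region holds ten INC EAX and nine DEC EAX, so EAX leaves the routine one higher than it entered, and the caller at 00401064 passes exactly that EAX to ExitProcess as the exit code.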

Finally, when we have finished making the changes, a simple click in Olly's CPU window, right button -> Copy to executable -> All modifications -> Copy all -> right click -> Save file..., saves all the changes directly from Olly. This patching technique removes the need for a hex editor with which to change the file directly!


Killing NAGS - Dialogs & Olly

Of course an ordinary MessageBox NAG is very easy to "kill", but what if a dialog is used as the NAG instead of a MessageBox call? In this case we cannot look for the characteristic strings that appear in the window, because the text of a dialog is stored in the form of a resource. But knowing that the program calls a dialog resource tells us two things: 1) that it can be found in the file using a resource editor, and 2) that it is static, that is, one resource can represent only one window (or some other type of data).

Our target, which behaves in the way just described, is in the folder Cas02 and is called editor.exe. We will open this target with Olly and with its help remove this NAG.

We have already said that the NAG in this target is shown as a separate window, which means that it probably uses a separate part of the resources (.res) located in this .exe file. Because of this we will use Olly to look at all the resources contained in the file: press ALT + M to see all the .dll files our .exe file calls, then select the main .exe file, and finally right click and choose View all resources, after which we will see this:

We see that the file has exactly one dialog, whose name and ID is 384h - NAG SCREEN. Things here are very obvious, but the question now is how to find the place from which this dialog is called. If you remember the previous example, the dialogs with W32Dasm, you know that we used the ID of the dialog to find the NAG dialog. We will use the same here, except that, unlike in the last example, the search will be much easier.

Press ALT + C to go back to the main CPU window, then press CTRL + F in order to find the command that displays the sought NAG screen. It only remains to think carefully about which command we should look for in the file. This is very easy (if you remember the previous dialog examples), because the API function must be passed the ID of the object it operates on; we only need to search for the command PUSH 384 with Olly. Our search will lead us to this place in the file:

00401416  |. 6A 00            PUSH 0                                   ; /lParam = NULL
00401418  |. 68 2B124000      PUSH editor.0040122B                     ; |DlgProc = 0040122B
0040141D  |. 53               PUSH EBX                                 ; |hOwner
0040141E  |. 68 84030000      PUSH 384                                 ; |pTemplate = 384
00401423  |. 6A 00            PUSH 0                                   ; |/pModule = NULL
00401425  |. E8 F28B0000      CALL <JMP.&KERNEL32.GetModuleHandleA>    ; |\GetModuleHandleA
0040142A  |. 50               PUSH EAX                                 ; |hInst
0040142B  |. E8 C68C0000      CALL <JMP.&USER32.DialogBoxParamA>       ; \DialogBoxParamA

As we can see, at 0040141E the dialog ID is passed to the DialogBoxParam API, from which we conclude that this part of the code shows the NAG. Since the GetModuleHandleA API is also involved in showing the NAG (it determines the value of the EAX register), we will remove it together with the DialogBoxParamA API call. Therefore, to remove this NAG we need to NOP everything from address 00401416 to address 0040142B, inclusive of the last command at 0040142B, that is, the call to DialogBoxParam.


03 Cracking Serials

The next chapter deals with a problem commonly encountered when reversing. Very often the whole application, or some of its parts, is locked and can be unlocked only with the right serial number. Here we will talk about several types of serial number checks and about ways of solving these problems. It is important to note that from this chapter on only the most important reversing tool, OllyDbg, is used. Unfortunately this chapter is specific in that, when "fishing" for serial numbers, we must monitor the working memory and not the contents of the disassembled file on disk. To make getting used to all this easier, I will first explain one example in W32Dasm.

The Serials - Jumps

Besides NAG screens, one of the obstacles related to cracking is registration, or the unlocking of certain functions of the program, through a serial number check routine. This is a very common problem in reversing, so this chapter can be considered one of the key ones. The first part of this chapter will teach you how such programs are cracked, the second how to find the real serial number for your name, and the next chapter how to write a keygenerator for this example. This example is in the folder ...\Classes\CAS3\Serial.exe. First we will start the program and see what happens. This is a required step that lets us collect as much information as possible about the "target", so that it is easier to reverse. Start the "target", enter ap0x as the name and 111111 as the serial, and click Check. This will appear:

What we learn from this test is that when a wrong serial number is entered, the program throws the message "Bad Cracker". This will help when searching for the place where the serial number is checked. Open this "target" in W32Dasm and find the string "Bad Cracker". You will notice that besides the string "Bad Cracker" there is this:

"About ..."
"AMPM"
"Bad Cracker"
"Cracked ok"
"Eeee"
"Enter name!"
"Error"

This is very interesting, because it seems that the message displayed when the serial number is correct is "Cracked ok". Nevertheless, we double click on the "Bad Cracker" message and end up here:

:00407DE9 E806BBFFFF              call 004038F4
:00407DEE 7517                    jne 00407E07

* Possible StringData Ref from Code Obj ->"Cracked ok"
                                  |
:00407DF0 684C7E4000              push 00407E4C
:00407DF5 68B90B0000              push 00000BB9
:00407DFA A150984000              mov eax, dword ptr [00409850]
:00407DFF 50                      push eax

* Reference To: user32.SetDlgItemTextA, Ord:0000h
                                  |
:00407E00 E8F3C7FFFF              Call 004045F8
:00407E05 EB15                    jmp 00407E1C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407DEE(C)
|
* Possible StringData Ref from Code Obj ->"Bad Cracker"
                                  |
:00407E07 68587E4000              push 00407E58   <- We are here
:00407E0C 68B90B0000              push 00000BB9
:00407E11 A150984000              mov eax, dword ptr [00409850]
:00407E16 50                      push eax

Let us pay attention to this line just above the message about the wrong serial number:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407DEE(C)

This means that there is a conditional jump (because of the C; a U would mean an unconditional jump) at 00407DEE that leads to address 00407E07. If we look at what is at that address we see the following:

:00407DEE 7517                    jne 00407E07

* Possible StringData Ref from Code Obj ->"Cracked ok"
                                  |
:00407DF0 684C7E4000              push 00407E4C

This means that if something, in this case the serial number, is not correct, we jump to the message about the wrong serial number. If we delete this command (read: NOP it), the program will always show the message about the correct serial number, regardless of the name or serial number entered. This is one of the easiest ways of solving this problem.

Exercise:

Since we did this example with W32Dasm, it would be good to also do it