The purpose of this tutorial is to teach you how to set the equivalent of the Hmemcpy API breakpoint under OllyDbg on Windows XP, just as you would on Windows 98. Hmemcpy is the breakpoint on the function that reveals where your username and serial data are stored.
That point (from now on called "point-h") is unique to each machine and is found in USER32.DLL. Once found, we can apply point-h to programs written in C++, VB, Delphi, ASM or any other programming language, simply by placing a memory breakpoint on access at point-h.
How to find the point-h on my computer
First we must locate point-h. For that we will use Cruehead's crackme, since it does not generate exceptions and is quite simple (obviously any other program can be used). The step-by-step procedure is described below:
1) Open Cruehead's crackme in Olly
2) Search for Name (Label) in the current module and choose the API TranslateMessage (FIGURE 1)
Translator's note: in the Chinese version of Olly you can do it this way: View -> Executable modules, select USER32 in the name column, then press Ctrl+N.
FIGURE 1
3) Once on the API, right-click with the mouse, choose CONDITIONAL LOG BREAKPOINT ON IMPORT and set up the window as shown in FIGURE 2
FIGURE 2
NOTE 1. On some systems MSG==201 does not work for determining point-h. In that case try MSG==202.
4) RUN (F9) the program.
5) Enter values in the edit boxes (FIGURE 3)
Name : narvaja
Serial: 1A2B3C4D5E
FIGURE 3
NOTE 2. Of course you can enter any value for the name and serial, but the serial 1A2B3C4D5E is a value that is easy to find in memory and does not repeat.
6) Press the OK button
7) Olly stops at the conditional breakpoint (FIGURE 4)
FIGURE 4
8) Open MEMORY from the VIEW menu (Alt+M), right-click in the MEMORY MAP window and choose SEARCH. In the ASCII field enter the serial 1A2B3C4D5E (FIGURE 5).
FIGURE 5
9) Olly will stop when it finds the serial (FIGURE 6). Then we select the serial and set BP MEMORY ON ACCESS.
FIGURE 6
10) RUN (F9)... Olly will stop exactly at point-h (FIGURE 7).
FIGURE 7
77D29303 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
This is point-h for my system. Cruehead's crackme was used only to find point-h. In the following examples we will see that we can set a breakpoint at point-h in much the same way as we do with hmemcpy on Win98.
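As an added illustration (not part of the original tutorial), the C program below emulates the instruction found at point-h, F3 A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI], over a small flat memory array, and models the memory breakpoint on access from step 9 as a watched byte range. It shows why the debugger stops on exactly this instruction (the first dword read from the edit-box buffer at ESI touches the watched serial), why the serial is afterwards found a second time at EDI, and how the ASCII search of step 8 locates it. The offsets 0x100 and 0x200, the MEM_LEN size and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy register file holding the three registers REP MOVSD uses. */
typedef struct {
    uint32_t esi;   /* source offset into mem (DS:[ESI]) */
    uint32_t edi;   /* destination offset into mem (ES:[EDI]) */
    uint32_t ecx;   /* remaining dword count */
} Regs;

/* Emulate F3 A5 (REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]) with the
 * direction flag clear. The range [watch_lo, watch_hi) plays the role of
 * Olly's memory breakpoint on access: the return value is the iteration
 * (dword index) on which the copy first reads or writes inside that range,
 * i.e. where the debugger would stop, or -1 if the copy never touches it.
 * The copy still runs to completion so the resulting memory can be inspected.
 * Returns -2 if the copy would run outside the toy memory. */
int rep_movsd(Regs *r, uint8_t *mem, size_t mem_len,
              uint32_t watch_lo, uint32_t watch_hi)
{
    int first_hit = -1;
    int iter = 0;
    while (r->ecx != 0) {
        if (r->esi + 4 > mem_len || r->edi + 4 > mem_len)
            return -2;
        /* Both the read at ESI and the write at EDI can trigger a
         * memory-on-access breakpoint. */
        if (first_hit < 0 &&
            ((r->esi < watch_hi && r->esi + 4 > watch_lo) ||
             (r->edi < watch_hi && r->edi + 4 > watch_lo)))
            first_hit = iter;
        memmove(mem + r->edi, mem + r->esi, 4);
        r->esi += 4;
        r->edi += 4;
        r->ecx -= 1;
        iter++;
    }
    return first_hit;
}

/* Step 8 of the tutorial: search a memory region for an ASCII string and
 * return its offset, or -1 if absent (mirrors Memory map -> Search). */
long find_ascii(const uint8_t *mem, size_t mem_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= mem_len; i++)
        if (memcmp(mem + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Constructed scenario: the serial typed into the edit box sits at offset
 * 0x100 of the toy memory and the program's own buffer is at 0x200. */
enum { MEM_LEN = 0x400, SRC = 0x100, DST = 0x200 };

int main(void)
{
    static uint8_t mem[MEM_LEN];
    const char *serial = "1A2B3C4D5E";       /* the value used in the tutorial */
    memcpy(mem + SRC, serial, strlen(serial) + 1);

    /* Breakpoint on the serial's own bytes, as set in step 9. */
    uint32_t bp_lo = SRC, bp_hi = SRC + (uint32_t)strlen(serial);

    /* 11 bytes including the terminator -> 3 dwords to move. */
    Regs r = { .esi = SRC, .edi = DST, .ecx = 3 };
    int hit = rep_movsd(&r, mem, MEM_LEN, bp_lo, bp_hi);

    printf("breakpoint hit on iteration %d; after copy ECX=%u ESI=%08X EDI=%08X\n",
           hit, r.ecx, r.esi, r.edi);
    printf("serial found at %lX (edit box) and at %lX (program buffer)\n",
           find_ascii(mem, MEM_LEN, serial),
           DST + find_ascii(mem + DST, MEM_LEN - DST, serial));
    return 0;
}
```

The emulator reports a hit on iteration 0 because the very first dword read at ESI overlaps the watched serial; that is the same reason Olly halts on the REP MOVS at point-h rather than somewhere later, and why the register window at that moment shows the typed text through ESI while EDI names the buffer the program will check.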
EXAMPLES OF USE OF THE POINT-H
EXAMPLE 1. In this first example we will use Cosh's crackme2. The procedure is described below:
1) Open crackme2 in Olly. Enter the name and the serial as shown in FIGURE 11
FIGURE 11
2) Next, if we were using Windows 98 we would set a breakpoint on HMEMCPY. In our case we instead place a BPX at point-h. Since point-h is located in USER32.DLL, we go to the menu VIEW -> EXECUTABLE MODULES, double-click USER32 (the USER32 window opens), GO TO (Ctrl+G) 77D29303 (point-h on my system) and set a memory breakpoint on access (FIGURE 12).
FIGURE 12
3) Go to the crackme2 window and press CHECK
NOTE 3. Alternatively, press PAUSE, set the BPX at point-h, then press RUN (F9) and CHECK.
4) Olly stops at point-h (FIGURE 13).
FIGURE 13
This stop is exactly the same as HMEMCPY on Windows 98. The first stop at point-h is related to the NAME (observe the name "narjava" in the register ESI). If we press RUN (F9) once more the program stops again: this time the stop is related to the SERIAL (ESI = ASCII "989898", FIGURE 14).
FIGURE 14
This stop occurs when the input is copied into the program: the instruction REP MOVS [EDI],[ESI] tells us that the serial will be written to the buffer at EDI. Therefore we choose FOLLOW IN DUMP on the register EDI and press F8 until the serial is loaded into the DUMP (in other words, F8 until the call USER32.77D28C15 (or its equivalent on your machine), as shown in FIGURE 15). Go to the dump, select the fake serial (393839383938), set a breakpoint memory on access and RUN (F9).
FIGURE 15
Olly will stop in kernel32. Press RUN (F9) until the program returns to the crackme2 module.
Now we can see that Olly has stopped exactly at the crackme's check point.