<> Notes on core principles of reverse engineering ( One )——Hello World-1

<>Ollydbg Debugger instructions

Meaning of command shortcut key
Go toctrl + G Move to the specified address , Used to view code or memory , Not available at runtime
Execute till CursorF4 Execute to cursor position , That is, go directly to the address to be debugged
Set/Reset Break PointF2 Set or cancel breakpoints
Comment; Add comments
Label: Add tags
Goto command

If you want to position the cursor somewhere , Can be executed Go to command (ctrl + G) If you want to locate the code to 40104F You can use this command

Then cooperate F4 You can run the program here .

Set breakpoint

It can be used when debugging code F2 set up BP( breakpoint ) After setting breakpoints , When the program runs to a breakpoint , The procedure will be suspended

Using shortcut keys ALT + B You can call up the breakpoint box , Lists all breakpoints set , Double click this location to jump to the corresponding location where the breakpoint is set

Add comments

use ‘;’ You can add comments at the appropriate address , And the added comments can be found through the find command , The command here must be in English

Adding comments while debugging code makes debugging easier , If you need to find a comment , It can be selected from the menu displayed by right-click in the interface search for -> User-defined
comment View the defined comments in , Double click the comment to locate it :

Add tags

You can add specific functions at the specified address through the functions provided by the tag , adopt ‘:’ Symbols adding labels , Namely shift + ;

After adding labels , Right click to display the menu interface search for -> User-defined label View added Tags

<> Quickly find the specified code

It is very important to find the main function when decompiling code in reverse , But when decompiling the code main() Functions are not directly located in the EP
Position , The first is the startup function automatically generated by the development tool , So the main function that may really be needed is far away from where it started , therefore , We need some quick ways to find the main function

1. Code execution

Let's take a look at the code below to compile the program ( Code rewritten according to the original book program )

The source code is as follows :
#include<cstdio> #include<cstring> #include<iostream> #include<windows.h> using
namespace std; int main() { MessageBox(NULL, L"Hello World", L"Lpy_Now", 0);
return 0; }
Output after running program MeaasgeBox:

Next, decompile the code , Put code into OD It runs inside , Keep pressing F8 Skip some steps , Until the program pops up this MessageBox

Program to this line 1111E2 The function is called here 111000 So this is the main function , We use ctrl + G get into 111000 This function

This is the main function we're looking for

At address 111002 and 111007 There is one in each of the two places PUSH sentence , These two sentences will be Titlie = “Lpy_Now”, Text =
“Hello World” Save to stack , And passed as a parameter to MessageBox , Through the above method can also successfully find the main function .

2. String retrieval

OD When you first load the program to be debugged , It will go through a process of pre analysis , During this process, the process memory is looked at , The string referenced in the program and the API
They will be extracted , And put it into another list , Finding a string is useful for Tianshi program .

Right click , Click in the pop-up window Search for -> All referenced text strings You can see the following window :

Double click to enter the corresponding code line ,

Through the above method, we also successfully found the main function

3.API Retrieval method (1): Setting breakpoints in calling code

stay Windows in , If you need to display the content to the display , Need to use Win32 API towards OS
Request display output , In other words , When the application outputs content to the display screen , It needs to be called inside the program Win32 API
When we look at the function of a program , You can roughly infer that the API , If you can further find the Win32
API, It will bring us great convenience for program debugging , The above program will pop up a message window after running , Then we can infer that the program runtime calls
user.MessageBoxW()API

It was said in the previous description that OD The pre analysis of the program can not only analyze the string used by the program , Can also extract the program runtime calls API
Function list . If we just want to see what is invoked in the program code, API function , We can use it directly All intermodular calls command , Right click in the menu that appears
Search for -> All intermodual calls After clicking

Because what we're looking for is MessageBox
Such instructions , So on the first line is this instruction , Double click here to find the main function , So observe the behavior characteristics of a program , If we can predict what the code uses API
, So the above is also a good way to find the main function .

4. API Retrieval method (2): stay API Setting breakpoints in code

Although it was mentioned in the previous introduction OD Can be listed for executable files API
Function call list , But if you use a compressor / After the protector compresses or protects the executable file , The structure of executable file will have high edge , At this time OD You can't list them API
Call list ( It can even make the debugging process very difficult )

compressor (Run time
Packer, Run time compressor ): Compressor is a practical compression tool , Code that compresses executable files , data , Resources and so on , Same as normal compression , The compressed file itself is an executable file

Protector : The protector not only has compression function , Anti debugging has also been added , Inverse simulation , Reverse storage and other functions , Can effectively protect the process , If you want to analyze the protector carefully , So the analyst needs some advanced knowledge of reverse analysis

under these circumstances ,DLL After the code base is loaded into process memory , You can think about it directly DLL Add breakpoint to code base ,API
Is a set of functions that the operating system provides to the user's application , Used to implement some files . in short , When we write an application that does something , Must be used OS Provided API towards OS
Provide request , And then the API Corresponding system dll The file is loaded into the application's process memory

stay OD We can try to look at the memory mapping first , Click in the menu bar View -> Memory( or alt + M) Open the memory mapping window

We can see that USER32 The library is loaded into memory , Let's right-click in the window Search for -> Name in all modules Can be opened
All names window , click Name Columns are sorted by name

Search here MessageBoxW

Where the arrow points , Double click the function , The code here will be displayed , It's in USER32.dll Implementation in .

Looking at the address here, we find that it is completely different from the address of our executable file , We try to set breakpoints here (F2), Then continue to execute the code (F9)

Code execution stops here , stay 1 In the arrow register window at ESP The value of is 00EFF874 It is the address of the process stack , stay 2
You can see more detailed information in the stack window of the arrow at ESP Address 00EFFBB8 Where corresponds to an address 00FE1014 , That is, the main function is called MessageBox
After function , The program execution flow will return to this address , We press ctrl + G Get here

We found that the top part of this code is the main function we are looking for

B8 Where corresponds to an address 00FE1014 , That is, the main function is called MessageBox After function , The program execution flow will return to this address , We press ctrl + G Get here

We found that the top part of this code is the main function we are looking for

These are four ways to quickly find code

Technology