20120328_lena (Korean translation, page 1)

01. Olly + assembler + patching a basic reverseme
Thursday, 1 December 2011, 11:00 PM

Lena Reversing 01. Olly + assembler + patching a basic reverseme
Translator: re4lfl0w / re4lfl0w@gmail.com
Last updated: 2012.02.22

The creator of this movie or the ISP(s) hosting this movie or any content in this movie take no responsibility for the way you use the information provided in this movie. These files and anything else on this site and in this movie are here for private purposes only and should not be downloaded or viewed whatsoever! If you are affiliated with any government, or Anti-Piracy group or any other related group or were formerly a worker of one, you cannot enter this web site nor see this movie, cannot access any of its files and you cannot view any of the HTML files. All the objects on this site and in this movie are private property and are not meant for viewing or any other purposes other than bandwidth space. Do not see this movie whatsoever! If you see this movie you are not agreeing to these terms and you are violating code 431.322.12 of the Internet Privacy Act signed by Bill Clinton in 1995 and that means that you can't threaten our ISP(s) or any person(s) or company storing these files or these movies, cannot prosecute any person(s) affiliated with this page and movie which includes family, friends or individuals who run or enter this site or see this movie.

Translator's note: this part was the hardest to translate, and I do not fully understand it either.

Hello everybody. Welcome to this Part 1 in my series about reversing for newbies/beginners. This "saga" is intended for complete starters in reversing, even for those without any programming experience at all.
1. Abstract

Perhaps you wonder what reversing is. Well, reversing (reverse engineering) is the analysis and changing of the code of a program. This is done to change the looks of a program, to clean it from viruses, to enhance the program with other functions, to make it compatible with other systems, but in general, to get a better insight into the working of a program. My goal with this series of tutorials is to show you some techniques in this matter, starting on an easy target but making it more difficult step by step. No computer knowledge is required except working in Windows. The end result will be that you will be able to do some basic reversing (I hope).

Hopefully, you will use your newly gained knowledge in a positive way. I am not responsible for what you do with your newly acquired "wisdom". Therefore, I will only target ReverseMe's, (very) old software or applications that are no longer updated. The tools we will be using will be freely available (freeware) or no longer supported. Please, purchase the software you use after the trial period. Authors need money to live and deserve it for their hard work!!!
All this being said for this and also for the next parts in this series, let's get started. In this first part, I will have to give you some theoretical insights. I believe that practice is better than dry theory. So, even in this first tutorial, we are going to reverse an easy, basic ReverseMe. Parts 01 till 03 may be the most difficult for starters because some basic general knowledge about reversing and assembler language is handled there.

2. Tools and Targets

Throughout most of these tutorials, you will use OllyDbg and your brain. The first can be obtained for free at http://www.ollydbg.de ...the second is your responsibility ;)

The target (reverseme) is also included in this package. I "cut" a rather big amount of code from the reverseme to make the code very clear, but left the open space so as not to make it too obvious.

INFO: Whilst at the OllyDbg site, take a look around, especially at the "shortcut keys" page. Knowing these is a big help in working faster. I also included that page.

During most of the Parts in this series, I will use the ARTeam-Ollydbg.ini file for my OllyDbg. This file holds the options for OllyDbg and will make mine look a little different from the original. However, I have included the ARTeam-Ollydbg.ini file in this package and have already renamed it to its original filename (ollydbg.ini). Overwrite the original one in OllyDbg's directory with the one that I included if you want to see the same as me.

3. OllyDbg and some general info

OllyDbg, hereafter often called "Olly", is a Ring 3 debugger. It means that Olly itself runs at Windows application level (user mode), but still can control other applications. In human language: with this magnificent tool (thanks Oleh Yuschuk), we can find the "bugs" in a program. Not only find them, but also correct the program.

You probably already noticed the "weird" background? That is because I have already opened the ReverseMe in Olly. Let's have a look at it.

So, have you downloaded Olly yet? Ok, Olly doesn't need installing. Just unzip it to a directory of your choice, et voila... start Olly. At first startup, Olly will ask for the UDD and Plugins directory. Solve this like this.
Olly needs the UDD dir path because it keeps the breakpoints and other per-program info there. Olly is a very versatile tool because it supports the use of plugins that enhance the possibilities of the program. So, "show" Olly the paths for both directories here. After changing the path, you need to restart Olly and open the ReverseMe to get the same view as me. It may be that you need to rearrange the windows. BTW, all the buttons you see above will be explained during the tutorials, but you may want to play around a bit with them to explore a little.

Let's look a little closer at the windows that are visible.

INFO: If you are completely new to all this and in case you have had no previous assembler education at all, then all this may be a bit overwhelming at first sight. All will eventually become clear though. Just let it soak in.

The main window is the CPU window. We see:

The VAs (Virtual Addresses). When starting a program, the Windows loader loads the program at a certain memory location. (Not always the same, see later.)

The opcodes. In fact, these are the bytes that the computer reads and can understand.

Translator's note: opcode = operation code, i.e. the instruction code.
The assembler mnemonics. In fact, this is a translation (readable for humans) of the opcodes. This is something WE can "read". The computer only gets the opcodes; Olly has made the "translation" into mnemonics so that we understand!

Translator's note: Olly turns the opcodes (which the computer understands) into something humans can read. For example, the opcode bytes 6A 00 are shown to us as PUSH 0.

The comments. After Olly has analyzed the code, it puts comments here to ease our lives ;)

And then at last: the pane window, where we can see some info on what is executed in the next instruction. We have not started yet, so it's still empty.

INFO: Some essential info regarding sizes first. Make sure you do understand these before continuing.

2 hex digits == 1 byte
1 byte == 8 bits
1 opcode byte == 1 byte (note that one instruction is often more than one byte, e.g. PUSH 0 is the two bytes 6A 00)
2 bytes == 1 word
4 bytes == 1 dword
2 words == 1 dword

Translator's note: dword = double word.

Let's continue looking around in Olly. First, I advise you to download the win32.hlp file. This will be a good help in understanding APIs and their working in a program. BTW, APIs (Application Programming Interface) are the way in which a program interacts with the kernel. Install this help file in a dir on your HD and show Olly the path towards it. Olly is then able (right-click) to easily show you help on APIs. See further. Download here:
http://www.tuts4you.com/request.php?258
The extended winapi help file is here:
http://www.tuts4you.com/request.php?1499
Show Olly the path to Win32.hlp.

If you want some in-depth reading, then I strongly advise you to read Goppit's tutorial "Portable Executable File Format Compendium" for a better understanding (and for winter evenings), and also gabri3l's "weakness of the Windows API". Search for those titles here: http://arteam.accessroot.com/tutorials.html
But for now, let's focus on the next window: the registers window.

First of all: notice the "weird" values for all data. This is due to the hexadecimal system. I'm not going to explain this in this Part because we won't need it yet. For more info: see Part 2, where I'll explain briefly. Just remember from this point on that computers ALWAYS work in the hexadecimal system (that is how Olly shows every number). Or find more info googling for hexadecimal system.

Registers are "special places" inside the CPU itself (not in main memory) where we can store data. You can see a register as a little box wherein we can store something: a name, a number, a sentence. You can see a register as a placeholder.

ASSEMBLY INFO: On today's average WinTel CPU you have 9 32-bit registers (w/o flag registers). Their names are:

eax : Extended Accumulator Register
ebx : Extended Base Register
ecx : Extended Counter Register
edx : Extended Data Register
esi : Extended Source Index
edi : Extended Destination Index
ebp : Extended Base Pointer
esp : Extended Stack Pointer
eip : Extended Instruction Pointer

Translator's note:
EAX: holds a function's return value. All Win32 API functions store their return value in EAX before returning.
EBX: used to point at data in the DS segment.
ECX: used as the repeat count in loop instructions (LOOP); each iteration decrements ECX by 1.
ESP: points to the stack memory address. Some instructions (PUSH, POP, CALL, RET) manipulate ESP directly. (Because stack management is so important to a program, it is best not to use ESP for anything else.)
EBP: saves the value of ESP at the moment a function is called and restores it to ESP just before the function returns, so the stack does not get corrupted.
ESI, EDI: mostly used for memory copies together with specific instructions (LODS, STOS, REP MOVS, etc.).
Source: reverscore.com

ASSEMBLY INFO: Generally the size of those registers is 32 bits (= 4 bytes). They can hold data from 0 to FFFFFFFF (unsigned). In the beginning most registers had certain main functions which the names imply, like ECX = Counter, but these days you can -nearly- use whichever register you like for a counter.

Translator's note: unsigned means no minus sign, only positive values. A signed 32-bit value can represent -2^31 to 2^31 - 1; an unsigned one 0 to 2^32 - 1.

There's one more thing you have to know about registers: although they are all 32 bits large, some parts of them (16-bit or even 8-bit) can be addressed directly. Accessible are:

32-bit register   16-bit register   8-bit
EAX               AX                AH/AL
EBX               BX                BH/BL
ECX               CX                CH/CL
EDX               DX                DH/DL
ESI               SI                -
EDI               DI                -
EBP               BP                -
ESP               SP                -
EIP               IP                -

This is all very theoretical; an example will make it clear. For example:

7C 90 EB 94
EDX == 7C90EB94
DX  == EB94
DH  == EB
DL  == 94

You can find this and more about it, and most other subjects, in the Basics of assembler.doc that is included in this package.
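Added example (editor's code, not from Lena's tutorial or the Korean translation): a small Python model of how the 16-bit and 8-bit sub-registers alias slices of a 32-bit register. It reproduces the 7C90EB94 split above and also shows the write side, which the text does not cover: storing into DL or DX changes only those bits of EDX and leaves the rest alone. The Reg32 class and its method names are this example's own invention.

```python
# Added example (not from Lena's tutorial): the 16-bit and 8-bit views of a
# 32-bit register. Reads return a slice; writes to the low byte / high byte /
# low word replace only that slice, exactly like MOV DL, MOV DH, MOV DX.

MASK32 = 0xFFFFFFFF


class Reg32:
    """A 32-bit general register (think EDX) with its x86 sub-register views."""

    def __init__(self, value=0):
        self.value = value & MASK32

    # --- read views ---------------------------------------------------------
    @property
    def word(self):        # EDX -> DX : low 16 bits
        return self.value & 0xFFFF

    @property
    def hi(self):          # EDX -> DH : bits 8..15
        return (self.value >> 8) & 0xFF

    @property
    def lo(self):          # EDX -> DL : bits 0..7
        return self.value & 0xFF

    # --- write views: only the addressed slice is replaced ------------------
    def set_word(self, v):          # MOV DX, v   (upper word untouched)
        self.value = (self.value & 0xFFFF0000) | (v & 0xFFFF)

    def set_hi(self, v):            # MOV DH, v   (everything else untouched)
        self.value = (self.value & 0xFFFF00FF) | ((v & 0xFF) << 8)

    def set_lo(self, v):            # MOV DL, v   (everything else untouched)
        self.value = (self.value & 0xFFFFFF00) | (v & 0xFF)


def split(value):
    """Return (reg32, reg16, high8, low8) for a 32-bit value, e.g. 7C90EB94."""
    r = Reg32(value)
    return (r.value, r.word, r.hi, r.lo)


def demo():
    """Start from the tutorial's EDX and apply two partial writes."""
    edx = Reg32(0x7C90EB94)
    edx.set_lo(0)            # MOV DL, 0      -> EDX = 7C90EB00
    edx.set_word(0x1234)     # MOV DX, 1234h  -> EDX = 7C901234
    return edx.value


if __name__ == "__main__":
    print("EDX=%08X DX=%04X DH=%02X DL=%02X" % split(0x7C90EB94))
    print("after MOV DL,0 and MOV DX,1234h: EDX=%08X" % demo())
```

The two writes in demo() are the point: the upper 16 bits 7C90 survive both of them, which is what you see in Olly when a program fiddles with AL or AX while the rest of EAX keeps its old contents.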
That brings us to the stack window.

The stack is a part of memory where you can store different things for later use. See it as a pile of books in a chest where the last one put in is the first one to grab out. Or imagine the stack as a paper basket where you put in sheets. The basket is the stack and a sheet is a memory address (indicated by the stack pointer, ESP) in that stack segment. Remember the following rule: the last sheet of paper you put in the stack is the first one you'll take out! "Top is first off" (last in, first out).

The command 'push' saves the contents of a register (or any value) onto the stack. The command 'pop' grabs the last saved value from the stack and puts it in the (addressed) register.

And then finally, the dump window. Here you see the raw bytes of memory nicely organized in rows and columns. This can be arranged otherwise; just right-click in the dump window and play a little with the settings.

There are more windows; explore them by clicking the buttons if you like. Most are self-explaining; the others will be explained throughout this saga :)

Translator's note: for example, L is the Log window, E is Executable modules, and so on.
And then finally, the time has come to take a look at the first application we will reverse.

4. Study of the target

We have loaded the ReverseMe in Olly and Olly has stopped execution of the program at the EP (= entry point) by placing a breakpoint (an INT3, opcode CC) on that line. Let's say for now (more exactly, see later when we talk about the TLS callback function) that this is the first line of code from the program that is executed. This way, Olly can control the program whilst we... can control Olly.

Translator's note: a food chain...

Studying the behaviour of the program is very important because it can give us clues on how to attack the target. So, first, let's take a look at the behaviour of the ReverseMe. If we click this "Run" button, Olly will let the program run freely. BTW, the shortcut is F9. Bam. And our ReverseMe is running. But... we get some bad message (hereafter referred to as "badboy"), right? And what happens if we click the "OK" button??? Oops, the program just exits!!! That is not what we want, right???

Mmmm, so let's restart and look more closely at what happens, to see if we can do something about it.

5. Searching the patches

BTW, note also that Olly has meanwhile analyzed the code. You can see the results here. What is the goal now? Well, we will step the code a line at a time to see what happens. We can do this by stepping over the code (shortcut key F8 or the step-over button). This is also called "tracing". It is of course very important that you understand the code. Fortunately, there are only a few commands (mnemonics) to know and they are very easy to understand. This time, I will comment this assembler code a little, but in following parts you will already know and understand this yourself. More about these mnemonics (assembler code) can also be found in the document file included in this package.

I said it already: assembler is relatively easy and there are only a few mnemonics to understand (for starting). BTW, code is always executed top to bottom unless the code is "redirected" elsewhere by jumps or calls (see more later).

ASSEMBLY INFO: PUSH
Syntax: PUSH operand
PUSH is the opposite of POP. It stores a value on the stack and decreases ESP by the size of the operand that was pushed (4 for a dword), so that ESP points to the value that was PUSHed.

Hehe, so much for the theory, but don't worry, it will all become clear in a while. The first line of code is executed and nothing has happened yet, but notice the function of the stack and see how this "PUSH" instruction has pushed the value on the stack (00000000 == 0). Let's continue.

ASSEMBLY INFO: CALL (Call)
Syntax: CALL something
The instruction CALL pushes the address of the instruction that follows the CALL onto the stack (the return address, so that the procedure knows where to return to after the call) and then jumps to and executes a sub program/procedure.

"Call" can be used in the following ways:
CALL 404000 (CALL address)
CALL EAX (CALL register: executes the procedure at the address == value of EAX)
CALL DWORD PTR [EAX] (executes the procedure whose address is the dword stored in memory at the address held in EAX)
CALL DWORD PTR [EAX+5] (the same, but the pointer is read from memory at address EAX+5)
CALL <JMP to API> (in fact also a CALL address, but it's kind of special because it ends up executing an API (see further))

It is also when talking about calls that I need to mention this button. It is the "step in" button (shortcut key F7). With this, you can follow the code IN the call, while the "step over" button (shortcut key F8) executes the complete code and all subcode in the call at once and stops at the line after the call.

Translator's note: step over runs the whole call for you and lands you on the next line, so you don't have to follow the code inside the call.

The API GetModuleHandleA got executed. A little more on APIs first. Windows applications run in Ring 3 (user mode). But those applications need to be able to "work" with the kernel (Ring 0). Windows has functions that user applications can use to request specific operations from the kernel (low level). These functions are the Windows APIs (Application Programming Interface). If a program needs to access a low level function, it calls a particular API function. The API allows interaction with the kernel. The APIs' code generally resides in system DLLs. When an API function is called, the application needs to tell the API function what it wants to achieve by passing parameters (arguments) to the API function. In human language: applications use APIs to get the computer to do something :) See later for more on APIs.
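Added example (editor's code, not from the tutorial or the Korean translation): a toy model of the stack that ties together the stack window, PUSH, CALL and the remark later in this part that the parameters of an API call are pushed in reverse order. Every address and parameter value in it (the initial ESP, the code addresses, the CreateFileA arguments, the "Keyfile.dat" pointer) is constructed for the example and not taken from the ReverseMe; the Win32 constants GENERIC_READ, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL are the real values.

```python
# Added example (not from Lena's tutorial): what PUSH, POP, CALL and RET do
# to ESP, and why the first parameter of a Win32 call ends up at [ESP+4]
# inside the callee even though it is pushed last. All addresses are
# constructed placeholders, not values from the ReverseMe.


class Stack:
    """Toy little-endian dword stack; it grows down from a constructed ESP."""

    def __init__(self, esp=0x0012FFC4):
        self.esp = esp      # ESP always points at the last value pushed
        self.mem = {}       # address -> dword, only the stack area

    def push(self, value):
        self.esp -= 4       # PUSH: ESP = ESP - 4, then [ESP] = value
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem[self.esp]   # POP: value = [ESP], then ESP = ESP + 4
        self.esp += 4
        return value

    def call(self, next_eip, target):
        """CALL: push the address of the instruction after the CALL, then jump."""
        self.push(next_eip)
        return target                # the new EIP

    def ret(self, cleanup=0):
        """RET n: pop the return address, then drop n bytes of parameters."""
        eip = self.pop()
        self.esp += cleanup
        return eip

    def dword_at(self, addr):
        return self.mem[addr]


def call_createfile(stack):
    """Model CreateFileA("Keyfile.dat", ...) being called from code at 0x00401030.

    The prototype lists lpFileName first, but the arguments are pushed
    right-to-left, so lpFileName is pushed LAST and is nearest to ESP.
    """
    params = [                                   # prototype (left-to-right) order
        ("lpFileName",            0x00402100),   # constructed address of "Keyfile.dat"
        ("dwDesiredAccess",       0x80000000),   # GENERIC_READ
        ("dwShareMode",           0),
        ("lpSecurityAttributes",  0),
        ("dwCreationDisposition", 3),            # OPEN_EXISTING
        ("dwFlagsAndAttributes",  0x80),         # FILE_ATTRIBUTE_NORMAL
        ("hTemplateFile",         0),
    ]
    for _name, value in reversed(params):        # pushed in reverse order
        stack.push(value)
    esp_at_call = stack.esp                      # [ESP] == lpFileName right now
    target = stack.call(next_eip=0x00401030, target=0x7C801A28)  # constructed API address
    # Inside the callee: [ESP] = return address, [ESP+4] = 1st param, [ESP+8] = 2nd ...
    return {
        "target": target,
        "esp_at_call": esp_at_call,
        "return_addr": stack.dword_at(stack.esp),
        "lpFileName": stack.dword_at(stack.esp + 4),
        "dwDesiredAccess": stack.dword_at(stack.esp + 8),
    }


def demo():
    s = Stack()
    esp_start = s.esp
    s.push(0)                        # the tutorial's first instruction, PUSH 0
    esp_after_push = s.esp
    frame = call_createfile(s)
    ret_to = s.ret(cleanup=7 * 4)    # a stdcall API ends with RET 1Ch: 7 dwords removed
    return {
        "push_delta": esp_start - esp_after_push,
        "esp_after_push": esp_after_push,
        "esp_after_ret": s.esp,
        "ret_to": ret_to,
        **frame,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-16s %08X" % (key, val))
```

Read the output against Olly's stack window: after the seven pushes the top of the stack is the file name pointer, the CALL puts the return address on top of that, and after RET 1Ch ESP is back where it was before the parameters were pushed.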
ASSEMBLY INFO: MOV (Move)
Syntax: MOV dest, src (dest = destination, src = source)
This is an easy to understand instruction. MOV copies the value from src to dest, and src stays what it was before.

There are some variants of MOV:

MOVS/MOVSB/MOVSW/MOVSD EDI, ESI: these variants copy the byte/word/dword that ESI points to, to the space EDI points to.

MOVSX: MOVSX expands byte or word operands to word or dword size and keeps the sign of the value (sign extension).

Translator's note: a signed value carries a + or - sign. When extending a byte to a word the sign is preserved; e.g. the byte 0000 0001 becomes the word 0000 0000 0000 0001, and a negative byte gets its new upper bits filled with 1s.

MOVZX: MOVZX expands byte or word operands to word or dword size and fills the rest of the space with 0 (zero extension).

In human language and in our example, the value of EAX, which... is 00400000 at the moment... will be copied into the DWORD (= 4 bytes) starting at address 402177, and the value at 00402177 can be seen here in the pane window (or verified in the dump window).

INFO: If this sounds like rubbish, once again, don't worry, it is not that important here. If you are new to this, just study it a moment and try to understand. It will all become clear after a little while.

We just continue our journey in outer space. Follow along. Some instructions that you understand by now are carried out until... Ok. So far, all good. Now, perhaps you think that nothing is happening, but... take a look at this text... but this is the badboy message!!! So, if we would continue executing the code, then it is here that the bad message appears. Understood? And see why the software exits after the badboy message... unless of course we can somehow avoid this badboy + exit???

Let's take a better look at the API here. Aha, if you downloaded the win32.hlp, it will already come in handy! Let's see this in more detail using this win32.hlp, because here it must be decided (between badboy and goodboy).
INFO: Very often, it's in the call just before a conditional jump that it is decided whether the jump will eventually be taken or not.

That's it... That is self-explaining, isn't it? "The CreateFile function creates or opens an object and returns a handle to access the object."

Remark: in assembler, you will find the parameters of a function pushed onto the stack in reversed order (so that the callee finds them in regular order: the first parameter is the one nearest to ESP, just above the return address).

Translator's note: in the help file lpFileName is declared first, but in Olly FileName appears last. Don't be puzzled: when a program passes parameters to a sub program they are always pushed in reverse order. A parameter is a variable handed over to the sub program.

Let's not yet dig too deep; just see that the important parameter for us here now is... hehe, the name of the file the program is looking for!!! Let's see in Olly what this file is!!! And it is not a big mystery what file the program is looking for, right??? (Mind the reversed order.) In short: the ReverseMe is looking for a file called "Keyfile.dat", but will not find it BECAUSE THE PROGRAM IS UNREGISTERED! Ok. Let's continue and see what goes on next.

ASSEMBLY INFO: CMP (Compare)
Syntax: CMP dest, src
The CMP instruction compares two things (it computes dest - src and throws the result away) and sets the flags according to that result, among them the C/O/Z flags.

Translator's note: Carry flag, Overflow flag, Zero flag.

Mmmm, translated to our example here, EAX is compared to -1. FFFFFFFF means -1, so here the result of the comparison is "equal". (I won't dig deeper into signed/unsigned differences here yet.) And of course, meanwhile we know the reason why EAX equals -1: CreateFile returns FFFFFFFF (INVALID_HANDLE_VALUE) because the file was not found.

Translator's note: FFFFFFFF + 1 = 0 in 32 bits, so FFFFFFFF = -1. Look up two's complement / binary conversion if this is unclear.

IMPORTANT INFO: Throughout this series, I will deliberately tell some inconsistencies so as not to have to dig too deep yet, if I feel that you may not have sufficient/profound knowledge to understand already. I hope you will pardon me for this.

REMARK: see more info on jumps in the document included. This instruction is really important. See all (conditional) jumps there.

Our example here: JNZ == Jump if Not Zero, i.e. jump when ZF = 0 (Z-flag). The result of the compare however IS zero (they are equal, so ZF = 1) and so the jump will not be executed... but the badboy will be executed.

This is also where the settings from ARTeam's ollydbg.ini file come in handy: you can easily see if the JNZ is going to be executed. The arrow would have turned red if jumping!!! (You can also change these options manually. See later.) So, we need to find a way to jump past this badboy, right?

ASSEMBLY INFO: And this is where the flags come in.

Flags are single bits which indicate the status of something. The flag register (EFLAGS) on modern 32-bit CPUs is 32 bits large, so there is room for 32 different flags (not every bit is actually used), but don't worry. You will mostly only need 3 of them in reversing: the Z-flag, the O-flag and the C-flag. For reversing you need to know these flags to understand if a jump is executed or not. (Or use trial and error LOL.)

This register is in fact a collection of different 1-bit flags. A flag is a sign, just like a green light means 'ok' and a red one 'not ok'. A flag can only be '0' or '1', meaning 'not set' or 'set'.

Conclusion for our example: just change the Z-flag (by double-clicking its value in the registers window) and we will jump past the badboy!!!
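Added example (editor's code, not from the tutorial or the Korean translation): a Python model of what CMP does to the flags and how JNZ (and a few other conditional jumps) read them, applied to the "CMP EAX, -1 / JNZ" check above. Flipping ZF in the model is the same trick as double-clicking the Z flag in Olly. The "valid handle" value 5C is constructed; INVALID_HANDLE_VALUE is the real Win32 constant.

```python
# Added example (not from Lena's tutorial): CMP computes dest - src, throws
# the result away and keeps the flags; a conditional jump only looks at
# those flags. This models the ReverseMe's 'CMP EAX, -1 / JNZ goodboy'.

MASK32 = 0xFFFFFFFF


def to_signed(v):
    """Interpret a 32-bit pattern as a signed number (FFFFFFFF -> -1)."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def cmp_flags(dest, src):
    """Flags after 'CMP dest, src'.

    ZF: the operands are equal (dest - src == 0)
    CF: unsigned borrow (dest < src when both are read as unsigned)
    SF: sign bit of the 32-bit result
    OF: signed overflow (the signed result does not fit in 32 bits)
    """
    dest &= MASK32
    src &= MASK32
    result = (dest - src) & MASK32
    signed_result = to_signed(dest) - to_signed(src)
    return {
        "ZF": int(result == 0),
        "CF": int(dest < src),
        "SF": int(bool(result & 0x80000000)),
        "OF": int(not (-(1 << 31) <= signed_result < (1 << 31))),
    }


def jump_taken(mnemonic, flags):
    """Decide from the flags whether a conditional jump is taken."""
    table = {
        "JZ":  flags["ZF"] == 1,   "JE":  flags["ZF"] == 1,
        "JNZ": flags["ZF"] == 0,   "JNE": flags["ZF"] == 0,
        "JB":  flags["CF"] == 1,   "JAE": flags["CF"] == 0,       # unsigned compares
        "JL":  flags["SF"] != flags["OF"],                        # signed compares
        "JGE": flags["SF"] == flags["OF"],
    }
    return table[mnemonic]


INVALID_HANDLE_VALUE = 0xFFFFFFFF   # what CreateFile returns when the file is not found


def keyfile_check(eax, flip_zf=False):
    """The ReverseMe's decision: 'CMP EAX, -1' followed by 'JNZ goodboy'.

    eax is CreateFile's return value. flip_zf models double-clicking the
    Z flag in Olly's register window right before the JNZ executes.
    """
    flags = cmp_flags(eax, -1)
    if flip_zf:
        flags["ZF"] ^= 1
    return "goodboy" if jump_taken("JNZ", flags) else "badboy"


if __name__ == "__main__":
    print(cmp_flags(INVALID_HANDLE_VALUE, -1))          # ZF=1: equal, JNZ not taken
    print(keyfile_check(INVALID_HANDLE_VALUE))          # badboy
    print(keyfile_check(INVALID_HANDLE_VALUE, True))    # goodboy, flag flipped by hand
    print(keyfile_check(0x5C))                          # goodboy, constructed valid handle
```

Note that flipping the flag only fixes this one run: the next time the program starts, CreateFile fails again and ZF is set again. Making the change stick is what the "patching" in the title of this part is about, and that comes later.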
20120328_lena 한글페이지 30 Hehe, see the magic!!! So, if we continue stepping now 헤헤, 예술이다!!! 그래서, 계속하겠다. 번역주 ) 위의사진과비교해보면알겠지만 Z-Flag가 0 -> 1로바뀌었다. But first something else. Here, we can set a breakpoint (=BP) ourselves. Olly will set this as a visible red VA. It's easy for later to remember where we will need to make changes. Set a BP by pressing F2 or by doubleclicking the opcodes. 그러나먼저다른방법을사용하겠다. 여기에 BP를설정할수있다. Olly는 VA가 red로보일때설정된것이다. 이것은나중에우리가변화하는지점을기억하는데매우좋다. BP를세팅할때 F2를눌러라. 또는 opcodes를 doubleclick 해라. 번역주 )BP: breakpoint( 이하 BP), 데이터중단점. BP를설정한곳바로전까지실행이된다. BP가걸려있는곳의첫번째 byte를 int3로바꿔서멈추는것이다. 자세한내용은이 series 후에나온다.
Let's execute the JNZ and continue the journey in outer space, LOL. Hehe, ain't that great? We have jumped past the badboy.

Let me sum up what has happened so far. We have executed some code from the ReverseMe up to the point where the program verifies the existence of a file. I have changed a flag so that the program thinks this file was found. Thus, the ReverseMe does not jump to the badboy but continues its normal execution.

--> file not found == BadBoy
--> file found == continue execution

Scroll up for a better view.
Mmmm, a whole bunch of jumps and conditional jumps ahead, and then nothing. Perhaps you have already understood that indeed, again, we will need to dig into the API. Let's go. That clarifies a lot, doesn't it? Gogo!

In short: ReadFile tries to read a certain number of bytes from our Keyfile.dat and, if successful, puts them in a buffer at a certain address. Understood?

Keyfile.dat was not found by CreateFile of course, so the info here is missing (FFFFFFFF instead of the value). ReadFile was going to read 46h (== 70 decimal) bytes at 402173 (a value that would normally have been filled in by CreateFile) and place them in a buffer at 40211A.

I hope it's clear that this is again bad news. The following conditional jumps will lead to badboys again, don't you think? Let's take a look.
ASSEMBLY INFO: TEST
Syntax: TEST operand1, operand2
This instruction is in 99% of all cases used as "TEST EAX, EAX". It performs a logical AND (see the AND instruction) but does not save the result. Of the flags we care about, it sets the Z-flag when the result is 0 (EAX == 0) and clears it when EAX is not 0. The O- and C-flags are always cleared.

ASSEMBLY INFO: AND (Logical And)
Syntax: AND dest, src
The AND instruction performs a logical AND on two values. This instruction *will* clear the O-flag and the C-flag and can set the Z-flag. To understand AND better, consider these two binary values:

    1001010110
AND 0101001101
    0001000100

If you AND them, the result is 0001000100. Where two 1s stand below each other, the result bit is 1; otherwise the result bit is 0. You can use calc.exe to calculate AND.

After this TEST EAX, EAX comes a JUMP if NOT zero; so we are not going to jump, because EAX "IS" zero (the Z-flag is set). Indeed. If we don't jump now, then next is an unconditional jump. Let's see where that leads to.

Woops! Follow the jump. Scroll down. Right, we jump to... another badboy!!! Let's run and have a look at it ;)

Aha, the ReverseMe asks for a keyfile. And what happens if we click OK? Right, the program exits :)

Suddenly, we are back here again. Indeed, to reduce the size of this movie, I have cut the restart out of it and come back right here, where we jumped to the 2nd badboy, in the same way as before: changing the Z-flag at the first JNZ. This time however, let's avoid jumping to the badboy again. I suppose you have understood how to do it???
Exactly. And the magic has happened again.

Let's sum up: I have changed the Z-flag once more to make the ReverseMe think it has successfully read the file. --> the ReverseMe will continue its normal execution as if all were ok!!!

Remark: basically, what I'm doing is guiding the execution of the ReverseMe as if everything it verifies is simply ok.

ASSEMBLY INFO: XOR
Syntax: XOR dest, src
The XOR instruction combines two values using a logical exclusive OR. This instruction clears the O-flag and the C-flag and can set the Z-flag. To understand XOR better, consider these two binary values:

    1001010110
XOR 0101001101
    1100011011

If you XOR them, the result is 1100011011. Where the two bits on top of each other are equal, the resulting bit is 0; otherwise the resulting bit is 1. You can use calc.exe to calculate XOR.

The most often seen use of XOR is "XOR EAX, EAX". This will set EAX to 0, because when you XOR a value with itself, the result is always 0. I hope you understand why; otherwise write down a value on paper and try ;) XOR REG, REG is often used to make sure a register is zero (it is also shorter than MOV REG, 0).

Aha, is this the jump to the goodboy? Scroll down. Oh no, again to the badboy!!! Now, I told you already I'm guiding the program to the goodboy. Deliberately, I have not yet looked at the strings in the ReverseMe, so as not to give it all away from the beginning. Let's do that now.
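The ASSEMBLY INFO blocks above (TEST, AND, XOR) and the CMP/JNZ at the file check all come down to a few flag bits and the rule each jump applies to them. The model below is an added example written for this page, not code from the tutorial or from OllyDbg: it computes ZF, SF, CF and OF for those instructions, evaluates JNZ/JE/JL the way the CPU does, and replays the two checks of the walkthrough. The EAX values fed in are assumptions (FFFFFFFF is what CreateFile returns for a missing file; the other values are made up), and the JL case shows why flipping the Z-flag does nothing for that jump.

```python
"""Model of the x86 flags this walkthrough relies on and of the conditional
jumps that read them. Constructed example; register values are assumptions."""

MASK32 = 0xFFFFFFFF
SIGN32 = 0x80000000


def u32(x):
    return x & MASK32


def cmp32(dst, src):
    """CMP dst, src: compute dst - src, set the flags, discard the result."""
    d, s = u32(dst), u32(src)
    res = u32(d - s)
    return {
        "ZF": int(res == 0),
        "SF": int(bool(res & SIGN32)),
        "CF": int(d < s),                                    # unsigned borrow
        "OF": int(((d ^ s) & (d ^ res) & SIGN32) != 0),      # signed overflow
    }


def logic32(op, dst, src):
    """TEST / AND / XOR: OF and CF are always cleared, ZF and SF follow the
    result. TEST discards the result; AND and XOR return it (the CPU would
    write it back to dst)."""
    d, s = u32(dst), u32(src)
    res = d ^ s if op == "xor" else d & s
    flags = {"ZF": int(res == 0), "SF": int(bool(res & SIGN32)), "CF": 0, "OF": 0}
    return (None if op == "test" else res), flags


def jump_taken(mnemonic, f):
    """The condition each jump tests. Note that JL/JGE never look at ZF."""
    table = {
        "jmp": True,
        "je": f["ZF"] == 1, "jz": f["ZF"] == 1,
        "jne": f["ZF"] == 0, "jnz": f["ZF"] == 0,
        "jl": f["SF"] != f["OF"], "jge": f["SF"] == f["OF"],
        "jb": f["CF"] == 1, "jae": f["CF"] == 0,
    }
    return table[mnemonic]


def flip(f, name):
    """What double-clicking a flag in Olly's register pane does."""
    g = dict(f)
    g[name] ^= 1
    return g


def file_check_jumps(eax, flip_zf=False):
    """First check: CMP EAX,-1 / JNZ. CreateFile returns FFFFFFFF when the
    keyfile is missing, so the compare gives zero and JNZ falls through to
    the badboy unless the Z-flag is flipped by hand."""
    f = cmp32(eax, -1)
    if flip_zf:
        f = flip(f, "ZF")
    return jump_taken("jnz", f)


def read_check_jumps(eax):
    """Second check: TEST EAX,EAX / JNZ on what ReadFile returned."""
    _, f = logic32("test", eax, eax)
    return jump_taken("jnz", f)
```

`cmp32(0xFFFFFFFF, -1)` yields ZF = 1, so `file_check_jumps(0xFFFFFFFF)` is false and the badboy runs; with `flip_zf=True` the same state jumps past it, which is exactly the double-click in the registers pane. For the JL later in the walkthrough, `jump_taken("jl", ...)` depends only on SF and OF, which is why the Z-flag trick does not carry over.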
Right-click ;) ;) And Olly displays all the text strings it can find in the ReverseMe. Study them a little. This looks definitely like a goodboy to me!! Double-click this line to go there and take a look. Double-clicking the line brings you to this place in the program. Let's go see it there.
This is what it looks like in the code. Mmmm, see the goodboy here. It means that, if we can guide the program to execute this piece of code, we have solved the ReverseMe. But how to get here? Easy: just follow the jumps. This sign indicates a jump arriving here. Let's see where it comes from. Scroll up.
And simply follow the jump :) Of course, you can also see here where the jump comes from. So, we need to arrive here, huh!!! And here is where we already are!!!
INFO: the EIP register always holds the VA (virtual address) of the next line of code to execute. If you get lost in the code, double-click it (EIP, in the registers pane) to find your way back to where execution stands.

I suppose you know by now what needs to be done??? But this time it's a JL, so do not change the Z-flag (JL does not look at it; it is decided by the S-flag and the O-flag) but... Mmm, ok, this JE does not jump to the badboy.
We noticed before that this one leads to the goodboy... and this one leads to the badboy. So, we need to correct this jump too. To the goodboy!!! Ok. Continue stepping to see the result.
Great.

BTW, every API has its own specific function in a program. This MessageBoxA, for example, displays a message box. You can clearly see the arguments (parameters) that were pushed on the stack. You can find info on most APIs in Win32.hlp. Do that on your own if you want more info. I'm sure you already understand what this API will accomplish :))

So far so good. The question now is: how can we finalize this? We are not always there to guide Olly to the goodboy! Well, I'll show you. So, restart the ReverseMe in Olly.

6. Finalizing the patches

I've restarted but removed it from this movie to reduce its size, and so we land once again at the EP. Remember the breakpoint that we've set and look what Olly is capable of. We press "run" (F9 key)...
...but here comes Olly in action, and... the execution of the code is paused at the BP we set earlier.

So, now we need to change this code permanently. This can easily be done in Olly by assembling another piece of code at this offset and then saving it to file!!! In fact, we change the opcodes. Look carefully. We won't need the BP any further, so I'll first remove it.

Double-click in the code or press <Spacebar> to assemble. Click <Assemble> or press <Enter>. Notice that I have the "Fill with NOPs" box checked. (See further.)

Right. Do you understand that the code execution will now always jump past this first badboy? Well, we need to assemble all the wrong jumps into good ones. Follow carefully.
Note: I'm showing it here the long way. Of course we could change the destination of this jump and jump right away to the goodboy message. Remark: of course it isn't always this simple ;)

Remember that we may NOT jump here. So, this code needs another treatment. NOP == do nothing :)

INFO: There are always many different ways to assemble patches that achieve the same thing. But we'll see more of this later. As an example, I could also assemble the same JL but jumping to the next line instead of NOP'ing the complete instruction. So like: JL SHORT reversem.004010C1. All this will become clearer as we continue.
Checking the box ensures that both bytes of the two-byte jump are NOPed!!! Yep. If not, an "unwanted" opcode would remain: the jump's second byte, left behind on its own. And remember, this code jumps to the goodboy. Now, we still need to save the changes. Scroll up.

Here, we can see all the patches we have made. BTW, if you want to see the list, you can also find all patches in the "Patches" window. You can verify that for yourself if you want. Either way will do.
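The patches assembled above are, at the byte level, only three kinds of edit: a jump that must never be taken (NOP the whole instruction, or re-point it at the next instruction as with JL SHORT reversem.004010C1), a jump that must always be taken (turn the Jcc into JMP), and the mistake "Fill with NOPs" prevents (replacing the opcode byte alone and leaving the displacement byte behind). The script below is an added example written for this page, not code from the tutorial or from OllyDbg; the sample bytes and their layout are constructed and are not the ReverseMe's real code. It also handles the 6-byte near form (0F 8x rel32) that the tutorial's short jumps do not show.

```python
"""Byte-level jump patching as done in Olly's assembler. Constructed example;
SAMPLE and its layout are made up, not the ReverseMe's real bytes."""

NOP, JMP_SHORT, JMP_NEAR = 0x90, 0xEB, 0xE9
COND = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
        "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_jump(code, off):
    """(mnemonic, length, target offset) for the jump at code[off], else None.
    Short Jcc is 7x rel8, near Jcc is 0F 8x rel32, JMP is EB rel8 / E9 rel32.
    The target is always offset-of-next-instruction plus the signed displacement."""
    b = code[off]
    if 0x70 <= b <= 0x7F or b == JMP_SHORT:
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        name = "jmp" if b == JMP_SHORT else COND[b - 0x70]
        return name, 2, off + 2 + rel
    if b == JMP_NEAR:
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return "jmp", 5, off + 5 + rel
    if b == 0x0F and 0x80 <= code[off + 1] <= 0x8F:
        rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        return COND[code[off + 1] - 0x80], 6, off + 6 + rel
    return None


def patch_jump(code, off, mode):
    """Return a patched copy of code. mode:
       'never_nop'      whole instruction -> NOPs (Olly's "Fill with NOPs")
       'never_fallthru' keep the Jcc but make it jump to the next instruction
       'always'         Jcc -> unconditional JMP to the same target"""
    dec = decode_jump(code, off)
    if dec is None:
        raise ValueError("no jump at offset %#x" % off)
    name, length, _ = dec
    out = bytearray(code)
    if mode == "never_nop":
        out[off:off + length] = bytes([NOP]) * length
    elif mode == "never_fallthru":
        disp = 1 if length == 2 else 4
        out[off + length - disp:off + length] = bytes(disp)          # rel = 0
    elif mode == "always":
        if name == "jmp":
            pass                                                     # already unconditional
        elif length == 2:
            out[off] = JMP_SHORT                                     # 7x rel8  -> EB rel8
        else:
            out[off], out[off + 1] = NOP, JMP_NEAR                   # 0F 8x rel32 -> 90 E9 rel32
    else:
        raise ValueError(mode)
    return bytes(out)


def nop_first_byte_only(code, off):
    """The mistake: only the opcode byte is replaced, the displacement stays."""
    out = bytearray(code)
    out[off] = NOP
    return bytes(out)


# Constructed snippet (assumed layout, offsets relative to its start):
#   +00  83 F8 FF       CMP EAX, -1
#   +03  75 08          JNZ SHORT +0D       (to the good path)
#   +05  6A 00          PUSH 0              (badboy)
#   +07  E8 00 00 00 00 CALL ...            (placeholder displacement)
#   +0C  C3             RET
#   +0D  33 C0          XOR EAX, EAX
#   +0F  C3             RET
SAMPLE = bytes.fromhex("83f8ff" "7508" "6a00" "e800000000" "c3" "33c0" "c3")
```

With `nop_first_byte_only(SAMPLE, 3)` the byte 08 survives at +04; 08 is the opcode of OR r/m8, r8, which needs a ModRM byte, so the CPU would swallow the 6A of PUSH 0 as its ModRM and every instruction after it decodes at the wrong boundary. That is the "unwanted opcode" the checkbox guards against.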
;) Save under a different name!!!

Let's sum up what we've done so far. First, we found what needs to be done to guide the code to run to the goodboy. Then we permanently changed the ReverseMe to do that and saved it (= patching). So, all that remains now is... testing the saved ReverseMe.

7. Testing the patched ReverseMe

Indeed!!! You really did it. Congratulations on patching your first ReverseMe. In reversing, there are always different solutions to a problem. See me back in part 2 of this series to solve this ReverseMe the proper way ;)
I hope you understood everything fine and I also hope someone somewhere learned something from this. See me back in part 2 of this series ;)

The other parts are available at
http://tinyurl.com/27dzdn (tuts4you)
http://tinyurl.com/r89zq (SnD Filez)
http://tinyurl.com/l6srv (fixdown)

Regards to all and especially to you for taking the time to look at this tutorial.
lena151 (2006, updated 2007)