Sunday, July 26, 2009

From TiGa IDA video

Just finished the TiGa IDA Pro RCE tutorials, 8 sets in total.

Note:

1 - Visual Debugging with IDA - The Interactive Disassembler
F4 - run to cursor
F7 - step into
F8 - step over
F2 - breakpoint
F9 - start process


2 - Remote Debugging with IDA Pro
-at terminal
#share
#share user 192.168.0.1 IDA
#cd /mnt/share (if the connection succeeds, the share should work)
#./linuxserver //run the IDA linuxserver

-at gdb
$file crackme
$dis main //let the program start from main
$break strcmp
$run

-let's eXamine the String pointed to by EAX; it is the dummy password
$ x/s $eax
$step
$ins $eax //let's INSpect EAX
$clear strcmp //clear the breakpoint that was created

To paste things into the IDA command line, use SHIFT+INSERT, not Ctrl+V


3 - Tracing a buggy Application with IDA Pro (Training Package)
-sizeof(iInteger) gives the length of the array in bytes, not the element count

-A hardware breakpoint is needed when dealing with data. A normal BP inserts an opcode (0xCC) at the beginning of an instruction to generate an exception when that line is about to be executed.
- if the function reads integers, the BP needs to be 4 bytes wide
- F2 to set breakpoint
- F9 to run
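As an added illustration of the sizeof note above (constructed code, not the training package's buggy application): the byte-count mistake beside its corrected form. The array name iInteger is taken from the note; its contents and the helper names are made up.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not code from the TiGa training package: an int array
 * named iInteger as in the notes, the sizeof mistake described above, and the
 * corrected bound beside it. */
static int iInteger[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Wrong bound: sizeof() yields the array size in BYTES, so with a 4-byte int
 * this is 32, four times the number of elements. A loop that uses it as an
 * element count walks past the end of the array; that out-of-bounds access is
 * what a 4-byte-wide hardware breakpoint on the array catches in the debugger. */
size_t buggy_bound(void)
{
    return sizeof(iInteger);
}

/* Correct bound: total bytes divided by the size of one element. */
size_t element_count(void)
{
    return sizeof(iInteger) / sizeof(iInteger[0]);
}

/* Sum over the correct bound; every index stays inside the array. */
int sum_elements(void)
{
    int total = 0;
    for (size_t i = 0; i < element_count(); i++)
        total += iInteger[i];
    return total;
}

int main(void)
{
    printf("sizeof(iInteger) = %zu bytes, %zu elements, sum = %d\n",
           buggy_bound(), element_count(), sum_elements());
    return 0;
}
```

On a 32-bit-int platform buggy_bound() returns 32 while element_count() returns 8; the loop in sum_elements() uses the element count and never leaves the array.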

-Highlight the variable, then add the variable to the watch list (click the button); the value should be the same as in the specified register

Modifying the tracing options

-at Tracing Options, the tracing buffer size is the number of lines to log before overwriting (0 means unlimited buffer)

-we can make tracing stop at the end of this function rather than at the end of main; just change the Stop Condition in Tracing Options

-we can disable a breakpoint by right-clicking, without removing it
(the color of the breakpoint turns from red to green)

-run to cursor
-pressing the H key switches a value from hex to decimal; pressing H again changes it back from decimal to hex

-A HWBP set on execute behaves the same way as a regular BP but without adding the 0xCC byte. Max 4 HWBPs; all PC CPUs are limited in this way.

-Toggle tracing instructions; the tracing panel will show.

-from the tracing window, we can see which APIs have been used.

-we can make a breakpoint that does not break unconditionally, only under a certain condition

-we can set all Trace mode or Break mode in Tracing Options. It will add a red marker in the tracing window


4 - How to solve Crackmes for Dummies in Video
(part 1)
-F4 to run till cursor
-[ebx] means the data pointed to by EBX
-sometimes use this as the breakpoint condition: al=al-2, because al-2+1=al-1

- we can use a breakpoint condition to avoid a nag: at the nag address set a breakpoint with the condition "EIP=0x4014E2" (this address is the place where the nag can be bypassed.)

(part 2)
-In Visual C++, Ctrl+T tests the dialog
-MSC ClassWizard

// handler generated by ClassWizard for the edit control's change notification;
// UpdateData(true) copies the dialog controls into the member variables
void CKeygenDlg::OnChangeEname()
{
    UpdateData(true);
}

// MFC version of printf: format the integer into the CString member
m_sSerial.Format("%i", iSum);


5 - x64 Disassembling and Fixing obfuscated APIs
-Press C to convert the data to code ---> reanalyse the segment
-Debugger --> Take memory snapshot //IDA can dump volatile memory and integrate it into the database
-let's check the import section (pink area of the memory bar)
-some information is not loaded into the database, especially when a segment of memory disappears;
solution: reload the file without checking "create imports section"
-IDA Options ---> Analysis --> Reanalyze program
-edit the segment size and the starting segment address; the truncated segment will show
-SHIFT + "-" (SHIFT + "minus") changes the 0xFFFFFFFF value to a signed decimal number, -1
-x64 disassembling needs to be done remotely in a 64-bit OS
-why not use IDA-64 locally?
Reason: IDA-64 is a 32-bit program; the server acts as a translator only
Solution: set the server address and port if you want to debug a 64-bit app locally in a 64-bit OS

EAX -> RAX
EBX -> RBX
ECX -> RCX
EDX -> RDX
ESI -> RSI
EDI -> RDI
EBP -> RBP
ESP -> RSP
EIP -> RIP

-a fastcall-like convention has to be used rather than the usual stdcall from win32
Rules:
1. The first 4 arguments of a call are not pushed on the stack but assigned to specific registers, in this order:

RCX -> RDX -> R8 -> R9

2. The remaining arguments are pushed normally on the stack

3. The stack has to be aligned before the arguments declaration

4. Enough space must be reserved on the stack in case the registers are needed.
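Added example (not from the video) that models rules 1-4 the way an analyst applies them when reading a Win64 call site in IDA: where each argument lives at the call, how much the caller reserves, and where the callee finds each argument at entry. Two constants come from the Windows x64 ABI rather than from the notes (32 bytes of home space for the four register arguments, 16-byte stack alignment); the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the four rules above; not code from the TiGa video.
 * Constants from the Windows x64 ABI (not spelled out in the notes):
 *   SHADOW_SPACE  32 bytes of "home" space reserved for RCX, RDX, R8, R9 (rule 4)
 *   STACK_ALIGN   RSP must be 16-byte aligned at the call (rule 3) */
#define SHADOW_SPACE 32u
#define STACK_ALIGN  16u
#define NREG_ARGS    4u

static const char *const reg_args[NREG_ARGS] = {"RCX", "RDX", "R8", "R9"};

/* Caller-side location of argument `index` (0-based) at the call site.
 * Rule 1: the first four go in RCX, RDX, R8, R9. Rule 2: the rest are stored
 * on the stack just above the home space, 8 bytes apart. Writes into buf and
 * returns it. */
const char *arg_location(unsigned index, char *buf, size_t bufsize)
{
    if (index < NREG_ARGS)
        snprintf(buf, bufsize, "%s", reg_args[index]);
    else
        snprintf(buf, bufsize, "[rsp+0x%X]",
                 SHADOW_SPACE + 8u * (index - NREG_ARGS));
    return buf;
}

/* Bytes the caller reserves below RSP for the outgoing arguments of a call
 * with `nargs` arguments: home space plus 8 per stack argument, rounded up to
 * the 16-byte alignment granularity (the frame also absorbs the 8-byte return
 * address so that RSP is aligned at the CALL itself). */
unsigned outgoing_area(unsigned nargs)
{
    unsigned stack_args = nargs > NREG_ARGS ? nargs - NREG_ARGS : 0u;
    unsigned bytes = SHADOW_SPACE + 8u * stack_args;
    return (bytes + STACK_ALIGN - 1u) & ~(STACK_ALIGN - 1u);
}

/* Callee-side view at function entry: [rsp] holds the return address pushed by
 * CALL, [rsp+8..rsp+0x20] are the home slots of the four register arguments,
 * and stack arguments follow contiguously. So argument `index` (or its home
 * slot) is at rsp + 8 + 8*index; a callee that spills RCX into its home slot
 * shows up in IDA as "mov [rsp+8], rcx", which is rule 4 in practice. */
unsigned callee_entry_offset(unsigned index)
{
    return 8u + 8u * index;
}

int main(void)
{
    char buf[32];
    for (unsigned i = 0; i < 6; i++)
        printf("arg%u: caller %-11s callee [rsp+0x%X]\n",
               i, arg_location(i, buf, sizeof buf), callee_entry_offset(i));
    printf("outgoing area for 6 args: %u bytes\n", outgoing_area(6));
    return 0;
}
```

Reading a call site, the fifth argument is therefore the store to [rsp+0x20] just before the CALL, and inside the callee the same value is at [rsp+0x28].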


6 - TLS-CallBacks and Preventing debugger detection
-press Ctrl+E to display a list of entry points
-TLS = Thread Local Storage, used by packers for anti-debugging tricks, acting as a debugger detector
-a TLS callback allows running code before the OEP
- Edit --> Plugins ---> Stealth hide IDA debugger; it puts breakpoints inside certain APIs to prevent debugger detection.
-IsDebuggerPresent (3 instructions)
Instruction #1:
eax = NT_TIB.Self
eax becomes the address of the Thread Information Block
Instruction #2:
eax = TEB.Peb
eax becomes the address of the Process Environment Block
Instruction #3:
eax = PEB.BeingDebugged
this value is set by the OS on execution from inside a debugger.
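The three loads above replayed on a constructed memory model, as an added example that is not code from the video: the structure offsets are the 32-bit Windows ones (NT_TIB.Self at 0x18, TEB.ProcessEnvironmentBlock at 0x30, PEB.BeingDebugged at 0x02), the TEB and PEB addresses are made up, and read32/build_image are helpers of my own. Seeing exactly which byte the check ends up reading is what tells you what the Stealth plugin's breakpoint, or a condition like eax=0 on the API, has to neutralise.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the video: a flat little-endian memory model
 * on which the three instructions of IsDebuggerPresent are replayed.
 * Offsets are the 32-bit Windows ones; the addresses below are constructed. */
#define IMAGE_BASE 0x7FFDE000u   /* constructed: lowest modelled address */
#define IMAGE_SIZE 0x2000u
#define TEB_ADDR   0x7FFDE000u   /* constructed: fs segment base = this thread's TEB */
#define PEB_ADDR   0x7FFDF000u   /* constructed: the process's PEB */

struct memory {
    uint8_t bytes[IMAGE_SIZE];
};

/* Bounds-checked 32-bit little-endian read; a read outside the model is
 * reported and returns 0 rather than touching real memory. */
static uint32_t read32(const struct memory *m, uint32_t addr)
{
    if (addr < IMAGE_BASE || addr + 4u > IMAGE_BASE + IMAGE_SIZE) {
        fprintf(stderr, "fault: read32 at %08x\n", addr);
        return 0;
    }
    const uint8_t *p = m->bytes + (addr - IMAGE_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint8_t read8(const struct memory *m, uint32_t addr)
{
    if (addr < IMAGE_BASE || addr >= IMAGE_BASE + IMAGE_SIZE) {
        fprintf(stderr, "fault: read8 at %08x\n", addr);
        return 0;
    }
    return m->bytes[addr - IMAGE_BASE];
}

static void write32(struct memory *m, uint32_t addr, uint32_t v)
{
    uint8_t *p = m->bytes + (addr - IMAGE_BASE);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build the model: a TEB whose Self and Peb fields are filled in, and a PEB
 * whose BeingDebugged byte carries the value the OS would have set. */
void build_image(struct memory *m, uint8_t being_debugged)
{
    memset(m->bytes, 0, sizeof m->bytes);
    write32(m, TEB_ADDR + 0x18u, TEB_ADDR);   /* NT_TIB.Self */
    write32(m, TEB_ADDR + 0x30u, PEB_ADDR);   /* TEB.ProcessEnvironmentBlock */
    m->bytes[PEB_ADDR + 0x02u - IMAGE_BASE] = being_debugged; /* PEB.BeingDebugged */
}

/* The three instructions from the note, one per line. */
uint32_t is_debugger_present(const struct memory *m)
{
    uint32_t eax = read32(m, TEB_ADDR + 0x18u); /* #1 mov eax, fs:[18h]        -> NT_TIB.Self */
    eax = read32(m, eax + 0x30u);                /* #2 mov eax, [eax+30h]       -> TEB.Peb */
    return read8(m, eax + 0x02u);                /* #3 movzx eax, byte [eax+2]  -> PEB.BeingDebugged */
}

int main(void)
{
    struct memory m;
    build_image(&m, 1);
    printf("under debugger: IsDebuggerPresent = %u\n", is_debugger_present(&m));
    build_image(&m, 0);
    printf("no debugger:    IsDebuggerPresent = %u\n", is_debugger_present(&m));
    return 0;
}
```

The return value is nothing more than one byte of the PEB reached through two pointer loads, which is why a breakpoint inside the API that forces eax to 0 (or a plugin that does the same) is enough to blind this particular check.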


7 - Unwrapping a Flash Video Executable (exe2swf)
-press A to turn the characters into a string
-paste the URL into Mozilla Firefox


8 - Stop fishing and start keygenning

-let's use a symbolic constant to represent the first message comparison

-The IsDebuggerPresent API is used to check if the program is being debugged. It returns 0 for false or 1 for true.

-at the breakpoint condition, we specify the condition eax=0; eax will always be 0 when the BP is reached.

- the FindWindowA API tries to find a window with the class name OLLYDBG, and IDA doesn't have one of those.

- 0x6954 = 26964 decimal
