ED 305: Simple EXE Hacking with Ollydbg (120 pts) ED 305：使用Ollydbg进行简单的EXE黑客攻击（120分）

What You Need你需要什么

A Windows machine, real or virtual. Windows机器，真实的或虚拟的。 I used a Windows Server 2008 virtual machine.我使用的是Windows Server 2008虚拟机。

Purpose目的

To modify a Windows EXE file and save an altered version.修改Windows EXE文件并保存更改的版本。 This gives you practice with very simple features of the Ollydbg debugger.这使您可以使用Ollydbg调试器的非常简单的功能进行练习。

Task 1: Target EXE Recon任务1：目标EXE Recon

Get putty.exe获取putty.exe

If you are using the machine handed out by your instructor, putty.exe is in the Downloads folder.如果您使用的是教师分发的机器，则putty.exe位于Downloads文件夹中。

If you are using some other machine, get it here:如果您正在使用其他机器，请在此处获取：

https://samsclass.info/127/proj/putty.exe https://samsclass.info/127/proj/putty.exe

Verifying the SHA256 Hash验证SHA256哈希

Run Hashcalc on putty.exe and confirm that the SHA256 value matches the value shown below.在putty.exe上运行Hashcalc并确认SHA256值与下面显示的值匹配。

Running Putty跑腻子

Double-click putty.exe .双击putty.exe 。 PuTTY opens, as shown below. PuTTY打开，如下所示。

If PuTTY won't start, right-click it, click Properties , and click Unblock .如果PuTTY无法启动，请右键单击它，单击“ 属性” ，然后单击“ 取消阻止” 。

In the "Host Name (or IP address)" box, type在“主机名（或IP地址）”框中，键入

ad.samsclass.info

At the bottom, click the Open button.在底部，单击“ 打开”按钮。

A black box opens, and shows a " login as: " prompt, as shown below.将打开一个黑框，并显示“ login as： ”提示，如下所示。

You could connect to a server at this point, but that's not the point of this project.此时您可以连接到服务器，但这不是此项目的重点。 We will alter this program to do other things instead of printing "login as".我们将更改此程序以执行其他操作，而不是打印“login as”。

Close the Putty window.关闭Putty窗口。

Starting Ollydbg启动Ollydbg

Click Start .单击开始。 Search for Ollydbg and start it.搜索Ollydbg并启动它。

In Ollydbg, from the menu bar, click File , Open .在Ollydbg中，从菜单栏中单击“ 文件” ，“ 打开” 。 Navigate to putty.exe and open it.导航到putty.exe并打开它。

Ollydbg opens, as shown below. Ollydbg打开，如下所示。 If your screen doesn't look like this, click View , CPU and maximize the CPU window.如果您的屏幕看起来不像这样，请单击“ 查看” ，“ CPU”并最大化CPU窗口。

Ollydbg shows you a lot of data, but for now just notice the Assembly Code in the top left pane, and the Paused message in the lower right. Ollydbg向您显示了大量数据，但现在只需注意左上方窗格中的Assembly Code和右下方的Paused消息。

When you load a program into Ollydbg, it starts in a "Paused" state, with the Assembly Code window showing the first instruction.将程序加载到Ollydbg时，它将以“Paused”状态启动，Assembly Code窗口显示第一条指令。

Running Putty in Ollydbg在Ollydbg中运行Putty

In Ollydbg, from the menu bar, click Debug , Run .在Ollydbg中，从菜单栏中单击“ 调试” ， “运行” 。

A Putty window opens, but it's behind the Olly window. Putty窗口打开，但它位于Olly窗口后面。 At the bottom of the screen, in the taskbar, click the " PuTTY Configuration " button to bring the PuTTY window to the front, as shown below.在屏幕底部的任务栏中，单击“ PuTTY Configuration ”按钮将PuTTY窗口置于前面，如下所示。

Click in the Putty window.单击Putty窗口。 In the "Host Name (or IP address)" box, type在“主机名（或IP地址）”框中，键入

ad.samsclass.info

At the bottom, click the Open button.在底部，单击“ 打开”按钮。 The "login as" message appears, as shown below.出现“登录为”消息，如下所示。

Putty is running, but it's under the control of Ollydbg, so we can modify its execution. Putty正在运行，但它在Ollydbg的控制之下，所以我们可以修改它的执行。

Finding the "login as" Code查找“登录为”代码

Close the Putty window.关闭Putty窗口。 A box asks "Are you sure..." Click OK .一个框询问“你确定......”单击“ 确定” 。

In Ollydbg, from the menu bar, click Debug , Restart .在Ollydbg中，从菜单栏中单击“ 调试” ，“ 重新启动” 。

In Ollydbg, in the "Assembly Code" pane, right-click.在Ollydbg的“汇编代码”窗格中，右键单击。 Point to " Search for ".指向“ 搜索 ”。 Click " All referenced text strings ", as shown below.单击“ 所有引用的文本字符串 ”，如下所示。

A "Text strings referenced in putty:.text" window opens, showing all the strings in the program.将打开“putty：.text中引用的文本字符串”窗口，显示程序中的所有字符串。

To make this text easier to read, right-click, point to Appearance , Font , and click " OEM Fixed Font ".要使此文本更易于阅读，请右键单击，指向“ 外观” ，“ 字体” ，然后单击“ OEM固定字体 ”。

Right-click in that window, and click " Search for text ", as shown below.在该窗口中单击鼠标右键，然后单击“ 搜索文本 ”，如下所示。

In the "Enter text to search for" box, type在“输入要搜索的文本”框中，键入

login as

as shown below.如下所示。 Check the " Entire scope " box.选中“ 整个范围 ”框。

Click OK .单击确定。

Ollydbg finds the ASCII string "login as", and the instruction that uses it, as shown below. Ollydbg找到ASCII字符串“login as”，以及使用它的指令，如下所示。 This instruction is at address 00417053.该指令位于地址00417053。

Right-click again, and click " Search next ".再次单击鼠标右键，然后单击“ 下一步搜索 ”。

Ollydbg finds another line of code that uses this string, as shown below. Ollydbg找到使用此字符串的另一行代码，如下所示。 This instruction is at address 0041CB6E.该指令位于地址0041CB6E。

Right-click again, and click " Search next ".再次单击鼠标右键，然后单击“ 下一步搜索 ”。

A message appears at the bottom of the window saying "Item not found".窗口底部会显示一条消息，说“找不到项目”。 There are only two commands in the program that use this string.程序中只有两个命令使用此字符串。

Using Breakpoints使用断点

We'll set breakpoints at those instructions to see which one is used when logging in to an SSH server.我们将在这些指令中设置断点，以查看登录SSH服务器时使用的断点。

In the "Text strings referenced in putty:.text" window, right-click again, and click " Search text ".在“putty：.text中引用的文本字符串”窗口中，再次右键单击，然后单击“ 搜索文本 ”。 In the "Enter text to search for" box, click OK .在“输入要搜索的文本”框中，单击“ 确定” 。

The instruction at 00417053 appears again. 00417053处的指令再次出现。 Right-click this instruction and click " Toggle breakpoint ", as shown below.右键单击该指令，然后单击“ 切换断点 ”，如下所示。

The address turns red, as shown below, to indicate that there's a breakpoint here.地址变为红色，如下所示，表示此处有断点。

Right-click again, and click " Search next ".再次单击鼠标右键，然后单击“ 下一步搜索 ”。 The instruction at address 0041CB6E appears.出现地址0041CB6E的指令。 Right-click it and click " Toggle breakpoint ".右键单击它，然后单击“ 切换断点 ”。

The address turns red, as shown below.地址变为红色，如下所示。

In Ollydbg, from the menu bar, click Debug , Restart .在Ollydbg中，从菜单栏中单击“ 调试” ，“ 重新启动” 。

A box pops up warning you that "Process 'putty' is active".弹出一个方框，警告您“处理'油灰'处于活动状态”。 Click Yes .单击是。

In Ollydbg, from the menu bar, click Debug , Run .在Ollydbg中，从菜单栏中单击“ 调试” ， “运行” 。

A Putty window opens. Putty窗口打开。 Bring it to the front, as shown below.将它带到前面，如下图所示。

Click in the Putty window.单击Putty窗口。 In the "Host Name (or IP address)" box, type在“主机名（或IP地址）”框中，键入

ad.samsclass.info

At the bottom, click the Open button.在底部，单击“ 打开”按钮。

A black window opens and closes quickly, and the program stops, as shown below.黑色窗口快速打开和关闭，程序停止，如下所示。

The program stopped at instruction 0041CB6E, as shown in the image above.程序在0041CB6E指令处停止，如上图所示。

We'll use this instruction to hijack the program's execution.我们将使用此指令来劫持程序的执行。

Task 2: Alter the Login Message任务2：更改登录消息

Removing the Breakpoints删除断点

We don't need the breakpoints any more, so we'll remove them.我们不再需要断点，所以我们将删除它们。

In Ollydbg, from the menu bar, click View , Breakpoints .在Ollydbg中，从菜单栏中单击“ 查看” ，“ 断点” 。

A "Breakpoints" window opens, showing two breakpoints.将打开“断点”窗口，显示两个断点。

Right-click the first breakpoint and click Remove , as shown below.右键单击第一个断点，然后单击“ 删除” ，如下所示。

Repeat the process to remove the other breakpoint.重复此过程以删除其他断点。 Close the "Breakpoints" window.关闭“断点”窗口。

Removing One Letter From the Message从邮件中删除一封信

In Ollydbg, in the CPU window, in the Assembly Code pane, right-click the instruction at address 0041CB6E and click Assemble , as shown below.在Ollydbg的CPU窗口的“汇编代码”窗格中，右键单击地址0041CB6E处的指令，然后单击“ 汇编” ，如下所示。

An "Assemble at 0041CB6E" box appears, as shown below.将出现“在0041CB6E处组装”框，如下所示。

This shows the command at this location.这显示了此位置的命令。 It's a PUSH instruction, placing the address 467C7C onto the stack.这是一条PUSH指令，将地址467C7C放入堆栈。 That address points to the letter "l" in the ASCII string "login as: ", as shown on the right side of the instruction line, outlined in green in the image below.该地址指向ASCII字符串“login as：”中的字母“l”，如指令行右侧所示，在下图中以绿色标出。

In the "Assemble at 0041CB6E" box, change the last character to D , as shown below.在“在0041CB6E组装”框中，将最后一个字符更改为D ，如下所示。 This will move the pointer from the "l" to the "o" in the string "login as: ".这会将指针从“l”移动到字符串“login as：”中的“o”。

Click the Assemble button.单击“ 装配”按钮。

Click the Cancel button.单击“ 取消”按钮。

The message on the right now says "ogin as: ", as shown below.右边的消息现在说“ogin as：”，如下所示。

Running the Modified Program运行修改后的程序

In Ollydbg, from the menu bar, click Debug , Run .在Ollydbg中，从菜单栏中单击“ 调试” ， “运行” 。

The black login window appears, with the message "ogin as: ", as shown below.出现黑色登录窗口，消息“ogin as：”，如下所示。

When I did it, an error box also popped up saying "Server unexpectedly closed network connection".当我这样做时，还会弹出一个错误框，说“服务器意外关闭了网络连接”。 If that happens, just close the error box.如果发生这种情况，只需关闭错误框即可。

Saving the Modified .text Section保存Modified .text部分

We have now changed an assembly language instruction;我们现在改变了汇编语言指令; all executable code is in the .text section of the file.所有可执行代码都在文件的.text部分。

In Ollydbg, in the top left pane of the CPU window, right-click, point to " Copy to Executable ", and click " All modifications ", as shown below.在Ollydbg中，在CPU窗口的左上窗格中，右键单击，指向“ 复制到可执行文件 ”，然后单击“ 所有修改 ”，如下所示。

A "Copy selection to executable file" box pops up, as shown below.弹出“复制选择到可执行文件”框，如下所示。 Click the " Copy all " button.单击“ 全部复制 ”按钮。

A new window pops up, with a title ending in "putty.exe", as shown below.弹出一个新窗口，标题以“putty.exe”结尾，如下所示。

Right-click in the new window and click " Save file ".在新窗口中单击鼠标右键，然后单击“ 保存文件 ”。

Save the file as puttymod.exe .将文件另存为puttymod.exe 。

Running the Modified EXE运行Modified EXE

Close Ollydbg.关闭Ollydbg。

Double-click puttymod.exe .双击puttymod.exe 。

In the "Host Name (or IP address)" box, type在“主机名（或IP地址）”框中，键入

ad.samsclass.info

At the bottom, click the Open button.在底部，单击“ 打开”按钮。

A black box opens, and shows a " ogin as: " prompt, as shown below.将打开一个黑框，并显示“ ogin as： ”提示，如下所示。

Modifying the puttymod File修改puttymod文件

Open Ollydbg and load the puttymod.exe file.打开Ollydbg并加载puttymod.exe文件。

In the top left pane of the CPU window, right-click, point to " Go to ", and click Expression , as shown below.在CPU窗口的左上窗格中，右键单击，指向“ 转到 ”，然后单击“ 表达式” ，如下所示。

In the "Enter expression to follow" box, enter在“输入要跟随的表达式”框中，输入

41CB6E 41CB6E

as shown below.如下所示。 Click OK .单击确定。

Changing the Login Message更改登录消息

In the top left pane of the CPU window, right-click 00467C7D , as shown below.在CPU窗口的左上窗格中，右键单击00467C7D ，如下所示。 Point to " Follow in Dump " and click " Immediate constant ".指向“ Follow in Dump ”并单击“ Immediate constant ”。

The Hex Dump pane, in the lower left, shows the text " ogin as: ", as shown below.左下角的Hex Dump窗格显示文本“ ogin as： ”，如下所示。

In the Hex Dump pane, highlight " ogin as: ", as shown below.在Hex Dump窗格中，突出显示“ ogin as： ”，如下所示。 Right-click the highlighted text.右键单击突出显示的文本。 Point to Binary .指向二进制 。 Click Edit .单击编辑。

An "Edit data at 00467C7D" box opens, as shown below.将打开“在00467C7D处编辑数据”框，如下所示。

Click in the ASCII field, press Backspace to move back to the start, and overwrite the message with this text, as shown below:单击ASCII字段，按Backspace返回到开头，然后用此文本覆盖该消息，如下所示：

BADNESS 恶

Click OK .单击确定。 The modified text appears in red letters in the Dump, as shown below.修改后的文本在转储中以红色字母显示，如下所示。

Saving the Modified ASCII Text保存修改后的ASCII文本

In Ollydbg, in the lower left "Dump" pane of the CPU window, right-click and click " Copy to executable file ", as shown below.在Ollydbg中，在CPU窗口的左下角“转储”窗格中，右键单击并单击“ 复制到可执行文件 ”，如下所示。

A box with a long title ending in "puttymod.exe" appears showing the modified file, as shown below.将出现以“puttymod.exe”结尾的长标题的框，其中显示已修改的文件，如下所示。 Click the X in the top right of that box to close it.单击该框右上角的X将其关闭。

A "File changed" box appears, as shown below.将出现“文件已更改”框，如下所示。 Click Yes .单击是。

A "Copy selection to executable file" box pops up.弹出“复制选择到可执行文件”框。 Click the " Copy all " button.单击“ 全部复制 ”按钮。

A new window pops up, with a title ending in "putty.exe", as shown below.弹出一个新窗口，标题以“putty.exe”结尾，如下所示。

Right-click in the new window and click " Save file ".在新窗口中单击鼠标右键，然后单击“ 保存文件 ”。

Save the file as "puttymod2.exe".将文件另存为“puttymod2.exe”。

Running the Modified EXE运行Modified EXE

Close Ollydbg.关闭Ollydbg。

Double-click puttymod2.exe .双击puttymod2.exe 。

In the "Host Name (or IP address)" box, type在“主机名（或IP地址）”框中，键入

ad.samsclass.info

At the bottom, click the Open button.在底部，单击“ 打开”按钮。

A black box opens, and shows a " BADNESS: " prompt, as shown below.将打开一个黑框，并显示“ BADNESS： ”提示，如下所示。

ED 305.1: Calculating the Hash (20 pts) ED 305.1：计算哈希（20分）

Calculate the CRC32 hash of puttymod2.exe计算puttymod2.exe的CRC32哈希值

The flag is that hash like this: 07b01710标志就是这样的哈希： 07b01710

Patching More EXEs修补更多EXE

Getting the Files获取文件

You need several files to examine.您需要检查多个文件。 They are all in the Documents folder of the VM your instructor handed out.它们都在教师分发的VM的Documents文件夹中。 If you don't have that, download them with these links:如果您没有，请使用以下链接下载它们：

Analyzing 00000.exe分析00000.exe

In the Documents folder of the VM handed out by your instructor, find the 00000.exe file.在教师分发的VM的Documents文件夹中，找到00000.exe文件。

Checking the Hash检查哈希

Calculate the SHA256 hash of the file.计算文件的SHA256哈希值。 It should match the value shown below.它应该与下面显示的值匹配。

Running the EXE运行EXE

Run 00000.exe in a Command Prompt.在命令提示符中运行00000.exe 。 It asks for a "Launch code" and if you guess wrong, it insults you, as shown below.它要求“启动代码”，如果你猜错了，它会侮辱你，如下所示。

Examining the EXE with Ollydbg使用Ollydbg检查EXE

Open the file in OllyDbg, as shown below.在OllyDbg中打开文件，如下所示。

Look at the rightmost section, and you can easily see what the program does;看看最右边的部分，你可以很容易地看到程序的功能; it prints out "Launch codes?", reads in a decimal number (%d), and then chooses to print either a winning message with a result, or an insult.它打印出“启动代码？”，读取十进制数字（％d），然后选择打印带结果的获胜消息或侮辱。

The choice is performed by two instructions: CMP (Compare) and JNZ (Jump if Not Zero), outlined in green in the image below.选择由两个指令执行：CMP（比较）和JNZ（如果不为零则跳转），在下图中以绿色标出。

Replace those instructions with NOP (No Operation), as shown below.用NOP（无操作）替换这些指令，如下所示。 Save the patched file.保存修补文件。

Running the Patched File运行修补文件

The patched file will accept any Launch code, as shown below.修补后的文件将接受任何启动代码，如下所示。

Checking the Hash检查哈希

Calculate the SHA256 hash of the patched file.计算修补文件的SHA256哈希值。 It should match the value shown below.它应该与下面显示的值匹配。

ED 305.2: CRC32 of Patched File (10 pts) ED 305.2：补丁文件的CRC32（10分）

Calculate the CRC32 hash of the patched file.计算修补文件的CRC32哈希值。

That value is the flag, like this:该值是标志，如下所示：
07b01710

Patching Three EXEs修补三个EXE

Getting the EXEs获得EXE

In the Documents folder of the VM handed out by your instructor, find the 3EXEs.zip file.在教师分发的VM的Documents文件夹中，找到3EXEs.zip文件。

Checking the Hash检查哈希

Calculate the SHA256 hash of the file.计算文件的SHA256哈希值。 It should match the value shown below.它应该与下面显示的值匹配。

Patch the Files修补文件

Patch all 3 files so they will accept any input.修补所有3个文件，以便他们接受任何输入。

Gather the Results收集结果

Run the three patched files.运行三个修补文件。 Each one returns a single character as a result.结果每个都返回一个字符。 Keep the files in alphabetical order, by filename, like this:按文件名的字母顺序保存文件，如下所示：

File 00000.exe Result C文件00000.exe结果C.
File 0000a.exe Result A文件0000a.exe结果A.
File 000a1.exe Result T文件000a1.exe结果T.

If those were the results, the answer would be CAT如果是结果，那么答案就是CAT

The actual results are different, of course.当然，实际结果是不同的。

ED 305.3: Three Characters (10 pts) ED 305.3：三个角色（10分）

The flag is the results, three characters like this: CAT标志是结果，三个字符如下： CAT

Patching 19 EXEs修补19个EXE

Getting the EXEs获得EXE

In the Documents folder of the VM handed out by your instructor, find the easy.zip file.在教师分发的VM的Documents文件夹中，找到easy.zip文件。 Unzip it.解压缩它。 There are 19 EXEs in it.其中有19个EXE。

Goal目标

Patch all 19 files, run them, and combine the Results to get a 19-character flag.修补所有19个文件，运行它们，并将结果组合起来以获得19个字符的标记。

Hints提示

There are hints here .这里有提示。

ED 305.4: Nineteen Characters (30 pts) ED 305.4：十九个字符（30分）

The flag is the results, 19 Characters like this: Impenetrable!Cyber!标志是结果，19个字符是这样的： Impenetrable!Cyber!

Patching 256 EXEs修补256 EXE

Getting the EXEs获得EXE

In the Documents folder of the VM handed out by your instructor, find the 256exes.zip file.在教师分发的VM的Documents文件夹中，找到256exes.zip文件。 Unzip it.解压缩它。 There are 256 EXEs in it.其中有256个EXE。

Goal: Gather the Results目标：收集结果

Patch all 256 files and run them.修补所有256个文件并运行它们。 Each file will give you one "Result" character.每个文件都会给你一个“结果”字符。 Gather all those characters into a file 256 bytes long.将所有这些字符收集到256字节长的文件中。

Calculate the SHA256 hash of that file.计算该文件的SHA256哈希值。 It should match the value shown below.它应该与下面显示的值匹配。

Calculate the CRC32 of that file to win.计算该文件的CRC32以获胜。

ED 305.5: CRC32 (50 pts) ED 305.5：CRC32（50分）

The flag is the CRC32 hash of the 256-byte file.该标志是256字节文件的CRC32哈希值。

Credit信用

This is based on the 67k Challenge from EasyCTF 2017.这是基于2017年EasyCTF的67k挑战赛。

Sources来源

Backdooring PE Files - Part 1 Backdooring PE文件 - 第1部分
Art of Anti Detection 2 – PE Backdoor Manufacturing 反检测技术2 - PE后门制造
https://github.com/EgeBalci/Cminer https://github.com/EgeBalci/Cminer
https://en.wikipedia.org/wiki/Code_cave https://en.wikipedia.org/wiki/Code_cave
http://stackoverflow.com/questions/787100/what-is-a-code-cave-and-is-there-any-legitimate-use-for-one http://stackoverflow.com/questions/787100/what-is-a-code-cave-and-is-there-any-legitimate-use-for-one
The Beginners Guide to Codecaves Codecaves初学者指南
Reversing with Ollydbg debugger 与Ollydbg调试器反转
Ollydbg 'Copy all modifications to executable' doesn't copy all modifications Ollydbg'将所有修改复制到可执行文件'不会复制所有修改

Revised 5-21-19 for WCIL为WCIL修订了5-21-19