If you are using some other machine, get it here:如果您正在使用其他机器,请在此处获取:
https://samsclass.info/127/proj/putty.exe https://samsclass.info/127/proj/putty.exe
If PuTTY won't start, right-click it, click Properties , and click Unblock .如果PuTTY无法启动,请右键单击它,单击“ 属性” ,然后单击“ 取消阻止” 。
In the "Host Name (or IP address)" box, type在“主机名称(或IP地址)”框中,键入
ad.samsclass.info
At the bottom, click the Open button.在底部,点击打开按钮。 A black box opens, and shows a " login as: " prompt, as shown below.一个黑匣子打开,并显示“ login as: ”提示符,如下所示。
You could connect to a server at this point, but that's not the point of this project.此时您可以连接到服务器,但这不是该项目的重点。 We will alter this program to do other things instead of printing "login as".我们将改变这个程序来做其他的事情,而不是打印“登录为”。
Close the Putty window.关闭腻子窗口。
In Ollydbg, from the menu bar, click File , Open .在Ollydbg中,从菜单栏中单击文件 , 打开 。 Navigate to putty.exe and open it.导航到putty.exe并打开它。
Ollydbg opens, as shown below. Ollydbg打开,如下所示。 If your screen doesn't look like this, click View , CPU and maximize the CPU window.如果您的屏幕看起来不像这样,请单击查看 , CPU并最大化CPU窗口。
Ollydbg shows you a lot of data, but for now just notice the Assembly Code in the top left pane, and the Paused message in the lower right. Ollydbg向您显示了大量数据,但现在只需注意左上窗格中的Assembly Code以及右下角的Paused消息。
When you load a program into Ollydbg, it starts in a "Paused" state, with the Assembly Code window showing the first instruction.当您将程序加载到Ollydbg中时,它会以“暂停”状态启动,并且“Assembly Code”窗口显示第一条指令。
A Putty window opens, but it's behind the Olly window.一个腻子窗口打开,但它在Olly窗口后面。 At the bottom of the screen, in the taskbar, click the " PuTTY Configuration " button to bring the PuTTY window to the front, as shown below.在屏幕底部的任务栏中,单击“ PuTTY Configuration ”按钮,将PuTTY窗口置于前面,如下所示。
Click in the Putty window.点击Putty窗口。 In the "Host Name (or IP address)" box, type在“主机名称(或IP地址)”框中,键入
ad.samsclass.info
At the bottom, click the Open button.在底部,点击打开按钮。 The "login as" message appears, as shown below.出现“login as”消息,如下所示。 Putty is running, but it's under the control of Ollydbg, so we can modify its execution.腻子正在运行,但它在Ollydbg的控制下,所以我们可以修改它的执行。
In Ollydbg, from the menu bar, click Debug , Restart .在Ollydbg中,从菜单栏中单击调试 , 重新启动 。
In Ollydbg, in the "Assembly Code" pane, right-click.在Ollydbg中的“汇编代码”窗格中,右键单击。 Point to " Search for ".指向“ 搜索 ”。 Click " All referenced text strings ", as shown below.点击“ 所有引用的文本字符串 ”,如下所示。
A "Text strings referenced in putty:.text" window opens, showing all the strings in the program.将打开“在putty:.text中引用的文本字符串”窗口,显示程序中的所有字符串。
To make this text easier to read, right-click, point to Appearance , Font , and click " OEM Fixed Font ".为了使这个文本更容易阅读,请右键单击,指向外观 , 字体 ,然后单击“ OEM固定字体 ”。
Right-click in that window, and click " Search for text ", as shown below.在该窗口中右键单击,然后单击“ 搜索文本 ”,如下所示。
In the "Enter text to search for" box, type在“输入要搜索的文字”框中,输入
login as
as shown below.如下所示。 Check the " Entire scope " box.选中“ 整个范围 ”框。 Click OK .点击确定 。
Ollydbg finds the ASCII string "login as", and the instruction that uses it, as shown below. Ollydbg找到ASCII字符串“login as”和使用它的指令,如下所示。 This instruction is at address 00417053.该指令位于地址00417053。
Right-click again, and click " Search next ".再次右键单击,然后单击“ 搜索下一个 ”。
Ollydbg finds another line of code that uses this string, as shown below. Ollydbg发现使用此字符串的另一行代码,如下所示。 This instruction is at address 0041CB6E.该指令位于地址0041CB6E。
Right-click again, and click " Search next ".再次右键单击,然后单击“ 搜索下一个 ”。
A message appears at the bottom of the window saying "Item not found".在窗口底部出现一条消息,提示“找不到物品”。 There are only two commands in the program that use this string.程序中只有两个命令使用此字符串。
In the "Text strings referenced in putty:.text" window, right-click again, and click " Search text ".在“在putty:.text中引用的文本字符串”窗口中,再次右键单击,然后单击“ 搜索文本 ”。 In the "Enter text to search for" box, click OK .在“输入要搜索的文本”框中,单击确定 。
The instruction at 00417053 appears again. 00417053的指令再次出现。 Right-click this instruction and click " Toggle breakpoint ", as shown below.右键单击该指令并单击“ 切换断点 ”,如下所示。
The address turns red, as shown below, to indicate that there's a breakpoint here.地址变成红色,如下所示,表示这里有一个断点。
Right-click again, and click " Search next ".再次右键单击,然后单击“ 搜索下一个 ”。 The instruction at address 0041CB6E appears.出现地址0041CB6E的指令。 Right-click it and click " Toggle breakpoint ".右键单击它并单击“ 切换断点 ”。
The address turns red, as shown below.地址变成红色,如下所示。
In Ollydbg, from the menu bar, click Debug , Restart .在Ollydbg中,从菜单栏中单击调试 , 重新启动 。
A box pops up warning you that "Process 'putty' is active".一个盒子弹出,警告你“Process'腻子'是活跃的”。 Click Yes .单击是 。
In Ollydbg, from the menu bar, click Debug , Run .在Ollydbg中,从菜单栏中单击调试 , 运行 。
A Putty window opens.腻子窗口打开。 Bring it to the front, as shown below.将它带到前面,如下所示。
Click in the Putty window.点击Putty窗口。 In the "Host Name (or IP address)" box, type在“主机名称(或IP地址)”框中,键入
ad.samsclass.info
At the bottom, click the Open button.在底部,点击打开按钮。 A black window opens and closes quickly, and the program stops, as shown below.黑色窗口快速打开和关闭,程序停止,如下所示。
The program stopped at instruction 0041CB6E, as shown in the image above.程序在指令0041CB6E处停止,如上图所示。
We'll use this instruction to hijack the program's execution.我们将使用这个指令来劫持程序的执行。
In Ollydbg, from the menu bar, click View , Breakpoints .在Ollydbg中,从菜单栏中单击查看 , 断点 。
A "Breakpoints" window opens, showing two breakpoints.打开“断点”窗口,显示两个断点。
Right-click the first breakpoint and click Remove , as shown below.右键单击第一个断点并单击Remove ,如下所示。
Repeat the process to remove the other breakpoint.重复该过程以删除其他断点。 Close the "Breakpoints" window.关闭“断点”窗口。
An "Assemble at 0041CB6E" box appears, as shown below.出现“在0041CB6E组装”框,如下所示。
This shows the command at this location.这显示在这个位置的命令。 It's a PUSH instruction, placing the address 467C7C onto the stack.这是一个PUSH指令,将地址467C7C放入堆栈。 That address points to the letter "l" in the ASCII string "login as: ", as shown on the right side of the instruction line, outlined in green in the image below.该地址指向ASCII字符串“login as:”中的字母“l”,如指令行右侧所示,在下图中以绿色标出。
In the "Assemble at 0041CB6E" box, change the last character to D , as shown below.在“在0041CB6E汇编”框中,将最后一个字符更改为D ,如下所示。 This will move the pointer from the "l" to the "o" in the string "login as: ".这会将指针从“l”移动到字符串“login as:”中的“o”。
Click the Assemble button.点击组装按钮。
Click the Cancel button.点击取消按钮。
The message on the right now says "ogin as: ", as shown below.现在右边的消息说“ogin as:”,如下所示。
The black login window appears, with the message "ogin as: ", as shown below.出现黑色登录窗口,并显示消息“ogin as:”,如下所示。
When I did it, an error box also popped up saying "Server unexpectedly closed network connection".当我这样做时,还出现一个错误框,提示“服务器意外关闭网络连接”。 If that happens, just close the error box.如果发生这种情况,请关闭错误框。
In Ollydbg, in the top left pane of the CPU window, right-click, point to " Copy to Executable ", and click " All modifications ", as shown below.在Ollydbg中,在CPU窗口的左上方窗格中,右键单击,指向“ 复制到可执行文件 ”,然后单击“ 所有修改 ”,如下所示。
A "Copy selection to executable file" box pops up, as shown below.弹出一个“将选择复制到可执行文件”框,如下所示。 Click the " Copy all " button.点击“ 全部复制 ”按钮。
A new window pops up, with a title ending in "putty.exe", as shown below.弹出一个新窗口,标题以“putty.exe”结尾,如下所示。
Right-click in the new window and click " Save file ".在新窗口中右键单击并单击“ 保存文件 ”。
Save the file as puttymod.exe .将文件另存为puttymod.exe 。
Double-click puttymod.exe .双击puttymod.exe 。
In the "Host Name (or IP address)" box, type在“主机名称(或IP地址)”框中,键入
ad.samsclass.info
At the bottom, click the Open button.在底部,点击打开按钮。 A black box opens, and shows a " ogin as: " prompt, as shown below.一个黑匣子打开,并显示“ ogin as: ”提示,如下所示。
In the top left pane of the CPU window, right-click, point to " Go to ", and click Expression , as shown below.在CPU窗口的左上方窗格中,右键单击,指向“ 转到 ”,然后单击表达式 ,如下所示。
In the "Enter expression to follow" box, enter在“输入要跟随的表达式”框中,输入
41CB6E 41CB6Eas shown below.如下所示。 Click OK .点击确定 。
The Hex Dump pane, in the lower left, shows the text " ogin as: ", as shown below.十六进制转储窗格在左下方显示文本“ ogin as: ”,如下所示。
In the Hex Dump pane, highlight " ogin as: ", as shown below.在十六进制转储窗格中,突出显示“ ogin as: ”,如下所示。 Right-click the highlighted text.右键点击突出显示的文本。 Point to Binary .指向二进制 。 Click Edit .点击修改 。
An "Edit data at 00467C7D" box opens, as shown below. “00467C7D编辑数据”框将打开,如下所示。
Click in the ASCII field, press Backspace to move back to the start, and overwrite the message with this text, as shown below:点击ASCII字段,按Backspace退回到开始处,并用此文本覆盖消息,如下所示:
BADNESS 恶
Click OK .点击确定 。 The modified text appears in red letters in the Dump, as shown below.修改后的文本在转储中以红色字母显示,如下所示。
A box with a long title ending in "puttymod.exe" appears showing the modified file, as shown below.出现一个长标题以“puttymod.exe”结尾的框,显示修改后的文件,如下所示。 Click the X in the top right of that box to close it.点击该框右上方的X关闭它。
A "File changed" box appears, as shown below.出现“文件已更改”框,如下所示。 Click Yes .单击是 。
A "Copy selection to executable file" box pops up.弹出“将选择复制到可执行文件”框。 Click the " Copy all " button.点击“ 全部复制 ”按钮。
A new window pops up, with a title ending in "putty.exe", as shown below.弹出一个新窗口,标题以“putty.exe”结尾,如下所示。
Right-click in the new window and click " Save file ".在新窗口中右键单击并单击“ 保存文件 ”。
Save the file as "puttymod2.exe".将该文件保存为“puttymod2.exe”。
Double-click puttymod2.exe .双击puttymod2.exe 。
In the "Host Name (or IP address)" box, type在“主机名称(或IP地址)”框中,键入
ad.samsclass.info
At the bottom, click the Open button.在底部,点击打开按钮。 A black box opens, and shows a " BADNESS: " prompt, as shown below.一个黑匣子打开,并显示“ BADNESS: ”提示,如下所示。
Use the form below to get your points.使用下面的表格来获得你的观点。
Art of Anti Detection 2 – PE Backdoor Manufacturing 反侦测艺术2 - PE后门制造
https://github.com/EgeBalci/Cminer https://github.com/EgeBalci/Cminer
https://en.wikipedia.org/wiki/Code_cave https://en.wikipedia.org/wiki/Code_cave
http://stackoverflow.com/questions/787100/what-is-a-code-cave-and-is-there-any-legitimate-use-for-one http://stackoverflow.com/questions/787100/what-is-a-code-cave-and-is-there-any-legitimate-use-for-one
The Beginners Guide to Codecaves Codecaves初学者指南
Reversing with Ollydbg debugger 使用Ollydbg调试器进行反转
Ollydbg 'Copy all modifications to executable' doesn't copy all modifications Ollydbg'将所有修改复制到可执行文件'不会复制所有修改