14: Patching EXEs with OllyDbg

What You Need

Purpose

To practice disassembling and modifying binaries, and using Python scripts.

Challenge A: Patching an EXE (10 pts.)

Getting the EXE

In the Documents folder of the VM handed out by your instructor, find the 00000.exe file.

Checking the Hash

Calculate the SHA256 hash of the file. It should match the value shown below.

Running the EXE

Run 00000.exe in a Command Prompt. It asks for a "Launch code" and if you guess wrong, it insults you, as shown below.

Examining the EXE with OllyDbg

Open the file in OllyDbg, as shown below.

Look at the rightmost section, and you can easily see what the program does; it prints out "Launch codes?", reads in a decimal number (%d), and then chooses to print either a winning message with a result, or an insult.

The choice is performed by two instructions: CMP (Compare) and JNZ (Jump if Not Zero), outlined in green in the image below.

Replace those instructions with NOP (No Operation), as shown below. Save the patched file.

Running the Patched File

The patched file will accept any Launch code, as shown below.

Checking the Hash

Calculate the SHA256 hash of the patched file. It should match the value shown below.

Challenge A: Submit the CRC32 (10 pts)

Calculate the CRC32 hash of the patched file.

Use the form below to get your points.

Your Name:
CRC32 hash like this:
07b01710
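
One way to check the Challenge A patch before submitting, as an added example that is not part of the original lab: it diffs the original and patched bytes, confirms every changed byte is a NOP (0x90), and reports the SHA256 and the zero-padded CRC32. The function names and the sample bytes are constructed for illustration and are not taken from 00000.exe.

```python
import hashlib
import sys
import zlib

NOP = 0x90  # x86 single-byte No Operation opcode

# Constructed sample, NOT bytes from 00000.exe: prologue, CMP, JNZ, epilogue.
CMP_JNZ = bytes.fromhex("817dfc39050000" "750e")  # cmp [ebp-4],0x539 ; jnz short
ORIGINAL = bytes.fromhex("558bec") + CMP_JNZ + bytes.fromhex("c9c3")
PATCHED = ORIGINAL[:3] + bytes([NOP]) * len(CMP_JNZ) + ORIGINAL[-2:]


def changed_runs(original, patched):
    """Return (offset, old, new) for each contiguous run of differing bytes."""
    if len(original) != len(patched):
        raise ValueError("an in-place patch must not change the file size")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, original[start:i], patched[start:i]))
            start = None
    if start is not None:  # difference runs to end of file
        runs.append((start, original[start:], patched[start:]))
    return runs


def audit_patch(original, patched):
    """Summarise what a patch changed and fingerprint the patched bytes."""
    runs = changed_runs(original, patched)
    return {
        "runs": runs,
        "only_nops": all(b == NOP for _, _, new in runs for b in new),
        "sha256": hashlib.sha256(patched).hexdigest(),
        # Zero-pad to 8 hex digits so a leading zero (as in 07b01710) is kept.
        "crc32": format(zlib.crc32(patched) & 0xFFFFFFFF, "08x"),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py original.exe patched.exe
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            report = audit_patch(f.read(), g.read())
    else:  # no files given: run on the constructed sample
        report = audit_patch(ORIGINAL, PATCHED)
    for off, old, new in report["runs"]:
        print(f"0x{off:08x}: {old.hex()} -> {new.hex()}")
    print(report["only_nops"], report["sha256"], report["crc32"])
```

The offsets printed are file offsets, not the virtual addresses OllyDbg displays.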

Challenge B: Patching Three EXEs (10 pts.)

Getting the EXEs

In the Documents folder of the VM handed out by your instructor, find the 3EXEs.zip file.

Checking the Hash

Calculate the SHA256 hash of the file. It should match the value shown below.

Patch the Files

Patch all 3 files so they will accept any input.

Gather the Results

Run the three patched files. Each one returns a single character as a result. Keep the files in alphabetical order, by filename, like this:

If those were the results, the answer would be CAT

The actual results are different, of course.

Challenge B: Submit the Results (10 pts)

Use the form below to get your points.
Your Name:
Results: 3 Characters like this:
CAT

Challenge C: Patching 19 EXEs (30 pts.)

Getting the EXEs

In the Documents folder of the VM handed out by your instructor, find the easy.zip file. Unzip it. There are 19 EXEs in it.

Goal

Patch all 19 files, run them, and combine the Results to get a 19-character flag.

Hints

There are hints here.

Challenge C: Submit the Results (30 pts)

Use the form below to get your points.
Your Name:
Results: 19 Characters like this:
Impenetrable!Cyber!

Challenge D: Patching 256 EXEs (50 pts.)

Getting the EXEs

In the Documents folder of the VM handed out by your instructor, find the 256exes.zip file. Unzip it. There are 256 EXEs in it.

Goal: Gather the Results

Patch all 256 files and run them. Each file will give you one "Result" character. Gather all those characters into a file 256 bytes long.

Calculate the SHA256 hash of that file. It should match the value shown below.

Calculate the CRC32 of that file to win.

Submit the CRC32 (50 pts)

Calculate the CRC32 hash of the 256-byte file.

Use the form below to get your points.

Your Name:
CRC32 hash like this:
07b01710

Extracting the Files

In the Documents folder of the VM handed out by your instructor, find the 256exes.zip file.

If you don't have that VM, you can download it here:

256exes.zip

Unzip the files. You will see a folder containing 256 EXE files.

Credit

This is based on the 67k Challenge from EasyCTF 2017.
Modified 7-12-17 7:53 am