Cracking using OllyDbg
Configurations of your OllyDbg:
Let's do some configuration first. Press Alt+O to open the Options dialog and go to
the CPU tab. Make your settings look like the ones in this picture:
After that, go to the EXCEPTIONS tab and make your settings look like the ones in this other picture:
Ok, we are done for now. We will use Olly for everything: patching, finding serial keys, unpacking, studying, etc.
We will start our first lesson with Olly by finding the serial key of a crackme. While tracing the code it will also become clear where we would have to patch, if we needed to.
Our mission in this lesson is to find the serial key for the name we enter.
Step 1:
Run the crackme and you will see that it asks for a name and a serial
number. Enter some fake info and click on "check serial"... nothing
happens. Let's find a real serial for our name now!
Disassemble our target with W32Dasm, then click on the Imports button. See the picture below:
In the dialog box that shows up, find USER32.GetDlgItemTextA, as in the picture below:
Select it as in the picture above and double-click it; you will land at the address 004011DF (write this address down). Just a bit below this there is another reference to USER32.GetDlgItemTextA at the address 004011F0 (write this address down too). Close W32Dasm, we don't need it anymore.
Step 2:
Run OllyDbg, click on File, Open, browse to our crackme and open it.
Cool, you should see the asm code now. Press F9 on your
keyboard and the crackme should show up. Enter your name and any serial
number, but don't click on the "check serial" button yet. I will enter
MiStEr_X as name and 12345 as serial. Return to OllyDbg and click on
the "Go to Address" button. This button is indicated in the picture below:
picture5:
In the blank box enter the first address we found in W32Dasm, 4011DF, then click OK!
You will be here:
PUSH 019h                      ; cchMax: buffer size for the name
PUSH 0403096h                  ; lpString: buffer that receives the name
PUSH 066h                      ; nIDDlgItem: control ID of the name box
PUSH DWORD PTR SS:[EBP+8]      ; hDlg: the dialog handle
004011DF CALL GetDlgItemTextA  ; read the entered name
PUSH 01Eh                      ; cchMax: buffer size for the serial
PUSH 0403078h                  ; lpString: buffer that receives the serial
PUSH 065h                      ; nIDDlgItem: control ID of the serial box
PUSH DWORD PTR SS:[EBP+8]      ; hDlg: the dialog handle
004011F0 CALL GetDlgItemTextA  ; read the entered serial
CMP EAX,4                      ; compare the length of the entered name (returned in EAX) with 4
JB @crackme__00401245          ; jump if below (if our entered name is shorter than 4 characters, jump)
GetDlgItemTextA is the Windows API call a program uses to retrieve the text a user entered in a dialog box; its return value in EAX is the number of characters copied.
Now put the selector line on "004011DF CALL GetDlgItemTextA" and press F2 on your keyboard to set a breakpoint. Go to the second address and set a breakpoint there too by pressing F2. See the picture below for my breakpoints. An address highlighted in white means a breakpoint is set there.
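As an added example (not part of the original tutorial), here is a small Python script that reads the listing above and unwinds the PUSH sequence into the parameters of each GetDlgItemTextA call. GetDlgItemTextA is __stdcall, so arguments are pushed right to left and the PUSH nearest the CALL is hDlg; this is how you tell which dialog control (066h vs 065h) and which buffer each call fills. The listing is embedded as constructed input copied from the lines above; hDlg stays symbolic because it is loaded from the stack at run time.

```python
import re

# GetDlgItemTextA(hDlg, nIDDlgItem, lpString, cchMax): pushed right to left,
# so reading the PUSHes backwards from the CALL gives the parameters in order.
PARAMS = ("hDlg", "nIDDlgItem", "lpString", "cchMax")

# Constructed input: the two calls from the listing above (same operands).
LISTING = """
PUSH 019h
PUSH 0403096h
PUSH 066h
PUSH DWORD PTR SS:[EBP+8]
004011DF CALL GetDlgItemTextA ;read the entered name
PUSH 01Eh
PUSH 0403078h
PUSH 065h
PUSH DWORD PTR SS:[EBP+8]
004011F0 CALL GetDlgItemTextA ;read the entered serial
CMP EAX,4 ; compare entered name length with 4
"""

def operand(text):
    """Convert a MASM-style hex immediate such as 0403096h to int; leave
    memory operands (DWORD PTR SS:[EBP+8]) as text."""
    m = re.fullmatch(r"0?([0-9A-Fa-f]+)h", text)
    return int(m.group(1), 16) if m else text

def recover_calls(listing):
    """Return [(call_address, {param: value}), ...] for every
    CALL GetDlgItemTextA, using the four PUSHes that precede it."""
    pushes, calls = [], []
    for line in listing.strip().splitlines():
        code = line.split(";", 1)[0].strip()       # drop the ; comment
        if code.upper().startswith("PUSH "):
            pushes.append(operand(code[5:].strip()))
        elif "CALL GETDLGITEMTEXTA" in code.upper():
            addr = code.split()[0]
            # Last push = first parameter, hence the reversal.
            args = dict(zip(PARAMS, reversed(pushes[-4:])))
            calls.append((addr, args))
            pushes.clear()
    return calls

if __name__ == "__main__":
    for addr, args in recover_calls(LISTING):
        print(addr, {k: hex(v) if isinstance(v, int) else v for k, v in args.items()})
```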
picture6:
Bring up the crackme from the taskbar and click on "check serial". Olly will break on the first breakpoint; now press F9 (run) and Olly will break on the other breakpoint we set. The first breakpoint was for the name we entered and the second is for the serial number. Now trace line by line slowly with F8 until you are at the address 0040121F.
picture7:
Referring to the picture, you must be on this line:
0040121F CMP EAX, EBX
Let's explain what this means. CMP means compare: the EAX register holds the fake serial we entered and the EBX register holds the real serial number for the entered name. Check this in the registers pane at the top right of your screen (numbers 2 and 3 in the picture above). EAX has the value 12345, the fake serial I entered, and EBX has the value 2EB. Can 2EB be the real serial number for the name MiStEr_X? Yes it is: we have found a real serial number, and we can find the serial for any name we enter by following the procedure in this tutorial. Enjoy!
As you can see, at the address 0040121F the crackme's protection compares our fake serial with the real serial for our name.
For Free download of the Crackme used in this TUT:
Tools you may need:
Debuggers:
DebugView v4.77
OllyDbg v1.10
Zeta Debugger v1.3
.NET Decompilers:
Dotnet IL Editor v0.2.6
ILIDE# v3.0.1799.34705
Red Gate's .NET Reflector v7.4
Delphi Decompiler:
IDR (Interactive Delphi Reconstructor) v2.5.3
Visual Basic Decompilers:
P32Dasm v2.8
VB Decompiler Lite v5.0
Disassemblers:
Dotnet IL Editor (DILE) v0.2.4
IDA Pro v5.0
Hex Calculators:
HexTool v1.7.0.1
Reversers' Calculator v1.2
Hex Editors:
BIEW v6.1.0
Frhed v1.6.0
Hiew v6.50
HxD v1.7.7.0
MiTeC Hexadecimal Editor v6.0.0
Memory Hacking:
Memory Hacking Software v6.1
CREDITS GO TO ME FOR PUTTING THIS TOGETHER AND THE MAKERS OF ALL THESE PROGRAMS, ENJOY. :)