
Making of a Cracker

using OLLY Debugger

First Crack
• Check the exe and remember what it does
• What are the strings? Search for the strings in the .exe
• Let's find the loops and jumps in the exe

Can we locate it in the Debug window?

Understand the code around…
• The first jump is a JNZ at address 401220. Notice that right above this JNZ instruction is a CMP instruction. That means this is a potential point that determines whether the program displays the message we want or the message we don't want.
• I have added an arrow to show you where this jump will go if it is taken: notice that it jumps right past the message we want and right to the message we don't want. BUT…

Summary of Jumps

Placing comments in Olly
• Press ";" on the selected line in the debugger (CPU) window
• This is not a command to the program; it just helps us remember what we have worked out
• Comments are stored in .udd files

Suggest Manipulations Please?
• Set a breakpoint at address 401201 (or somewhere near here, as it's before our jump instructions)
• Let's run the exe through Olly
• The first thing we notice is the line we stopped on: MOV EBX, DWORD PTR DS:[403078]
• Right-click the memory operand and choose "Follow in Dump" → "Memory Address"

Check the Registers
• Why check registers? We just entered the serial number.
• So, from this instruction, we now know that the first 4 bytes of the serial are loaded into EBX (EBX is a 32-bit register, so it holds exactly 4 bytes).
• Hit F8 and let's check EBX: Olly shows the ASCII characters in EBX, which in this case are the bytes 31 32 31 32, which in ASCII is "1212". You can double-click on EBX to see them.

Little Endian Order
• Say you have the value 7EA4F182 (a 4-byte, 32-bit number). When we split it up into bytes you get 7E, A4, F1, 82.
• Now, one would think that when storing these bytes into memory (let's say at location 1000) it would look like this: 1000: 7E, 1001: A4, 1002: F1, 1003: 82
• But Intel engineers decided to store it as under: 1000: 82, 1001: F1, 1002: A4, 1003: 7E
• Why? Little-endian order: the least significant byte goes to the lowest address.
• Hence our number appears in reverse order when Olly shows the register: the first byte of the string in memory ends up in the lowest byte of the register.

Code Study
• CMP BL, 61
• Comparing BL, the lowest byte of the EBX register (RTF(asm)M), with the value 61 (hex). Because of the little-endian order above, BL holds the first character of the serial we typed.
• We don't really have a clue what this means (yet), so let's step over it.
• Finally we arrive at the first of our JNZ instructions: JNZ SHORT FAKE.401236 (Jump if Not Zero). Means: if the contents of BL are not equal to 61h, jump to the bad message.
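The register and byte-order view from the last few slides, as an added C example that is not part of the original deck or the crackme: it stores 7EA4F182 little-endian, loads "1212" the way MOV EBX, DWORD PTR [addr] does, picks BL out of EBX, and evaluates the CMP BL, 61 / JNZ decision. The constant 61h and the serial "1212" are the slides' values; the second serial "a212" is a constructed input chosen so that the comparison passes.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte that sits at memory offset 'offset' (0..3) when 'value' is stored
   little-endian: the least significant byte goes to the lowest address.
   0x7EA4F182 -> offset 0: 82, 1: F1, 2: A4, 3: 7E */
static uint8_t le_byte(uint32_t value, unsigned offset)
{
    return (uint8_t)(value >> (8 * (offset & 3)));
}

/* Store a dword the way the CPU does it. */
static void store_dword_le(uint8_t *mem, uint32_t value)
{
    for (unsigned i = 0; i < 4; i++)
        mem[i] = le_byte(value, i);
}

/* MOV EBX, DWORD PTR DS:[addr]: load four bytes; the byte at the lowest
   address lands in the least significant byte (BL) of the register. */
static uint32_t load_dword_le(const uint8_t *mem)
{
    return (uint32_t)mem[0]
         | (uint32_t)mem[1] << 8
         | (uint32_t)mem[2] << 16
         | (uint32_t)mem[3] << 24;
}

/* BL = lowest 8 bits of EBX = first character of the string in memory. */
static uint8_t bl_of(uint32_t ebx)
{
    return (uint8_t)(ebx & 0xFFu);
}

/* CMP BL, 61 / JNZ bad: returns 1 when the jump to the bad message is taken. */
static int cmp_bl_61_jnz_taken(uint32_t ebx)
{
    return bl_of(ebx) != 0x61;
}

int main(void)
{
    uint8_t mem[4];
    store_dword_le(mem, 0x7EA4F182u);
    printf("0x7EA4F182 stored at 1000..1003: %02X %02X %02X %02X\n",
           mem[0], mem[1], mem[2], mem[3]);

    /* Constructed sample inputs; "1212" is the serial typed in the slides. */
    const char *serials[] = { "1212", "a212" };
    for (unsigned i = 0; i < 2; i++) {
        uint32_t ebx = load_dword_le((const uint8_t *)serials[i]);
        printf("serial \"%s\": EBX=%08X BL=%02X ('%c') -> JNZ bad %s\n",
               serials[i], ebx, bl_of(ebx), bl_of(ebx),
               cmp_bl_61_jnz_taken(ebx) ? "taken" : "not taken");
    }
    return 0;
}
```

The point to take away: Olly shows EBX as 32313231, the bytes reversed, yet BL still holds 31, the first character you typed, so a CMP BL, 61 is checking whether the serial starts with 'a'.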

Sample Code
• MOV EAX, addressOfSerialNo
• CMP EAX, 3
• JE addressOfFailFunction()
• JMP addressOfPassFunction()
• First, EAX is loaded with our serial number. Next it is compared with 3. If it is equal to 3 we jump to addressOfFailFunction(). If it is not equal to 3, we pass the JE (Jump if Equal) instruction and hit the JMP (JuMP) instruction, which unconditionally jumps to addressOfPassFunction(), regardless of any flags.

Check Manipulations directly…
• Watch this
• When Z=0
• When changed to Z=1

The Result
• So, lessons learnt?
• Never sleep in class
• Do not take leniency for a ride
• I am not a loser
• A hacker is never trained
• Background knowledge
• No shortcuts to success


Are you interested to learn more?

Part-2

Second Crack
• Load into Olly
• So try running it
• Did we pass or fail?
• Try searching for strings


Where is it in the Code?

Just Monitor the Jump
• The first jump we find is at address 4010EB, a JNZ statement.
• If we click on this line, Olly shows us (with an arrow) where it will jump.

TEST?
• TEST EAX, EAX: what does this mean on the ground? What is TEST?
• …


• TEST computes the bit-wise logical AND of the first operand (source 1 operand) and the second operand (source 2 operand) and sets the SF, ZF, and PF status flags according to the result. The result is then discarded.
• TEST EAX, EAX therefore ANDs EAX with itself, so ZF is set exactly when EAX is zero. If EAX does not equal zero, ZF is clear and the JNZ jumps to 40110D.
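A model of the TEST/JNZ pair above, written in C as an added example (not code from the deck or the crackme): it sets ZF, SF and PF the way TEST does, decides the JNZ from ZF, and shows what happens when the Z flag is flipped in Olly before the jump executes. The EAX values are constructed samples of what a checker routine might return.

```c
#include <stdint.h>
#include <stdio.h>

/* The three flags the slide quotes for TEST (CF and OF are cleared,
   AF is undefined; they are left out here). */
struct test_flags { int zf; int sf; int pf; };

/* TEST a, b: compute a AND b, set flags from it, throw the result away. */
static struct test_flags x86_test(uint32_t a, uint32_t b)
{
    uint32_t r = a & b;
    struct test_flags f;
    f.zf = (r == 0);
    f.sf = (int)((r >> 31) & 1u);
    /* PF looks only at the low byte: set when it has an even number of 1 bits */
    unsigned ones = 0;
    for (uint8_t lo = (uint8_t)r; lo != 0; lo >>= 1)
        ones += lo & 1u;
    f.pf = (ones % 2 == 0);
    return f;
}

/* JNZ: jump if ZF == 0 */
static int jnz_taken(struct test_flags f) { return f.zf == 0; }

/* The crackme sequence TEST EAX,EAX / JNZ bad: 1 means we land on the bad boy. */
static int lands_on_bad_boy(uint32_t eax)
{
    return jnz_taken(x86_test(eax, eax));
}

/* What the slides do in Olly: flip Z before the JNZ executes. */
static int lands_on_bad_boy_zf_flipped(uint32_t eax)
{
    struct test_flags f = x86_test(eax, eax);
    f.zf = !f.zf;
    return jnz_taken(f);
}

int main(void)
{
    /* constructed return values a checker might leave in EAX */
    uint32_t samples[] = { 0u, 1u, 3u, 0x80000000u };
    for (unsigned i = 0; i < 4; i++) {
        struct test_flags f = x86_test(samples[i], samples[i]);
        printf("EAX=%08X  ZF=%d SF=%d PF=%d  JNZ bad: %s  (Z flipped: %s)\n",
               samples[i], f.zf, f.sf, f.pf,
               lands_on_bad_boy(samples[i]) ? "taken" : "not taken",
               lands_on_bad_boy_zf_flipped(samples[i]) ? "taken" : "not taken");
    }
    return 0;
}
```

Flipping Z in the register pane only rescues the current run; the next time the program is started the checker sets the flag again, which is why the following slides patch the instruction itself.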

• Create a breakpoint at 004010EB now.
• Now we can see that we are going to jump past the good boy, straight into the arms of the bad boy. Let's not let that happen. Help Olly out by flipping the zero flag (Z) in the register pane.
• Now we have the desired result…

How to Patch?
• Click on the line we are paused at (address 4010EB), click on the instruction column of the line (the part that has JNZ SHORT…) and press the space bar. You will see a window pop up that shows us the instruction at that line, as well as a dialog to change it.
• Change JNZ SHORT 0040110D to NOP. JNZ SHORT is a two-byte instruction, so keep "Fill with NOP's" ticked so that both bytes become 90 and the instructions after it are not shifted.

Saving the Patch
• Remove breakpoints
• Right-click → Copy to executable → All modifications (Ctrl-P opens the Patches window, which lists the changes we made)
• In the new window, right-click → Save file
• Finished, so now no registration errors.
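The patch the second crack applies, as an added C example that is not part of the deck: the byte layout is constructed to match the addresses the slides quote (a two-byte TEST EAX,EAX at 4010E9 so the JNZ sits at 4010EB and its rel8 of 20h reaches 0040110D); it is not dumped from the real crackme, and the filler bytes after the jump are arbitrary. The code locates the TEST/JNZ pair, computes where the short jump lands, and overwrites both bytes of the JNZ with 90 90, which is what Olly's "Fill with NOP's" does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed code bytes (NOT the crackme's real bytes), laid out as:
   4010E9: 85 C0     TEST EAX,EAX
   4010EB: 75 20     JNZ SHORT 0040110D   (bad boy)
   4010ED: 6A 00 ... good-boy path (filler)                           */
#define CODE_BASE 0x004010E9u   /* hypothetical address of the TEST */
static const uint8_t original_code[] = { 0x85, 0xC0, 0x75, 0x20, 0x6A, 0x00, 0x6A, 0x00 };

enum {
    OP_TEST_RM32 = 0x85, MODRM_EAX_EAX = 0xC0,
    OP_JNZ_SHORT = 0x75, OP_NOP = 0x90
};

/* Offset of the JNZ SHORT that follows the first TEST EAX,EAX, or -1. */
static long find_test_eax_jnz(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 2 < len; i++)
        if (buf[i] == OP_TEST_RM32 && buf[i + 1] == MODRM_EAX_EAX &&
            buf[i + 2] == OP_JNZ_SHORT)
            return (long)(i + 2);
    return -1;
}

/* Where a short jump at 'off' lands: next instruction + sign-extended rel8. */
static uint32_t short_jump_target(const uint8_t *buf, size_t off, uint32_t base)
{
    int8_t rel = (int8_t)buf[off + 1];
    return base + (uint32_t)off + 2u + (uint32_t)(int32_t)rel;
}

/* "Change JNZ SHORT ... to NOP" with "Fill with NOP's": both bytes of the
   two-byte instruction become 90, so nothing after it moves. Returns bytes written. */
static size_t nop_out_short_jnz(uint8_t *buf, size_t len, size_t off)
{
    if (off + 1 >= len || buf[off] != OP_JNZ_SHORT)
        return 0;
    buf[off] = OP_NOP;
    buf[off + 1] = OP_NOP;
    return 2;
}

/* Run the whole procedure on a private copy; 1 if the jump is gone and the
   buffer length is unchanged. */
static int patch_and_verify(void)
{
    uint8_t code[sizeof original_code];
    memcpy(code, original_code, sizeof code);
    long off = find_test_eax_jnz(code, sizeof code);
    if (off < 0)
        return 0;
    if (nop_out_short_jnz(code, sizeof code, (size_t)off) != 2)
        return 0;
    return code[off] == OP_NOP && code[off + 1] == OP_NOP &&
           find_test_eax_jnz(code, sizeof code) < 0;
}

int main(void)
{
    uint8_t code[sizeof original_code];
    memcpy(code, original_code, sizeof code);
    long off = find_test_eax_jnz(code, sizeof code);
    if (off < 0) {
        puts("TEST EAX,EAX / JNZ SHORT not found");
        return 1;
    }
    printf("JNZ SHORT at %08lX jumps to %08X (bad boy)\n",
           (unsigned long)(CODE_BASE + (unsigned long)off),
           short_jump_target(code, (size_t)off, CODE_BASE));
    nop_out_short_jnz(code, sizeof code, (size_t)off);
    printf("after patch:");
    for (size_t i = 0; i < sizeof code; i++)
        printf(" %02X", code[i]);
    printf("\nverified: %s\n", patch_and_verify() ? "yes" : "no");
    return 0;
}
```

Because the jump is removed rather than inverted, every serial now falls through to the good boy, including wrong ones. Changing 75 to 74 (JNZ to JZ) instead would make only wrong serials pass, which is sometimes what you want when the point is to study the check rather than to remove it.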


So Where Are You?