7/30/2019 Olly Debugger
1/30
Making of a Crack
using OLLY Debugger
First Crack
Check the exe and remember:
What are the strings?
Search for the strings in the .exe
Let's find the loops and jumps in the exe
Can we locate it in the Debug win
Understand the code around
First jump is a JNZ at address 401220. I have
arrow to show you where this jump will go if
Notice that it jumps right past the message w
and right to the message we don't want BUT
that right above this JNZ instruction is a CMP instruction
That means this is a potential po
determines whether Olly displays the messag
or don't want.
Summary of Jumps
Placing comments in Olly
Press ; on the debugger window
This is not any command just helping us to re
Stored into .udd files
Suggest Manipulations
Please set a breakpoint at address 401201 (or some
near here, as it's before our jump instructions
Let's run the exe through Olly
First thing we notice is the line we stopped o
MOV EBX, DWORD PTR DS:[403078]
Follow in Dump
Memory Address.
Check the Registers
Why check registers?
We just entered the serial number.
So, from this instruction, we now know that the
bytes (since EAX is a 32-bit register) are loaded i
which in this case are 31 32 31 32 which in ASCI
Hit F8 and let's check EBX:
ASCII characters in EBX, you
can double click on the EBX
Little Endian Order
Say you have the address 7EA4F182 (which is a 4-byte, 32-bit numb
When we split this up into bytes you get 7E, A4, F1, 82. Now, one w
when storing these bytes into memory (let's say at location 1000) it
this:
1000::7E
1001::A4
1002::F1
1003::82
But Intel engineers decided to store it as under:
1000::82
1001::F1
1002::A4
1003::7E
Why?
Hence our number is in reverse order.
Code Study
CMP BL, 61
Comparing BL, which is the first byte in the E
(RTF(asm)M), with the value 61 (hex). We do
have a clue what this means (yet) so let's step
Finally we arrive at the first of our JNZ instruc
JNZ SHORT FAKE.401236 (Jump if Not Zero)
Means: if the contents of BL are not equal, jump to the bad message.
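An added C illustration (not from the slides) of the two facts above: a 32-bit value is stored low byte first, so a DWORD loaded from the typed serial (the slides' 31 32 31 32) puts the first character in the register's low byte, which is what CMP BL, 61 inspects. The value 7EA4F182, location 1000 and the serial "1212" are the slides' own examples; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Lay the 32-bit value out in memory the Intel way:
 * least significant byte at the lowest address. */
void store_dword_le(uint8_t mem[4], uint32_t value) {
    for (int i = 0; i < 4; i++)
        mem[i] = (uint8_t)(value >> (8 * i));
}

/* What MOV EAX, DWORD PTR [addr] yields from four memory bytes:
 * the byte at the lowest address becomes the low byte of the register. */
uint32_t load_dword_le(const uint8_t mem[4]) {
    return (uint32_t)mem[0] | ((uint32_t)mem[1] << 8)
         | ((uint32_t)mem[2] << 16) | ((uint32_t)mem[3] << 24);
}

/* Byte that lands at offset i (0 = lowest address) when value is stored. */
uint8_t byte_at_offset(uint32_t value, int i) {
    uint8_t mem[4];
    store_dword_le(mem, value);
    return mem[i];
}

/* Register contents after loading the first four bytes of a typed serial
 * (hypothetical helper; the serial must be at least 4 characters long). */
uint32_t serial_to_reg(const char *serial) {
    return load_dword_le((const uint8_t *)serial);
}

/* Low 8 bits of a 32-bit register: BL for EBX, AL for EAX. */
uint8_t low_byte(uint32_t reg) {
    return (uint8_t)(reg & 0xFF);
}

int main(void) {
    /* Location 1000 is the slide's own example address. */
    for (int i = 0; i < 4; i++)
        printf("%d::%02X\n", 1000 + i, byte_at_offset(0x7EA4F182u, i));
    /* Constructed sample serial "1212": bytes 31 32 31 32 in memory. */
    uint32_t ebx = serial_to_reg("1212");
    printf("EBX = %08X, BL = %02X\n", ebx, low_byte(ebx));
    /* CMP BL, 61 looks only at the first typed character (0x61 is 'a'). */
    printf("CMP BL, 61 -> ZF=%d\n", low_byte(ebx) == 0x61);
    return 0;
}
```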
Sample Code
MOV EAX, addressOfSerialNo
CMP EAX, 3
JE addressOfFailFunction()
JMP addressOfPassFunction()
First, EAX is load
serial number.
Next it is compar
If it is equal to 3
addressOfFailFu
If it is not equal t
the JE (Jump if Eq
instruction and h
(JuMP) instructio
automatically jum
adressOfPassFun
regardless of any
Check Manipulations directly
Watch this
When Z=0
When changed to Z=1
The Result
So lessons learnt??
Never sleep in class
Do not take leniency for a ride
I am not a loser
Hacker is never trained
Background knowledge
No shortcuts to success
Are you Interested to learn m
Part-2
Second Crack
Load into Olly
So try running it
Did we pass or fail?
Try searching for strings
Where is it in the Code?
Just Monitor the Jump
The first jump we find is at address 4010E
statement. If we click on this line, Olly ca
programmed to show us where it will jum
What is the TEST?
TEST EAX, EAX - What does this mean on
ground?
TEST?
Computes the bit-wise logical AND of first
(source 1 operand) and the second operan
2 operand) and sets the SF, ZF, and PF stat
according to the result. The result is then d
If EAX does not equal zero, jump to 40110
Create a break point now
Create a break point now
At 004010EB
Now, we can see that we are going to jump past the goo
straight into the arms of the bad boy. Let's not let that h
Olly out by flipping the zero flag:
Now we have the desired Result
How to Patch?
Click on the line we are paused at (address 4010EB) click
instruction column of the line (the part that has JNZ SHO
press the space bar. You will see a window pop up that
instructions at that line, as well as a dialog to change the
Change JNZ SHORT 0040110D to NOP
Saving The Patch
Ctrl-P
Remove Breakpoints
Copy to Executable
Save as File
Finished, so now no registration errors.
So Where Are You