
Making of a Cracker

using OLLY Debugger

First Crack

Check the exe and remember: what are the strings?
Search for the strings in the .exe
Let's find the loops and jumps in the exe

Can we locate it in the Debug window?

First jump is a JNZ at address 401220. I have added an arrow to show you where this jump will go if it is used:

Understand the code around

Notice that it jumps right past the message we want and straight to the message we don't want. BUT notice that right above this JNZ instruction is a CMP instruction. That means this is a potential point that determines whether we see the message we want or the one we don't want.

Summary of Jumps

Press ; on the debugger window

Placing comments in Olly

This is not a command; it just helps us remember. Comments are stored in .udd files.

Set a breakpoint at address 401201 (or somewhere near here, as it's before our jump instructions):

Suggest Manipulations Please?

Let's run the exe through Olly. The first thing we notice is the line we stopped on: MOV EBX, DWORD PTR DS:[403078]
Follow the memory address in the Dump window.

Check the Registers

Why check registers? We just entered the serial number. So, from this instruction, we now know that the first 4 bytes of it (since EBX is a 32-bit register) are loaded into EBX, which in this case are 31 32 31 32, which in ASCII is 1212. Hit F8 and let's check EBX. To see the ASCII characters in EBX, you can double-click on EBX.

Say you have the value 7EA4F182 (which is a 4-byte, 32-bit number). When we split this up into bytes you get 7E, A4, F1, 82. Now, one would think that when storing these bytes into memory (let's say at location 1000) it would look like this:
1000: 7E
1001: A4
1002: F1
1003: 82
But Intel's engineers decided to store it like this:
1000: 82
1001: F1
1002: A4
1003: 7E
Why?

Little Endian Order

Hence our number appears in reverse order.

CMP BL, 61 compares BL, which is the first byte in the EBX register (RTF(asm)M), with the value 61 (hex). We don't really have a clue what this means (yet), so let's step over it. Finally we arrive at the first of our JNZ instructions:
JNZ SHORT FAKE.401236 (Jump if Not Zero)

Code Study

This means: if the contents of BL are not equal to 61h, jump to the bad message.

Sample Code
MOV EAX, addressOfSerialNo
CMP EAX, 3
JE addressOfFailFunction()
JMP addressOfPassFunction()

First, EAX is loaded with our serial number. Next it is compared with 3. If it is equal to 3, we jump to addressOfFailFunction(). If it is not equal to 3, we pass the JE (Jump if Equal) instruction and hit the JMP (JuMP) instruction, which always jumps to addressOfPassFunction(), regardless of any flags.

Check Manipulations directly

Watch this

When Z=0

When changed to Z=1

The Result

So, lessons learnt?
Never sleep in class
Do not take leniency for a ride
I am not a loser
A hacker is never trained
Background knowledge
No shortcuts to success

Are you Interested to learn more?

Part-2

Second Crack
Load it into Olly
Try running it
Did we pass or fail?
Try searching for strings

Where is it in the Code?

The first jump we find is at address 4010EB, a JNZ statement. If we click on this line, Olly can be programmed to show us where it will jump:

Just Monitor the Jump

TEST EAX, EAX: what does this actually mean?

What is the TEST?

TEST computes the bit-wise logical AND of the first operand (source 1 operand) and the second operand (source 2 operand) and sets the SF, ZF, and PF status flags according to the result. The result itself is then discarded.
So JNZ after TEST EAX, EAX means: if EAX does not equal zero, jump to 40110D.
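To make the little-endian slides and the TEST/JNZ slide concrete, here is an added example (not part of the original deck): a small C model of how the 4-byte serial lands in EBX, why BL is the first character, and which flags TEST sets. The serial "1212" and the value 7EA4F182 are the deck's own; the function names are this example's.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte i of a 32-bit value as an x86 CPU stores it: least significant
   byte at the lowest address (little endian). */
uint8_t byte_at(uint32_t value, int i) {
    return (uint8_t)(value >> (8 * i));
}

/* Load the first four characters of the serial into a 32-bit "register",
   mirroring MOV EBX, DWORD PTR DS:[403078]; the first character ends up
   in the low byte (BL). */
uint32_t load_serial(const char *serial) {
    const uint8_t *p = (const uint8_t *)serial;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* BL is the low byte of EBX, i.e. the first character of the serial. */
uint8_t low_byte(uint32_t reg) { return (uint8_t)(reg & 0xFFu); }

/* Flags produced by TEST a, b: ZF if the AND is zero, SF from bit 31,
   PF if the low byte of the result has an even number of set bits.
   The AND result itself is discarded, as the slide says. */
struct flags { int zf, sf, pf; };

struct flags test_flags(uint32_t a, uint32_t b) {
    uint32_t r = a & b;
    int ones = 0;
    for (int bit = 0; bit < 8; bit++) ones += (int)((r >> bit) & 1u);
    struct flags f = { r == 0, (int)((r >> 31) & 1u), ones % 2 == 0 };
    return f;
}

/* JNZ is taken only while ZF == 0, which is why flipping Z in Olly
   changes which message the program shows. */
int jnz_taken(struct flags f) { return f.zf == 0; }

int main(void) {
    uint32_t v = 0x7EA4F182u;
    printf("at 1000..1003: %02X %02X %02X %02X\n",
           byte_at(v, 0), byte_at(v, 1), byte_at(v, 2), byte_at(v, 3));
    uint32_t ebx = load_serial("1212");   /* constructed serial input */
    printf("EBX=%08X BL=%02X\n", ebx, low_byte(ebx));
    struct flags f = test_flags(0, 0);    /* TEST EAX,EAX with EAX = 0 */
    printf("ZF=%d JNZ taken=%d\n", f.zf, jnz_taken(f));
    return 0;
}
```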

TEST?

At 004010EB

Create a break point now

Now we can see that we are going to jump past the good boy, straight into the arms of the bad boy. Let's not let that happen. Help Olly out by flipping the zero flag. Now we have the desired result.

Click on the line we are paused at (address 4010EB), click on the instruction column of that line (the part that says JNZ SHORT) and press the space bar. A window pops up that shows us the instruction at that line, along with a dialog to change it. Change JNZ SHORT 0040110D to NOP.

How to Patch?

ctrl-P

Saving The Patch

Remove breakpoints
Copy to executable
Save as file
Finished, so now there are no registration errors.

So
Where Are You?
