Olly Debugger

  • 7/30/2019 Olly Debugger

    1/30

    Making of a Crack

    using OLLY Debugger

  • 2/30

    First Crack

    Check the exe and remember

    What are the strings?

    Search for the strings in the .exe

    Let's find the loops and jumps in the exe

  • 3/30

  • 4/30

    Can we locate it in the Debug win

  • 5/30

    Understand the code around

    First jump is a JNZ at address 401220. I have
    arrow to show you where this jump will go if
    Notice that it jumps right past the message w
    and right to the message we don't want. BUT that right above this JNZ instruction is a CMP instruction. That means this is a potential po
    determines whether Olly displays the messag
    or don't want.

  • 6/30

    Summary of Jumps

  • 7/30

    Placing comments in Olly

    Press ; on the debugger window

    This is not any command, just helping us to re

    Stored into .udd files

  • 8/30

    Suggested Manipulations

    Please set a breakpoint at address 401201 (or some
    near here as it's before our jump instructions

    Let's run the exe through Olly

    First thing we notice is the line we stopped on: MOV EBX, DWORD PTR DS:[403078]

    Follow in Dump

    Memory Address.

  • 9/30

    Check the Registers

    Why check registers?

    We just entered the serial number

    So, from this instruction, we now know that the
    bytes (since EAX is a 32-bit register) are loaded i
    which in this case are 31 32 31 32 which in ASCI

    Hit F8 and let's check EBX:

    ASCII characters in EBX, you
    can double click on the EBX

  • 10/30

    Little Endian Order

    Say you have the address 7EA4F182 (which is a 4-byte, 32-bit number).

    When we split this up into bytes you get 7E, A4, F1, 82. Now, one would expect that when storing these bytes into memory (let's say at location 1000) it would look like this:

    1000::7E
    1001::A4
    1002::F1
    1003::82

    But Intel engineers decided to store it as follows:

    1000::82
    1001::F1
    1002::A4
    1003::7E

    Why?

  • 11/30

    Hence our number is in reverse order.
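    The byte order the slides describe, as an added Python example (not code from the deck): struct.pack with '<' lays out the DWORD 7EA4F182 exactly as the slide's second listing, and reading the serial's bytes 31 32 31 32 back as a DWORD shows why Olly's register pane displays them reversed while AL/BL still holds the first character. Location 1000 is the slide's hypothetical address; the function names are my own.

```python
import struct

# Values taken from the slides: the 32-bit number 7EA4F182 and the
# serial "1212", whose ASCII bytes are 31 32 31 32. Location 1000 is the
# slide's hypothetical memory address.
SAMPLE_DWORD = 0x7EA4F182
SAMPLE_SERIAL = b"1212"
BASE_ADDRESS = 0x1000


def store_big_endian(value, base=BASE_ADDRESS):
    """The 'natural' layout the slide shows first: 7E at the lowest address."""
    raw = struct.pack(">I", value)           # '>' = big-endian, 'I' = 32-bit unsigned
    return {base + i: b for i, b in enumerate(raw)}


def store_little_endian(value, base=BASE_ADDRESS):
    """What an x86 CPU actually writes: least significant byte first."""
    raw = struct.pack("<I", value)           # '<' = little-endian
    return {base + i: b for i, b in enumerate(raw)}


def load_dword(memory, address):
    """Model MOV EAX, DWORD PTR DS:[address]: 4 bytes read back little-endian."""
    raw = bytes(memory[address + i] for i in range(4))
    return struct.unpack("<I", raw)[0]


def low_byte(reg32):
    """AL/BL is the least significant byte of EAX/EBX, i.e. the first byte in memory."""
    return reg32 & 0xFF


def dump(memory):
    """Render {address: byte} in the slide's 1000::7E notation."""
    return "\n".join(f"{addr:04X}::{byte:02X}" for addr, byte in sorted(memory.items()))


if __name__ == "__main__":
    print(dump(store_big_endian(SAMPLE_DWORD)))     # 1000::7E ... 1003::82
    print(dump(store_little_endian(SAMPLE_DWORD)))  # 1000::82 ... 1003::7E
    # The serial sits in memory as 31 32 31 32; loaded into EAX it reads 32313231,
    # so the register pane shows it reversed while AL still holds 31 ('1').
    mem = {BASE_ADDRESS + i: b for i, b in enumerate(SAMPLE_SERIAL)}
    eax = load_dword(mem, BASE_ADDRESS)
    print(f"EAX = {eax:08X}, AL = {low_byte(eax):02X} = {chr(low_byte(eax))!r}")
```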

  • 12/30

    Code Study

    CMP BL, 61

    Comparing BL, which is the first byte in the E
    (RTF(asm)M), with the value 61 (hex). We don't have a clue what this means (yet) so let's step
    Finally we arrive at the first of our JNZ instruc

    JNZ SHORT FAKE.401236 (Jump if Not Zero)

    Means: if the contents of BL are not equal, jump to the bad message

  • 13/30

    Sample Code

    MOV EAX, addressOfSerialNo
    CMP EAX, 3
    JE addressOfFailFunction()
    JMP addressOfPassFunction()

    First, EAX is loaded with the serial number.
    Next it is compared with 3. If it is equal to 3, execution goes to addressOfFailFunction.
    If it is not equal to 3, the JE (Jump if Equal) instruction is not taken and the JMP (JuMP) instruction automatically jumps to addressOfPassFunction, regardless of any condition.

  • 14/30

    Check Manipulations directly

    Watch this

    When Z=0

    When changed to Z=1

  • 15/30

    The Result

    So, lessons learnt?

    Never sleep in class

    Do not take leniency for a ride

    I am not a loser

    Hacker is never trained

    Background knowledge

    No shortcuts to success

  • 16/30

  • 17/30

    Are you Interested to learn m

  • 18/30

    Part-2

  • 19/30

    Second Crack

    Load into Olly

    So try running it

    Did we pass or fail?

    Try searching for strings

  • 20/30

  • 21/30

    Where is it in the Code?

  • 22/30

    Just Monitor the Jump

    The first jump we find is at address 4010E
    statement. If we click on this line, Olly ca
    programmed to show us where it will jum

  • 23/30

    What is the TEST?

    TEST EAX, EAX

    What does this mean on the ground?

  • 24/30

    TEST?

  • 25/30

    TEST?

    Computes the bit-wise logical AND of the first operand (source 1 operand) and the second operand (source 2 operand) and sets the SF, ZF, and PF status flags according to the result. The result is then discarded.

    If EAX does not equal zero, jump to 40110

    Create a break point now

  • 26/30

    Create a break point now

    At 004010EB

    Now, we can see that we are going to jump past the goo
    straight into the arms of the bad boy. Let's not let that h
    Olly out by flipping the zero flag:

    Now we have the desired Result

  • 27/30

    How to Patch?

    Click on the line we are paused at (address 4010EB), click
    instruction column of the line (the part that has JNZ SHO
    press the space bar. You will see a window pop up that
    instructions at that line, as well as a dialog to change the

    Change JNZ SHORT 0040110D to NOP

  • 28/30

    Saving The Patch

    Ctrl-P

    Remove BreakPoints

    Copy to Executable

    Save as File

    Finished, so now no registration errors.

  • 29/30

  • 30/30

    So Where Are You