//

6 May 2013

Tutorial on cracking Applications with OllyDbg

| |

Tutorial One: Cracking Simplistic Applications


Welcome to my tutorial on cracking simplistic applications with OllyDbg. This tutorial will give you a detailed and in-depth understanding of the basis of cracking with OllyDbg. So let’s begin.

Part One: OllyDbg Interface
This section is for those that are unfamiliar with OllyDbg itself and would like a bit of help with it. Here’s the main interface:
[Image: 2goYfSE.png]
In the CPU panel is where the program’s disassembled code is put. Below is a picture of the panels when I have opened a program into it.
[Image: UOrAn0J.png]
On the left side of the top right box in the CPU panel, you can see the different addresses the program is using. After that is the Hex Dump and next to that are the OpCodes that the Assembly Language uses and finally the comments. On the panel to the right of that you can see the Registers the program is using. The panels below that are the Hex Dump and ASCII window and in the panel on the right of that is the Memory Stack.
I suggest before moving onto the second part of this tutorial, you brush up on the Assembly Language and understand a little more about it. There is a tutorial which explains the Basics Assembly Language:
http://www.ccenter.tk/2013/05/tutorial-assembly-language-basics.html

Part Two: OllyDbg Simplistic Crack 1
Below is an image of a Crack Me program designed in C++. In the links at the bottom of the page will be a download to it to test it out for yourself.
[Image: pIV2Lwp.png]
First drag the executable onto the OllyDbg icon. This will open the program and OllyDbg with the program’s decompiled information.
[Image: Jv1Cw3q.png]
The main way people crack in OllyDbg is by searching for strings. If you know a programming language, you’ll most likely know that a string is a data type that stores a number of characters in a sequence. For example “Hello World” is a commonly used string. To find all the strings in the program, right click on the CPU screen and go to Search For > All Referenced Text Strings. In the “References” window you will now see a list of strings from the program itself.
[Image: rqkryjE.png]
[Image: 71kBaiC.png]
In this case, what we will want is the “Right Password! You made it! Gratz, now upload your solution.” String. We will double click on this and it’ll take us straight to the address where it is located. In the Hex Dump section of the panel, you will see there are red arrows next to the hexes. These are called jumps. They skip parts of the code to get to another part of the code. Click on the various arrows to find the ones that skip just below the “Right Password” string. In the image below you can see one of the jumps jumping below the string.
[Image: I9iCGlM.png]
Simply double click the OpCode (In this case, “JNE SHORT”) and replace it with NOP (Which stands for No Operation), click “Assemble”, and then “Close”. This means it will skip the loop. Once you have repeated this for all jumps that jump to after the “Right Password” code, right click and go to Analysis > Analyse Code. This will scan the code we’ve input and decide whether it’s code or data. The program will skip the jump to the “Wrong Password” string, show the ”Right Password String, and the next loop will cause the program to jump over the “Wrong Password” string.
[Image: 7bfrYxW.png]
Now run the program by either pressing F9, or clicking the “Run Debugged Application” in the Tool Strip Bar. You can now enter any name and any code and the application will assume it is correct.

Part Three: OllyDbg Simplistic Crack 2
Below is an image of the second Crack Me program designed in C++ by me this time.
[Image: oxMsT1U.png]
As you can see, the program is simple. It uses the .NET framework. Yet again we right click in the CPU panel, click Search For > All Referenced Strings. This will again display all the ASCII strings in the assembly of the program. Below is the image of the ASCII strings.
[Image: VDvG0V4.png]
This program is significantly easier to crack. It has a single code that you can use to unlock the program. Now with a bit of intuition, you could probably guess the program’s code is “12345”, however we don’t want to unlock it that way. Instead we want to crack it ourselves. To do this we will double click on “Well done, you gave the right key”. It will take you to the appropriate address. Find the Jump that jumps after the “Well Done” string and replace it with NOP again. After you have found all the jumps and replaced them with NOP, right click on the window and click Analysis > Analyse Code. You can then run the program and type anything as the key and it will accept it as the correct key. An example is below:
[Image: CWJVNai.png]


Tutorial Two: Cracking slightly more advanced Applications


Part One: License File
Welcome to the second section of this large tutorial. In this section, I will show you how to crack a different kind of crackme program that I have written in C++. This program uses authentication based with a license file. If you open the crackme program, it will close down instantly. This is because there is no license file.
Pretty standard license program. If a license doesn’t exist, it’ll alert you. If the license does exist and is valid, it’ll take you to the unlocked page. So let’s begin by dragging the program into the OllyDbg icon to open them both up. Let’s keep this one simple. Right click and search for “All Referenced Text Strings”, or ”All Referenced Strings”, so that we have a list of the text strings. Below you will see the results.
[Image: f0ClKDG.png]
Double click on the string “This program is registered to “ because it is the string we want to get to. It’ll take you to the address. Find any jumps that jump over the wanted string and replace the OpCode with “NOP”.
Go back to the referenced strings. You will see that one of the strings is called “serials.dat”. This is a filename. You can assume that this is the serials file we need. So let’s go ahead and create a serials.dat file in the same directory as the executable crackme file. We’re not going to fill this with anything; it’s just there to fool the program into thinking it’s valid. Now that there is a file there, we can analyse the code and run the debugged application.
[Image: eMjf1P0.png]
You will see it says “This program is registered to “, however it doesn't say who it is registered to. That’s because this information is supposed to be included in the serials.dat file. However the program does think it’s registered and so it is enabling the “full version”.

Part Two: License from generated code (Faking Cracking)
In this tutorial we will be cracking a program that gives you a random code and tells you to enter your registration code that relates to that random code. Below you can see an image of the program.
[Image: 5EDk2Ef.png]
Open the program up in OllyDbg and search for all referenced strings. You will see a list of the ASCII strings in the References window. You will see that one of the text strings says “Well done, you cracked me.” Double click on this to enter the associated address. Now this time we’re going to do something a little different. Instead of changing the jumps, we’re going to copy the OpCode at “Well done, you cracked me.” We will then scroll down to the OpCode at “Wrong key.” and replace it with the OpCode we copied from “Well done, you cracked me.” You can then debug the program in OllyDbg and enter any code. It will say it is correct. Note that this just looks as though this has been cracked. This will not actually crack the program, but instead it will appear as though the program has been cracked.

Links:
Tutorial on Assembly Language:
http://www.ccenter.tk/2013/05/tutorial-assembly-language-basics.html

Link to Crack File 1:
http://crackmes.de/users/sashx41/keygen_1/

Link to Crack File 2:
http://www.mediafire.com/?f621ra87474ktbj

Link to Crack File 3:
http://www.mediafire.com/?by54ghioq3cs34u

Link to Crack File 4:
http://www.mediafire.com/?vnp9k1k59nk7y9l

Hope you enjoyed the tutorial and thanks for reading.

0 comments:

Post a Comment

Your feedback is always appreciated. We will try to reply to your queries as soon as possible.

Note:
1. HTML CODES are not allowed.
2. Please do not spam Spam comments will be deleted immediately upon our review.

Powered by Blogger.