Hi to all!

I am looking for some crack tutorials using olly on the net.
and I don't find none.
could somebody tell me where to get some?
where????

Thank you.

Use google and search these three words toghether: HOOF ARTED OLLYDBG

Regards,
yaa

http://AcidCool.cjb.net ("http://AcidCool.cjb.net") also works.
http://reboot.at/k23
("http://reboot.at/k23
")
http://New2cracking.cjb.net
("http://New2cracking.cjb.net
")

Acid_Cool_178

www.darus.fr.fm ("http://www.darus.fr.fm") too

Darus: very nice with screenshots. can you make a translation in english ?

thx TBD, a translation ? i will try but my english is very poor, if someone speaks french and could translate my tuts, it will be better

to contact me : darusweb@free.fr

Darus: i think your english is better than my french, but i can have a look if you are starting translation

hi, Darus
You need remember Olly is only tools.
Olly do many works than only crack.

luucorp: <smile> Olly is the author (Oleh) and OllyDbg is the tool. and i agree, OllyDbg is a great tool for debugging also your code <hehe>

tutorial with OllyDbg and Command Bar 1.08.02 by HackeRMaN
target ("http://crackmes.de/download.php/CuTedEvil%20CrackMe%201.zip?Crackme=250&CrackmesSession=CrackmeSessiond7aeaca2452127310048ab2088861652")::solution ("http://crackmes.de/download.php/solution.zip?Solution=550&CrackmesSession=CrackmeSessiond7aeaca2452127310048ab2088861652")

<edited by TBD - wrong url formatting>

luucorp: i agree with you, ollydbg is a tools but my "hooby" is reverse engineering also i use this tool in consequence (My English is comprehensible?)

else my tutos (cracking topic) are available in english on my website www.darus.fr.fm ("http://www.darus.fr.fm")

Thx Darus for translation the tut

Hi,all of you.
Today, i post 2 tut in oder to use Olly for cracking 2 crackmes at http://crackmes.de.
("http://crackmes.de.
")

no.1:
target: Crackme#5 for duelist@beer.com
dowload here:
Click ("http://crackmes.de/download.php/due-cm5.zip?Crackme=428&CrackmesSession=CrackmeSession4b1695a087144c338f5fc9001781b58b")

no.2:
target: Crackme#2 for [v0!d]
dowload here:
Click here ("http://crackmes.de/download.php/vcrkme02.zip?Crackme=201&CrackmesSession=CrackmeSession4b1695a087144c338f5fc9001781b58b")

And no.1 as following:
<pre>
======================
Only use OllyDbg v1.08b
=======================

OllyDbg is a 32-bit assembler-level analyzing Degugger with intuitive interface.
OllyDbg is very friendly debugger.
OllyDbg run any WINDOWS (with chip intel x86).
...
OllyDbg can use for crack
------------------------------------------------------------------------------
This my no.1 crack for me in OllyDbg.

Target: Duelist's Crackme #5
Author: duelist@beer.com

Crack it by: luucorp@yahoo.com

Crackme#5 is packed,so we must find Origin Point (OP).
And Crackme#5 have 2 goals:
1.Remove Nag
2.Box "Unregistered" -> box "Registered"

We load due-cm5.exe in OllyDbg (F3 -> Open)
-->warning: Entry Point Alert -->OK.

In window "CPU-main..." we are staying Entry point:
Disassembler as:
00406600 > 53 PUSH EBX
00406601 51 PUSH ECX
00406602 52 PUSH EDX
00406603 56 PUSH ESI
00406604 57 PUSH EDI
00406605 55 PUSH EBP

A program_Packed before unpacking, it usually saves register (EBP,ESI,EDI,..) into Stack by using intruction push, as we see above.
Of course, When unpacking to finish then program_Packed will restore value that saved in Stack by using pop, So we will use OllyDbg:

Ctrl+S
type:
pop ebp
pop edi
pop esi
pop edx
pop ecx
pop ebx
click button Find.

OllyDbg leads us to the followings:

0040665D 5D POP EBP <-------restore value in Stack
0040665E 5F POP EDI
0040665F 5E POP ESI
00406660 5A POP EDX
00406661 59 POP ECX
00406662 5B POP EBX
00406663 FFE0 JMP EAX <-----EAX= Original Point (1)

We set breakpoint at 00406663 ( line (1) )
And press F9 for program_Packed to unpack itseft, wait until program Paused at line(1).
Remove breakpoint at line(1) by press F2.
And now, EAX=401000=Original Point(OP) we go to OP by F7.
EIP are staying at 401000, but we don't understand any instruction, why?
because Olly doesn't analyze this para code before, So we tell OllyDbg that please analyze it
Let OllyDbg do: We press Ctrl+A

We have code as the following:

004010C1 > 68 00200000 PUSH 2000 ; /Style = MB_OK|MB_TASKMODAL
004010C6 . 68 5C204000 PUSH DUE-CM5.0040205C ; |Title = "Unregistered"
004010CB . 68 17204000 PUSH DUE-CM5.00402017 ; |Text "Please..."
004010D0 . 6A 00 PUSH 0 ; |hOwner = NULL
004010D2 . E8 94010000 CALL DUE-CM5.0040126B ; &#92;MessageBoxA
004010D7 . 6A 00 PUSH 0 ; /lParam = NULL
004010D9 . 68 B8104000 PUSH DUE-CM5.004010B8 ; |DlgProc = DUE-CM5.004010B8
004010DE . 6A 00 PUSH 0 ; |hOwner = NULL
004010E0 . 6A 01 PUSH 1 ; |pTemplate = 1
004010E2 . FF35 0F214000 PUSH DWORD PTR DS:[40210F] ; |hInst = NULL
004010E8 . E8 12010000 CALL DUE-CM5.004011FF ; &#92;DialogBoxParamA
004010ED .^EB C2 JMP SHORT DUE-CM5.004010B1

For printing nag then the code begins from 004010C1 to 4010D2.
we see ">" at 004010C1:
004010C1 >
so we click left mouse on this instruction, press Ctrl+R , Olly will goto window "Ref...."
We see in this window first line:

0040105C|jmp short ..

click double mouse on this lines, olly return "CPU-MAIN.."
That means jmp to prinf(" Unregistered", so we will fix it don't printf.
Do it, we jump to after MessageBoxA -> must jmp to address 004010D7.

On this line:
0040105C . EB 63 JMP SHORT DUE-CM5.004010C1
you press Space,
you type "JMP SHORT 004010D7"
Click Assemble
click Cancel

As NAG removed.

Next, we can goto this code:
00401130 > 68 5C204000 PUSH DUE-CM5.0040205C
; /lParam = 40205C " Unregistered"
00401135 . 6A 00 PUSH 0 ; |wParam = 0
00401137 . 6A 0C PUSH 0C ; |Message = WM_SETTEXT
00401139 . 6A 03 PUSH 3 ; |ControlID = 3
0040113B . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040113E . E8 3A010000 CALL DUE-CM5.0040127D ; &#92;SendDlgItemMessageA

How to find para above codeclick right mouse+Search for+All ref -> click double mouse on line " Unregistered" order 2)

Now, We must find string as :" Registered"
We press Shift+Tab (twice)
Ctrl+B
in box lable ASCII, we type " Registered" (no colon)
Enter

OllyDbg goto address 40204F, here have string " Registered",0
As What Do you know fix on line 00401130 ??????????

press Tab (twice)
this on line:
00401130 > 68 5C204000 PUSH DUE-CM5.0040205C
; /lParam = 40205C " Unregistered"
press Space
type : "push 40204F"
Click Assemble
Click Cancel

As you replace from " Unregistered" to " Registered"
Finish goals 2.
==================>PRESS F9.
</pre>

If you want patcher for this crackme#5 then tell me.

Greets to: Oleh Yuschuk, TBD and u

thx
luucorp
luucorp@yahoo.com


See you again with tut no.2

<::TBD::edit> added bbcode code for formatting

Great work, thanks

Thx luucorp
Great tut

Put how we can patch it ? as u know it's a program_Packed
And how to Unpacker it ?

with thx

How about writing a short tut on OllyDump?? Use an UPXed notepad or something... Coz I cant get the dumped exe to run, but it does if I dump with ProcDump.

luucorp thanks for sharing. i want to add your tutorial, converted in html, to the OllyDbg stuph page in the soon to be created Tutorials part.

please for the next tut part, to send it by email to me, because it looks "funky" on the messageboard. you can find my email here ("http://rohanpall.com/ollydbg/?action=userinfo&user=1")

olly4all:For patch it:
At address 00406663:JMP EAX ; (don't jmp to OP here)
You fix it as(use HIEW):
00406663:mov dword ptr [0040105D],79h ;Remove Nag
mov dword ptr [00401131],4Fh ;Status box become " Registered"
jmp eax
TBD
Thanks, tut is "funky". I will mail to you for next tut(no.2).

Thanks luucorp ..clear

THANKYOU! Crackmes may seem useless to some people, but I find that theyre the best way to learn - there's no bloat code to sift through ...

thank you.
here it is clear.
how to patch Duelist's Crackme #5, that don't need unpack.
after my tut No.1, we patch it (very easy):
Remove Nag:
===========

old: 0040105C EB 63 JMP SHORT DUE-CM5.004010C1
fix to: 0040105C EB 79 JMP SHORT DUE-CM5.004010D7

Status box become " Registered":
==============================

old: 00401130 68 5C204000 PUSH DUE-CM5.0040205C ;" Unregistered"
fix to: 00401130 68 4F204000 PUSH DUE-CM5.0040204F ;" Registered"

As, we must fix:

byte at [0040105D]=79
byte at [00401131]=4F

Next,We patch as:
After program unpacked, then we will fix 2 byte at [40105D], [401131]
and go to OP.
That mean is: we must add 3 instruction after:
mov byte ptr [0040105D],79
mov byte ptr [00401131],4f
jmp eax

but where do we add 3 instruction?
we find some space that program doesn't never use, find it simple this:
above EP (entry point), we see many byte have value=0, that is space
that we need.

I chosse space at address 004065EC and add 3 above intruction as:

004065EC C605 5D104000 79 MOV BYTE PTR DS:[40105D],79
004065F3 C605 31114000 4F MOV BYTE PTR DS:[401131],4F
004065FA FFE0 JMP EAX (goto OP)

Ofcourse, we must replace instruction at address 00406663:

From: 00406663 FFE0 JMP EAX
to: 00406663 ^EB 87 JMP SHORT DUE-CM5.004065EC


As, if you use Hex Editor then we will patch as:

Offset in file .exe:

000027EC: C6 05 5D 10 40 00 79 C6 05 31 11 40 00 4F FF E0
00002863: EB 87

Done patch.

If you don't have Hex Editor,You can do a program for patch as (use Pascal):

const
fix1:array[1..16] of byte=($C6,$05,$5D,$10,$40,$00,$79,$C6,$05,$31,$11,$40,$00,$4F,$FF,$E0);
fix2:array[1..2] of byte=($EB,$87);
var
f : file of byte;
i,j : byte;
begin
assign(f,'due-cm5.exe');
reset(f);

seek(f,$27EC);
for i:=1 to 16 do write(f,fix1[I]);
seek(f,$2863);
for i:=1 to 2 do write(f,fix2[I]);

close(f);
end.

Greets: OD, TBD and you.

See you with no.2 (TBD?)

Note - above download URLs for the crackmes dont work. The correct URLs are:

Crackme #5 - <a href="http://crackmes.de./crackmeinfo.php?ID=428
" target="_new">http://crackmes.de./crackmeinfo.php?ID=428
</a>
Crackme #2 - <a href="http://crackmes.de./crackmeinfo.php?ID=425
" target="_new">http://crackmes.de./crackmeinfo.php?ID=425
</a>
(I just went to crackmes.de and searched under D for Duelist)

Anonymous: thanks for correct links.
you also find my solution (Only use OllyDdb to crack) here that.

if anybody want nice tutorial then you can view here:
Tutorials -=thanks TBD=- ("http://www.rohanpall.com/ollydbg/files")

thx, luucorp

if you have any question about tut no.2 please tell me
thank you very much.

Nice tut mate thank you

hi, all of you.
----
you also use method (same tut no.2) for crack FireWork's crackme#10 (at crackmes.de)

but you note: in 2 box don't fill anything at begin (for SEH works).

thx, luucorp

luucorp - youve mentioned a magic word, SEH
Id love to read a tutorial about SEH -- how it is used as a protection, and how to defeat it, but there doesnt seem to be anything for it - at least not with OllyDbg. *subtle hint* ...

Anonymous:thanks you for question about SEH.
now, we talk about SEH

1 : SEH
The idea of exception handling (often called "Structured Exception Handling" is that your application instals one or more callback routines called "exception handlers" at run-time and then, if an exception occurs, the system will call the routine to let the application deal with the exception. The hope would be that the exception handler may be able to repair the exception and continue running either from the same area of code where the exception occurred, or from a "safe place" in the code as if nothing had happened. No closure message box would then be displayed and the user would be done the wiser. As part of this repair it may be necessary to close handles, close temporary files, free device contexts, free memory areas, inform other threads, then unwind the stack or close down the offending thread. During this process the exception handler may make a record of what it is doing and save this to a file for later analysis.

If a repair cannot be achieved, exception handling allows your application to close gracefully, having done as much clearing up, saving of data, and apologising as it can.

thanks, yado.

2 : Example about SEH
I have two example, i hope you read it you will understand
<pre>
DOS:
===========
;
;tasm sehd
;tlink /t sehd
;
.model tiny
.code
org 100h
start:
xor bx, bx
mov es,bx
mov dx,offset @fixerror

push word ptr es:[bx] ;save old int0
push word ptr es:[bx+2]

mov word ptr es:[bx], dx ;new int0 --> @fixerror
mov word ptr es:[bx+2], cs

mov ax,1982
xor bx,bx
div bx ;<-- error here

jmp @ok

@fixerror:
xor bx, bx
pop word ptr es:[bx+2] ;retore old int0
pop word ptr es:[bx]

call msg
_title db 'by luucorp',13,10
_error db 'Divide 0',36
msg:
pop dx
mov ah, 9
int 21h
xor ah,ah
int 16h
jmp @terminate
@ok:
xor bx, bx
pop word ptr es:[bx+2] ;retore old int0
pop word ptr es:[bx]

@terminate:
int 20h
end start

WIN:
==========;
;tasm32 /ml /m3 /z seh
;tlink32 -x /Tpe /aa /c /V4.0 /o seh,seh,, d:&#92;c&#92;tasm&#92;import32.lib
;
.386
.model flat, stdcall
extern MessageBoxA:Proc
.data
_error db 'Divide 0',0
_title db 'by luucorp',0
.code
start:
xor ebx, ebx
push ebp
push offset @fixerror
push dword ptr fs:[ebx]
mov dword ptr fs:[ebx], esp

mov eax,29121982
xor ebx,ebx
idiv ebx ;<-- error here

jmp @ok

@fixerror:
xor ebx, ebx
mov eax, dword ptr fs:[ebx]
mov esp, dword ptr [eax]
pop dword ptr fs:[ebx]
call MessageBoxA, 0, offset _error, offset _title, 0
jmp @terminate
@ok:
sub ebx, ebx
pop dword ptr fs:[ebx]
@terminate:
pop eax
pop ebp
ret
end start
</pre>

What does fs: mean ? I've seen things like ds: and cs: and assume these mean data segment and code segment, but what does fs: mean ? I'm assuming it's something do with SEH or system structure how you used it, but can you explain?

luucorp - thank you sooooooo much! I dont have any time to sit down and properly go through it yet, but hopefully later this weekend with any luck

very interesting...how do people use SEH as a protection/anti-debug method?

hi, all of you.
i hope people like tut3

thx, luucorp

... which begs the question - where is tutorial 3?

I would imagine it would be done by creating an exception handler, then causing that exception, with the exception handling code being the rest of the program. The debugger wouldn't know where to go.

TBD : tut3?
....