Using Olly

Second tutorial
By Sgi

Well, here we are again little kids, on the first tut we saw a basic overview of Olly, yeah, I know it was an EASY crack, but this time, it will get MORE interesting...

This time, the excellent crackme by evidence is gonna be used, we are gonna learn a couple of new tricks with Olly and we are gonna find the correct SN.

First, fire up Olly, you know how, right? Double-click the Olly icon and load the app to crack....

NEXT! You should do the little names trick (we right click the name on the modules window and choose VIEW NAMES), so we can see what calls the crackme uses. You should be here.

Ooohhhh, this little baby uses GetDlgItemTextA......

Let's run it.... so we press F9 until we reach the little window asking us for the name and serial. Do not use a breakpoint yet, let's try to guess our serial, so we enter Sgi for the name and 47806 for the password (why not a repeated 7777777 serial? we will learn why later) and let's press the CHECK button....

Mmmmmmhh, we get a SORRY, SERIAL NOT VALID. Damnit, we are out of luck today, but worry not my dear... we can find our serial number in a few....

But, what the heck? The program closes itself after we fail in our attempt to guess the serial.

NP, we just press CTRL+F2 and we restart it (under Olly, of course).

Now, we press F9 until the little window appears again and asks again for the Name and Serial, let's enter Sgi as the name and 47806 as the Serial, DO NOT PRESS THE CHECK BUTTON YET.

Now, go get a Dr. Pepper, a good cup of Mexican Coffee (get a Los Portales brand, it's superb) or better go get some yellow heaven, JW Blue Label can do the trick... or do as +ORC said once.... Martini...

Now, why not a simple 7777777 as the serial? Well, 7777777 in Hex is 76ADF1, and it's hard to recognize in the registers.... right? Soooooo, we are going to use 47806 and the Hex is BABE ahahahahahhaha, yessir, it's BABE! And I recognize a BABE the very first time I see one!

Now, little grasshoppers, let's set a breakpoint, you already know how, you did your homework and you DID read the first tut, right? No? Damnit, these studs nowadays. OK, first we right click the name on the modules window and choose VIEW NAMES, then we right click the GetDlgItemTextA name on the names window and choose TOGGLE BREAKPOINT ON IMPORT, this way we are setting a BP at the exact location....

Let's ALT+TAB and switch to the little window asking us for the name and serial number.

Now, let's press the CHECK button. Oooohhh! Olly breaks on the BP... you should be here....

Let's be careful, see? We need to trace the call until we reach the crackme code. How? EASY, let's press the F8 key! F8 under Olly is for TRACING OVER, so it will go OVER the calls, not into the calls. So we press CTRL+F9 (that takes us to the next RET) and then F8 until we reach the crackme code. How do you know? Well, the CPU window will show ya! You should be HERE after pressing F8 SEVERAL times!

OK, a few lines below you see 00401235 > 68 50204000 PUSH 402050 ; ASCII "47806". That's our code, see? 47806 in hexadecimal is 0000BABE! OK, let's analyze the code for a few, there are a couple of calls to the MessageBoxA function.... and one of them is for INVALID and the other is for VALID! Oooohhhh. BUT guess what? There are 3 CALLS too!

0040123B . E8 C0FDFFFF CALL 00401000 ; evdcm2.00401000

00401245 . E8 B6FDFFFF CALL 00401000 ; evdcm2.00401000

00401255 . E8 A6FDFFFF CALL 00401000 ; evdcm2.00401000

Mmmmh, we should follow them, as you may remember, many many times the code for checking the serials is inside a call! And those calls surely seem a little suspicious... but let's go to the 3rd call, why? Because common sense indicates that the last call will CHECK the serial... So, we press F8 until we reach this call. Remember, with F8 you TRACE OVER (you do not go inside the call), with F7 you trace INTO.

NOW, be careful, we press F7 so we can GO inside the call, and we should be here. Let's scroll down a little, OK? What the hell are we looking for? Easy, we are looking for a CMP (compare) followed by a conditional jump (here a JNZ), this is the common way! And... we FIND IT!

0040108C |. 3B16 CMP EDX, DWORD PTR DS:[ESI] <--- Comparing

0040108E |. /75 01 JNZ SHORT 00401091 ; evdcm2.00401091 <--- Jumping if not zero...
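Olly prints the target of CALL 00401000 and JNZ SHORT 00401091 for you, but the bytes it shows (E8 C0FDFFFF, 75 01) are relative displacements from the NEXT instruction, not addresses. The following C program is an added example (not code from the tutorial or from the crackme) that recomputes those targets from the bytes listed above and the JNZ bytes just shown, and also shows how the DWORD 0000BABE (our serial) sits in memory as little-endian bytes, which is how it looks in Olly's dump pane. The byte arrays are copied from the listing on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Target of a near relative CALL (opcode E8, rel32).  The displacement is a
 * signed, little-endian 32-bit value measured from the address of the NEXT
 * instruction (E8 plus four bytes = 5 bytes long).  That is why
 * "E8 C0FDFFFF" at 0040123B is CALL 00401000 although the bytes look nothing
 * like 401000. */
uint32_t call_rel32_target(uint32_t insn_addr, const uint8_t bytes[5])
{
    uint32_t disp = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                    ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    return insn_addr + 5 + disp;   /* unsigned wrap == signed add mod 2^32 */
}

/* Same idea for the short conditional jumps (75 = JNZ SHORT, rel8): the
 * instruction is two bytes long and the signed 8-bit displacement is again
 * measured from the next instruction. */
uint32_t jcc_rel8_target(uint32_t insn_addr, const uint8_t bytes[2])
{
    int32_t disp = (int8_t)bytes[1];
    return insn_addr + 2 + (uint32_t)disp;
}

/* How a DWORD sits in memory: x86 is little-endian, so the operand
 * DWORD PTR DS:[ESI] = 0000BABE shows up in the dump as BE BA 00 00. */
void dword_le_bytes(uint32_t v, uint8_t out[4])
{
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

int main(void)
{
    /* Bytes copied from the Olly listing in the tutorial. */
    const uint8_t call1[5] = {0xE8, 0xC0, 0xFD, 0xFF, 0xFF}; /* at 0040123B */
    const uint8_t call2[5] = {0xE8, 0xB6, 0xFD, 0xFF, 0xFF}; /* at 00401245 */
    const uint8_t call3[5] = {0xE8, 0xA6, 0xFD, 0xFF, 0xFF}; /* at 00401255 */
    const uint8_t jnz[2]   = {0x75, 0x01};                   /* at 0040108E */
    uint8_t mem[4];

    printf("CALL at 0040123B -> %08X\n", call_rel32_target(0x0040123Bu, call1));
    printf("CALL at 00401245 -> %08X\n", call_rel32_target(0x00401245u, call2));
    printf("CALL at 00401255 -> %08X\n", call_rel32_target(0x00401255u, call3));
    printf("JNZ  at 0040108E -> %08X\n", jcc_rel8_target(0x0040108Eu, jnz));

    /* The marker serial: decimal 47806 is 0000BABE, stored as BE BA 00 00. */
    dword_le_bytes(47806u, mem);
    printf("47806 = %08X, in memory: %02X %02X %02X %02X\n",
           47806u, mem[0], mem[1], mem[2], mem[3]);
    return 0;
}
```

All three CALLs resolve to 00401000 (the displacements differ only because each CALL sits 10 bytes further along), and the JNZ lands on 00401091, one byte past itself: exactly what Olly shows in its comments. The little-endian point is the one that bites beginners: when you look for BABE in the dump window, look for BE BA, not BA BE.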

OK, but we scrolled down, we are NOT really there! We press F7 until we reach this line:

0040108C |. 3B16 CMP EDX, DWORD PTR DS:[ESI] <--- Comparing

And we should be here! Ohhh, what is the program comparing? Yessir! DS:[004020FF] = 0000BABE, OUR SERIAL! REMEMBER? And it's compared against the content of EDX=0002BFB1. Let's write down this number: 0002BFB1 Hex = 180145 Dec...
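To see the same thing from the program's side, here is an added C example (not the crackme's code, and not from the tutorial's author) of the construct that produces a CMP followed by a JNZ. The serial derivation in expected_serial is a constructed stand-in, since the tutorial never shows evidence's real algorithm; the point is the shape of check_serial, where the value the program wants and the value the user typed are both live at the compare.

```c
#include <stdint.h>
#include <stdio.h>

/* HYPOTHETICAL serial derivation, constructed for this example only.  Any
 * function of the name gives the same shape, which is all that matters. */
uint32_t expected_serial(const char *name)
{
    uint32_t h = 5381u;                 /* constructed start value */
    for (; *name != '\0'; name++)
        h = h * 33u + (uint8_t)*name;
    return h & 0x00FFFFFFu;             /* keep it in a short decimal range */
}

/* The construct the tutorial goes hunting for.  A compiler emits it as one
 * compare and one conditional branch, in the spirit of
 *     CMP EDX, DWORD PTR DS:[ESI]   ; EDX = computed value, [ESI] = typed serial
 *     JNZ SHORT invalid
 * When execution stops on the CMP, both operands are readable: the register
 * pane shows what the program wanted and the dump shows what was typed. */
int check_serial(const char *name, uint32_t entered)
{
    uint32_t wanted = expected_serial(name);
    if (wanted != entered)              /* -> CMP / JNZ */
        return 0;                       /* "SORRY, SERIAL NOT VALID" */
    return 1;                           /* "YEP, SERIAL VALID" */
}

int main(void)
{
    const char *name = "Sgi";
    uint32_t guess = 47806u;            /* the BABE marker from the tutorial */
    printf("name %s, serial %u -> %s\n", name, guess,
           check_serial(name, guess) ? "VALID" : "NOT VALID");
    printf("value live at the compare: %08X = %u\n",
           expected_serial(name), expected_serial(name));
    return 0;
}
```

Compile it with optimisation and look at the disassembly: the if becomes a cmp followed by jne (the same opcode Olly names JNZ). Whatever sits in a register at that compare is visible to anyone with a debugger, so a client-side compare like this can only ever delay a reader, never stop one; that is the lesson the tutorial teaches, seen from the other side.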

Since we found the serial, or at least we think so, let's press F9, OK? so the program will run...

We get a SORRY INVALID SERIAL, because we used 47806 as the serial number. Now let's run the program again by pressing CTRL+F2, and this time do not set a BP, let's enter Sgi for the Name and 180145 for the Serial and press that little CHECK button...

This time we get a YEP, SERIAL VALID window! That's it! We found the correct serial!

Now, you should find more serials by changing the name and checking that call.

I hope you enjoy my tuts, and just in case: you should UNDERSTAND the functions, you should REALLY learn assembler.

The next tut is a surprise! Yeah! Expect it soon.

Your friend. Sgi

How to contact me:

EFNET

#new2cracking

Don't message me. If I don't know you I won't respond, ask your questions on the channel.

Email

No email, no SPAM...

Yes, all of this info is for educative purposes only. I'm NOT responsible in any way for what you do with this knowledge. My main goal is to teach you how to use a debugger, NOTHING ELSE!

To make lawyers happy: OllyDbg Copyright (C) 2000-2002 Oleh Yuschuk. All Rights Reserved. All the other references are property of their legal owners, including the CRACKME..... ok?