By ro0ted | January 4, 2015 - 17:15 | Posted in /b/ | 24 Comments
#ro0ted #OpNewblood What the Blackhats don’t want you to know | Ollydbg: Your first Patch

In the last tutorial we learned how to cheat a crackme by editing the instructions. That approach won’t work on most crackmes. Most crackmes that use serial numbers require you to write a keygen for them. Others require “patches”, and that’s what we will be doing today: creating your first patch. – https://twitter.com/ro0ted/

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Tools used:

r4ndoms Ollydbg http://www.thelegendofrandom.com/files/tools/R4ndoms_OllyDBG.zip

Crackme http://www.mediafire.com/download/0syc6om4ln3969l/Crackme2.exe

As always, open OllyDbg and load crackme2.exe in Olly.

Click the play button once, then go to the disassembly window and right click > Search for > All referenced strings.

Select the “good boy” string and right click > Follow in Disassembler:

You should have a screen like this:

See anything familiar? No? Let’s look again:

In the last tutorial we used JMP; here we have a bunch of JNZ short instructions.

You may want to pay attention to the JNZs.

This one says JNZ short, which means:

Jump short if not zero (ZF=0).

You can find the value of the ZF flag in the registers section:

So let’s see where this JNZ instruction jumps to.

Click the JNZ instruction (JNZ short), right click and select Follow.

So it shows JNZ jumps here:

This shows us it jumps to “bad boy” instead of the activation screen. We don’t want that to happen, so let’s set a breakpoint at the JNZ address.

Now we could change the flag in the registers section, but that’s only a temporary fix. Let’s begin patching.

Now click the JNZ instruction (“JNZ short”), right click, select Assemble and enter nop. NOP stands for No OPeration: it replaces the instruction with one that does nothing, so the jump is effectively cancelled.

Now try running the program: click the play button twice, let it run, then pause. Look what happens now.

Now, if you restart the app or close it, the patch you made will be lost. Here’s how to save it.

Go to Patches in r4ndom’s OllyDbg:

You see how it says Active? That means our app is still running. Restart the program; Olly may bring up an error, a very long, complicated error that basically tells us our patch (and our breakpoints) may not “stick” because Olly can’t keep track of them (it’s a little more complicated than this, but we’ll see later). Close the window, then go to the Breakpoints window and right click > Enable.

Go back to the Patches window, click the patch > right click > Re-enable.

After you do this it will take you back to the disassembly:

In order to make our patch permanent, we must save the changed version to the binary on disk. So on the disassembly screen right click > Copy to executable > All modifications.

After that, select Copy all.

You will come to this screen:

Right click anywhere in the window and hit Save:

Now try it out:
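As an added example (not code from this post, and not bytes taken from Crackme2.exe), here is a small Python model of what the patch above does: a constructed cmp/JNZ-short sequence, the ZF rule that decides whether the jump is taken, the two-byte NOP overwrite, and the SHA-256 change that lets an integrity check catch such a modification.

```python
import hashlib

JNZ_SHORT = 0x75  # jnz rel8: jump taken only when ZF == 0
NOP = 0x90        # single-byte no-op


def short_jnz_target(code: bytes, offset: int):
    """Absolute offset a short JNZ at `offset` jumps to, or None if the byte
    there is not a short JNZ. rel8 is relative to the next instruction."""
    if code[offset] != JNZ_SHORT:
        return None
    rel = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
    return offset + 2 + rel


def step(code: bytes, offset: int, zf: int) -> int:
    """Where execution continues after the instruction at `offset`, for the
    two opcodes this toy model understands (JNZ short and NOP)."""
    if code[offset] == NOP:
        return offset + 1
    target = short_jnz_target(code, offset)
    if target is None:
        raise ValueError("unsupported opcode 0x%02x at %d" % (code[offset], offset))
    return target if zf == 0 else offset + 2


def nop_out_short_jnz(code: bytes, offset: int) -> bytes:
    """The tutorial's patch: overwrite the 2-byte JNZ short with NOP NOP so
    execution always falls through to the good-boy path. Refuses anything else."""
    if short_jnz_target(code, offset) is None:
        raise ValueError("no short JNZ at offset %d" % offset)
    patched = bytearray(code)
    patched[offset:offset + 2] = bytes([NOP, NOP])
    return bytes(patched)


def sha256_hex(data: bytes) -> str:
    """Hash of the image; a signed or hashed binary fails verification after the patch."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample (hypothetical serial check, not real crackme bytes):
#   0: 83 F8 00        cmp eax, 0
#   3: 75 05           jnz short +5    -> offset 10 (bad boy)
#   5: B8 01 00 00 00  mov eax, 1      ; good boy
#  10: B8 00 00 00 00  mov eax, 0      ; bad boy
SAMPLE = bytes.fromhex("83F800" "7505" "B801000000" "B800000000")
```

With ZF=0 (serial wrong) the unpatched jump lands on the bad-boy block at offset 10; after the two NOPs every path reaches the good-boy block, and the file hash no longer matches the original.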

ro0ted
