By ro0ted | January 2, 2015 - 03:50 | Posted in /b/ | 39 Comments
#ro0ted #OpNewblood What the Blackhats don’t want you to know: Part 3 Ollydbg Cheating a Crackme

Happy New Year, everyone.

Today we continue with Part 3 Ollydbg: Intro to Crackmes.

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme +
What’s a Crackme?

A crackme is a small program designed to test a programmer’s reverse engineering skills.

This tutorial is interactive, meaning you can download the crackme and try it out for yourself. Use Ollydbg 1.0 in the Whitehat Lab; we will move on to other, more advanced pre-built Ollydbg setups later. – https://twitter.com/ro0ted/

Tools used:

Ollydbg 1.0

Fake.exe (Crackme)


Why is this important in analyzing malware?

Because you will need to edit the malicious code when you conduct tests, and you will want to know what JMP, PUSH, CALL and the other commands do.

Commands we are going to see a lot in this tutorial:

JMP long

JNZ short

PUSH

MOV EBX

CMP

CALL

See this list to find out what each opcode means:

http://ref.x86asm.net/coder32.html


This crackme is a typical, if not very basic, one: it has a screen that says enter serial number, with two possible answers, Incorrect/Correct.

There are two ways to do this: the long way and the cheating way. Let’s do the cheating way first; in the next tut we will do it the correct way.

Open Ollydbg 1.0 and load FAKE.exe into Olly:

Double-click Play until the program opens, then click Register:

Enter a random value and press Enter.


You will get this screen:

Now go to the Disassembly section, right-click and search for all referenced strings like we talked about in the other tuts; don’t exit the program:


In the referenced strings window, click Incorrect, then right-click and pick Follow in Disassembler.

Before we continue: I got tired of the boring colors. You can edit your colors in Options > Appearance:

Okay, moving on. The plan is to edit the command that sends the message Incorrect so that it sends Correct instead.

So right-click PUSH 403039 and click Assemble. We will use the JMP long command, which makes the error path jump to another address, where the box will say “Correct”.

So before:

PUSH 403039

After:

JMP long 401222

Now maximize the program again and re-enter the serial. Look what we get:
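An added example (not from the original post): a small Python script that encodes the 5-byte PUSH 403039 and the JMP long 401222 that replaces it, the same bytes OllyDbg’s Assemble writes, and checks that the patch fits without overrunning the next instruction. The address 0x401200 for the PUSH is an assumed placeholder, since the post does not give it.

```python
import struct

# Constructed placeholder: the post does not give the address of the
# PUSH 403039 instruction, so 0x401200 is an assumption for this example.
PUSH_ADDR = 0x401200
INCORRECT_STR = 0x403039   # from the post: PUSH 403039
CORRECT_ADDR = 0x401222    # from the post: JMP long 401222


def encode_push_imm32(imm):
    """PUSH imm32: opcode 0x68 plus a little-endian 32-bit immediate (5 bytes)."""
    return b"\x68" + struct.pack("<I", imm)


def encode_jmp_rel32(at, target):
    """JMP rel32 (what OllyDbg calls 'JMP long'): opcode 0xE9 plus a signed
    displacement counted from the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", target - (at + 5))


def decode_jmp_rel32(at, code):
    """Recover the absolute target of an E9 jump that sits at address 'at'."""
    if code[0] != 0xE9:
        raise ValueError("not a JMP rel32")
    (rel,) = struct.unpack("<i", code[1:5])
    return at + 5 + rel


def patch_in_place(code, offset, old_len, new_bytes):
    """Overwrite one instruction with another without disturbing what follows.
    A longer replacement would clobber the next instruction; a shorter one is
    padded with NOPs (0x90) so the following bytes stay where they were."""
    if len(new_bytes) > old_len:
        raise ValueError("replacement is longer than the instruction it overwrites")
    filler = b"\x90" * (old_len - len(new_bytes))
    return code[:offset] + new_bytes + filler + code[offset + old_len:]


def apply_post_patch():
    """Constructed sample: PUSH 403039 followed by a RET as a marker, then the
    same 5-byte JMP patch the post assembles. Returns (before, after)."""
    push = encode_push_imm32(INCORRECT_STR)
    before = push + b"\xC3"
    jmp = encode_jmp_rel32(PUSH_ADDR, CORRECT_ADDR)
    after = patch_in_place(before, 0, len(push), jmp)
    return before, after


if __name__ == "__main__":
    before, after = apply_post_patch()
    print("before:", before.hex())
    print("after: ", after.hex(), "->", hex(decode_jmp_rel32(PUSH_ADDR, after)))
```

Both instructions are exactly 5 bytes, which is why the patch drops in without touching the instruction after it; a file-level diff of FAKE.exe would show just those five bytes changed.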
