#ro0ted #OpNewblood What the Blackhats don’t want you to know: Part 3 Ollydbg Cheating a Crackme
Happy New Years everyone.
Today we will be continuing into Part 3 Ollydbg: Intro to Crackme’s
Introduction Part 3 Ollydbg: Cheating a Crackme +
What’s a Crackme?
a Crackme is a small program designed to test a programmer’s reverse engineering skills
This tutorial will be interactive meaning you can download the crackme and try it out for yourself. Use Ollydbg 1.0 in the Whitehat Lab. We will move onto other advanced pre built Ollydbgs later. – https://twitter.com/ro0ted/
Why is this important in analyzing malware?
Because you are going to need to re-edit the malicious code when you conduct tests and/or you are going to want to know what JMPs, PUSH, CALL, and other command comes do.
Commands in this tutorial we are going to see a lot:
See a this list to see which opcode means what:
This crackme is a typical one if not super basic has a screen that says enter serial number with two answers, Incorrect/Correct.
There’s two ways to do this. The long way & the cheating way. Let’s do the cheating way first. The next tut we will do it the correct way.
Open Ollydbg 1.0 Load FAKE.exe into Olly:
Double Click Play til program opens and click register:
Enter a random value and press enter
You will get this screen:
Now go to the Disassembly section and right click search for all reference strings like we talked about in the other tuts, don't exit out the program:
In the reference string module click incorrect> right click pick follow in disassembler
Before we continue I got tired of the boring colors. You can edit your colors in options> appearance:
Okay moving on. The plan is edit the command that sends the message incorrect to correct.
so right click PUSH 403039 and click assemble. We will use the JMP long command which will have the error Jump to another address where the box will say “correct”
JMP long 401222
Now maximize the program back up re enter the serial. Look what we get.
(Visited 1,794 times, 1 visits today)
- You can follow any responses to this entry through the RSS 2.0 feed.
- Both comments and pings are currently closed.