Cracking Tutorial

What you need:
- Little ASM knowledge
- Ollydbg (download from http://home.t-online.de/home/Ollydbg)

*Note: When cracking always have a backup of the program you are cracking in case you fuck up!!*

Chapter 1: Cracking program level 1

Open Login1.exe and you will see that the program asks for a password, and we need to find the password. First we need a string to search for, so enter “aaaaa” as the password. Then you will see that the program says “ACCESS DENIED”; we want to have “ACCESS GRANTED”. Open Ollydbg and then open the Login1.exe program. This is what you get to see:

You are searching for the string “ACCESS DENIED”, so scroll down until you find it. When you find it, look a little above the string and you will see “ACCESS GRANTED”, and above that you will see H4x0R:

    00401848  . 4800 3400 7800>  UNICODE "H4x0R",0
    00401854    1C               DB 1C
    00401855    00               DB 00
    00401856    00               DB 00
    00401857    00               DB 00
    00401858  . 4100 4300 4300>  UNICODE "ACCESS G"
    00401868  . 5200 4100 4E00>  UNICODE "RANTED",0

In the bottom right corner you see “Paused”, which means that the program is paused. Now press F9 to run the program and enter “H4x0R” as the password, and you will see that it says “ACCESS GRANTED”.

Chapter 2: Cracking program level 2

Open Login2.exe (created by BasTijs, not me, so it’s also real cracking for me) and enter “aaaaaaa” as the password. It says “Calculating…”, then “ACCESS DENIED”. Now open Ollydbg and open the Login2.exe program. Now you have to find the string “Calculating…” or “ACCESS DENIED”. Since “Calculating…” is shown before “ACCESS DENIED”, it also comes first in Ollydbg, so you better search for “Calculating…”. When you find it you can see that “ACCESS GRANTED” is beneath “Calculating…” and beneath that is “ACCESS DENIED”. Then you scroll up and you see these 7 UNICODE numbers:

    0040297D  . 68 AC204000   PUSH Login2.004020AC   ; UNICODE "164"
    004029AE  . 68 B8204000   PUSH Login2.004020B8   ; UNICODE "39"
    004029E0  . 68 C4204000   PUSH Login2.004020C4   ; UNICODE "512"
    00402A11  . 68 D0204000   PUSH Login2.004020D0   ; UNICODE "40"
    00402A43  . 68 DC204000   PUSH Login2.004020DC   ; UNICODE "696"
    00402A71  . 68 E8204000   PUSH Login2.004020E8   ; UNICODE "756"
    00402A9F  . 68 F4204000   PUSH Login2.004020F4   ; UNICODE "296"

Now you want to know if the password is 7 characters long. So you have to scroll up until you see “vbaLenBstr”; this is the Visual Basic routine that checks the length of a string. When you find it you should see this piece of code:

    00402469  . FF15 10104000   CALL DWORD PTR DS:[] MSVBVM60.__vbaLenBstr
    0040246F  . 33C9            XOR ECX,ECX
    00402471  . 83F8 07         CMP EAX,7

In this piece of code you can see it checks the string length, which comes back in the EAX register. You can see “CMP EAX,7”, which compares that length with 7, so the password is indeed 7 characters. So now we have to crack the password, and for that we use breakpoints. When you set a breakpoint at a code line, the program stops executing when it reaches the breakpoint. So now we are going to set breakpoints after each UNICODE number we saw just a moment ago. So select the code line by clicking it once and then press F2; now you see it turn red. Do this for every number, and it should look like this:

Now press F9 so the program starts running, enter “aaaaaaa” (7 characters) as the password and try to log in. Then the program shows “Paused” again. When you press F9 again and the program stops at the same breakpoint, the first entered character is wrong. When you press F9 and the program goes to the next breakpoint, the character is right. Easier explanation: when you enter “aaaaaaa” as the password and press F9, the program stops at the first breakpoint (so the first character, the “a”, isn’t the first character of the password). Then you try “baaaaaa” and “caaaaaa” and so on. But when you enter “Haaaaaa” you can see the program jumps to the next breakpoint. That means that the “H” is the first character of the password. Then try “Hbaaaaa” as the password and so on until you have the password. When you finish that you can see that the password is “H4x1ng!”.

Chapter 3: Cracking program level 3

This is a real downloadable software program you are going to crack now. Open Swlipi32.exe and it asks for the password for the user ID. Fill in “fuckyou” and it says that the password is not valid. Then when the program is loaded and you quit, it says that the settings are not saved in the light version and a text-file appears. That is quite annoying, so let’s try to crack it! Open Swlipi32.exe in Ollydbg. You know a string to look for: “Not a valid password!”. Scroll down from the top of the code and soon you will find that string. Then you will see something like this:

    00401384  > 68 28444100   PUSH Swlipi32.00414428   ; |Text = "Not a valid password!"

You can see that the address of this line is 00401384, so you need to know which step made this code active. So scroll up a bit and you will see this:

    00401352  . 68 90904100   PUSH Swlipi32.00419090   ; |Title = "Sweet Little Piano"
    00401357  . 74 2B         JE SHORT Swlipi32.00401384
    00401359  . 68 40444100   PUSH Swlipi32.00414440   ; |Text = "Thanks for registering! Please restart the software!"

You can see that there is a jump at the second line, which jumps to 00401384. But it only jumps if it is equal, because “JE” means “Jump if Equal”. So we have to change that jump so it works the other way around. Double-click on the “JE SHORT Swlipi32.00401384” and a small screen appears. Change the JE into JNE (“JNE” means “Jump if Not Equal”) and press “Assemble” (it turns into JNZ, which is the same as JNE). Now right-click, Copy to executable, All modifications. Then press “Copy all” and then press “Yes” so you can make your own file of it. Open the cracked version of the program and enter “fuckyou” as the password. It will say you have registered the program.

©Copyright K1LL3RBYT3 Mail: [email protected]
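The shape of password check that Chapter 2 takes apart one breakpoint at a time, beside a hardened version, as an added example in C (not code from the tutorial or from Login2.exe; the secret value, the struct and the function names are constructed for the demo). The early-exit compare gives away, through how far it gets, how many leading characters are right; the full-walk compare does identical work for every wrong guess, so there is no per-character step to observe.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed secret for this demo: a stand-in for Login2.exe's hard-coded
 * password, not a value read from the tutorial's binary. */
static const char SECRET[] = "H4x1ng!";

struct verdict { int ok; size_t steps; };  /* ok: accepted; steps: chars examined */

/* Vulnerable shape: length check, then a per-character compare that stops at
 * the first wrong byte. steps grows by one per correct leading character,
 * which is the signal the breakpoint-stepping in Chapter 2 reads off. */
struct verdict check_early_exit(const char *guess)
{
    struct verdict v = { 0, 0 };
    size_t n = strlen(SECRET);
    if (strlen(guess) != n)
        return v;
    for (size_t i = 0; i < n; i++) {
        v.steps++;
        if (guess[i] != SECRET[i])
            return v;  /* early exit: the mismatch position is observable */
    }
    v.ok = 1;
    return v;
}

/* Hardened shape: walk the whole secret, OR every difference into one
 * accumulator and decide once at the end, so every wrong guess does the same
 * work. Real code should call a library routine such as CRYPTO_memcmp. */
struct verdict check_constant_time(const char *guess)
{
    struct verdict v = { 0, 0 };
    size_t n = strlen(SECRET), glen = strlen(guess);
    uint8_t diff = (uint8_t)(glen != n);
    for (size_t i = 0; i < n; i++) {
        uint8_t g = (i < glen) ? (uint8_t)guess[i] : 0;  /* never read past guess */
        diff |= (uint8_t)(g ^ (uint8_t)SECRET[i]);
        v.steps++;
    }
    v.ok = (diff == 0);
    return v;
}
```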