Use Ollydbg To Crack Software Codes

Aug 31, 2012

Hey dudes, let's start cracking today and see, in the real world, how crackers fish a serial out of software.

Our target is a protected program that asks for a serial. Download the target below.


The Tools that we need:
OllyDbg , PEiD , W32dasm, HexWorkshop

The Protection:
Serial Protection

Other Information:
In this tutorial we will cover serial fishing with Olly.

Let us first get set up and ready to crack. Go to the target folder, in our case C:\Program Files\WorldTV, and make a quick backup copy that we can work on without fear of screwing up the original file. Let's name it worldtv2.exe; we will refer to it later.

It has become habit to first examine a target with PEiD to determine the packer or protector. Open up PEiD and drag worldtv2.exe into it. The result: “Microsoft Visual C++ 5.0”. Surprisingly, the target is not packed or protected. That will make it all the easier to crack.

Knowing that we will not need to unpack the executable lets us do a little examination of the protection scheme. Open up worldtv. It goes directly into the nag screen letting us know that it is not registered. That is important to note because it lets us know that it is checking for a registration key (maybe a keyfile or registry key) before the program even loads. Try putting in a random key. Ahh, we get a nice little messagebox telling us “Invalid Registration Code”. Let’s write that little message down and save it. Press Okay for Exit.

Finding the Bytes:


Let's first try the easy way. We are going to patch the jump that leads to the invalid registration box. Run w32dasm and use it to open up WorldTV.exe. We are opening the original WorldTV.exe file so that we can apply the patch to the copy we made. After the file has been disassembled, we will look for the string from the messagebox. To do this click on the String References button at the top of w32dasm. A new window opens up with a list of all strings found in the file. Scroll down until you find “Invalid Registration Code” and double click it.

You should now be at the following lines:

Looking at the code we see a test eax,eax followed by a jne 0041B54C.

We want to change the jne (jump if not equal) to jmp (unconditional jump); that way the program will register when you use any serial. To do this we will need to find where the jne instruction is located in WorldTV.exe. That information is found at the bottom of the w32dasm window.

You should see:

We are interested in the Offset value of 0001A915h. Write this number down; ignore the “h” at the end, it just means that the value is hexadecimal.

Patching the Bytes:

Open up WorldTV2.exe in HexWorkshop. Next press CTRL+G to bring up the Goto dialog box; Goto can also be found under Edit. We now want to type in the offset value that we wrote down, in this case 0001A915. Make sure the Hex option is checked and the Beginning of File option is checked. When you are ready press the Go button.

This will take us to the location of our jne 0041B54C. We know that 75 is the opcode for the instruction JNE and 74 is the opcode for the instruction JE. In this case, rather than jumping on bad serials, we want the program to jump on ANY serial. We will replace 75 with EB, which is the opcode for JMP.

It Becomes:

Save WorldTV2.exe. Now find your newly patched WorldTV2.exe and run it.

It asks for a serial! Give it any one you want; we will use 1234567. Press Validate Registration and… Success! Registration Code Accepted.
Are we done? Nope.

Close WorldTV2.exe and open it back up again. It is still asking for a serial. Now, we could just put in a serial every time we use it but that is annoying. Instead, we are going to find a real serial.

Finding a Serial:

To begin, review what we know about the program so far:

1. It checks for a serial when starting up
2. After registering with a bogus serial it is unregistered the next time you start it up

This means that before the program even completely loads it is checking for the existence of a good serial. We need to find out where that serial is being stored. There are usually two places a serial is stored: in the registry or in a file. We are going to start by checking the registry. Start up WorldTV2.exe and put in 1234567 as the serial. Validate the serial and then close WorldTV.

Go to your Start menu and find the Run command. A box will open asking you to “Type the name of a program, folder, etc…”. Type in “regedit”, without the quotes, and press enter. You will now be in the regedit window and see a two pane window with a list of folders in the left pane. Click on the plus sign in front of HKEY_CURRENT_USER. It will open, you now have another list of folders. Click the plus sign in front of Software. Scroll down until you find WorldTV and click on the folder. Aha! In the right pane we have a key called RegCode with our bogus key: 1234567 stored in it. We now know that WorldTV checks the registry for a serial before loading.

We are going to start by opening Ollydbg. Using Ollydbg, open the original WorldTV.exe.

[Screenshot]

You should see something similar to the image above. Before pressing the Run key we want to set some breakpoints first. Right-click in the Code window of Olly and choose Search For, then select All Intermodular Calls. This will bring up the Calls window. Sort the calls by Destination. Scroll down until you find RegQueryValueExA. Select it, right-click, and set a breakpoint on every call to RegQueryValueExA.

[Screenshot]

Now press the Run button ‘>’. You will first break at FF15 0C304400 CALL DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>]. If you look at the Registers window on the right side of Olly, you will see EDI is holding the ASCII value “Recordings”. This is not the registry key we are looking for, so press Run again. We break again on the Recordings registry key, so press Run again. We will have to press Run 24 more times before we break here:

[Screenshot]

Notice the Value of EAX is ASCII “RegCode”. Press Run once more and we are now here:

[Screenshot]


And ECX now holds the ASCII value “RegCode”. We know we are getting close because WorldTV just looked for the registration code. We are now going to step through the code and pay attention to the Registers. After a few steps we find that ESI is holding our bogus serial 1234567 and EDI is holding 00000000-00000000-00000000-00000000. This is interesting; however, I doubt that a bunch of zeros is the registration code. Stepping through some more, we see that EDI is shortened to -00000000-00000000-00000000. This still does not give us the serial. Continue to step through past where EDI is replaced by “C:\Program Files\WorldTV\Scheduler.txt.tmp”. Soon after that point you will come to here:

Notice that EAX, EBX, and EDX were all zeroed out. Also we see an ASCII value moved into EDI. It is here we are going to start seeing our serial come together. After a little more stepping through we find that we are in a loop. We can see that a serial is being made and can be seen at this address: MOV EDI,WorldTV.004C8950. Rather than stepping through the code line by line we are going to set a breakpoint on MOV EDI,WorldTV.004C8950 and watch our serial come together. Select the line and press F2 to set a breakpoint. Now press the Run button a few times and we can watch our serial build itself.

Paying attention to EDI earlier, we know that our serial is either 4 sets of 8 characters or 3 sets of 8 characters. As you get near 3 full sets, slow down or you will miss the serial. When you only have 2 characters left to go, stop pressing the Run button and just step through the code. When you step past the following line, REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI], you will see the last two characters of your serial added on.

[Screenshot]

Go ahead and write this number down. Press Run again to see if there is another set of characters to be added. Nope. Pressing Run again will start you through another loop where a separate serial is calculated (for what? I am not sure because it would not register the program).

Go ahead and close Ollydbg. Open up the original WorldTV.exe and try registering with the serial we wrote down. Registration Code Accepted: we have successfully registered WorldTV with a real serial. No patching involved!

Every reverse engineer, malware analyst or simply a researcher eventually collects a set of utility software that they use on a daily basis to analyze, unpack, and crack other software. This article will cover mine. It will be useful to anyone who has not yet collected their own toolset and is just starting to look into the subject. However, an experienced reverse engineer must also be curious about what other crackers are using.


WARNING

This article is for information purposes only. Neither the editorial team nor the author assumes any responsibility for possible harm that may arise from the use of these materials.

Debuggers

Debugging an application is an essential part of studying it, so every reverse engineer needs a debugger at the ready. A modern debugger must support both Intel architectures (x64 and x86), so this is the first prerequisite.

We must also be able to debug kernel-mode code. You will need this every once in a while, especially if you want to look for zero-day vulnerabilities in OS kernels or reverse engineer malware in drivers. The main candidates are x64dbg and WinDbg. The first debugger works in user mode, while the second one can debug kernel-mode code.

x64dbg

This is a modern debugger with a good user interface, a worthy successor to OllyDbg. It supports both architectures (x64 and x86), and there are tons of useful plugins.

Granted, it has its downsides as there are a number of annoying bugs. But it is actively developed and supported. Since the debugger works in user mode, it is of course vulnerable to a wide range of anti-debugging techniques. This is, however, in part offset by the availability of many different debugger hiding plugins.

x64dbg has a built-in decompiler and imports reconstructor (both x64 and x86), supports code graph visualization and read/write/execute/access breakpoints. This debugger has enabled some hackers to break down the infamous Denuvo DRM system!

Why not OllyDbg

We haven’t included OllyDbg here because it is very outdated. It does not support the latest operating systems or x64. The app’s official website announced an x64 version and even reported some development progress, but the site itself has not been updated since 2014. OllyDbg is undoubtedly a milestone piece of software, but now it seems that its time has passed. There have also been fewer kernel-mode debuggers since Syser Kernel Debugger, a successor to SoftICE, was abandoned.

WinDbg

WinDbg is one of the best kernel or driver debugging tools. This debugger is supported by Microsoft and included in the Windows Driver Kit (WDK). This is currently the most up-to-date and powerful kernel code debugger. It does not feature the user-friendly interface of x64dbg, but there are not many other options, as other debuggers don’t support kernel-mode code.

WinDbg supports remote debugging and can download debug symbols directly from Microsoft servers. The VirtualKD booster exists to speed up the WinDbg setup for debugging kernel-mode code in a VM. WinDbg is definitely not for beginners, but as you gain experience in reverse engineering and start testing various interesting options, you won’t be able to avoid it.

WinDbg enables you to view various system structures and easily disassemble NTAPI functions. Of course it can also be used to debug “regular” applications, but I prefer to unleash this powerful weapon only when it is really needed!

Disassemblers

Reverse engineering cannot exist without static code analysis tools. The current selection of disassemblers is not much better than that of debuggers, but we still have some favorites. The IDA Pro disassembler is a de facto standard in antivirus labs. Next is the Radare2 reverse engineering framework (many reckon that Radare2 is on par with IDA).

IDA Disassembler

There are two versions of IDA, a paid Pro version and a free Starter version. The free version is limited to x86 and does not support plugins. The Pro version offers full functionality with a large number of supported processor architectures and plugin support.

IDA does have a built-in debugger with rather basic functionality, but its unconventional interface takes some time to get used to. IDA can also be augmented with the Hex-Rays addon, a decompiler of application source code into C code. This is very useful as it really speeds up program analysis.

Overall, IDA is a very powerful and polished tool with a long development history. Unfortunately, the Pro version costs about $500-1000 (depending on the license type) and they do not sell it to just anybody. So we have to make do with other options.

Radare2

Radare2 was initially conceived as a simple hex editor but grew into a full framework able to debug and disassemble all types of code including firmware, viruses and cracks.

Radare is a set of console tools including a debugger, disassembler, decompiler, hex editor, its own compiler, utility for comparing binary files and much more. There is also a GUI addon named Cutter that greatly improves the look and usability of Radare’s framework.


The framework supports a large number of processors and platforms, which enables it to compete with products like IDA Pro. Another big advantage of Radare is that it is an open source, free and community-driven project.

Additional utilities

We have covered the main tools, but reverse engineering also needs packer identifiers, network monitors, hex editors and many other utilities. Let’s have a closer look at the main ones.

Detect it Easy (DiE)

This is a great packer identifier with a large number of useful functions. For example, it allows you to view file section entropy, which facilitates visual identification of encryption.

It also has a resource viewer with a dump-to-disk feature. DiE enables you to easily access the import table and add plugins and scripts, configure signature scanning methods and view file headers. It fully supports PE and PE+.

There is only one problem with this program: a slow update cycle, although it has not been abandoned. In fact, a new version was released recently!
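As an added example (not part of the original article, and not DiE's own code), the check behind DiE's entropy view done by hand in Python: a minimal parser walks the PE section table and flags any section whose Shannon entropy approaches 8 bits per byte, the usual sign of packed or encrypted code. The PE-shaped sample image and the 7.0 threshold are constructed for the example.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE image.

    Only the fields needed are read: e_lfanew (DOS header, offset 0x3C),
    NumberOfSections and SizeOfOptionalHeader (COFF header), then the
    40-byte IMAGE_SECTION_HEADER entries that follow the optional header.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def section_entropy_report(image: bytes, threshold: float = 7.0):
    """Return [(section name, entropy rounded to 2 places, above-threshold flag)]."""
    report = []
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        report.append((name, round(h, 2), h >= threshold))
    return report

def build_sample_pe() -> bytes:
    """Constructed, minimal PE-shaped buffer for the demo (not a runnable executable)."""
    text = b"Invalid Registration Code\0" * 8   # plain strings: low entropy
    packed = bytes(range(256)) * 2              # stands in for packed/encrypted data
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)             # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x014C, 2)       # Machine=i386, NumberOfSections=2
    struct.pack_into("<H", img, 0x54, 0)                # SizeOfOptionalHeader=0 (omitted)
    for i, (name, data, ptr) in enumerate([(b".text", text, 0x100), (b"UPX1", packed, 0x200)]):
        struct.pack_into("<8sIIII", img, 0x58 + i * 40, name, len(data), 0x1000 * (i + 1), len(data), ptr)
        img[ptr:ptr + len(data)] = data
    return bytes(img)

if __name__ == "__main__":
    for name, entropy, flagged in section_entropy_report(build_sample_pe()):
        print(f"{name:8} entropy={entropy:.2f} {'PACKED?' if flagged else 'plain'}")
```

On a real file, read it with `open(path, "rb").read()` and pass it to `section_entropy_report`; a high-entropy section sitting next to a tiny code section is the pattern DiE's entropy graph makes visible.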

INFO

You can see examples of working with DiE in my previous articles: “Manual unpacking. Cracking a custom packer based on GlobeImposter 2.0 ransomware” and “The art of unpacking. Gutting the protection of the crafty GootKit banker”.

ExeInfoPE

This is another packer and protector detector. It has an unconventional interface that will not be to everybody’s taste. On the other hand, the program is frequently updated, offers numerous interesting functions and user-friendly tips for unpacking.

Overall, I would recommend it to beginners. ExeInfoPE has a number of automatic unpackers and will tell you which tool to use to crack a bolt-on protection system.


Of course, the program also offers the full set of standard features including a file header viewer, section viewer, hex viewer and even a number of built-in mini-utilities like TerminateProcess and more. ExeInfoPE also supports plugins.


HxD

Sometimes you may need to access HDD, memory or applications in binary mode. This is where hex editors come in handy, as exemplified by HxD. This program is free and frequently updated, supports popular formats, is good for searching and offers a user-friendly UI. There are other well-executed features, such as the ability to remotely erase (zerofill) files. There is also a portable version for easy storage on a flash drive.

HIEW

This hex editor has a long history, but it is still supported by its devs. It comes in free and paid versions (the latter is $20 without updates or $200 with lifelong updates). The Norton Commander-like interface might scare off a younger crowd, but it is easy to get used to. What is especially great about HIEW is that you can work in “keyboard-only” mode, controlling all its functions via hotkeys.

Pestudio

A useful program for malware analysis. Pestudio automatically scans file samples with VirusTotal, offers an interesting view of the analyzed application’s import table functions, shows the application’s viral markers, used libraries and PE file header info. It also enables you to work with resources. In other words, this is a versatile antivirus tool for initial sample analysis.

PE-bear

Another interesting viewer/editor of PE and PE+ files comes with a packer/protector identifier and shows info on file headers, resources and sections. If you want to, you can view sections in hex mode and disassemble them into regular assembler mnemonics.

PE-bear has a user-friendly UI and a file-comparing utility. The program’s only downside, despite its open source code, is its rare updates. So, if you find a bug, you can fix it yourself.

Fakenet-NG

This program emulates working with a network. When studying malware samples, you often need to see all their Internet activities: monitor DNS and HTTP queries, sniff traffic and identify IP addresses of the controlling servers (for example, if you are dealing with a ransomware bot). Your VM should of course be offline, but if the virus detects it, it won’t do all the things that it usually does.


Fakenet-NG is fully supported with frequent updates, so this utility can be used on the latest operating systems.

ProcessExplorer

It would be hard to perform reverse engineering without programs from Sysinternals that monitor how applications access the filesystem and processes. ProcessExplorer shows all processes in a hierarchical tree view, so you can easily see their spawning order. You can also see which dynamic libraries they use, as well as their priority, digital signatures, processor usage and much more.


RegShot

A handy utility for monitoring registry changes. RegShot takes snapshots of the registry before and after you do some system or software changes.


TCPView

A small program for monitoring an application’s network activity. You can see which ports it accesses (both local and remote), together with protocols, process identifiers and transmitted packet counters. Overall, this is one of the most useful tools for any hacker!

Resource Hacker

A popular program for editing resources, including manifests, icons, text dialog lines, cursor info and much more. You won’t need this functionality very often, but when you do, this is a suitable tool to have.


Summing up


We have covered the main utilities used for most reverse engineering tasks. I think this should be enough for a beginner. Your own list will grow as you progress.

Many reverse engineers end up writing their own targeted programs, plugins and scripts. You won’t be able to find tools for every task that will make your life easier. If you know similar software or want to share links to other useful tools, please do so in the comments!