Wednesday, November 2, 2005

Reverse Engineering Basics (CrackMe v1.0 by Cruehead/ MiB)

I'm bored again and I think this is the right time to make another post about reverse engineering basics. The file is CrackMe v1.0, written for us by Cruehead/ MiB to test our reverse engineering skills.

These are the detailed steps on how I managed to make this application accept any serial I want.

First, let's fire up crackme1.exe and go to Help >>> Register...



Let's try to register. Entering an incorrect serial gives us the "No luck there, mate!" dialog.



Now close the crackme and fire up OllyDbg. Click File >>> Open and browse to the crackme file.



Right-click somewhere in the CPU main thread window, go to "Search for" and select "All referenced text strings".



Below are all the dialog box strings that the program refers to. As you may remember, the wrong serial we entered earlier led us to this memory address: 00401370.



By double-clicking "00401370", we can view the full details of that dialog box routine, whose first instruction is at memory address "00401362".



Back in "All referenced text strings", you will see the memory address "00401354", which leads to the dialog box shown when the correct serial is entered. This is what we would like to see when we try to register. Double-clicking "00401354" shows us the instructions of that dialog box routine.



Right-click the memory address "0040134D", go to "Find references to" and click "Selected command".



"0040124C" is the memory address of the CALL to "0040134D". By double-clicking "0040124C", we can view the surrounding instructions.



Now this is the most important part. We now have the memory addresses where the crackme does its checking: the CMP of the serials at memory address "00401241" and the conditional jump at memory address "00401243".



So, to summarize:



What we are going to do now is reverse the instruction at memory address "00401243" from JE (jump if equal) to JNE (jump if not equal), so that whatever serial we input leads us to memory address "0040134D" ("Great work, mate! Now try the next Crackme!").



Now fire up "Hiew", select crackme1.exe and hit Enter.



Press "F4" and select "Decode".



Press "F5" and type ".00401243" without the quotes.



Press "F3" and change "74" (jump if equal, JE) to "75" (jump if not equal, JNE).



Press "F9" to save the changes and "F10" to close Hiew.



Now, fire up crackme1.exe and try any name and serial you want!
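From the other side of the table, a one-byte change like 74 to 75 is exactly what a file integrity check should catch. The following Python script is an added example, not part of the original post: it hashes two copies of a binary, lists every differing byte, and flags a change between complementary short conditional-jump opcodes (JE/JNE and the other even/odd pairs in 70..7F). The sample bytes are constructed for the example, not taken from crackme1.exe.

```python
import hashlib

# Short (8-bit displacement) conditional jumps occupy opcodes 0x70..0x7F.
# Each even/odd pair is a complementary condition, so flipping the low bit
# (0x74 JE -> 0x75 JNE) inverts the check while leaving the file size,
# the jump target and every other byte unchanged.
SHORT_JCC = {
    0x70: "JO", 0x71: "JNO", 0x72: "JB", 0x73: "JAE",
    0x74: "JE", 0x75: "JNE", 0x76: "JBE", 0x77: "JA",
    0x78: "JS", 0x79: "JNS", 0x7A: "JP", 0x7B: "JNP",
    0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
}

def sha256_hex(data: bytes) -> str:
    """Whole-file hash: the quick way to notice that anything changed."""
    return hashlib.sha256(data).hexdigest()

def find_patches(original: bytes, modified: bytes) -> list:
    """Return one record per differing byte: its offset, old and new value,
    and, when both values are short Jcc opcodes, whether the condition was
    simply inverted (low bit flipped)."""
    if len(original) != len(modified):
        raise ValueError("sizes differ; this check expects an in-place patch")
    findings = []
    for off, (old, new) in enumerate(zip(original, modified)):
        if old == new:
            continue
        rec = {"offset": off, "old": old, "new": new, "jcc_inverted": False}
        if old in SHORT_JCC and new in SHORT_JCC:
            rec["old_mnemonic"] = SHORT_JCC[old]
            rec["new_mnemonic"] = SHORT_JCC[new]
            rec["jcc_inverted"] = (old ^ new) == 1
        findings.append(rec)
    return findings

# Constructed sample around a compare-and-branch (not the real crackme bytes):
# 39 D8 = CMP EAX,EBX ; 74 10 = JE +0x10 ; padding NOPs.
ORIGINAL = bytes.fromhex("39d8" "7410" "90909090")
PATCHED = bytes.fromhex("39d8" "7510" "90909090")

if __name__ == "__main__":
    print("original sha256:", sha256_hex(ORIGINAL))
    print("modified sha256:", sha256_hex(PATCHED))
    for finding in find_patches(ORIGINAL, PATCHED):
        print(finding)
```

Note that an inverted JE also sends the genuine serial down the failure path, which is a useful behavioural tell when a hash mismatch cannot be explained by a legitimate update.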


