Cheat Engine Forum (forum.cheatengine.org)
[Tutorial] Serial Fishing with OllyDbg

 
malfunction (Grandmaster Cheater Supreme)
Posted: Thu Feb 28, 2008 9:05 am    Post subject: [Tutorial] Serial Fishing with OllyDbg

-{Serial Fishing with OllyDbg}-

Welcome to my very first cracking-related tutorial! Take a comfy position on your chair, get a warm cup of hot chocolate, and start reading. This is the first part of my serial fishing tutorials, which I'll be posting later on.

I will take you through the steps I took when cracking this program; this might help you or give you a better idea of how to approach other programs in the future ^_^

Some Information before we start

The Target: WorldTV 7.1
Download: http://www.netfor2.com/WorldTV.zip

The Tools: OllyDbg, PEiD, W32dasm, HexWorkshop, notepad

Where to download the tools:
OllyDbg: http://ollydbg.de/download.htm
PEiD: http://peid.has.it/
W32dasm: http://www.softpedia.com/get/Programming/Debuggers-Decompilers-Dissasemblers/WDASM.shtml
HexWorkshop: http://www.download.com/Hex-Workshop/3000-2352_4-10004918.html?part=dl-HexWorksh&subj=dl&tag=button

The Protection:
Serial Protection

The Actual Cracking
Before starting, it is wise to make a copy of the file you are going to crack in case you screw up. Also, I named my target program worldtv2.exe.

At least for me it's a habit to first examine the target with PEiD to determine the packer or protector. Open up PEiD and drag worldtv2.exe into it. The result: "Microsoft Visual C++ 5.0". Surprisingly, the target is not packed or protected. That will make it all the easier to crack.

Now, knowing that we won't need to unpack the .exe, let's do a little examination of the protection scheme. Open up WorldTV; it goes directly into the nag screen letting us know that it is not registered. That is important to note because it lets us know that it is checking for a registration key (maybe a keyfile or registry key) before the program even loads. Try putting in a random key. Ahh, we get a little message box telling us "Invalid Registration Code". Let's write that little message down and save it. If you have read any previous tutorials you know that it may come in handy. Press Okay and the program quits.

Finding the Bytes
First we are going to try the easy way, we are going to patch the jump that returns the invalid registration box. Run w32dasm and use it to open up WorldTV.exe. We are opening the original WorldTV.exe file so we can work on the copy that we made. After the file has been disassembled, we will look for the string from the messagebox. To do this click on the "String References" button at the top of w32dasm. A new window opens up with a list of all strings found in the file. Scroll down until you find "Invalid Registration Code" and double click it. You should now be at the following lines:


By looking at the code we see a test eax,eax followed by a jne 0041B54C


We want to change the jne (jump if not equal) to jmp (jump); that way the program will register when you use any serial. To do this we will need to find where the jne instruction is located in WorldTV.exe. That information is found at the bottom of the w32dasm window. You should see:
Line: 52558 Pg 657 and 658 of 1734 Code Data @:0041B521 @Offset 0001A915h in File WorldTV.exe

We are interested in the Offset value of 0001A915h. Write this number down; ignore the h at the end, it just means that the value is hexadecimal.

Patching the Bytes:
Begin by opening up WorldTV2.exe in HexWorkshop. Next press CTRL+G to bring up the Goto dialog box, Goto can also be found under Edit. We now want to type in the offset value that we wrote down, in this case 0001A915. Make sure the Hex option is checked and the Beginning of File option is checked. When you are ready press the Go button.


This will take us to the location of our jne 0041B54C. Now, hopefully from previous tutorials you know that 75 is the opcode for the instruction JNE and 74 is the opcode for the instruction JE. In this case, rather than jumping on bad serials, we want the program to jump on ANY serial. We will replace 75 with EB, which is the opcode for JMP.




Save WorldTV2.exe, I have made it a habit of choosing YES when asked if I want to make a backup. Now, find your newly patched WorldTV2.exe and run it.

It asks for a serial: give it any one you want, I will use 1234567. Press Validate Registration and... Success! Registration Code Accepted. Are we done? No.

Close WorldTV2.exe and open it back up again. It is still asking for a serial. Now, we could just put in a serial every time we use it but that is annoying. Instead, we are going to find a real serial.

Finding a Serial:
To begin, review what we know about the program so far:
1. It checks for a serial when starting up
2. After registering with a bogus serial it is unregistered the next time you start it up
This means that before the program even completely loads it is checking for the existence of a good serial. We need to find out where that serial is being stored. There are usually two places a serial is stored: the registry and in a file. We are going to start with checking the registry. Start up WorldTV2.exe and put in 1234567 as the serial. Validate the serial and then close WorldTV.

Go to your Start menu and find the Run command. A box will open asking you to "Type the name of a program, folder, etc...". Type in "regedit", without the quotes, and press enter. You will now be in the regedit window and see a two pane window with a list of folders in the left pane. Click on the plus sign in front of HKEY_CURRENT_USER. It will open, you now have another list of folders. Click the plus sign in front of Software. Scroll down until you find WorldTV and click on the folder. Aha! In the right pane we have a key called RegCode with our key: 1234567 stored in it. We now know that WorldTV checks the registry for a serial before loading.

We are going to start by opening Ollydbg. Using Ollydbg, open the original WorldTV.exe.


You should see something similar to the image above. Before pressing the Run key we want to set some breakpoints first. Right-click in the Code window of Olly and choose Search For, select All Intermodular Calls. This will bring up the Calls window. Sort the calls by Destination. Scroll down until you find RegQueryValueExA. Select it and Right-Click: set a breakpoint on every call to RegQueryValueExA.


Now press the Run button. You will first break at FF15 0C304400 CALL DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>]. If you look at the Registers window on the right side of Olly, you will see EDI is holding the ASCII value "Recordings". This is not the registry key we are looking for, so press Run again. We break again on the Recordings registry key, so press Run again. We will have to press Run 24 more times before we break here:


Notice the Value of EAX is ASCII "RegCode". Press Run once more and we are now here:


And ECX now holds the ASCII value "RegCode". We know we are getting close because WorldTV just looked for the registration code. We are now going to step through the code and pay attention to the Registers. After a few steps we find that ESI is holding our serial 1234567 and EDI is holding 00000000-00000000-00000000-00000000. This is interesting, however I doubt that a bunch of zeros is the registration code. Stepping through some more, we see that EDI is shortened to -00000000-00000000-00000000. This still does not give us the serial. Continue to step through past where EDI is replaced by "C:\Program Files\WorldTV\Scheduler.txt.tmp". You will find soon after that point that you come to here:


Notice that EAX, EBX, and EDX were all zeroed out. Also we see an ASCII value moved into EDI. It is here we are going to start seeing our serial come together. After a little more stepping through we find that we are in a loop. We can see that a serial is being made and can be seen at this address: MOV EDI,WorldTV.004C8950. Rather than stepping through the code line by line we are going to set a breakpoint on MOV EDI,WorldTV.004C8950 and watch our serial come together. Select the line and press F2 to set a breakpoint. Now press the Run button a few times and we can watch our serial build itself.


Paying attention to EDI earlier we know that our serial is either 4 sets of 8 characters or 3 sets of eight characters. As you get near 3 full sets slow down or you will miss the serial. When you only have 2 characters left to go stop pressing the Run button and just step through the code. When you step past the following line REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] you will see the last two characters of your serial added on.


Go ahead and write this number down. Press Run again to see if there is another set of characters to be added. Nope, pressing Run again will start you through another loop where a separate serial is calculated (for what? I am not sure because it would not register the program).

Go ahead and close OllyDbg. Open up the original WorldTV.exe and try registering with the serial we wrote down. Registration Code Accepted: we have successfully registered WorldTV with a real serial.

Hope you enjoyed reading this tutorial and perhaps you learned something useful too!

I made a basic x86 ASM tutorial; it mainly has term explanations and some syntax. Link at the very bottom of this topic.

Thanks,
Sky

Originally Posted By: Skytactic
http://forum.astalavista.ms/viewtopic.php?t=122151

Basic x86 ASM:
http://forum.cheatengine.org/viewtopic.php?t=206082

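An added example (my own code, not from the tutorial, from w32dasm or from OllyDbg) for the step above where w32dasm turns the address 0041B521 into the file offset 0001A915h, and for the single-byte 75 -> EB change made at that offset. The mapping is nothing more than the PE section table: RVA minus a section's VirtualAddress plus its PointerToRawData. The Python below parses that table, converts in both directions, and, from the defender's side, diffs an original against a modified copy and reports each byte where a conditional short jump (74/75) became an unconditional JMP (EB), which is the tamper signature this kind of patch leaves in a binary. It runs on a constructed minimal PE32 image with an assumed image base of 0x400000, not on WorldTV.exe; the tutorial's own numbers depend on WorldTV's real section table, which the post does not show.

```python
import struct

SHORT_JUMPS = {0x74: "JE", 0x75: "JNE", 0xEB: "JMP"}  # the three short-jump opcodes the tutorial mentions


def parse_pe(pe: bytes):
    """Return (image_base, sections) from a PE32 image; a section is (name, vaddr, vsize, raw_off, raw_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((name, vaddr, vsize, roff, rsize))
    return image_base, sections


def va_to_offset(image_base, sections, va):
    """Virtual address (what the debugger shows) -> file offset (what the hex editor needs), or None."""
    rva = va - image_base
    for _name, vaddr, vsize, roff, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            return roff + delta if delta < rsize else None  # None: zero-filled tail, no file bytes behind it
    return None


def offset_to_va(image_base, sections, offset):
    """Inverse mapping: file offset -> virtual address, or None if the offset is outside every section."""
    for _name, vaddr, _vsize, roff, rsize in sections:
        if roff <= offset < roff + rsize:
            return image_base + vaddr + (offset - roff)
    return None


def describe_short_jump(code: bytes, va: int):
    """Decode a 2-byte short jump (opcode + rel8) located at va; returns (mnemonic, target_va) or None."""
    if len(code) < 2 or code[0] not in SHORT_JUMPS:
        return None
    rel8 = struct.unpack("<b", code[1:2])[0]
    return SHORT_JUMPS[code[0]], va + 2 + rel8


def find_jump_patches(original: bytes, modified: bytes):
    """Tamper check: bytes where a conditional short jump (74/75) became an unconditional JMP (EB).
    Heuristic: a differing 74/75 byte is assumed to be an opcode, true for the tutorial's case but not for data."""
    if len(original) != len(modified):
        raise ValueError("images differ in size; not an in-place byte patch")
    image_base, sections = parse_pe(original)
    findings = []
    for off, (a, b) in enumerate(zip(original, modified)):
        if a == b or a not in (0x74, 0x75) or b != 0xEB:
            continue
        va = offset_to_va(image_base, sections, off)
        if va is None:
            continue
        findings.append({"offset": off, "va": va,
                         "before": describe_short_jump(original[off:off + 2], va),
                         "after": describe_short_jump(modified[off:off + 2], va)})
    return findings


def build_sample_pe(text: bytes) -> bytes:
    """Constructed minimal PE32 image (not WorldTV.exe): one .text section at RVA 0x1000, raw data at 0x400."""
    image_base = 0x00400000  # assumed image base for the sample
    pe = bytearray(0x400 + len(text))
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                                  # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HHIIIHH", pe, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, 0xE0-byte optional header
    opt = coff + 20
    struct.pack_into("<H", pe, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", pe, opt + 28, image_base)                         # ImageBase
    sec = opt + 0xE0
    pe[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", pe, sec + 8, len(text), 0x1000, len(text), 0x400)
    pe[0x400:0x400 + len(text)] = text
    return bytes(pe)


# Constructed sample: TEST EAX,EAX ; JNE +0x29 ; padding. The modified copy has the JNE (75) flipped to JMP (EB).
ORIGINAL = build_sample_pe(b"\x85\xC0\x75\x29" + b"\x90" * 0x40)
PATCHED = ORIGINAL[:0x402] + b"\xEB" + ORIGINAL[0x403:]


def sample_findings():
    return find_jump_patches(ORIGINAL, PATCHED)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"offset {f['offset']:08X}h  VA {f['va']:08X}  {f['before']} -> {f['after']}")
```

Run against a pristine copy and a suspect copy of the same executable, the report gives the file offset, the virtual address to look at in the debugger, and the before/after decoding of the jump; a release process that keeps hashes of shipped binaries can use the same section-table mapping to turn a hash mismatch into a concrete list of altered instructions.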
HolyBlah (Master Cheater)
Posted: Thu Feb 28, 2008 9:41 am

You should get banned from this section. Mad

malfunction (Grandmaster Cheater Supreme)
Posted: Thu Feb 28, 2008 9:55 am

ohh xD, wasn't sure where to put it so stuck it in here
just to let you know...
Skytactic = Skyllakarean ;)

I'm (I post too much)
Posted: Thu Feb 28, 2008 10:21 am

w32disasm isn't necessary
malfunction (Grandmaster Cheater Supreme)
Posted: Thu Feb 28, 2008 10:42 am

Rot1 wrote:
w32disasm isn't necessary

You are right, you can use Olly or W32Dasm

I'm (I post too much)
Posted: Thu Feb 28, 2008 11:13 am

skyllakarean wrote:
Rot1 wrote:
w32disasm isn't necessary

You are right, you can use Olly or W32Dasm


w32 doesn't debug, only disassembles.

Olly does both.

There are a lot of awesome plugins that could make your cracking easier.
malfunction (Grandmaster Cheater Supreme)
Posted: Thu Feb 28, 2008 11:15 am

Rot1 wrote:
skyllakarean wrote:
Rot1 wrote:
w32disasm isn't necessary

You are right, you can use Olly or W32Dasm


w32 doesn't debug, only disassembles.

Olly does both.

There are a lot of awesome plugins that could make your cracking easier.

Could you suggest any? (maybe links to them)
-------------------------------------------------------------------------------------
I'm rewriting my other tut atm :) will be posting it at the weekend, if I get it done by then!
Serial Fishing P2: Internal Keygen and Patching

atom0s (Moderator)
Posted: Thu Feb 28, 2008 6:05 pm

http://tutorials.sins-realm.com/Beginner_Olly_Tutorial_part1/

Care to explain how this is yours?

Simon :v (Grandmaster Cheater)
Posted: Thu Feb 28, 2008 6:38 pm

Scenario 1.)
He copied and pasted, yet in a way spread the tutorial to people who were too lazy to look around (like me), and therefore taught us something. However, even if you help some people, stealing others' work is still wrong. Very dishonorable. /facepalm...

Scenario 2.)
He wrote both this Tutorial and Gabri3l's Tutorial. He merely posted in two places, and spread the knowledge further. Good job! /thumbs_up
Snootae (Grandmaster Cheater)
Posted: Thu Feb 28, 2008 11:02 pm

Nice, thanks, I'm gonna go try :D

Even if you didn't write it, I'm glad you brought attention to it.

Haxory' (Grandmaster Cheater Supreme)
Posted: Fri Feb 29, 2008 12:37 am

Nice, and here is a fish you may want to fish too


malfunction (Grandmaster Cheater Supreme)
Posted: Fri Feb 29, 2008 7:19 am

x0r wrote:
Wiccaan wrote:
http://tutorials.sins-realm.com/Beginner_Olly_Tutorial_part1/

Care to explain how this is yours?

Just close and ban this compulsive liar. skyllakarean also claimed to be female before he was exposed, he can do nothing but lie to elevate his position.

I was not exposed, I exposed myself; that does not count!
I do respect you, x0r, as a mod and programmer, but please do not call me a compulsive liar.

Before coming to the conclusion that I did not write this you might wanna actually go to that link I posted and read the end of my post and take a long deep look at my signature before cussing me.

I did write this some time ago, but I rewrote some parts of it to make it easier to understand for those people who do not speak English that well, e.g. x0r. I'm also going to rewrite my other tutorials (I think I have about 7-10 on using Olly to do stuff) and post them here.

Thanks,
Sky

DoomsDay (Grandmaster Cheater)
Posted: Fri Feb 29, 2008 8:50 am

skyllakarean wrote:
x0r wrote:
Wiccaan wrote:
http://tutorials.sins-realm.com/Beginner_Olly_Tutorial_part1/

Care to explain how this is yours?

Just close and ban this compulsive liar. skyllakarean also claimed to be female before he was exposed, he can do nothing but lie to elevate his position.

I was not exposed, I exposed myself; that does not count!
I do respect you, x0r, as a mod and programmer, but please do not call me a compulsive liar.

Before coming to the conclusion that I did not write this you might wanna actually go to that link I posted and read the end of my post and take a long deep look at my signature before cussing me.

I did write this some time ago, but I rewrote some parts of it to make it easier to understand for those people who do not speak English that well, e.g. x0r. I'm also going to rewrite my other tutorials (I think I have about 7-10 on using Olly to do stuff) and post them here.

Thanks,
Sky

Not only did you copy it, you tried making people believe that you originally wrote it, by writing it on another forum and then linking it here, attempting to credit yourself (check the posts' dates (image attached below)) - I can't even describe how much this thing makes me mad without flaming you.

You may have edited some of your so-called contributions so people won't find out where you copied them from (your screen capture code for Delphi is an example of adding unnecessary spaces and modifying comments to stop us from tracing to the code's source), but no one's falling for that anymore (or at least I hope).

The last thing a community needs is a person like you.

Sincerely,
~DoomsDay

malfunction (Grandmaster Cheater Supreme)
Posted: Fri Feb 29, 2008 9:23 am

DoomsDay wrote:
skyllakarean wrote:
x0r wrote:
Wiccaan wrote:
http://tutorials.sins-realm.com/Beginner_Olly_Tutorial_part1/

Care to explain how this is yours?

Just close and ban this compulsive liar. skyllakarean also claimed to be female before he was exposed, he can do nothing but lie to elevate his position.

I was not exposed, I exposed myself; that does not count!
I do respect you, x0r, as a mod and programmer, but please do not call me a compulsive liar.

Before coming to the conclusion that I did not write this you might wanna actually go to that link I posted and read the end of my post and take a long deep look at my signature before cussing me.

I did write this some time ago, but I rewrote some parts of it to make it easier to understand for those people who do not speak English that well, e.g. x0r. I'm also going to rewrite my other tutorials (I think I have about 7-10 on using Olly to do stuff) and post them here.

Thanks,
Sky

Not only did you copy it, you tried making people believe that you originally wrote it, by writing it on another forum and then linking it here, attempting to credit yourself (check the posts' dates (image attached below)) - I can't even describe how much this thing makes me mad without flaming you.

You may have edited some of your so-called contributions so people won't find out where you copied them from (your screen capture code for Delphi is an example of adding unnecessary spaces and modifying comments to stop us from tracing to the code's source), but no one's falling for that anymore (or at least I hope).

The last thing a community needs is a person like you.

Sincerely,
~DoomsDay


Actually the screen capture code was not a modified version of something someone else had written.

Didn't x0r name me "dick of CEF"? Understand now?

atom0s (Moderator)
Posted: Fri Feb 29, 2008 4:36 pm

Locked due to copying others work just like before. User is banned and I have put in a request for a perm. ban. No need for leechers like this on these forums. Take the time to learn how to do things on your own and create your own tutorials and code. You don't need to post work of others without crediting them on these forums.

Not to mention taking others work and claiming it to be yours then trying to defend yourself when the original material was found is just sad.

Locked.
