
Cracking Tutorial

What you need:
- A little ASM knowledge
- Ollydbg (download from http://home.t-online.de/home/Ollydbg)

Note: when cracking, always keep a backup of the program you are cracking in case you fuck up!

Chapter 1: Cracking program level 1

Open Login1.exe and you will see that the program asks for a password, and we need to find that password. First we need a string to search for, so enter aaaaa as the password. The program says ACCESS DENIED; we want ACCESS GRANTED. Open Ollydbg and then open Login1.exe in it. This is what you get to see:

You are searching for the string ACCESS DENIED, so scroll down until you find it. When you find it, look a little above the string and you will see ACCESS GRANTED, and above that you will see H4x0R:

00401848 . 4800 3400 7800  UNICODE "H4x0R",0
00401854   1C              DB 1C
00401855   00              DB 00
00401856   00              DB 00
00401857   00              DB 00
00401858 . 4100 4300 4300  UNICODE "ACCESS G"
00401868 . 5200 4100 4E00  UNICODE "RANTED",0

In the bottom right corner you see Paused, which means that the program is paused. Now press F9 to run the program and enter H4x0R as the password, and you will see that it says ACCESS GRANTED.
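What the Ollydbg string search just did can be reproduced in a few lines. Here is an added example (my code, not the tutorial's and not the crackme's) that scans a byte buffer for runs of printable UTF-16LE characters and then applies the tutorial's heuristic of looking just above the success message. The SAMPLE_DATA bytes, BASE_ADDR and both function names are constructed for this example from the listing above. The lesson for whoever builds the program is that a plaintext password compiled into the binary is found this easily, so a shipped program must not contain one.

```python
import re

# Constructed sample data laid out like the Login1.exe bytes in the listing
# above: "H4x0R" as a NUL-terminated UTF-16LE string at 00401848, four
# padding bytes (1C 00 00 00), then "ACCESS GRANTED" at 00401858. Built
# here for the example; it is not copied from the real program.
BASE_ADDR = 0x00401848
SAMPLE_DATA = (
    "H4x0R".encode("utf-16-le") + b"\x00\x00"
    + b"\x1c\x00\x00\x00"
    + "ACCESS GRANTED".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x41\x00\x00\x01"          # stray bytes: too short to count
)


def find_utf16_strings(data: bytes, base: int = 0, min_len: int = 4):
    """Return (address, text) for every run of at least min_len printable
    UTF-16LE characters, roughly what Ollydbg's referenced-strings view lists.
    A printable ASCII byte followed by a zero high byte is one character."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(base + m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(data)]


def strings_just_before(strings, marker: str, window: int = 64):
    """The tutorial's heuristic: any string sitting within `window` bytes
    before the success message is a candidate for a hard-coded password."""
    marker_addrs = [addr for addr, text in strings if text == marker]
    return [text for addr, text in strings
            if any(0 < m - addr <= window for m in marker_addrs)]


if __name__ == "__main__":
    found = find_utf16_strings(SAMPLE_DATA, BASE_ADDR)
    for addr, text in found:
        print(f"{addr:08X}  UNICODE {text!r}")
    print("candidates next to ACCESS GRANTED:",
          strings_just_before(found, "ACCESS GRANTED"))
```

Run it over your own release build (read the file into `data`) before shipping; anything the second function returns is a secret you are handing to every user.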

Chapter 2: Cracking program level 2

Open Login2.exe (created by BasTijs, not me, so it is also real cracking for me) and enter aaaaaaa as the password. It says Calculating, then ACCESS DENIED. Now open Ollydbg and open Login2.exe in it. You have to find the string Calculating or ACCESS DENIED. The program shows the first string before the second one, and you will see them in that order in Ollydbg too, so you had better search for Calculating. When you find it you can see that ACCESS GRANTED is beneath Calculating, and beneath that is ACCESS DENIED. Then scroll up and you see these 7 UNICODE numbers:

0040297D . 68 AC204000  PUSH Login2.004020AC  ; UNICODE "164"
004029AE . 68 B8204000  PUSH Login2.004020B8  ; UNICODE "39"
004029E0 . 68 C4204000  PUSH Login2.004020C4  ; UNICODE "512"
00402A11 . 68 D0204000  PUSH Login2.004020D0  ; UNICODE "40"
00402A43 . 68 DC204000  PUSH Login2.004020DC  ; UNICODE "696"
00402A71 . 68 E8204000  PUSH Login2.004020E8  ; UNICODE "756"
00402A9F . 68 F4204000  PUSH Login2.004020F4  ; UNICODE "296"

Now you want to know if the password is 7 characters long. So you have to scroll up until you see this: __vbaLenBstr, the Visual Basic runtime function that returns the length of a string. When you find it you should see this piece of code:

00402469 . FF15 10104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>]  ; MSVBVM60.__vbaLenBstr
0040246F . 33C9           XOR ECX,ECX
00402471 . 83F8 07        CMP EAX,7

In this piece of code you can see it checks the string: the length comes back in the register EAX. Then you see CMP EAX,7, which means it is comparing that length with 7, so the password is indeed 7 characters. Now we have to crack the password, and for that we use breakpoints. When you set a breakpoint at a code line, the program stops executing when it reaches that line. So now we are going to set breakpoints after each UNICODE number we saw just a moment ago. Select a code line by clicking it once and then press F2; you will see it turn red. Do this for every number, and it should look like this:
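Before stepping through those breakpoints, here is what they will expose, as an added Python example that is not the tutorial's code and does not reproduce Login2's real arithmetic: weak_check is a simplified model that compares against the password the tutorial reports, and weak_check and hardened_check are names chosen here. The weak version does a length test like the CMP EAX,7 above and then compares one character at a time, stopping at the first mismatch, so how far execution gets reveals how many leading characters were right. The hardened version keeps only a digest and always compares all 32 bytes of it, so nothing about the input shows up in control flow and no plaintext password sits in the binary.

```python
import hashlib

EXPECTED = "H4x1ng!"   # the password the tutorial recovers for Login2


def weak_check(candidate: str):
    """Model of a Login2-style check: a length test (the CMP EAX,7 step),
    then one comparison per character, giving up at the first mismatch.
    Returns (granted, comparisons_made). The second value is exactly what
    a breakpoint on each comparison reveals: how far the input got."""
    if len(candidate) != len(EXPECTED):
        return False, 0
    for i, (got, want) in enumerate(zip(candidate, EXPECTED), start=1):
        if got != want:
            return False, i          # bails out here: observable in a debugger
    return True, len(EXPECTED)


# Hardened form: the binary stores only a digest, never the password itself.
EXPECTED_DIGEST = hashlib.sha256(EXPECTED.encode()).digest()


def hardened_check(candidate: str):
    """Compare a digest of the whole input against the stored digest with a
    fixed amount of work. Returns (granted, bytes_compared); the count is
    always 32, whatever the input, so nothing leaks through control flow.
    In real code use hmac.compare_digest; the explicit loop is here only to
    make the constant amount of work visible."""
    digest = hashlib.sha256(candidate.encode()).digest()
    diff = 0
    compared = 0
    for a, b in zip(digest, EXPECTED_DIGEST):
        diff |= a ^ b                # accumulate differences, never break early
        compared += 1
    return diff == 0, compared


if __name__ == "__main__":
    for guess in ("aaaaaaa", "Haaaaaa", "H4x1ng!"):
        print(f"{guess}: weak={weak_check(guess)} hardened={hardened_check(guess)}")
```

Note what the hardened form does and does not fix: it removes the plaintext from the binary (Chapter 1) and the one-character-at-a-time oracle (this chapter), but the final "granted" decision is still one conditional branch, which is exactly what Chapter 3 patches.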

Now press F9 so the program starts running, enter aaaaaaa (7 characters) as the password and try to log in. The program shows Paused again. When you press F9 again and the program stops at the same breakpoint, the first entered character is wrong. When you press F9 and the program goes on to the next breakpoint, the character is right. Easier explanation: when you enter aaaaaaa as the password and press F9, the program stops at the first breakpoint (so the first character, the a, is not the first character of the password). Then you try baaaaaa and caaaaaa and so on. But when you enter Haaaaaa you can see the program jumps to the next breakpoint. That means that H is the first character of the password. Then try Hbaaaaa as the password, and so on, until you have the password. When you finish you can see that the password is H4x1ng!.

Chapter 3: Cracking program level 3

This is a real downloadable software program you are going to crack now. Open Swlipi32.exe and it asks for the password for the user ID. Fill in fuckyou and it says that the password is not valid. Then when the program is loaded and you quit, it says that the settings are not saved in the light version, and a text file appears. That is quite annoying, so let's try to crack it! Open Swlipi32.exe in Ollydbg. You know a string to look for: Not a valid password!. Scroll down from the top of the code and soon you will find that string. Then you will see something like this:

00401384 > 68 28444100  PUSH Swlipi32.00414428  ; |Text = "Not a valid password!"

You can see that the code line address is 00401384, so you need to know which step made this code active. Scroll up a bit and you will see this:

00401352 . 68 90904100  PUSH Swlipi32.00419090      ; |Title = "Sweet Little Piano"
00401357 . 74 2B        JE SHORT Swlipi32.00401384  ; |
00401359 . 68 40444100  PUSH Swlipi32.00414440      ; |Text = "Thanks for registering! Please restart the software!"
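Two checks on that listing, as an added example that is not from the tutorial or from Sweet Little Piano: ORIGINAL holds only the twelve opcode bytes shown above, reassembled from the listing's opcode column, and the hash constant and the function names are constructed here. decode_short_jcc confirms that 74 2B at 00401357 really lands on 00401384, where the "Not a valid password!" branch starts (a short jump's target is the next instruction's address plus a signed 8-bit displacement). verify_release and changed_offsets show the defender's side: a SHA-256 of the release published by the vendor catches the one-byte JE-to-JNE change the rest of this chapter makes in Ollydbg, and an incident responder can pinpoint which byte moved.

```python
import hashlib
import hmac

# Constructed bytes for the three instructions the tutorial lists at
# 00401352..0040135D in Swlipi32.exe (PUSH imm32, JE SHORT, PUSH imm32),
# taken from the opcode column of that listing; nothing else of the file
# is reproduced here.
BASE_ADDR = 0x00401352
ORIGINAL = bytes.fromhex("6890904100" "742B" "6840444100")
JE_OFFSET = 5                      # the JE SHORT sits at 00401357

# A copy with the conditional flipped the way the chapter describes (JE -> JNE),
# built here only so the integrity check has something to catch.
TAMPERED = ORIGINAL[:JE_OFFSET] + b"\x75" + ORIGINAL[JE_OFFSET + 1:]

# Reference hash of the untouched bytes. Computed here for the example; a
# real vendor publishes it out of band (web page, signed manifest).
KNOWN_GOOD_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()

SHORT_JCC = {0x74: "JE", 0x75: "JNE"}   # Jcc rel8 opcodes used in this chapter


def decode_short_jcc(code: bytes, offset: int, base: int):
    """Decode a two-byte Jcc rel8 at code[offset]; return (mnemonic, target).
    target = address of the next instruction + signed 8-bit displacement,
    which is how 74 2B at 00401357 reaches 00401384."""
    opcode = code[offset]
    if opcode not in SHORT_JCC:
        raise ValueError(f"not a short JE/JNE at offset {offset}: {opcode:#04x}")
    rel = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
    return SHORT_JCC[opcode], base + offset + 2 + rel


def verify_release(code: bytes, known_good_sha256: str) -> bool:
    """Integrity check a user or installer can run: any modification, even a
    single flipped opcode byte, changes the digest."""
    return hmac.compare_digest(hashlib.sha256(code).hexdigest(), known_good_sha256)


def changed_offsets(reference: bytes, suspect: bytes):
    """For incident response: list where two same-sized images differ
    (None if the sizes differ, which is itself a finding)."""
    if len(reference) != len(suspect):
        return None
    return [i for i, (a, b) in enumerate(zip(reference, suspect)) if a != b]


if __name__ == "__main__":
    for label, code in (("original", ORIGINAL), ("tampered", TAMPERED)):
        mnem, target = decode_short_jcc(code, JE_OFFSET, BASE_ADDR)
        print(f"{label}: {mnem} SHORT {target:08X}, "
              f"hash ok = {verify_release(code, KNOWN_GOOD_SHA256)}")
    print("changed offsets:", changed_offsets(ORIGINAL, TAMPERED))
```

The hash check only helps if the reference value comes from somewhere the modified file cannot influence, which is why vendors publish it separately or sign the binary rather than embedding the digest in the program itself.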

You can see that there is a jump at the second line, which jumps to 00401384. But it only jumps if the compared values are equal, because JE means Jump if Equal. So we have to change that jump so it goes the other way. Double-click on JE SHORT Swlipi32.00401384 and a small window appears. Change the JE into JNE (JNE means Jump if Not Equal) and press Assemble (it turns into JNZ, which is the same as JNE). Now right-click, Copy to executable, All modifications. Then press Copy all, and then press Yes so you can save your own file of it. Open the cracked version of the program and enter fuckyou as the password. It will say you have registered the program.

Copyright K1LL3RBYT3
Mail: killerbyte_darkbyte@hotmail.com
