Finding a Serial With OllyDbg: Tutorial for Beginners


Section 2 - Getting Started

OK, so you should have downloaded the crackme and have OllyDbg installed. The first thing to do is close this tutorial and have a play around. See what you can find and get a feel for the program. The very least this will do is teach you how to use the basic OllyDbg features.


No cheating today ;-) Done? Well, maybe you surprised yourself and found things you thought you'd never find? Maybe you found nothing at all and think you just wasted 30 minutes? Either way, I'll go through the process I used to reverse this and hopefully it will teach you a few things.

OK, so run the crackme and let's have a look around. Well, there's not much to see, but we can find a 'Register' box. Enter a username into the box and a random serial. You'll get a message saying 'No luck there partner' (incidentally, if you do happen to guess your serial and get the 'Congratulations' message, I suggest you buy a lottery ticket today). So we know what we need to do: we need to find the serial. At this stage we don't know if it's a hard-coded number or if it's generated from the username, but that's part of the fun! OK, so open Olly and select Crackme1.exe. You'll then be presented with the code of the program, starting around here:

00401000   6A 00            PUSH 0
00401002   E8 FF040000      CALL
00401007   A3 CA204000      MOV DWORD PTR DS:[4020CA],EAX
0040100C   6A 00            PUSH 0

Now, we know that the crackme is taking whatever we entered and checking it against the correct serial.

We therefore need Olly to intercept any calls this crackme makes where it could be reading what we entered from the username and serial boxes. There are a few ways Windows does this - it's beyond the scope of this post to teach you the depths - but I will tell you that one of them is the call 'GetDlgItemTextA'. So, what we need to do is make sure that if the crackme makes this call, Olly intercepts it and breaks for us, so that we can follow what is being done with the information. That's easy enough.

If you press Ctrl-N (or right click and select 'Search for' followed by 'Name (label) in current module') you are presented with a list of calls made by the crackme. You can then right click on GetDlgItemTextA and choose 'Set breakpoint on every reference'.

We're ready to go. Press F9 and Olly will run the crackme, presenting you with its user interface. Go to the registration box and enter a name and any serial. I'm using 'FaTaLPrIdE' and '123456'.

Press the register button and Olly should break here:

004012C4   E8 07020000       CALL
004012C9   83F8 01           CMP EAX,1
004012CC   C745 10 EB030000  MOV DWORD PTR SS:[EBP+10],3EB

Now, this is the first reference to the call 'GetDlgItemTextA', so we know our serial is shortly going to be read in. If you read the top of your Olly window, it should say 'CPU - main thread, module Crackme1'. This is important because when it says Kernel or User32 instead, we know we can keep stepping as it has nothing to do with our serial - we are only interested in the crackme.

Press F8 to step over the program and try to get a feel for what is going on. Pressing it twice will bring you into User32, and after 15 step-overs we are back with the crackme.

25 steps take us back to User32 and 38 take us back again. In future you will use F10 and F12 to step; F8 just shows you more of what's involved. If we continue this process we go through a lengthy session in User32 and eventually land back here:

00401223   83F8 00          CMP EAX,0
00401226  ^74 BE            JE SHORT Crackme1.004011E6
00401228   68 8E214000      PUSH Crackme1.0040218E      ; ASCII "FaTaLPrId"
0040122D   E8 4C010000      CALL Crackme1.0040137E
00401232   50               PUSH EAX
00401233   68 7E214000      PUSH Crackme1.0040217E      ; ASCII "123456"
00401238   E8 9B010000      CALL Crackme1.004013D8
0040123D   83C4 04          ADD ESP,4
00401240   58               POP EAX
00401241   3BC3             CMP EAX,EBX
00401243   74 07            JE SHORT Crackme1.0040124C

This is where the fun starts. We're done with the User32 code and are back with the main routine of the crackme. Olly even helps show us we're in the right place by showing that our entered username and serial are pushed to the stack before the calls are made, and a compare is made shortly afterwards. For now, press Ctrl-N, select 'GetDlgItemTextA' and press 'Remove all breakpoints'.

Then select the line 00401223 and press F2 to put a new breakpoint here. What this means is that you can now come back here whenever you run the program without going through all the previous steps we have taken. You don't want to search for this again if you press a wrong button somewhere!

So, we probably know how we could get the congratulations message: a flick of the Z flag at 00401241 or a simple patch of the JE at 00401243 should do it. But that doesn't teach us much; we want to know exactly what this crackme is doing in order to test our username and serial. Our job is to trace the calls at 0040122D and 00401238 to find out exactly what is going on here.

Section 3 - The First Routine

You should still be at 00401243.

Press F8 until you highlight the following line:

0040122D   E8 4C010000      CALL Crackme1.0040137E

Now press F7. The difference between F7 and F8 is that F8 steps over calls and F7 steps into them. In other words, if a call is of no interest to you, you can press F8 to step over it and carry on. If you think that it might contain some crucial information, press F7 to step into it and you can look at it in detail. You should now be here:

0040137E   8B7424 04        MOV ESI,DWORD PTR SS:[ESP+4]   ; Crackme1.0040218E
00401382   56               PUSH ESI
00401383   8A06             MOV AL,BYTE PTR DS:[ESI]
00401385   84C0             TEST AL,AL
00401387   74 13            JE SHORT Crackme1.0040139C
00401389   3C 41            CMP AL,41
0040138B   72 1F            JB SHORT Crackme1.004013AD
0040138D   3C 5A            CMP AL,5A
0040138F   73 03            JNB SHORT Crackme1.00401394
00401391   46               INC ESI
00401392  ^EB EF            JMP SHORT Crackme1.00401383
00401394   E8 39000000      CALL Crackme1.004013D2
00401399   46               INC ESI
0040139A  ^EB E7            JMP SHORT Crackme1.00401383
0040139C   5E               POP ESI
0040139D   E8 20000000      CALL Crackme1.004013C2

OK, so we see at 0040137E that the address of our username is loaded into ESI ready for processing. The first character of our username (F in my case) is then moved into AL before being tested to see if it is 0. Then the interesting stuff begins: at 00401389 the F is compared with 41. A strange comparison, you might think?

Open a web browser window and go to an ASCII table and you'll get a better understanding. The computer handles character values in hex, i.e. next to my F in Olly is the number 46. If you look at the ASCII table you will see that 46 is the hexadecimal representation of 'F' and 41 is the representation of 'A'.

What the line at 00401389 is doing, then, is taking the first letter of our username and comparing it with A. The outcome of this comparison decides what happens at the jump on the next line (0040138B): if the first letter of our name is less than A (see the ASCII table) it jumps somewhere else. My F is above A though, so we continue to 0040138D. Here a similar operation is carried out.

A quick look at our ASCII values shows us that our character is now being compared with Z; this time a jump is taken if the value is above Z. Again, my F is fine and we carry on. At 00401399 ESI is incremented before a jump is taken back to 00401383. If you remember, our username is stored in ESI, so this has essentially just moved us to the next letter of our username and gone back to the start of this routine. My second letter is 'a', so let's see how this is dealt with. Well, stepping through, it passes the comparison with 'A' as 61 is indeed higher than 41 (A).

When we get to the comparison with Z though, it fails and the jump is taken at 0040138F to 00401394. This is because, as the table shows, a (61) is greater than Z (5A). So we land here:

00401394   E8 39000000      CALL Crackme1.004013D2

which in turn sends us here:

004013D2   2C 20            SUB AL,20
004013D4   8806             MOV BYTE PTR DS:[ESI],AL
004013D6   C3               RETN

So what's happening here? Our character is in AL and gets 20 subtracted from it.

What's this for? Check out the ASCII table. You will see that my 'a' is 20 values higher than 'A', i.e. a-20=A; this subroutine has just capitalised my character! It then jumps back to the routine, increments ESI to the next letter and continues. Step through the rest of the routine and you'll see that your entire username is processed to make sure it's uppercase.

That's all this bit is doing. My username is now FATALPRIDE. A couple of points to note, though, are that if you only used uppercase letters anyway, this routine is unnecessary and you won't actually see the SUB AL,20 part. Also, if you have non-alphabetic characters in there, they'll be taken down 20 values too because they are not between A and Z. Once the final letter of your username has been processed, the TEST AL,AL will fail and the program jumps out of this loop to 0040139C, where your newly capitalised name is popped from the stack to ESI. Then comes this line:

0040139D   E8 20000000      CALL Crackme1.004013C2

Press F7 to trace this call - this is the second routine.

Setting a breakpoint here may be useful as well!

Section 4 - The Second Routine

When we trace the above call we get the following:

004013C2   33FF             XOR EDI,EDI
004013C4   33DB             XOR EBX,EBX
004013C6   8A1E             MOV BL,BYTE PTR DS:[ESI]
004013C8   84DB             TEST BL,BL
004013CA   74 05            JE SHORT Crackme1.004013D1
004013CC   03FB             ADD EDI,EBX
004013CE   46               INC ESI
004013CF  ^EB F5            JMP SHORT Crackme1.004013C6
004013D1   C3               RETN

So what's happening here? Well, firstly EDI and EBX are XOR'd with themselves - you've been through enough to know that this always gives a 0 result, so this is just a way of clearing both EDI and EBX. Then a similar thing happens to what happened in the routine above, the only difference being that the first letter of our capitalised username is moved to BL rather than AL. It's then tested in case it's 0 before landing at 004013CC.

If you've read Trope's posts, you'll know that BL (where our character is stored) is just the lowest byte of EBX. Hence ADD EDI,EBX is taking the value of that character and adding it to EDI - obviously, we just zeroed EDI, so for the first letter it's added to 0. We then increment to the next letter of our username and the process is repeated, although note that the loop does not include the XOR operations each time.

This basically has the effect of adding all the values of our username together and storing the total in EDI. For my username I get this:

F  + A  + T  + A  + L  + P  + R  + I  + D  + E
46 + 41 + 54 + 41 + 4C + 50 + 52 + 49 + 44 + 45 = 02DC

At the end of the username, we fail the TEST BL,BL and jump out to the return statement at 004013D1. Our summed username (02DC in my case) is still stored in EDI.

Section 5 - Finishing With The Username

So the last line of the above routine is:

004013D1   C3               RETN

When we step over this, it takes us back to the end of the first routine, to where the second routine was called from. We land here:

004013A2   81F7 78560000    XOR EDI,5678
004013A8   8BC7             MOV EAX,EDI

OK, so here we have another XOR statement - this time the contents of EDI are XOR'd with 5678. We know that EDI contains our summed username, so in my case this equation is 02DC XOR 5678; the result is stored in EDI again (54A4 in my case) before the next statement moves it to EAX.

We then jump back to the original code we looked at in section 2:

00401223   83F8 00          CMP EAX,0
00401226  ^74 BE            JE SHORT Crackme1.004011E6
00401228   68 8E214000      PUSH Crackme1.0040218E      ; ASCII "FaTaLPrId"
0040122D   E8 4C010000      CALL Crackme1.0040137E
00401232   50               PUSH EAX
00401233   68 7E214000      PUSH Crackme1.0040217E      ; ASCII "123456"
00401238   E8 9B010000      CALL Crackme1.004013D8
0040123D   83C4 04          ADD ESP,4
00401240   58               POP EAX
00401241   3BC3             CMP EAX,EBX
00401243   74 07            JE SHORT Crackme1.0040124C

The difference is that we have now completed the call at 0040122D and we're now at 00401232 waiting to carry on. Congratulations, you've just traced your first call and now you know exactly how this program processes a username! Now see if you can follow the same procedure for the second call below! Trace into it with F7 and see what you can find. Set a breakpoint first so that if you mess up you can try again, or pick this guide up where you left off!

Section 6 - Starting With The Serial

How did you get on? Let's find out. Firstly we see EAX is pushed to the stack (we know that this contains our summed username XOR'd with 5678 from the previous call) and then our entered serial (123456) is pushed to the stack too. We can then use F7 to trace our second call. We land here:

004013D8   33C0             XOR EAX,EAX
004013DA   33FF             XOR EDI,EDI
004013DC   33DB             XOR EBX,EBX
004013DE   8B7424 04        MOV ESI,DWORD PTR SS:[ESP+4]
004013E2   B0 0A            MOV AL,0A
004013E4   8A1E             MOV BL,BYTE PTR DS:[ESI]
004013E6   84DB             TEST BL,BL
004013E8   74 0B            JE SHORT Crackme1.004013F5
004013EA   80EB 30          SUB BL,30
004013ED   0FAFF8           IMUL EDI,EAX
004013F0   03FB             ADD EDI,EBX
004013F2   46               INC ESI
004013F3  ^EB ED            JMP SHORT Crackme1.004013E2
004013F5   81F7 34120000    XOR EDI,1234
004013FB   8BDF             MOV EBX,EDI
004013FD   C3               RETN

The first three lines should be no problem - we're clearing the EAX, EDI and EBX registers by XORing them with themselves. Following this, the address of our serial is moved into ESI and the processing begins.

Section 7 - Processing The Serial

So you should be at the start of the loop at 004013E2. Let's try and work out what's going on here. Firstly, 0A (10) is moved into AL and then the first character of our serial (1 in my case) is moved into BL before being tested for 0 in the normal way. Notice though that EBX contains 31 rather than 1, i.e. the hexadecimal representation of the character '1'. After this, 30 is subtracted from our number, i.e. 31-30 in my case.

Then EAX and EDI are multiplied and our processed character is added to the result. This is then stored in EDI. In other words, after one iteration on my serial EDI holds (31-30) + (10x0) = 1.

The process is then repeated, but this time remember that EDI is no longer 0, so when EDI is multiplied by EAX we get a different result: (32-30) + (10x1) = 0C, where the 1 is the value EDI held after the previous iteration. Continue this through the rest of your serial and we get a final result (1E240 in my case). In fact, what this has done is convert our serial to hex! So we jump out of the loop and land at 004013F5. This is interesting - remember in the last call where the username was uppercased and XOR'd with 5678h?


Well, here we've just hexed the serial and now we're XORing it with 1234h (the result is 1F074 in my case)! Simple really! The result is then moved from EDI to EBX and we jump back to our original piece of code again!

Section 8 - The Final Stages

This is it. The final stages of the crackme.

We jump back to here:

0040123D   83C4 04          ADD ESP,4
00401240   58               POP EAX
00401241   3BC3             CMP EAX,EBX
00401243   74 07            JE SHORT Crackme1.0040124C
00401245   E8 18010000      CALL
0040124A  ^EB 9A            JMP SHORT Crackme1.004011E6
0040124C   E8 FC000000      CALL Crackme1.0040134D

The first line is a quick stack cleanup which leaves our processed username value (54A4 in my case) on the top of the stack. This is then popped to EAX.

Then comes the important comparison:

00401241   3BC3             CMP EAX,EBX

EAX (the result of our username being processed) and EBX are compared - the two values should look familiar, as they are the results of our two calls, i.e. in my case they are 54A4 and 1F074. The following jump statement is the crucial one: if the two values in EAX and EBX are equal, we jump to the call statement at the bottom of the above code extract. This is our success box!

(Hence the reason I said we could patch this jump to jump if not equal rather than if equal.) If EAX and EBX are not equal, we don't jump and we are taken down the 'No luck there partner' routine - this is where I go on this occasion, as 123456 is not my correct serial.

Section 9 - Determining Your Serial

So, we have discovered that the important operation is a comparison of our processed username and our processed serial. Specifically, our processed serial must give the same result as our processed username in order to be valid. So how do we get this?

Well, this is where knowledge of the XOR function gets us through. We know that if A XOR B = C, then C XOR B = A. So how is this useful? Well, looking at the way the serial is processed, our entered serial in hex XOR 1234 must equal our processed username (in my case 54A4).

Using the above reasoning then, our serial is our processed username XOR 1234, i.e. (for me):

Serial for FaTaLPrIdE = 54A4 XOR 1234

5 4 A 4 = 0101 0100 1010 0100
1 2 3 4 = 0001 0010 0011 0100
SERIAL  = 0100 0110 1001 0000 = 4690h

Convert to decimal = 16 + 128 + 512 + 1024 + 16384 = 18064 (we need to do this as we are reversing the fact that our program converts the decimal serial we entered into hex).
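To confirm the trace end to end, here is a Python model of the three routines exactly as the listings above show them (an added example, not code from the tutorial or from the crackme itself). The function names and the two constants are my own labels for the listed addresses; the model reproduces the register values reported in the trace (02DC, 54A4, 1E240, 1F074) and the serial derived in section 9, and it also records one detail the text glosses over: JNB at 0040138F fires for 'Z' itself, not only for bytes above it.

```python
# Python model of Crackme1's username and serial routines as traced above.
# Added example: not the tutorial's or the crackme's own code.  Names and
# constants below are labels for the listings' addresses, not symbols from
# the binary.

USERNAME_XOR = 0x5678   # XOR EDI,5678 at 004013A2
SERIAL_XOR = 0x1234     # XOR EDI,1234 at 004013F5


def uppercase_routine(username: str) -> bytes:
    """Routine at 0040137E: CMP AL,41 / JB ; CMP AL,5A / JNB 00401394 ; SUB AL,20.

    Only the paths the trace follows are modelled.  A byte below 'A' takes
    the JB to 004013AD, which the tutorial never steps into, so that case is
    rejected here rather than guessed at.
    """
    out = bytearray()
    for b in username.encode("ascii"):
        if b < 0x41:                      # JB: below 'A' -> untraced code
            raise ValueError("bytes below 'A' take the untraced path at 004013AD")
        if b >= 0x5A:                     # JNB means 'jump if AL >= 5A', so 'Z'
            b -= 0x20                     # itself is shifted too (to ':'); the
        out.append(b)                     # text says 'above Z', the bytes say >=
    return bytes(out)


def sum_routine(name: bytes) -> int:
    """Routine at 004013C2: EDI = sum of every byte (ADD EDI,EBX with BL = byte)."""
    edi = 0
    for b in name:
        edi = (edi + b) & 0xFFFFFFFF      # EBX upper bytes stay zero after XOR EBX,EBX
    return edi


def process_username(username: str) -> int:
    """Value left in EAX after the call at 0040122D: summed uppercased bytes XOR 5678."""
    return sum_routine(uppercase_routine(username)) ^ USERNAME_XOR


def process_serial(serial: str) -> int:
    """Routine at 004013D8: EDI = EDI*0A + (byte-30h) per character, then XOR 1234 -> EBX.

    SUB BL,30 is an 8-bit operation, so a non-digit character wraps inside BL
    exactly as it would in the crackme; nothing is rejected.
    """
    edi = 0
    for b in serial.encode("ascii"):
        bl = (b - 0x30) & 0xFF                    # SUB BL,30
        edi = (edi * 0x0A + bl) & 0xFFFFFFFF      # IMUL EDI,EAX ; ADD EDI,EBX
    return edi ^ SERIAL_XOR


def check(username: str, serial: str) -> bool:
    """CMP EAX,EBX at 00401241: equal takes the JE to the success call at 0040124C."""
    return process_username(username) == process_serial(serial)


def serial_for(username: str) -> str:
    """Section 9's argument: EBX must equal EAX, and (x XOR 1234) XOR 1234 = x."""
    return str(process_username(username) ^ SERIAL_XOR)


if __name__ == "__main__":
    print(hex(sum_routine(uppercase_routine("FaTaLPrIdE"))))       # 0x2dc
    print(hex(process_username("FaTaLPrIdE")))                      # 0x54a4
    print(hex(process_serial("123456")))                            # 0x1f074
    print(check("FaTaLPrIdE", "123456"), serial_for("FaTaLPrIdE"))  # False 18064
```

Run it with a username of your own and compare each printed value against the registers Olly shows at 004013D1, 004013A8 and 004013FB to check that your trace matches.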

So I have username FaTaLPrIdE (not case sensitive, thanks to the uppercasing routine) and serial 18064.

Section 10 - Conclusion

So that's it! I hope you enjoyed this and found it useful. As I say, I'm a complete newbie at this, so I thought a beginner's guide written by a beginner would be helpful to a few people.

If you like this, just put a comment below and let me know. Likewise, if you have a criticism or improvement, I'd like to hear it as well. Please don't tell me it was too simple though, as that was the point of the write-up: to explain as much as I could for those who have never used a debugger before. I'd recommend trying crackme 2 if you get a chance. Personally, I think it's much easier than this one - use the same techniques and work out how your password is being dealt with. I'll write a tutorial when I get a chance, but feel free to PM me if you want a helping hand before the article is out. As for those of you reading this because level 8 is bothering you, I hope this will help you out.

Level 8 has a few extra tricks up its sleeve, but if you've got that far, you should be able to work through them. Just logically step through and work out exactly what is happening - write it down to keep track. Thanks for reading. Please don't reproduce this on other sites - it's written specifically for the Geeks ;-).


This entry was posted on 5/17/2019.