BiW Reversing - The challenge is yours

Vault crackme tutorial (serial fishing)

Tutorials | Level: newbie

Serial fishing using Ollydbg. (For absolute newbies only)

Well, this whole crackme should take you about one minute to crack.

I used two programs:
PEiD
OllyDbg

I remember doing this crackme a while ago when I first started screwing around with debuggers and such. I think it was harder for me then, but who knows.

Well, download the vault.exe here and save it to your desktop (that is where I usually work on files because it is easy to find). Then make a backup in another folder (always make a backup).

Step One:
Drag the exe file into PEiD to see if there is any sort of protection... Nope, it is pure Assembly so we are good to go.

Step Two:
Right click on the vault.exe file and select "Open with OllyDbg" (if you don't have this option, open OllyDbg and go to Options->Add to Explorer).
This will open the exe in the program. Hit F9 to run the program (you may need to Alt+Tab to pull the program to the front after it is run). It will ask you for the name and the key. Enter anything in there and you will see it says: "No Access!"
Well, that is no good. Go ahead and close the exe and hit Alt+F2, this will reload the program. Now go to the CPU window in OllyDbg (that is the big one with the blue C in the upper left hand corner of it), right click anywhere and go to: Search for -> All referenced text strings.

That should pop up a window that shows about 6 strings total. The first two seem interesting:

Robin Banks
8dS#9d2?@$

Hmmm... that seems odd. The first one looks like a name and the second one looks like a key.

Let's copy those down on a piece of paper or copy and paste them into a notepad file. Then hit F9 to run the program again, put "Robin Banks" in the name area and "8dS#9d2?@$" in the key area. What do you know?!! It Worked!!

I know that this is about as easy as we can get, but hey, you gotta start somewhere. There is an even easier way to get the serial and name, but I will save that one for my next tutorial on an actual generated serial.
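To see what OllyDbg's "All referenced text strings" search is really doing, here is an added example (not part of Warezhog's tutorial and not the crackme's own code): a small Python script that walks the PE section table and lists the printable strings in .data together with their virtual addresses. The vault.exe stand-in it builds is constructed to reproduce the addresses quoted in the comments below (image base 0x400000, name at 0x403040, key at 0x40304C); pass the bytes of a real file to find_data_strings instead.

```python
import re
import struct


def find_data_strings(pe: bytes, min_len: int = 5):
    """Return (virtual address, string) for printable-ASCII runs in .data,
    resolved through the PE section table the way OllyDbg labels them."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24                                          # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                         # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    else:                                                      # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    found = []
    for i in range(nsect):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        if name.rstrip(b"\0") != b".data":
            continue
        raw = pe[raw_ptr:raw_ptr + raw_size]
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw):
            found.append((image_base + va + m.start(), m.group().decode()))
    return found


def build_sample_pe() -> bytes:
    """Constructed stand-in for vault.exe (not the real file): a minimal PE32
    with .data at RVA 0x3000 holding two 0x20-byte input buffers, then
    "Robin Banks" at 0x403040 and the key at 0x40304C, as in the listing."""
    data = bytearray(0x80)
    data[0x40:0x4C] = b"Robin Banks\0"
    data[0x4C:0x57] = b"8dS#9d2?@$\0"
    data += b"No Access!\0"
    pe_off, raw_ptr = 0x40, 0x200
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x3000,
                       len(data), raw_ptr, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(raw_ptr, b"\0") + bytes(data)


for addr, text in find_data_strings(build_sample_pe()):
    print(f"{addr:08X}  {text!r}")
```

The same plaintext name and key would show up in any strings tool, which is exactly why a check that compares user input against a literal stored in the binary offers no protection.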

Warezhog




2 comments
Vault crackme tutorial (serial fishing)
Authored by: warezhog on Monday, May 09 2005 @ 07:18 PM CEST
Thanks for editing my post, I realized while writing my second tutorial that I put the wrong shortcut in this one. I said that Alt+F2 will reload the exe file, it is actually CTRL+F2.

warezhog

Vault crackme tutorial (serial fishing)
Authored by: thorpe on Monday, May 09 2005 @ 10:32 PM CEST
Well, warezhog beat me to it, but here is a little more detailed way of understanding where that code comes from and how it's compared to user input:

You can get to the important code below by either just skimming the code (since the file is so small) or by breaking on GetDlgItemTextA, lstrcmpA, MessageBoxA, etc:

00401069 CALL <JMP.&USER32.GetDlgItemTextA> ; get input from name textbox
0040106E PUSH vault.00403000 ; push your inputted name
00401073 PUSH vault.00403040 ; push "Robin Banks"
00401078 CALL <JMP.&KERNEL32.lstrcmpA> ; compare 2 strings
0040107D OR EAX,EAX ; result = 0 if equal
0040107F JNZ SHORT vault.004010BA ; if not equal (EAX = 1) jump to 004010BA
00401081 PUSH 20 ;
00401083 PUSH vault.00403020 ;
00401088 PUSH 0BB9 ;
0040108D PUSH DWORD PTR SS:[EBP+8] ;
00401090 CALL <JMP.&USER32.GetDlgItemTextA> ; get input from key textbox
00401095 PUSH vault.0040304C ; push "8dS#9d2?@$"
0040109A PUSH vault.00403020 ; push your inputted key
0040109F CALL <JMP.&KERNEL32.lstrcmpA> ; compare 2 strings
004010A4 OR EAX,EAX ; result = 0 if equal
004010A6 JNZ SHORT vault.004010B1 ; if not equal (EAX = 1) jump to 004010B1

If you take the JNZ at 0040107F you land here:

------------------------------------------------------
004010BA |> C605 9E304000 >MOV BYTE PTR DS:[40309E],0
004010C1 |> 803D 9E304000 >CMP BYTE PTR DS:[40309E],1
004010C8 |. 75 1D JNZ SHORT vault.004010E7

This verifies 0040107F is a badboy jump because it always moves 0 in and then compares to 1, which will never be equal, hence 004010C8 will always execute the jump to the badboy msg.

The same situation can be seen for the 004010A6 jump:

-------------------------------------------------------
004010B1 |> C605 9E304000 >MOV BYTE PTR DS:[40309E],0
004010B8 |. EB 07 JMP SHORT vault.004010C1

004010C1 |> 803D 9E304000 >CMP BYTE PTR DS:[40309E],1
004010C8 |. 75 1D JNZ SHORT vault.004010E7

This jump leads to another compare which will never be equal and force 004010C8 to jump to the badboy message.

So we know that our username must be "Robin Banks" and our key "8dS#9d2?@$"

To verify this works (besides just entering it in and looking at the msgbox) you can look at the code:

004010A6 |. 75 09 JNZ SHORT vault.004010B1 ; not taken (look above)
004010A8 |. C605 9E304000 >MOV BYTE PTR DS:[40309E],1
004010AF |. EB 10 JMP SHORT vault.004010C1

004010C1 |> 803D 9E304000 >CMP BYTE PTR DS:[40309E],1
004010C8 |. 75 1D JNZ SHORT vault.004010E7

We see that yes, 1 goes in, it's compared to 1, and this JNZ will not JUMP! And guess what's below...

A messagebox asking us how we got in ;)

Hope this helps some new people in the cracking world

-thorpe
 Copyright © 2020 BiW Reversing