Finding a Serial with OllyDbg - Tutorial for Beginners


Section 2 - Getting Started -

Okay, so you should have downloaded the crackme and have OllyDbg installed. The first thing to do is close this tutorial and have a play around.


See what you can find and get a feel for the program. The very least this will do is teach you how to use basic OllyDbg functions. No cheating now ;-) Done? Well, maybe you surprised yourself and found things you thought you'd never find?

Maybe you found nothing at all and reckon you just wasted 30 minutes? Either way, I'll go through the procedure I used to reverse this and hopefully it will teach you a few things. Okay, so run the crackme and let's have a look around. Well, there's not much to see, but we can find a 'Register' box. Enter a username into the box and a random serial. You'll get a message saying 'No luck there mate' (by the way, if you do happen to guess your serial and get the 'Congratulations' message, I suggest you buy a lottery ticket today).

So we know what we need to do: we need to find the serial. At this point we don't know if it's a hard-coded number or if it's generated from the username, but that's part of the fun! Okay, so open up Olly and select Crackme1.exe. You'll then be presented with the disassembly of the application, starting about here:

    00401000   6A 00          PUSH 0
    00401002   E8 FF040000    CALL Crackme1.00401506
    00401007   A3 CA204000    MOV DWORD PTR DS:[4020CA],EAX
    0040100C   6A 00          PUSH 0

Now, we know that the crackme is taking whatever we typed and checking it against the correct serial. We therefore need Olly to intercept any calls this crackme makes where it could be reading what we typed from the username and serial boxes.

There are a few ways Windows does this - it's beyond the scope of this article to teach you the depths - but I will tell you that one of them is the API call 'GetDlgItemTextA'. So, what we need to do is make sure that if the crackme makes this call, Olly intercepts it and breaks for us so that we can follow what is being done with the data. That's easy enough. If you press Ctrl-N (or right click and select 'Search for' followed by 'Name (label) in current module') you are presented with a list of the imports referenced by the crackme. You can then right click on GetDlgItemTextA and select 'Set breakpoint on every reference'. We're ready to go. Press F9 and Olly will run the crackme, presenting you with its interface.

Go to the register box and enter a name and any serial. I'm using 'FaTaLPrIdE' and '123456'. Press the register button and Olly should break here:

    004012C4   E8 07020000        CALL <JMP.&USER32.GetDlgItemTextA>
    004012C9   83F8 01            CMP EAX,1
    004012CC   C745 10 EB030000   MOV DWORD PTR SS:[EBP+10],3EB

Now, this is the first reference to the call 'GetDlgItemTextA', so we know our serial is soon going to be read in. If you look at the top of your Olly window, it should say 'CPU - main thread, module Crackme1'. This is important: when it says Kernel or User32 instead, we know we can keep stepping as that code has nothing to do with our serial - we are only interested in the crackme. Press F8 to step over the program and try to get a feel for what is going on. Pressing it just twice will bring you into User32, and after 15 step-overs we are back with the crackme.

25 steps take us back to User32 and 38 take us back again. In future you will use F10 and F12 to step; F8 just shows you more of what's involved. (Alt-F9, 'Execute till user code', is the quick way to get out of User32 and back into the crackme's own code when you are stuck in system code.) If we continue this process we go through a lengthy session in User32 and eventually land back here:

    00401223   83F8 00        CMP EAX,0
    00401226  ^74 BE          JE SHORT Crackme1.004011E6
    00401228   68 8E214000    PUSH Crackme1.0040218E          ; ASCII "FaTaLPrId"
    0040122D   E8 4C010000    CALL Crackme1.0040137E
    00401232   50             PUSH EAX
    00401233   68 7E214000    PUSH Crackme1.0040217E          ; ASCII "123456"
    00401238   E8 9B010000    CALL Crackme1.004013D8
    0040123D   83C4 04        ADD ESP,4
    00401240   58             POP EAX
    00401241   3BC3           CMP EAX,EBX
    00401243   74 07          JE SHORT Crackme1.0040124C

This is where the fun begins.

We're done with the User32 code and are back with the main routine of the crackme. Olly even helps show us we're in the right place by displaying that our entered username and serial are pushed to the stack before calls are made, and that a compare happens shortly afterwards. For now, press Ctrl-N, select 'GetDlgItemTextA' and choose 'Remove all breakpoints'. Then select the line 00401223 and press F2 to put a new breakpoint here. This means you can now come back here whenever you run the program without stepping through all the previous steps we have taken. You don't want to search for this again if you press a wrong button somewhere! So, we probably already know how we could get the congratulations message: a flip of the Z flag after the CMP at 00401241, or a simple patch of the JE at 00401243, should do it. But that doesn't teach us much; we want to know exactly what this crackme is doing in order to check our username and serial. Our job is to trace the calls at 0040122D and 00401238 to find out exactly what is going on here.

Section 3 - The First Routine -

You should still be at 00401243. Press F8 until you highlight the following line:

    0040122D   E8 4C010000    CALL Crackme1.0040137E

Now press F7. The difference between F7 and F8 is that F8 steps over calls and F7 steps into them. In other words, if a call is of no interest to you, you can press F8 to step over it and carry on. If you think it might contain some vital information, press F7 to step into it and you can look at it in detail.

You should now be here:

    0040137E   8B7424 04      MOV ESI,DWORD PTR SS:[ESP+4]    ; Crackme1.0040218E
    00401382   56             PUSH ESI
    00401383   8A06           MOV AL,BYTE PTR DS:[ESI]
    00401385   84C0           TEST AL,AL
    00401387   74 13          JE SHORT Crackme1.0040139C
    00401389   3C 41          CMP AL,41
    0040138B   72 1F          JB SHORT Crackme1.004013AC
    0040138D   3C 5A          CMP AL,5A
    0040138F   73 03          JNB SHORT Crackme1.00401394
    00401391   46             INC ESI
    00401392  ^EB EF          JMP SHORT Crackme1.00401383
    00401394   E8 39000000    CALL Crackme1.004013D2
    00401399   46             INC ESI
    0040139A  ^EB E7          JMP SHORT Crackme1.00401383
    0040139C   5E             POP ESI
    0040139D   E8 20000000    CALL Crackme1.004013C2

Okay, so we see at 0040137E that a pointer to our username is loaded into ESI ready for processing. The first character of our username (F in my case) is then moved into AL before being tested to see if it is 0 (the end of the string). Then the interesting stuff starts - at 00401389 the F is compared with 41. A strange comparison, you might think? Look up an ASCII table and you'll get a better understanding. The computer deals with character values in hex, i.e. next to my F in Olly is the number 46.

If you look at the ASCII table you will see that 46 is the hexadecimal representation of 'F' and 41 is the representation of 'A'. What the line at 00401389 is doing, then, is taking the first letter of our username and comparing it with A. The result of this comparison decides what happens at the jump on the next line (0040138B): if the first letter of our name is less than A (see the ASCII table) it jumps elsewhere. My F is above A though, so we continue to 0040138D. Here a similar operation is carried out.

A quick look at our ASCII values shows that our character is now being compared with Z. This time a jump is taken if the value is not below Z (JNB), i.e. 5A or higher, which means a literal 'Z' takes the jump as well as anything above it; keep that in mind if your username contains a Z. Certainly my F is fine and we continue. At 00401391 ESI is incremented before a jump is taken back to 00401383. If you remember, ESI points at our username, so this has essentially just moved us to the next letter of our username and gone back to the beginning of this loop.

My second letter is 'a', so let's see how this is dealt with. Well, stepping through it passes the comparison with 'A', as 61 is indeed greater than 41 (A). When we get to the comparison with Z though, it fails and the jump is taken at 0040138F to 00401394. This is because, as the table shows, a (61) is higher than Z (5A). So we get here:

    00401394   E8 39000000    CALL Crackme1.004013D2

Which in turn sends us here:

    004013D2   2C 20    SUB AL,20
    004013D4   8806     MOV BYTE PTR DS:[ESI],AL
    004013D6   C3       RETN

So what's happening here? Our character is in AL and gets 20 subtracted from it, and the result is written back over the original character. What's this for? Check out the ASCII table. You will see that my 'a' is 20 values higher than 'A', i.e. 61-20=41; this subroutine has just capitalised my character, in place, in the username buffer!

It then returns to the loop, increments ESI to the next letter and continues. Step through the rest of the routine and you'll see that your whole username is processed to make sure it's uppercase. That's all this bit is doing. My username is now FATALPRIDE. A couple of points to note though: if you only used uppercase letters anyway, this routine is redundant and you won't even see the SUB AL,20 part. Also, the check is only 'below A?' and 'below Z?', so anything from 5A upwards that isn't a lowercase letter ('Z' itself, '[', '_', '{' and so on) gets 20 subtracted too. Characters below 'A' (digits, spaces, punctuation) take the JB at 0040138B to 004013AC, which is outside this listing, so don't assume they are treated the same way; step through with such a username if you need to know. Once the last letter of your username has been processed, the TEST AL,AL finds the terminating 0 and the program jumps out of this loop to 0040139C, where the pointer to your newly capitalised name (saved with PUSH ESI at the start) is popped from the stack back into ESI.

Then comes this line:

    0040139D   E8 20000000    CALL Crackme1.004013C2

Press F7 to trace this call - this is the second routine. Setting a breakpoint here may be useful too!

Section 4 - The Second Routine -

When we trace the above call we get the following:

    004013C2   33FF     XOR EDI,EDI
    004013C4   33DB     XOR EBX,EBX
    004013C6   8A1E     MOV BL,BYTE PTR DS:[ESI]
    004013C8   84DB     TEST BL,BL
    004013CA   74 05    JE SHORT Crackme1.004013D1
    004013CC   03FB     ADD EDI,EBX
    004013CE   46       INC ESI
    004013CF  ^EB F5    JMP SHORT Crackme1.004013C6
    004013D1   C3       RETN

So what's happening here? Well, first of all EDI and EBX are XOR'd with themselves - you've passed enough challenges to know that this always gives 0, so this is just a way of clearing both EDI and EBX.

Then something similar to the above routine happens, the only difference being that the first letter of our capitalised username is moved to BL rather than AL. It's then tested in case it's 0 before landing at 004013CC. If you've read Trope's articles, you'll know that BL (where our character is stored) is just the low byte of EBX. Hence ADD EDI,EBX is taking the value of that character and adding it to EDI - obviously, we just zeroed EDI so for the first letter it's added to 0. We then increment to the next letter of our username and the process is repeated, although notice that the loop does not include the XOR instructions each time. EBX is never cleared again either, but since only BL is ever written and the upper three bytes started at 0, each character is added as a plain byte value. This basically has the effect of adding up all the byte values of our username and keeping the sum in EDI.

For my username I get this:

    F  + A  + T  + A  + L  + P  + R  + I  + D  + E
    46 + 41 + 54 + 41 + 4C + 50 + 52 + 49 + 44 + 45 = 02DC

At the end of the username we fail the TEST BL,BL and jump out to the return at 004013D1. Our summed username (02DC in my case) is still stored in EDI.

Section 5 - Finishing With The Username -

So the last line of the above routine is:

    004013D1   C3    RETN

When we step over this, it takes us back to the end of the first routine, to where the second routine was called from. We land here:

    004013A2   81F7 78560000    XOR EDI,5678
    004013A8   8BC7             MOV EAX,EDI

Okay, so here we have another XOR - this time the contents of EDI are XOR'd with 5678. We know that EDI contains our summed username, so in my case the calculation is 02DC XOR 5678. The result is stored in EDI again (54A4 in my case) before the next instruction moves it to EAX. We then return to the initial code we looked at in Section 2:

    00401223   83F8 00        CMP EAX,0
    00401226  ^74 BE          JE SHORT Crackme1.004011E6
    00401228   68 8E214000    PUSH Crackme1.0040218E          ; ASCII "FaTaLPrId"
    0040122D   E8 4C010000    CALL Crackme1.0040137E
    00401232   50             PUSH EAX
    00401233   68 7E214000    PUSH Crackme1.0040217E          ; ASCII "123456"
    00401238   E8 9B010000    CALL Crackme1.004013D8
    0040123D   83C4 04        ADD ESP,4
    00401240   58             POP EAX
    00401241   3BC3           CMP EAX,EBX
    00401243   74 07          JE SHORT Crackme1.0040124C

The difference is that we have now finished the call at 0040122D and we're at 00401232, waiting to carry on. Congratulations, you've just traced your first call and now you know exactly how this program processes a username! Now see if you can follow the same procedure for the second call below!

Trace into it with F7 and see what you can find. Set a breakpoint first so that if you mess up you can try again, or pick this tutorial up where you left off!

Section 6 - Starting With The Serial -

How did you get on? Let's find out. First we see EAX pushed to the stack (we know this holds our summed username XOR'd with 5678 from the previous call), and then a pointer to our entered serial (123456) is pushed to the stack too. We can then use F7 to trace our second call.

We get here:

    004013D8   33C0            XOR EAX,EAX
    004013DA   33FF            XOR EDI,EDI
    004013DC   33DB            XOR EBX,EBX
    004013DE   8B7424 04       MOV ESI,DWORD PTR SS:[ESP+4]
    004013E2   B0 0A           MOV AL,0A
    004013E4   8A1E            MOV BL,BYTE PTR DS:[ESI]
    004013E6   84DB            TEST BL,BL
    004013E8   74 0B           JE SHORT Crackme1.004013F5
    004013EA   80EB 30         SUB BL,30
    004013ED   0FAFF8          IMUL EDI,EAX
    004013F0   03FB            ADD EDI,EBX
    004013F2   46              INC ESI
    004013F3  ^EB ED           JMP SHORT Crackme1.004013E2
    004013F5   81F7 34120000   XOR EDI,1234
    004013FB   8BDF            MOV EBX,EDI
    004013FD   C3              RETN

The first three lines should be no concern - we're clearing the EAX, EDI and EBX registers by XORing them with themselves. Following this, the pointer to our serial (pushed at 00401233) is moved into ESI and the processing begins.

Section 7 - Processing The Serial -

So you should be at the start of the loop at 004013E2. Let's try and work out what's going on here. First of all, 0A (10) is moved into AL, and then the first character of our serial ('1' in my case) is moved into BL before being tested for 0 in the usual way. Note though that EBX contains 31 rather than 1, i.e. the hexadecimal representation of the character '1'.

After this, 30 is subtracted from our value, i.e. 31-30 in my case, which turns the ASCII digit into the number it represents. Then EDI is multiplied by EAX (10) and our processed character is added to the result.

This is then stored in EDI. In other words, after one iteration on my serial EDI holds (10x0) + (31-30) = 1. The process is then repeated, but this time remember that EDI is no longer 0, so when EDI is multiplied by EAX we get a different result:

    (10x1) + (32-30) = 0C

Continue this through the rest of your serial and we get a final result (1E240 in my case). Really, what this has done is convert the decimal string we typed into a number - Olly just shows it in hex: 123456 decimal is 1E240h. Note that the routine never checks the character is actually a digit: anything goes through the SUB 30, and the arithmetic is 32-bit, so a very long serial simply wraps around. So we jump out of the loop and land at 004013F5.

This is interesting - remember in the last call where the username was uppercased, summed and XOR'd with 5678? Well, here we've just turned the serial into a number and now we're XORing it with 1234 (the result is 1F074 in my case)! Simple really! The result is then moved from EDI to EBX and we return to our initial piece of code again!

Section 8 - The Final Stages -

This is it. The final stages of the crackme. We return to here:

    0040123D   83C4 04        ADD ESP,4
    00401240   58             POP EAX
    00401241   3BC3           CMP EAX,EBX
    00401243   74 07          JE SHORT Crackme1.0040124C
    00401245   E8 18010000    CALL Crackme1.00401362
    0040124A  ^EB 9A          JMP SHORT Crackme1.004011E6
    0040124C   E8 FC000000    CALL Crackme1.0040134D

The first line is a quick stack clean-up (it drops the serial pointer), which leaves our processed username value (54A4 in my case) on the top of the stack. This is then popped into EAX.

Then comes the critical comparison:

    00401241   3BC3           CMP EAX,EBX

EAX (the result of our username being processed) and EBX are compared - the two values should look familiar, as they are the results of our two calls, i.e. in my case 54A4 and 1F074. The following jump is the crucial one: if the two values in EAX and EBX are equal, we jump to the call at the bottom of the above listing.

This is our success box! (Hence my earlier remark that we could patch this jump to jump if not equal rather than if equal.) If EAX and EBX are not equal, we don't jump and we are taken down the 'No luck there mate' routine - which is where I go on this occasion, as 123456 is not my correct serial.
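As an added example (not code from the original tutorial), here is how the 'simple patch of the JE at 00401243' mentioned in Section 2 can be applied to the file on disk rather than in Olly's memory view. It searches for the instruction bytes shown in the listing above (ADD ESP,4 / POP EAX / CMP EAX,EBX / JE SHORT) and flips the JE opcode (74) to JNE (75). The one assumption is that this byte sequence occurs exactly once in Crackme1.exe; the function refuses to write if it is missing or not unique.

```python
"""Flip the JE at 00401243 into a JNE by locating its bytes in the file.

Added example, not part of the original tutorial. Works on the raw file, so no
virtual-address-to-file-offset mapping is needed: the instruction bytes from
the listing are used as a search pattern, assumed (and checked) to be unique.
"""
import sys

# Bytes of: ADD ESP,4 ; POP EAX ; CMP EAX,EBX ; JE SHORT +7  (from the listing)
PATTERN = bytes.fromhex("83C404583BC37407")
JE_OFFSET_IN_PATTERN = PATTERN.index(b"\x74\x07")   # position of the JE opcode
JE, JNE = 0x74, 0x75                                 # short conditional jump opcodes


def patch_je_to_jne(image: bytes) -> bytes:
    """Return a copy of `image` with the JE opcode replaced by JNE.

    Raises ValueError unless PATTERN is found exactly once, so a wrong binary
    or an already patched one is never written blindly.
    """
    first = image.find(PATTERN)
    if first < 0:
        raise ValueError("pattern not found: wrong binary or already patched")
    if image.find(PATTERN, first + 1) >= 0:
        raise ValueError("pattern is not unique: refusing to patch blindly")
    pos = first + JE_OFFSET_IN_PATTERN
    return image[:pos] + bytes([JNE]) + image[pos + 1:]


def patch_file(src: str, dst: str) -> int:
    """Read src, patch, write dst; return the file offset that was changed."""
    with open(src, "rb") as f:
        data = f.read()
    patched = patch_je_to_jne(data)
    with open(dst, "wb") as f:
        f.write(patched)
    return data.find(PATTERN) + JE_OFFSET_IN_PATTERN


if __name__ == "__main__":
    # usage: python patch_crackme1.py Crackme1.exe Crackme1_patched.exe
    offset = patch_file(sys.argv[1], sys.argv[2])
    print(f"JE -> JNE patched at file offset {offset:#x}")
```

With the jump inverted, any wrong serial now reaches the call at 0040124C while the correct one lands in the 'No luck' routine, which is a good reminder that patching the compare is a blunt instrument compared with understanding the two routines. In Olly you can do the same by hand from the CPU view: double-click the JE, change it to JNE, then right click, 'Copy to executable', 'All modifications', and save the new file from the window that opens.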

Section 9 - Finding Your Serial -

So, we have found that the crucial operation is a comparison of our processed username and our processed serial. Specifically, our processed serial must give the same result as our processed username in order to be valid. So how do we get this? Well, this is where knowledge of the XOR function brings us through. We know that if A XOR B = C then C XOR B = A (XOR is its own inverse). So how is this useful? Well, looking at the way the serial is processed, our entered serial (converted to a number) XOR 1234 must equal our processed username (in my case 54A4).

Using the above reasoning then, our serial is our processed username XOR 1234, i.e. (for me):

    Serial for FaTaLPrIdE = 54A4 XOR 1234

    5 4 A 4 = 0101 0100 1010 0100
    1 2 3 4 = 0001 0010 0011 0100
    SERIAL  = 0100 0110 1001 0000 = 4690h

    Convert to decimal = 16 + 128 + 512 + 1024 + 16384 = 18064

(We need the decimal form because we are reversing the fact that the program converts the decimal serial we type into a number.)
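Pulling the two traced routines together, here is a keygen that models them in Python. This is an added example, not the original tutorial's code or the crackme author's: process_username follows 0040137E, 004013C2 and 004013A2 (uppercase step, byte sum, XOR 5678h), process_serial follows 004013D8 (decimal-to-number loop, XOR 1234h), check is the CMP at 00401241, and keygen inverts the serial side exactly as worked out above. It treats username characters below 'A' as out of scope, since the JB at 0040138B goes to 004013AC, which is outside the listing; everything else is modelled byte-for-byte, including the JNB quirk that mangles a literal 'Z'.

```python
"""Keygen for Crackme1 built from the routines traced above.

Added example, not code from the tutorial or the crackme. All arithmetic is
32-bit as in the registers; byte values are taken as Olly shows them (latin-1).
"""
MASK32 = 0xFFFFFFFF
USER_XOR = 0x5678    # XOR EDI,5678 at 004013A2
SERIAL_XOR = 0x1234  # XOR EDI,1234 at 004013F5


def uppercase_step(username: str) -> bytes:
    """Model the loop at 00401383-0040139A.

    Bytes 41h..59h ('A'..'Y') pass untouched; anything >= 5Ah has 20h
    subtracted ('Z' included, because the jump is JNB, not JA). Bytes below
    41h take the JB to 004013AC, which is outside the listing, so they are
    rejected here rather than guessed at (assumption: that path is not modelled).
    """
    out = bytearray()
    for b in username.encode("latin-1"):
        if b < 0x41:
            raise ValueError(f"byte {b:#04x} takes the 004013AC path; not modelled")
        out.append(b - 0x20 if b >= 0x5A else b)
    return bytes(out)


def process_username(username: str) -> int:
    """Routine at 0040137E: uppercase, sum the bytes (004013C2), XOR 5678h."""
    total = sum(uppercase_step(username)) & MASK32
    return total ^ USER_XOR


def process_serial(serial: str) -> int:
    """Routine at 004013D8: EDI = EDI*10 + (byte - 30h) per character, XOR 1234h.

    The crackme does no digit check, so non-digits simply feed odd values
    ('A' -> 11h). SUB BL,30 is an 8-bit operation, so a byte below 30h wraps
    ('/' -> FFh) and that wrapped byte is what gets added to EDI.
    """
    edi = 0
    for b in serial.encode("latin-1"):
        edi = (edi * 10 + ((b - 0x30) & 0xFF)) & MASK32
    return edi ^ SERIAL_XOR


def check(username: str, serial: str) -> bool:
    """The CMP EAX,EBX / JE at 00401241-00401243: True means 'Congratulations'."""
    return process_username(username) == process_serial(serial)


def keygen(username: str) -> str:
    """Invert the serial side: serial = processed_username XOR 1234h, as decimal text."""
    return str(process_username(username) ^ SERIAL_XOR)


if __name__ == "__main__":
    name = "FaTaLPrIdE"
    print(f"processed username : {process_username(name):X}h")
    print(f"serial for {name}: {keygen(name)}")
    print(f"check with 123456  : {check(name, '123456')}")
    print(f"check with keygen  : {check(name, keygen(name))}")
```

Because the username is capitalised before it is summed, 'fatalpride' and 'FATALPRIDE' produce the same serial, while a single 'Z' in the name does not: it becomes ':' (3Ah) before the sum, so the keygen has to model that too or its serials will fail for such names.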

So I have username FaTaLPrIdE (not case sensitive, due to the uppercasing routine) and serial 18064.

Section 10 - Summary -

So that's it!

I hope you enjoyed this and found it useful. As I say, I'm a complete newbie at this, so I thought a beginners' tutorial written by a newbie would be useful to a few people. If you liked this, just put a comment below and let me know. Similarly, if you have a criticism or improvement, I'd like to hear it as well. Please don't tell me it was too easy though, as that was the point of the post - to explain as much as I could for those who have never used a debugger before. I'd recommend trying crackme 2 if you get a chance.

Personally, I think it's easier than this one - use the same methods and work out how your password is being dealt with. I'll write a tutorial when I get a chance, but feel free to PM me if you want a helping hand before the article is out.

As for those of you reading this because level 8 is bothering you, I hope this will help you out. Level 8 has a few extra tricks up its sleeve, but if you've got this far you should be able to work through them. Just step through logically and work out exactly what is happening - write it down to keep track. Thanks for reading. Please don't reproduce this on other sites - it's written specifically for the Geeks ;-).

Section 2 - Obtaining Started - Ok, so you should have downloaded the crackme and have got Ollydebug set up. First matter to do is near this tutorial and possess a have fun with around. See what you can find and get a sense for the program. The really minimum this will do is show you how to make use of simple Ollydebug functions.

No cheating today;-) Done? Properly maybe you suprised yourself and discovered issues you thought you'd certainly not find?

Maybe you discovered nothing at all and reckon you just squandered 30 mins? Either method, I'll go through the procedure I utilized to reverse this and hopefully it will teach you a several stuff. Okay, so operate the crackme and lets have a look around. Nicely, theres not really much to find but we can discover a 'Sign up' box. Enter a user title into the package and a arbitrary username. You'll get a information stating 'No good luck there partner' (by the way, if you do take place to think your serial and get the 'Great job' information, I suggest that you purchase a lottery solution nowadays).

Therefore we know what we need to perform; we need to find the serial - at this stage we dont understand if its a hard coded amount or if its generated from the usérname but thats component of the enjoyment! Okay, therefore open up Olly and select Crackme1.exe. You'll after that be provided with the operation of the software, beginning about here: 00401000 6A 00 PUSH 0 00401002 E8 FF040000 Contact 00401007 A3 CA204000 MOV DWORD PTR DS:4020CA,EAX 0040100C 6A 00 Force 0 Now, we understand that the Crackme can be acquiring whatever we entered and looking at it against the correct serial. We consequently require Olly to intercept any phone calls this crackme makes where it could be reading what we entered from the usérname and serial containers. There are usually a several ways home windows will this - its beyond the range of this post to train you the absolute depths - but I will tell you that oné of thém if using the call 'GetDlgItemTextA'. Therefore, what we need to do is make certain that if the Crackme can make this contact, Olly intercepts it and pauses for us so that we can follow what can be being carried out with the details.

Thats easy good enough. If you push Ctrl-N (or correct click on and select 'Search for' implemented by 'title (content label) in present component') you are usually presented with a checklist of phone calls made by the crackmé.

You can after that right click on GetDlgItemTextA and choose 'collection breakpoint on every research'. We're prepared to move. Press Y9 and Olly will run the crackme, presenting you with its user interface. Proceed to the sign up package and enter a title and any serial. I'm making use of 'FaTaLPrIdE' and '123456'. Push the register switch and Olly should crack here: 004012C4. Age8 07020000 CALL 004012C9.

83F8 01 CMP EAX,1 004012CM. Chemical745 10 EB0300>MOV DWORD PTR SS:EBP+10,3EB Right now, this is the 1st guide to the call 'GetDlgItemTextA' so we understand our serial is shortly going to be read through in.

If you learn the top of you Olly windowpane, it should state CPU - primary thread, component Crackme1. This can be important as when this says Kernel or Consumer32, we know we can maintaining stepping as it offers nothing at all to perform with our serial - we are only interested in the Crackme. Push N8 to action over the system and consider to get a feel for what will be heading on. Pressing just twice will provide you into User32 and after 15 action overs we are usually back with the crackme. 25 tips take us back again to User32 and 38 take us back again once again. In potential you will use N10 and Y12 to phase, N8 just displays you even more of whats involved.

If we continue this procedure we move through a lengthy program in Consumer32 and eventually land back here: 00401223. 83F8 00 CMP EAX,0 00401226.^74 BE JE Brief Crackme1.004011E6 00401228. 68 8E214000 Force Crackme1.0040218E; ASCII 'FaTaLPrId' 0040122D. Elizabeth8 4C010000 CALL Crackme1.0040137E 00401232. 50 PUSH EAX 00401233. 68 7E214000 Force Crackme1.0040217E; ASCII '123456' 00401238.

Tutorial

E8 9B010000 CALL Crackme1.004013D8 0040123D. 83C4 04 Add more ESP,4 00401240. 58 POP EAX 00401241. 3BM3 CMP EAX,EBX 00401243. 74 07 JE Brief Crackme1.0040124C This is certainly where the enjoyment begins.

We're completed with the User32 code and are usually back again with the major regimen of the Crackme. Olly even helps show us we'ré in the correct location by displaying that our éntered username and password are forced to the stack before calls are made and a compare and contrast is produced shortly soon after. For right now, press Ctrl-N, select 'GetDlgItemTextA' and press 'remove all breakpoints'.

Then choose the collection 00401223 and push F2 to put a fresh breakpoint here. What this means will be that you can today come back again here whenever you operate the program without moving through all the previous actions we have taken. You dont want to research for this again if you press a incorrect button someplace!

Therefore, we most likely know how we could get the congrats information - a movie of the Z bit at 00401241 or simple patch of the JE at 00401243 should do it. But that doesn't teach us very much, we desire to know specifically what this crackme will be carrying out in order to test our username ánd serial.

Our work is definitely to track the phone calls at 0040122D and 00401238 to find out exactly what can be heading on right here. Area 3 - The Initial Routine - You should still end up being at 00401243. Press F8 until you highlight the following row: 0040122D. Age8 4C010000 CALL Crackme1.0040137E Today press Y7. The distinction between F7 and N8 is certainly that F8 measures over calls and F7 steps into them. In some other terms, if a call can be of no curiosity to you, you can press F8 to phase over it and bring on.

If you believe that it might contain some vital information, push N7 to action into it ánd you can appear at it in fine detail. You should right now be right here: 0040137E /$ 8B7424 04 MOV ESI,DWORD PTR SS:ESP+4; Crackme1.0040218E 00401382. 56 Force ESI 00401383 >8A06 /MOV AL,BYTE PTR DS:ESI 00401385. 84C0 Check AL,AL 00401387. 74 13 JE SHORT Crackme1.0040139C 00401389.

3C 41 CMP AL,B. 72 1F JB SHORT Crackme1.004013AC 0040138D. 3C 5A CMP AL,5A 0040138F. 73 03 JNB SHORT Crackme1.0041391. 46 INC ESI 00401392.^EB EF JMP SHORT Crackme1.0041394 >Age8 39000000 Contact Crackme1.004013D2 00401399. 46 INC ESI 0040139A.^EB Elizabeth7 JMP Brief Crackme1.004139C >5E Crop up ESI 0040139D.

Y8 20000000 CALL Crackme1.004013C2 Ok, therefore we notice at 0040137E that our username is loaded into ESI prepared for refinement. The initial character of our username (N in my case) is then shifted into AL before getting examined to discover if it is certainly 0. Then the interesting stuff starts - at 00401389 the F is likened with 41. A strange assessment you might believe? Open up up a browser home window and proceed to and you'll obtain a better understanding. The personal computer offers with personality values in hex i actually.e. Following to my N in Olly is certainly the amount 46.

If you appear at the ASCII table you will see that 46 is certainly the hexadecimal counsel of 'N' and 41 is definitely the counsel of 'A new'. What the line at 00401389 is usually doing then, can be its getting the very first notice of our username and comparing it with A. The outcome of this comparison effects what happens at the leap on the following series (0040138B) as if the 1st notice of our title is less than A (see the ASCII desk) it jumps elsewhere. My N will be above A though so we continue to 0040138D. Here a similar operation is usually carried out. A fast look at our ASCII ideals shows us that our personality is right now being likened with Z .

- this time á jump is takén if the vaIue is abové Z. Certainly, my N is great and we carry on. At 00401399 ESI is definitely incremented before a jump is used back again to 00401383. If you keep in mind, our username is kept in ESI so this provides essentially just relocated us to the next notice of our username and long gone back to the beginning of this program.

My 2nd letter is usually 'a' therefore lets see how this will be dealt with. Well, stepping through it passes the comparison with 'A' as 61 is definitely indeed better than 41(A). When we obtain to the assessment with Z though, it faiIs and thé jump is takén at 0040138F to 00401394.

This will be because, as the table displays, a(61) is definitely higher than Z(5A). So we land here: 00401394 >Elizabeth8 39000000 Contact Crackme1.004013D2 Which in convert transmits us here: 004013D2 /$ 2C 20 Bass speaker AL,20 004013D4. 8806 MOV BYTE PTR DS:ESI,AL 004013D6. M3 RETN So whats happening here? Our personality is certainly in AL and will get 20 subtracted from it. Wháts this for?

Check out out the ASCII desk. You will notice that my 'a' is 20 ideals higher than 'A' i actually.y. A-20=A; this subwoofer routine has just capitalised my personality! It then jumps back again to the program, installments ESI to the next notice and proceeds.

Stage through the rest of the regular and you'll see that your entire username can be processed to create sure its uppercase. Tháts all this little bit is performing. My username can be now FATALPRIDE.

A couple of points to take note though are usually that if you only utilized uppercase characters anyway, this program is unnecessary and you wont actually see the Subwoofer AL,20 part. Also, if you possess non alphabetic characters in now there, they'll end up being taken down 20 values too simply because they obviously are not between A and Z.

Once the last letter of your username offers been processed, the TEST AL,AL will fail and the software leaps out of this cycle to 0040139C where your newly capitalised title is sprang from the stack to ESI. Then comes this line: 0040139D. Elizabeth8 20000000 CALL Crackme1.004013C2 Press Y7 to track this call - this is usually the second routine. Placing a breakpoint here may end up being useful too! - Area 4 - The Second Schedule - When we trace the above contact we obtain the pursuing: 004013C2 /$ 33FF XOR EDI,EDI 004013C4.

33DW X0R EBX,EBX 004013C6 >8A1E /MOV BL,BYTE PTR DS:ESI 004013C8. 84DM TEST BL,BL 004013CA new. 74 05 JE Brief Crackme1.004013D1 004013CChemical. 03FB ADD EDI,EBX 004013CY. 46 INC ESI 004013CN.^EB N5 JMP Brief Crackme1.004013C6 004013D1 >Chemical3 RETN So whats occurring here?

Well firstly EDI and EBX are X0R'd with themselves - yóu've handed enough issues to know that this usually results a 0 outcome hence this is certainly just a method of clearing both EDI and EBX. Then a very similar thing happens to what happened in the above regimen - the just difference being that the 1st letter of our capitalised username is definitely shift to BL instead than AL. Its then examined incase its 0 before getting at 004013CD. If you've study Trope't articles, you'll know that BL (where our character is stored) is usually just the lower memory in EBX.

Therefore Insert EDI,EBX will be having the value of that character and including it to EDI - obviously, we simply zero'd EDI therefore for the 1st letter, its included to 0. We after that increment to the next notice of our usérname and the procedure is repeated although see that the loop does not include the XOR functions each period. This generally offers the impact of incorporating all the beliefs of our username collectively and keeping it in EDl. For my usérname I get this: F + A + Testosterone levels + A + T + G + R + I + D + E 46 + 41 + 54 + 41 + 4C + 50 + 52 + 49 + 44 + 45 = 02DC At the finish of the username, we fail the TEST BL,BL and jump out to the come back declaration at 004013D1. Our summed username (02DM in my case) can be still saved in EDI.

- Section 5 - Finishing With The Username -

So the last line of the above routine is:

004013D1  C3   RETN

When we step over this, it takes us back to the end of the first routine, to where the second routine was called from. We get here:

004013A2  81F7 78560000   XOR EDI,5678
004013A8  8BC7            MOV EAX,EDI

Okay, so here we have another XOR statement - this time the contents of EDI are XOR'd with '5678'. We know that EDI contains our summed username so in my case, this equation is: 02DC XOR 5678 - the result is stored in EDI again (54A4 in my case) before the next statement moves it to EAX. We then jump back to the initial code we looked at in section 2.

00401223  83F8 00        CMP EAX,0
00401226  74 BE          JE SHORT Crackme1.004011E6
00401228  68 8E214000    PUSH Crackme1.0040218E    ; ASCII 'FaTaLPrId'
0040122D  E8 4C010000    CALL Crackme1.0040137E
00401232  50             PUSH EAX
00401233  68 7E214000    PUSH Crackme1.0040217E    ; ASCII '123456'
00401238  E8 9B010000    CALL Crackme1.004013D8
0040123D  83C4 04        ADD ESP,4
00401240  58             POP EAX
00401241  3BC3           CMP EAX,EBX
00401243  74 07          JE SHORT Crackme1.0040124C

The difference is that we have now completed the call at 0040122D and we're now at 00401232 waiting to continue. Congratulations, you've just traced your first call and now you know exactly how this program processes a username! Now see if you can follow the same process for the second call below!

Trace into it with F7 and see what you can find. Set a breakpoint first so that if you mess up you can try again or pick this tutorial up where you left off!

- Section 6 - Starting With The Serial -

How did you get on? Let's find out. Firstly we see EAX is pushed to the stack (we know that this contains our summed username XOR'd with 5678 from the earlier call) and then our entered serial (123456) is pushed to the stack too.

We can then use F7 to trace our second call. We get here:

004013D8  33C0          XOR EAX,EAX
004013DA  33FF          XOR EDI,EDI
004013DC  33DB          XOR EBX,EBX
004013DE  8B7424 04     MOV ESI,DWORD PTR SS:[ESP+4]
004013E2  B0 0A         MOV AL,0A
004013E4  8A1E          MOV BL,BYTE PTR DS:[ESI]
004013E6  84DB          TEST BL,BL
004013E8  74 0B         JE SHORT Crackme1.004013F5
004013EA  80EB 30       SUB BL,30
004013ED  0FAFF8        IMUL EDI,EAX
004013F0  03FB          ADD EDI,EBX
004013F2  46            INC ESI
004013F3  EB ED         JMP SHORT Crackme1.004013E2
004013F5  81F7 34120000 XOR EDI,1234
004013FB  8BDF          MOV EBX,EDI
004013FD  C3            RETN

The first three lines should be no problem - we're clearing the EAX, EDI and EBX registers by XORing them with themselves. Following this, our serial number is moved into ESI and the loop begins.

- Section 7 - Processing The Serial -

So you should be at the start of the loop at 004013E2. Let's try and work out what's going on here. Firstly, 0A (10) is moved into AL and then the first character of our serial (1 in my case) is moved into BL before being tested for 0 in the usual way. Note though that EBX contains 31 rather than 1, i.e. the hexadecimal representation of the character 1. After this, 30 is subtracted from our number, i.e. 31-30 in my case. Then EAX and EDI are multiplied and our processed character is added to the result. This is then stored in EDI. In other words, EDI holds (31-30) + (10x0) = 1 after one iteration on my serial. The process is then repeated but this time, remember that EDI is no longer 0, so when EDI is multiplied by EAX we get a different result:

(10x1) + (32-30) = 0C, where the 1 is EDI from the previous iteration

Continue this through the rest of your serial and we get a final result (1e240 in my case). Really, what this has done is to convert our serial to hex! So we jump out of the loop and land at 004013F5. This is interesting - remember in the last call where the username was uppercased and XOR'd with 5678h? Well here we've just hexed the serial and now we're XORing it with 1234h (the result is 1f074 in my case)! Simple really!

The result is then moved from EDI to EBX and we jump back to our initial piece of code again!

- Section 8 - The Final Stages -

This is it. The final stages of the crackme. We jump back to here:

0040123D  83C4 04        ADD ESP,4
00401240  58             POP EAX
00401241  3BC3           CMP EAX,EBX
00401243  74 07          JE SHORT Crackme1.0040124C
00401245  E8 18010000    CALL Crackme1.00401362
0040124A  EB 9A          JMP SHORT Crackme1.004011E6
0040124C  E8 FC000000    CALL Crackme1.0040134D

The first line is a quick stack clean-up which then leaves our processed username value (54A4 in my case) on the top of the stack. This is then popped to EAX. Then comes the crucial comparison:

00401241  3BC3   CMP EAX,EBX

EAX (the result of our username being processed) and EBX are compared - the two values should look familiar as they are the results of our two calls, i.e. in my case they are 54A4 and 1f074. The next jump statement is the important one - if the two values in EAX and EBX are equal, we jump to the call statement at the bottom of the above code extract. This is our success box! (Hence the reason I said we could patch this jump to jump if not equal rather than if equal). If EAX and EBX are not equal, we don't jump and we are taken down the 'No luck there mate' routine - this is where I go on this occasion as 123456 is not my correct serial.

- Section 9 - Calculating Your Serial -

So, we have discovered that the crucial operation is a comparison of our processed username and our processed serial. Specifically, our processed serial must give the same result as our processed username in order to be valid.

So how do we achieve this? Well, this is where knowledge of the XOR function brings us through. We know that: if A XOR B = C then C XOR B = A. So how is this helpful? Well, looking at the way the serial is processed, our entered serial in hex XOR with 1234 must equal our processed username (in my case 54A4). Using the above logic then, our serial is our processed username XOR with 1234, i.e.

(for me) Serial for FaTaLPrIdE = 54A4 XOR 1234

  5 4 A 4 = 0101 0100 1010 0100
  1 2 3 4 = 0001 0010 0011 0100
  SERIAL  = 0100 0110 1001 0000 = 4690h

Convert to Decimal = 16 + 128 + 512 + 1024 + 16384 = 18064 (we need to do this as we are reversing the fact that our program converts the decimal serial we entered into hex). Hence I have username FaTaLPrIdE (not case sensitive due to the uppercasing routine) and serial 18064.

- Section 10 - Conclusion -

So that's it!
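As an added example that is not part of the original tutorial, here is a Python model of the two routines traced in Sections 4 to 7 and of the inversion in Section 9, so the hand-worked values (02DC, 54A4, 1E240, 1F074, 18064) can be checked; treating the uppercasing routine at 0040137E as str.upper() on ASCII letters and the 32-bit wrap of EDI are assumptions, since that routine is not shown here.

```python
USERNAME_KEY = 0x5678  # XOR constant applied at 004013A2
SERIAL_KEY = 0x1234    # XOR constant applied at 004013F5
MASK32 = 0xFFFFFFFF    # EDI is a 32-bit register, so sums wrap


def process_username(name: str) -> int:
    """Model of the routine at 004013C2 plus the XOR at 004013A2.

    Assumption: the uppercasing routine behaves like str.upper() on
    ASCII letters (it is not shown on this page).
    """
    edi = 0                                     # XOR EDI,EDI
    for byte in name.upper().encode("ascii"):   # MOV BL,[ESI] ... INC ESI
        edi = (edi + byte) & MASK32             # ADD EDI,EBX
    return edi ^ USERNAME_KEY                   # XOR EDI,5678


def process_serial(serial: str) -> int:
    """Model of the routine at 004013D8: decimal text to a number, then XOR 1234h."""
    edi = 0                                     # XOR EDI,EDI
    for byte in serial.encode("ascii"):
        bl = (byte - 0x30) & 0xFF               # SUB BL,30 (8-bit register, wraps)
        edi = (edi * 10 + bl) & MASK32          # IMUL EDI,EAX (EAX=0A) ; ADD EDI,EBX
    return edi ^ SERIAL_KEY                     # XOR EDI,1234


def serial_accepted(name: str, serial: str) -> bool:
    """The CMP EAX,EBX at 00401241: equal means the 'Congratulations' box."""
    return process_username(name) == process_serial(serial)


def serial_for(name: str) -> str:
    """Section 9 inverted: C XOR B = A, so the serial is the processed
    username XOR 1234h, written in decimal because the program parses
    the typed serial as decimal digits."""
    return str(process_username(name) ^ SERIAL_KEY)


if __name__ == "__main__":
    print(hex(process_username("FaTaLPrIdE")))     # 0x54a4
    print(hex(process_serial("123456")))           # 0x1f074
    print(serial_for("FaTaLPrIdE"))                # 18064
    print(serial_accepted("fatalpride", "18064"))  # True
```

The design lesson for anyone writing a check like this: both sides of the comparison are cheap, invertible arithmetic with constants that sit in the binary, which is why serial_for needs one XOR; a check that cannot be inverted from the program alone has to depend on something the program does not carry, such as a signature verified against a public key.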

I hope you enjoyed this and found it useful. As I say, I'm a complete beginner at this so I thought a beginner's guide written by a beginner would be useful to a few people. If you like this, just pop a comment below and let me know. Likewise, if you have a criticism or improvement, I'd like to hear it too.

Please don't tell me it was too simple though as that was the point of the write-up - to explain as much as I could for those who have never used a debugger before. I'd recommend attempting crackme 2 if you get a chance. Personally, I think it's easier than this one - use the same methods and work out how your password is being handled. I'll write a tutorial when I get a chance, but feel free to PM me if you want a helping hand before the article is out.

As for those of you reading this because level 8 is bothering you, I hope this will help you out. Level 8 has a few extra tricks up its sleeve but if you've got that far, you should be able to work through them. Just logically step through and work out exactly what is happening - write it down to keep note.

Thanks for reading. Please don't copy this on other sites - it's written specifically for the Geeks;-).
