Serial Fishing Tutorial

- Serial Fishing with OllyDbg -

Welcome to my very first cracking-related tutorial. Take a comfortable position in your chair, get a warm cup of hot chocolate, and start reading. This is the first part of my serial fishing tutorials; I'll be posting more later on.

I will take you through the steps I took when cracking this program. This might help you, or give you a better idea of how to approach other programs in the future.

Some information before we start

Tools used: OllyDbg, PEiD, W32dasm, HexWorkshop, Notepad.


Before starting, it is wise to make a copy of the file you are going to crack in case you screw up. I named my working copy of the target program worldtv2.exe; the untouched original stays WorldTV.exe.

At least for me it is a habit to first examine the target with PEiD to determine the packer or protector. Open up PEiD and drag worldtv2.exe into it. The result: Microsoft Visual C++ 5.0. Surprisingly, the target is not packed or protected, which makes it all the easier to crack.

Now, knowing that we won't need to unpack the .exe, let's do a little examination of the protection scheme. Open up WorldTV: it goes directly to a nag screen letting us know that it is not registered. That is important to note, because it tells us the program checks for a registration key (maybe a key file or a registry key) before it even finishes loading. Try putting in a random key. Ahh, we get a little message box telling us "Invalid Registration Code". Let's write that little message down and save it; if you have read any previous tutorials you know that it may come in handy. Press OK and the program quits.

First we are going to try the easy way: patch the jump that decides whether the invalid registration box is shown. Run W32dasm and use it to open the original WorldTV.exe; we disassemble the original so that the patching can be done on the copy we made. After the file has been disassembled, look for the string from the message box: click the String References button at the top of W32dasm. A new window opens with a list of all strings found in the file. Scroll down until you find "Invalid Registration Code" and double-click it. You should now be at the code that references that string.

By looking at the code we see a JNE (jump if not equal) near the message box code: the program takes that jump only when the serial check passes, and otherwise falls through to the Invalid Registration Code message.

We want to change the JNE into a JMP (unconditional jump) so that the program registers with any serial. To do this we need to find where the JNE instruction is located in the file on disk. That information is shown at the bottom of the W32dasm window when the line is selected. You should see:

Line:52558 Pg 657 and 658 of 1734 Code Data @:0041B521 @Offset 0001A915h in File:WorldTV.exe

We are interested in the Offset value, 0001A915h. Write this number down; ignore the h at the end, it just means that the value is hexadecimal. (The address 0041B521 is where the instruction lives once the program is loaded in memory; the offset is where those same bytes sit in the file on disk, which is what the hex editor needs.)

Begin by opening WorldTV2.exe in HexWorkshop. Press Ctrl+G to bring up the Goto dialog box (Goto can also be found under Edit). Type in the offset value that we wrote down, in this case 0001A915. Make sure the Hex option is checked and the Beginning of File option is selected. When you are ready, press the Go button.

This will take us to the bytes of our jne 0041B54C. Hopefully from previous tutorials you know the opcode byte for JNE and the opcode byte for JMP. Right now the program only takes the jump on a good serial; we want it to take the jump on ANY serial, so we overwrite the JNE opcode byte with the JMP opcode byte and leave the displacement byte that follows it untouched, so the jump still lands at 0041B54C. Before you type anything, confirm that the bytes under the cursor really are the JNE: a typo in the offset would silently corrupt some other instruction.

Save WorldTV2.exe (I have made it a habit of choosing Yes when asked whether to make a backup). Now find your newly patched WorldTV2.exe and run it.
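As an added example (this is not code from the original post), here is the same patch done without W32dasm or HexWorkshop: a small Python script that maps a virtual address to a file offset from the PE section table, checks that the bytes there really are a JNE, and flips it to a JMP with the same target. The standard x86 encodings it relies on are short JNE = 75 rel8 and short JMP = EB rel8, plus the six-byte near forms 0F 85 rel32 and E9 rel32, which it rewrites as 90 E9 rel32 so the instruction length and displacement stay valid. Because worldtv2.exe is not available here, build_sample_pe() constructs a minimal stand-in laid out so that VA 0041B521 lands at file offset 0001A915, the numbers W32dasm reported; the code bytes inside it are made up, and the function and file names are mine.

```python
"""Patch a conditional JNE into an unconditional JMP at a given virtual address.

Added example for the tutorial above, not code from the original post. It redoes
by hand what W32dasm (VA -> file offset) and HexWorkshop (byte edit) did.
worldtv2.exe is not available here, so build_sample_pe() constructs a stand-in.
"""
import struct

# Standard x86 encodings (fixed facts of the ISA, not taken from the tutorial):
#   short JNE = 75 rel8      short JMP = EB rel8
#   near  JNE = 0F 85 rel32  near  JMP = E9 rel32      NOP = 90
SHORT_JNE, SHORT_JMP, NOP = 0x75, 0xEB, 0x90
NEAR_JNE, NEAR_JMP = b"\x0f\x85", b"\xe9"
PE32_MAGIC = 0x10B


def va_to_file_offset(image: bytes, va: int) -> int:
    """Map a virtual address to a raw file offset via the PE section table.

    This is the number W32dasm prints as '@Offset ...h' in its status bar.
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only 32-bit PE32 images are handled")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    rva = va - image_base
    for i in range(nsect):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not inside any section")


def jump_target(image: bytes, offset: int, va: int) -> int:
    """Resolve where the jump encoded at `offset` (which sits at VA `va`) lands."""
    if image[offset] in (SHORT_JNE, SHORT_JMP):
        return va + 2 + struct.unpack_from("<b", image, offset + 1)[0]
    if bytes(image[offset:offset + 2]) == NEAR_JNE:
        return va + 6 + struct.unpack_from("<i", image, offset + 2)[0]
    if image[offset] == NOP and bytes(image[offset + 1:offset + 2]) == NEAR_JMP:
        return va + 6 + struct.unpack_from("<i", image, offset + 2)[0]
    raise ValueError(f"no recognised JNE/JMP at offset {offset:#x}")


def force_jump(image: bytearray, offset: int) -> bytearray:
    """Rewrite the JNE at `offset` as an unconditional jump to the same target.

    Both rewrites keep the instruction length, so the displacement stays valid.
    Refuses to touch anything that is not a JNE (a wrong offset must not corrupt
    some other instruction).
    """
    if image[offset] == SHORT_JNE:
        image[offset] = SHORT_JMP                            # 75 xx -> EB xx
    elif bytes(image[offset:offset + 2]) == NEAR_JNE:
        image[offset:offset + 2] = bytes([NOP]) + NEAR_JMP   # 0F 85 -> 90 E9
    else:
        found = bytes(image[offset:offset + 2]).hex()
        raise ValueError(f"expected JNE at offset {offset:#x}, found {found}")
    return image


def patch_exe(src: str, dst: str, va: int) -> int:
    """Read `src`, force the jump at `va`, write the result to `dst`."""
    with open(src, "rb") as f:
        image = bytearray(f.read())
    offset = va_to_file_offset(image, va)
    force_jump(image, offset)
    with open(dst, "wb") as f:
        f.write(image)
    return offset


def build_sample_pe() -> bytearray:
    """Constructed stand-in for worldtv2.exe (not the real file).

    One .text section laid out so that VA 0x41B521 maps to file offset 0x1A915,
    the numbers W32dasm reported, holding 'JNE +0x29', i.e. jne 0041B54C.
    """
    image_base, text_va, text_raw, text_size = 0x400000, 0x1000, 0x3F4, 0x1B000
    img = bytearray(text_raw + text_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, stamp, symtab, nsyms, opt size, flags
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", img, 0x58, PE32_MAGIC)
    struct.pack_into("<I", img, 0x58 + 28, image_base)
    struct.pack_into("<8sIIII", img, 0x58 + 0xE0, b".text",
                     text_size, text_va, text_size, text_raw)
    off = text_raw + (0x41B521 - image_base - text_va)       # == 0x1A915
    img[off:off + 2] = bytes([SHORT_JNE, 0x29])              # jne 0041B54C
    return img


if __name__ == "__main__":
    img = build_sample_pe()
    off = va_to_file_offset(img, 0x41B521)
    before = jump_target(img, off, 0x41B521)
    force_jump(img, off)
    after = jump_target(img, off, 0x41B521)
    print(f"offset {off:#x}: JNE -> JMP, target {before:#x} -> {after:#x}")
```

Running the script patches the constructed stand-in; for a real target, call patch_exe("WorldTV.exe", "WorldTV2.exe", 0x41B521) instead. The check that the bytes at the offset really are 75 (or 0F 85) is the part HexWorkshop does not do for you, and jump_target lets you confirm the patched instruction still lands on 0041B54C.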

It asks for a serial: give it any one you want; I will use 1234567. Press Validate Registration and... Success: Registration Code Accepted. Are we done?

Close WorldTV2.exe and open it back up again. It is still asking for a serial. We could just put in a serial every time we use it, but that is annoying. Instead, we are going to find a real serial.

To begin, review what we know about the program so far:

1. It checks for a serial when starting up

2. After registering with a bogus serial it is unregistered the next time you start it up

This means that before the program even completely loads it is checking for the existence of a good serial, and that check is a different piece of code from the one we patched. We need to find out where that serial is being stored. There are usually two places a serial is stored: the registry or a file. We are going to start with the registry. Start up WorldTV2.exe, put in 1234567 as the serial, validate it and then close WorldTV.

Go to your Start menu, choose Run, type regedit (without the quotes) and press Enter. Regedit shows a two-pane window with a tree of keys in the left pane. Click the plus sign in front of HKEY_CURRENT_USER to expand it, then the plus sign in front of Software, and scroll down until you find WorldTV; click on that folder. Aha. In the right pane we have a value named RegCode with our serial, 1234567, stored in it. We now know that WorldTV checks the registry for a serial before loading. That gives us our hook: the start-up check has to read that value back, so a breakpoint on the registry read API will catch it.

We are going to start by opening OllyDbg and using it to open the original, unpatched WorldTV.exe.

You should now see OllyDbg's main CPU window, paused at the program's entry point. Before pressing Run we want to set some breakpoints. Right-click in the Code window of Olly and choose Search for > All intermodular calls. This brings up the Calls window. Sort the calls by Destination and scroll down until you find RegQueryValueExA. Select it, right-click, and choose Set breakpoint on every call to RegQueryValueExA. (RegQueryValueExA is the Win32 API that reads a registry value, so every read of RegCode has to pass through it.)

Now press Run (F9). You will first break at

FF15 0C304400   CALL DWORD PTR DS:[44300C]

which is the import slot for RegQueryValueExA (Olly may label it <&ADVAPI32.RegQueryValueExA>). If you look at the Registers window on the right side of Olly, you will see that EDI is holding the ASCII value Recordings. This is not the registry value we are looking for, so press Run again. We break again on the Recordings value, so press Run again. We will have to press Run 24 more times before we break here:

EAX is ASCII RegCode. Press Run once more and we are now here:

ECX now holds the ASCII value RegCode. We know we are getting close, because WorldTV just looked up the registration code. We are now going to step through the code (F8 to step over calls, F7 to step into them) and pay attention to the registers. After a few steps we find that a register points at the ASCII string

-00000000-00000000-00000000. This is interesting; however, I doubt that a bunch of zeros is the registration code. Stepping through some more, we see

-00000000-00000000-00000000 again. This still does not give us the serial. Continue to step through past the point where EDI is replaced by C:\Program Files\WorldTV\Scheduler.txt.tmp. Soon after that point you come to here:

EDX and the registers before it were all zeroed out. We also see an ASCII value moved into EDI. It is here that we start seeing our serial come together. After a little more stepping we find that we are in a loop. We can see that a serial is being made, and it can be seen at this address:

MOV EDI,WorldTV.004C8950. Rather than stepping through the code line by line, we set a breakpoint on that MOV EDI,WorldTV.004C8950 and watch our serial come together: select the line and press F2 to set the breakpoint. Now press Run a few times and we can watch our serial build itself, one piece per pass through the loop.

From what we saw in EDI earlier we know that our serial is either four sets of eight characters or three sets of eight characters. As you get near three full sets, slow down or you will miss the serial. When you only have two characters left to go, stop pressing Run and just step through the code. When you step past the following line

REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]

you will see the last two characters of your serial added on. (REP MOVSB copies ECX bytes from ESI to EDI, so the finished serial sits in the buffer EDI points at.)

Go ahead and write this number down. Press Run again to see if there is another set of characters to be added. Nope; pressing Run again starts you through another loop where a separate serial is calculated for what, I am not sure, because it would not register the program.

Go ahead and close OllyDbg. Open up the original WorldTV.exe and try registering with the serial we wrote down. Registration Code Accepted: we have successfully registered WorldTV with a real serial.

Hope you enjoyed reading this tutorial, and perhaps you learned something useful too.

I made a basic x86 ASM tutorial; it mainly has term explanations and some syntax. Link at the very bottom of this topic.

Originally Posted By: Skytactic

1c3 Hackers, free hacks and accs

Last edited by malfunction on Thu Feb 28, 2008 am; edited 3 times in total.

Monday, May 09 2005 PM CEST Contributed by: warezhog Views: 21169: Level : newbie Serial fishing using Ollydbg. For absolute newbies only.
View topic - [Tutorial] Serial Fishing with OllyDbg