Tuesday, April 3, 2007

Cracking trialcrackme

Download the target here
If you have never used Olly before, see this page

Tools: OllyDbg

1. Open TrialCrackMe in OllyDbg.
2. Run it first (F9).
3. Enter any password you like, for example 123456, then press the Cek Password button.
4. Note the message box that appears:

---------------------------
SROeR Trial Crackme
---------------------------
Passwordnya masih salah bos... :D
---------------------------
OK
---------------------------

5. In Olly, you can see the string "Passwordnya masih salah bos... :D" referenced at

004010AF |. 8D05 C6304000 LEA EAX,DWORD PTR DS:[4030C6]

This string is stored at address 4030C6.

6. Before that instruction, at address 004010AD, there is the instruction JE SHORT TrialCra.004010BC.

JE is a CONDITIONAL JUMP: the jump is taken only if the ZERO FLAG is equal to 1.

Let’s take a look at JE.

The JE instruction has opcode 74 for a SHORT JUMP and opcode 0F84 for a LONG JUMP.
Opcodes 74 and 0F84 are also the opcodes of the JZ instruction, which means JZ and JE are the same instruction.

JE (Jump if Equal)
JZ (Jump if Zero flag = 1)

The instruction that affects the ZERO FLAG is at:

004010AB |. 0BC0 OR EAX,EAX

OR is a bitwise instruction.
The OR operation looks like this:

1 OR 1 = 1
1 OR 0 = 1
0 OR 1 = 1
0 OR 0 = 0

So the result of OR is 0 (FALSE) only if both values being compared are 0.
In assembly, when we find an OR instruction, the ZERO FLAG records whether its result was zero: if the result is TRUE (non-zero), the ZERO FLAG will be 0; if the result is 0, the ZERO FLAG will be 1.

7. Now place a breakpoint (F2) at address 004010AB.

8. Press the Cek Password button again. Olly will now stop at our breakpoint.

9. As we can see (table 2), EAX=1, so the ZERO FLAG will be 0 and JE SHORT TrialCra.004010BC will not be taken. Where does EAX=1 come from? Look at the instructions above it that change the value of EAX.

10. To make it simpler, place a breakpoint at address:

00401084 |. 68 04010000 PUSH 104 ; /Count = 104 (260.)

and watch the value of EAX. Press F9 to resume the program.

11. Press the Cek Password button and Olly will stop at address 00401084. At first EAX holds 3EA; stepping with F8, we can see EAX change twice. What we want to see is CALL 0040115A: after it executes, EAX=1. Finally: CALL 0040115A calls the Kernel32 API function lstrcmp.

lstrcmp takes 2 parameters, string1 and string2, which are compared. If they are the same, lstrcmp returns 0.
This value is stored in EAX.
For EAX to be 0, the two strings must have the same value:

string1, our input: 123456
string2, the password from the program: Gw pengen belajar Reverse Engineering!

So the conclusion is that the password is "Gw pengen belajar Reverse Engineering!"
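As an added illustration (not the crackme's own source), here is a C model of the check walked through above: the lstrcmp result lands in EAX, OR EAX,EAX sets the ZERO FLAG exactly when EAX is 0, and JE is taken only when the ZERO FLAG is 1, skipping the LEA that loads the "wrong password" message. strcmp stands in for lstrcmp, and the function names are assumptions.

```c
/* Added example, not the crackme's code: models lstrcmp -> OR EAX,EAX -> JE.
   strcmp stands in for Kernel32 lstrcmp (both return 0 on equal strings). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD "Gw pengen belajar Reverse Engineering!"

/* Models the flag update of "OR EAX,EAX": ZF=1 if and only if the result is 0.
   OR-ing a value with itself never changes it, so this is just a zero test. */
int zf_after_or(int32_t eax) {
    return (eax | eax) == 0;
}

/* Models "JE SHORT 004010BC": the jump is taken only when ZF == 1. */
int je_taken(int zf) {
    return zf == 1;
}

/* Models the Cek Password flow. Returns 1 when the JE is taken (the failure
   message at 4030C6 is skipped), 0 when execution falls through to the LEA
   that loads "Passwordnya masih salah bos... :D". */
int cek_password(const char *input) {
    int32_t eax = strcmp(input, PASSWORD);   /* CALL lstrcmp: result in EAX */
    int zf = zf_after_or(eax);               /* OR EAX,EAX */
    return je_taken(zf);                     /* JE SHORT 004010BC */
}

int main(void) {
    const char *tries[] = { "123456", PASSWORD };   /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        int32_t eax = strcmp(tries[i], PASSWORD);
        printf("input=\"%s\" EAX=%d ZF=%d JE taken=%d\n",
               tries[i], eax, zf_after_or(eax), cek_password(tries[i]));
    }
    return 0;
}
```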
