TITLE:
Finding a hardcoded serial and patching the program to accept any serial
============================================================================
TOOLS USED:
OllyDbg v1.09d (step 4)
UltraEdit-32 Professional Text/HEX Editor Version 10.00c
Brain (Preferably version human or above)
============================================================================
TARGET PROGRAM:
Brad.exe
============================================================================
PROTECTION:
S/n
============================================================================
LOCATION OF TOOLS AND PROGRAM:
http://www.grinders.withernsea.com/tools/odbg109d.zip
http://www.grinders.withernsea.com/tools/uedit32.zip
http://www.grinders.withernsea.com/tools/Brad.rar
============================================================================
CONTACT INFORMATION:
Msn Messenger - jammysa@hotmail.com
Icq# - 46313648
Email Address - Merlin@accessroot.com
============================================================================
TUTORIAL VERSION:
v1.0 written 11th of August 2003
============================================================================
AUTHOR AND OTHER ALIASES:
Merlin

Nilrem2
Nilrem
Grimgnaw
Khulad
Khulad Illphukiir
(-~Merlin~-)
============================================================================
LESSON 1 - FINDING THE HARDCODED SERIAL
Ok, firstly, this may seem harsh, but this tutorial will not teach you the ins and outs of OllyDbg or UltraEdit; there are plenty of tutorials on the web that cover the basics of those two fine tools.
Right, let's fire up OllyDbg, go to File - Open, and choose Brad.exe.
Once OllyDbg has finished loading Brad.exe, left-click in the CPU window (titled "CPU - main thread, module Brad") so that the black outline is around it and we know it is selected. Now right-click and choose "Search for -> Name (label) in current module" (make sure the current module is Brad and not something like Kernel32).
Hmm, it's a bit of a mess, so right-click and choose "Sort by -> Type".
What we want is an Import (third column, Type), an imported function that could retrieve or compare the serial we enter.
The usual suspects are:
GetDlgItemText(A) (the A suffix marks the ANSI version; the W variant takes Unicode strings)
GetDlgItemInt
GetWindowText(A)
lstrcmpA
Ahh, we have found lstrcmpA. Basically it compares two strings, so we know that the serial we enter will be compared against another string, which suggests this program has a hardcoded serial. (Please note this isn't always the case: lstrcmpA can be comparing any two strings, but I know that in this crackme it is the serial.) Now left-click our new find, then right-click and choose "Find references to import". We don't choose "Follow import in Disassembler" because that takes us out of Brad.exe and into Kernel32.dll; if by some ill-forgotten fate your Logitech ball-less mouse jumps now and then when you left-click and you chose "Follow import in Disassembler" by accident (No? Just me then), hit F8 to get back to Brad.exe.
There is only one reference. Left-click it to select it, then hit F2 to set a breakpoint. When we run the program from OllyDbg and execution reaches that instruction, control breaks back to OllyDbg and we can see what has happened.
Right, now right-click our newly acquired breakpoint and choose "Follow in Disassembler", then hit F9 to run the program from OllyDbg. Enter any serial of any length, for example 77777777 or 88888888, something you'll recognise if you see it again. Click Check and you'll be sent to your breakpoint. On the right-hand side, in the Registers (FPU) window, we see some interesting values:
EAX 00000008          - the length of what we typed (8 here because I entered 77777777); most likely the character count returned by the Windows call that read the text box.
ECX ASCII "<BrD-SoB>" - the correct serial.
EDX ASCII "77777777"  - the serial we entered.
Now hit F9 again and you should hear a message beep; click on Brad.exe and it will say "Incorrect try again!!".
Now enter <BrD-SoB>, hit Check, press F9 again, and voila!
Well done you have just successfully found a hardcoded serial.
If you are wondering how I knew those were the two strings being compared, read on.
Go back to OllyDbg, scroll up in the CPU window and select:
00401588  51  PUSH ECX  ; String2
and set a breakpoint on it (F2).
Now click the crackme to bring it back up, enter a serial (any serial, just make sure it isn't the correct one) and click Check.
We are back in Olly at the breakpoint we just set.
The comment shows that String2 is <BrD-SoB>. Press F7 twice and you'll be at the PUSH for String1, which is the serial we entered. Both are arguments to the lstrcmpA call just below them in the same routine (lstrcmpA is a stdcall function, so its arguments are pushed right to left, which is why String2 goes on the stack first), and lstrcmpA returns 0 when the two strings are equal. So our serial has just been compared against another string, though that does not always mean it is being compared with the correct serial. Hit F7 once more to reach the call, but don't hit it again: that steps into the comparison routine inside Kernel32, which is beyond the scope of this tutorial and which, luckily, we don't need to understand.
============================================================================
LESSON 2 - PATCHING THE PROGRAM TO ACCEPT ANY SERIAL
Look two lines down and you will see:
00401593  75 16  JNZ SHORT Brad.004015AD
This means: if the comparison result was not zero, i.e. the strings differ, jump to address 004015AD in Brad.exe (Brad.004015AD).
The instruction is two bytes. 75 is the opcode for a short JNZ and 16 is its displacement, counted from the start of the next instruction; OllyDbg does this arithmetic and shows the target for you. (As printed, the numbers don't quite agree: 00401595 plus 16 is 004015AB, not 004015AD, so one of them is a transcription slip; trust what your own OllyDbg displays.) More on how the 75 can be manipulated in a bit.
So let's see what is at 004015AD. Ahh, this is the start of the code that produces our "Incorrect try again!!" message.
Now, before loading UltraEdit, let's make the change in OllyDbg first. It only lives in memory, and testing a patch there before making it permanent is a good habit. Double-click the line that says "JNZ SHORT Brad.004015AD", replace JNZ with JE and click Assemble (the 75 16 should change to 74 16), then click Cancel. JE (jump if equal, also written JZ) is the opposite condition, so the jump to "Incorrect" is now taken only when the strings match. Clear your breakpoints: hit Alt+B to open the Breakpoints window, right-click and choose Remove, then close that window to get back to the CPU window. Bring the crackme back up (if it won't let you, hit F9) and enter any serial other than the right one. Well done, you've temporarily patched the program to accept any serial except the correct one!
Now back up Brad.exe, load UltraEdit, go to File - Open and choose Brad.exe. Hit Ctrl+R to bring up the Find and Replace box, type 7516 in the Find field and 7416 in the Replace field, and save the file. One caveat: a two-byte pattern like 75 16 is short enough to occur more than once in an executable, and every extra occurrence you replace is a second, unintended patch that can break unrelated code. Use Find first and confirm the pattern occurs only once; if it occurs more than once, replace only the occurrence at the file offset that corresponds to 00401593.
Reader: "You ripped us off!! The header says PATCHING THE PROGRAM TO ACCEPT ANY SERIAL."
Ok, ok, read on then...
To get it to accept any serial, even the correct one (ironic, eh?), replace 7416 (or 7516, if you never changed it in the first place) with 9090. 90 is the opcode for NOP (No Operation), and because the jump is a two-byte instruction both bytes must go: leaving the 16 behind, as in 9016, makes the CPU execute that byte as PUSH SS, which pushes an extra value onto the stack and only goes unnoticed if the function restores ESP from EBP before it returns. With both bytes NOPed the jump is never taken and every serial reaches the "correct" path. I don't recommend the NOP method in general, because some programs check their own code for patches like this; this crackme doesn't, so feel free to leave it in. Also feel free to contact me if you want, but please note that I will not crack programs or assist you in any illegal activity.
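The two lessons above are done by hand in OllyDbg and UltraEdit. The following Python script is an added example, not code from the tutorial or from Brad.exe, that does the same checks offline: it lists a PE file's imports (the list you scanned for lstrcmpA in Lesson 1), maps a virtual address such as 00401593 to the file offset UltraEdit needs, counts how often the 75 16 pattern occurs so you can see why a blind find/replace is risky, computes where a short jump actually lands, and decodes what a two-byte patch turns into (including the stray PUSH SS left by 90 16). Since Brad.exe is not available here, build_sample_pe() constructs a minimal PE32 of the same shape; everything in it (the lstrlenA import, the CMP EAX,0 before the jump, the decoy at 00401100, the 004015AB target) is made up for the sample and is not a claim about Brad.exe.

```python
# Added example, not code from the tutorial or from Brad.exe. Since Brad.exe is not
# available here, build_sample_pe() constructs a minimal PE32 of the same shape:
# an lstrcmpA import and a JNZ (75 16) at VA 00401593, plus a decoy 75 16 elsewhere.
import struct

OPCODES = {0x74: "JE/JZ rel8", 0x75: "JNE/JNZ rel8", 0x90: "NOP", 0x16: "PUSH SS"}

def build_sample_pe() -> bytes:
    """Constructed stand-in for Brad.exe: one .text section, RVA 0x1000 at file offset 0x200."""
    text = bytearray(0x600)
    text[0x100:0x102] = b"\x75\x16"                # decoy: an unrelated JNZ with the same two bytes
    code = (b"\x51"                                # 401588 PUSH ECX       ; String2 = hardcoded serial
            b"\x52"                                # 401589 PUSH EDX       ; String1 = what the user typed
            b"\xFF\x15\x60\x12\x40\x00"            # 40158A CALL [401260]  ; IAT slot of lstrcmpA
            b"\x83\xF8\x00"                        # 401590 CMP EAX,0      ; lstrcmpA returns 0 when equal
            b"\x75\x16")                           # 401593 JNZ 4015AB     ; strings differ -> "Incorrect"
    text[0x588:0x588 + len(code)] = code
    # Import directory at RVA 0x1200: one descriptor for KERNEL32.dll followed by an all-zero one.
    struct.pack_into("<IIIII", text, 0x200, 0x1240, 0, 0, 0x1280, 0x1260)  # ILT, stamp, fwd, Name, IAT
    for thunk in (0x240, 0x260):                   # on disk the ILT and the IAT hold the same RVAs
        struct.pack_into("<II", text, thunk, 0x1290, 0x12A0)
    text[0x280:0x28D] = b"KERNEL32.dll\0"
    text[0x290:0x29B] = b"\0\0lstrcmpA\0"          # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
    text[0x2A0:0x2AB] = b"\0\0lstrlenA\0"
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt header
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, len(text), 0, 0, 0x1588, 0x1000, 0, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [0] * 32
    dirs[2], dirs[3] = 0x1200, 40                  # data directory 1 = import table (RVA, size)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + struct.pack("<32I", *dirs) + sec
    return headers + bytes(0x200 - len(headers)) + bytes(text)

def pe_info(pe: bytes):
    """Return (image_base, import_dir_rva, sections); each section is (vsize, vaddr, rawsize, rawptr)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)        # COFF header: NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)   # COFF header: SizeOfOptionalHeader
    opt = e_lfanew + 24                                       # optional header follows the COFF header
    image_base, = struct.unpack_from("<I", pe, opt + 28)     # PE32 layout; PE32+ would differ
    import_rva, = struct.unpack_from("<I", pe, opt + 104)    # data directory entry 1 (imports)
    secs = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)[1:] for i in range(nsec)]
    return image_base, import_rva, secs

def rva_to_offset(secs, rva: int) -> int:
    """Map an RVA to a file offset through the section table (what OllyDbg does for you)."""
    for vsize, vaddr, rsize, rptr in secs:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def va_to_offset(pe: bytes, va: int) -> int:
    base, _, secs = pe_info(pe)
    return rva_to_offset(secs, va - base)

def list_imports(pe: bytes):
    """Walk the import directory: the same list OllyDbg shows under Search for -> Name, type Import."""
    _, imp_rva, secs = pe_info(pe)
    cstr = lambda off: pe[off:pe.index(b"\0", off)].decode("ascii")
    found, desc = [], rva_to_offset(secs, imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:                                     # all-zero descriptor ends the list
            return found
        dll, thunk = cstr(rva_to_offset(secs, name_rva)), rva_to_offset(secs, ilt or iat)
        while (entry := struct.unpack_from("<I", pe, thunk)[0]) != 0:
            if entry & 0x80000000:                            # import by ordinal, no name
                found.append((dll, f"#{entry & 0xFFFF}"))
            else:                                             # RVA of hint(2 bytes) + ASCIIZ name
                found.append((dll, cstr(rva_to_offset(secs, entry) + 2)))
            thunk += 4
        desc += 20

def short_jump_target(insn_va: int, disp: int) -> int:
    """A two-byte short jump lands at the next instruction plus its signed 8-bit displacement."""
    return insn_va + 2 + (disp - 0x100 if disp > 0x7F else disp)

def describe(two: bytes) -> str:
    """Name what a 2-byte patch decodes to: one short jump, or two 1-byte opcodes."""
    if two[0] in (0x74, 0x75):
        return f"{OPCODES[two[0]]} {two[1]:+#x}"
    return "; ".join(OPCODES.get(b, f"db {b:02X}") for b in two)

def patch_at_va(pe: bytes, va: int, expect: bytes, new: bytes) -> bytes:
    """Patch exactly one location, refusing if the bytes there are not the ones we expect."""
    off = va_to_offset(pe, va)
    if pe[off:off + len(expect)] != expect:
        raise ValueError(f"{va:#x} holds {pe[off:off + len(expect)].hex()} not {expect.hex()}")
    out = bytearray(pe)
    out[off:off + len(new)] = new
    return bytes(out)

if __name__ == "__main__":
    pe = build_sample_pe()
    print(list_imports(pe), "75 16 occurs", pe.count(b"\x75\x16"), "times")
    print(hex(va_to_offset(pe, 0x401593)), describe(b"\x90\x16"), describe(b"\x90\x90"))
```

Running it on the constructed sample reports two occurrences of 75 16, which is exactly the situation where UltraEdit's replace would also hit the decoy; patch_at_va writes only the bytes at the offset derived from the virtual address and refuses to run if they are not the 75 16 it expects. To use it on a real file, read the bytes with open(path, "rb").read() in place of build_sample_pe(); pe_info() handles PE32 only, since 64-bit images have a different optional header.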
============================================================================
SHOUTZ AND GREETZ:
To Kyrstie she's mighty FINE, I love her with all my heart! To Weedy he's da man! To Hoof Arted for inspiring me to write tutorials for OllyDbg, The creators of Brad.exe, Ultra-Edit, and OllyDbg.
============================================================================


