HACKING TEST 17

Reverse Engineering Contd...

How to Clear Hacking Test 5?

Steps:

1). Open the file in OllyDbg.

2). This program has an option to execute one line at a time (shortcut F8).

3). Keep on pressing F8 and at the same time keep an eye on all 5 windows (upper left, upper center, upper right, lower left and lower right). Every time you press F8 you will see some changes in these 5 windows.

4). Keep on pressing F8 until you reach the instruction “CMP EAX, -1” followed by “JNZ SHORT 0040109A”.

What’s happening here?

Here the value in EAX is compared with -1, i.e. FFFFFFFF. If the result is zero, the JNZ (Jump if Not Zero) instruction will not jump and the instruction following JNZ will be executed.

Check the value stored in the EAX register (see just above the lower left window): it's FFFFFFFF.

So the jump will not take place and the next instruction will be executed, which inevitably takes you to “Evaluation period out of date, purchase new license”.

So we need to somehow skip this instruction.

Check the upper right window: here you can see the flags that decide whether the jump is taken. Currently the value of the Z flag is 1; if we change it to zero, the JNZ instruction will jump (double-click on it and the value changes to zero).

This way we were able to skip the first barrier. Check the program and you'll find three more of them.


5). Keep on pressing F8 until you reach the instruction “JNZ SHORT 004010B4” followed by “JMP SHORT 004010F7”.

What’s happening here?

Here you can see that if the JNZ instruction does not jump, the JMP instruction jumps to 004010F7, which inevitably takes you to “Keyfile is not valid, Sorry”.

So here again you have to perform the same step: just change the value of the Z flag from 1 to zero.

This way we were again able to skip the second barrier.


6). Keep on pressing F8 until you reach the instruction “JL SHORT 004010F7”.

What’s happening here?

Here you can see that there is no JNZ instruction, but the JL instruction again jumps to 004010F7, which inevitably takes you to “Keyfile is not valid, Sorry”.

So here again you have to perform the same step, but with a twist: change the value of the S flag from 1 to zero, since this is the flag the JL instruction depends on.

This way we were again able to skip the third barrier.

The next jump instruction, i.e. JE SHORT 004010D3, does not take us to any barrier, so don't change any value and keep on pressing F8. Once again we reach the instruction JL SHORT 004010F7, which would again take us to “Keyfile is not valid, Sorry”. If we skip this instruction, the next jump is to the address 00401205, which holds the message “You really did it! Congratz !!!”.

So all we need to do is set the S flag to zero and we will reach our destination.
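As an added illustration (not part of the original post), here is a small C model of how CMP sets the Z, S and O flags and how JNZ, JE and JL read them, which is why a single flag edit in OllyDbg changes the path the crackme takes. The addresses are the ones quoted above; the 3-versus-5 compare is a constructed input. Note that JL tests S != O, so toggling S alone works only while O is clear.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The EFLAGS bits read by the conditional jumps in this crackme. */
typedef struct { bool zf, sf, of; } flags_t;

/* Model CMP dst, src: the CPU computes dst - src and keeps only the flags. */
flags_t x86_cmp(uint32_t dst, uint32_t src) {
    uint32_t res = dst - src;
    flags_t f;
    f.zf = (res == 0);                                 /* Z: result is zero     */
    f.sf = (res >> 31) & 1u;                           /* S: result is negative */
    f.of = (((dst ^ src) & (dst ^ res)) >> 31) & 1u;   /* O: signed overflow    */
    return f;
}

/* Conditions the jumps on the page test; a jump never modifies the flags. */
bool jnz_taken(flags_t f) { return !f.zf; }          /* JNZ: Z == 0 */
bool je_taken(flags_t f)  { return f.zf; }           /* JE:  Z == 1 */
bool jl_taken(flags_t f)  { return f.sf != f.of; }   /* JL:  S != O */

/* Barrier 1: CMP EAX,-1 ; JNZ SHORT 0040109A. toggle_zf models the
   double-click on Z in OllyDbg's register pane. */
bool barrier1_jumps(uint32_t eax, bool toggle_zf) {
    flags_t f = x86_cmp(eax, 0xFFFFFFFFu);
    if (toggle_zf) f.zf = !f.zf;
    return jnz_taken(f);
}

/* Barriers 3 and 4: JL SHORT 004010F7 leads to the failure message.
   Toggling S flips the decision only because O stays 0 for a compare of
   small values; JL actually tests S != O, not S alone. */
bool jl_after_sf_toggle(flags_t f) {
    f.sf = !f.sf;
    return jl_taken(f);
}

int main(void) {
    flags_t f = x86_cmp(0xFFFFFFFFu, 0xFFFFFFFFu);      /* the page's EAX value */
    printf("EAX=FFFFFFFF: Z=%d S=%d O=%d, JNZ taken=%d, after Z toggle=%d\n",
           f.zf, f.sf, f.of, jnz_taken(f), barrier1_jumps(0xFFFFFFFFu, true));
    f = x86_cmp(3, 5);                                  /* constructed: 3 < 5 */
    printf("CMP 3,5: S=%d O=%d, JL taken=%d, after S toggle=%d\n",
           f.sf, f.of, jl_taken(f), jl_after_sf_toggle(f));
    return 0;
}
```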

Finalizing the patch:

...will continue
