how to get the serial number of a program with ollydbg

Upload: manuel2k

Post on 28-Feb-2018


  • 7/25/2019 How to Get the Serial Number of a Program With OllyDbg


    How to get the serial number of a program with OllyDbg

    http://www.behindthefirewalls.com/2013/09/how-to-get-serials-numbers-with-ollydbg.html

    Some months ago I participated in something like a "Hacker Competition" to get a job in a CERT. One of the tests consisted of getting the serial key of a simple program. The organizer sent me an executable called reversingtest.exe.

    We are going to work with OllyDbg 1.10. You can download this awesome tool from here: OllyDbg 1.10 (http://www.ollydbg.de/odbg110.zip).

    You can see its details in the picture below.

    The first thing I usually do in these cases is to check if the executable is compressed or not. Some programs pack some of their code in order to limit our attempt to statically analyze it. To achieve this purpose we are going to use PEiD. In the picture below you can see that the program does not detect any compression: "Nothing found *". If the file were compressed with UPX, for example, the program would advise us about it and we could uncompress it with this tool.

    If we click on the "EP Section" button we will see some of the executable's details.

    We can see the R. Size Raw Size "400" and the


    Now we have the assurance that the file has not been compressed. This is one of the first steps in a static analysis. We are going to make a dynamic analysis with OllyDbg but I want to know if the developer has made an effort in order to try to hide some code. Notice that if the executable is packed then we are not going to be able to read a lot of strings within the file. It is possible I will talk about that in future posts...
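
    A scripted version of the packing check made above with PEiD and the section details, as an added example that is not part of the original post: it reads the PE section table and reports common signs of a packed image. The section names, sizes and flags in the sample headers are constructed for the demonstration, and the three rules are general triage heuristics, not PEiD's signature matching.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* flags
UPX_NAMES = {"UPX0", "UPX1", "UPX2"}              # default UPX section names

def read_sections(data):
    """Return (name, virtual_size, raw_size, characteristics) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    count = struct.unpack_from("<H", data, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    sections = []
    for i in range(count):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        flags = struct.unpack_from("<I", data, table + 40 * i + 36)[0]
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"),
                         vsize, rsize, flags))
    return sections

def packing_indicators(data):
    """List (section, reason) pairs that suggest the image is packed."""
    findings = []
    for name, vsize, rsize, flags in read_sections(data):
        if name in UPX_NAMES:
            findings.append((name, "default UPX section name"))
        if flags & MEM_EXECUTE and rsize == 0 and vsize > 0:
            findings.append((name, "executable section with no bytes on disk"))
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            findings.append((name, "section is writable and executable"))
    return findings

def build_headers(sections):
    """Constructed sample input: PE headers only, no optional header or data."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    rows = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, 0x1000, rs,
                                0x400, 0, 0, 0, 0, fl) for n, vs, rs, fl in sections)
    return dos + b"PE\x00\x00" + coff + rows

PLAIN = build_headers([(".text", 0x1A00, 0x1C00, 0x60000020),
                       (".data", 0x0200, 0x0200, 0xC0000040)])
PACKED = build_headers([("UPX0", 0x8000, 0x0000, 0xE0000080),
                        ("UPX1", 0x3000, 0x2E00, 0xE0000040)])

if __name__ == "__main__":
    print(packing_indicators(PLAIN), packing_indicators(PACKED))
```

    A section with zero raw size is normal for uninitialised data, which is why that rule only fires when the section is also executable.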

    The next step would be to run the program by double clicking on the executable. After that we can see that an MS-DOS window is launched and the program requires us to type the serial number. We type a sentence in order to check the program's behavior.

    We have not figured out the serial number... It seems logical...

    Now we are going to run OllyDbg. It does not need installation, just download it and uncompress it. When OllyDbg is opened, just load the executable by clicking on File -> Open.


    Now we can see the binary code. Don't worry, remember this post is focused on beginners.

    We are going to click on the play button in order to run the executable just loaded in our debugger and check the file behaviour.


    The program has started and we can see the first strings like "Press ENTER to finish"...


    But... Something happens... The program doesn't require us to type the serial number like it occurs when we open the application without using a debugger... It's really strange... It's like the program knows about our intentions and it is closed by itself when we try to run it with a debugger tool...

    If we reload the file again on OllyDbg one line of the code draws our attention... The program is calling the "IsDebuggerPresent" API.


    If we look up this API on Microsoft (http://msdn.microsoft.com/en-us/library/windows/desktop/ms680345(v=vs.85).aspx) we can see that "This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior".

    Ok, the program is closed when it is open within a debugger. There are many options to avoid being detected by this technique... To achieve this purpose we are going to use the "Hide Debugger 1.2.4" plugin (http://tuts4you.com/request.php?57). Just download it and uncompress the DLL in the same OllyDbg folder.

    It is necessary to restart OllyDbg in order to work with this plugin. If you click on the Plugins tab you can see the Hide Debugger plugin. You don't need to do anything else.

    We have just installed the plugin to avoid being detected and now we are going to load and play the executable again. Now the program requires typing the serial number. Great news...

    We are going to type a sentence which will be easily recognizable.

    If we come back to OllyDbg we can see our sentence in the rg!.


    If we continue looking for this sentence through the code we can locate the code below. We can see the String2="2I9393IJ", the String1="I'm going to looking for this sentence in OllyDbg now..." and the API call CompareStringA.

    We can figure out that the executable is comparing these strings to each other in order to check if both have the same value. We can suppose that the string "2I9393IJ" is the serial number.
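
    The weakness shown above, seen from the developer's side (an added example, not code from the original post or from the test program): a serial stored as a literal is readable in the shipped bytes and is handed to the comparison routine in clear, while a salted digest is not. The serial, the salt and the two byte strings standing in for shipped images are constructed values.

```python
import hashlib
import hmac
import re

# Constructed demo values; none of them comes from the article's binary.
DEMO_SERIAL = "DEMO-4F7K-92QX-LM3D"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 200_000

def derive(serial):
    """Salted, deliberately slow digest of a serial (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", serial.encode(), SALT, ITERATIONS)

# In a real build only SALT and this digest ship; the serial stays with the vendor.
EXPECTED_DIGEST = derive(DEMO_SERIAL)

def check_plaintext(candidate):
    # Weak form: the expected value is a literal inside the program, so it sits
    # in the file and appears as an argument of the string comparison.
    return candidate == DEMO_SERIAL

def check_hashed(candidate):
    # Hardened form: hash the input and compare digests in constant time.
    return hmac.compare_digest(derive(candidate), EXPECTED_DIGEST)

def ascii_strings(blob, min_len=6):
    """Printable ASCII runs in a byte string, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]

def serial_visible(image):
    """True if the serial can be read straight out of the image bytes."""
    return any(DEMO_SERIAL in s for s in ascii_strings(image))

# Stand-ins for the data section of each build (constructed bytes).
WEAK_IMAGE = b"\x90\x00" + DEMO_SERIAL.encode() + b"\x00\xc3"
HARD_IMAGE = b"\x90\x00" + SALT + EXPECTED_DIGEST + b"\x00\xc3"

if __name__ == "__main__":
    print("plaintext build leaks serial:", serial_visible(WEAK_IMAGE))
    print("hashed build leaks serial:   ", serial_visible(HARD_IMAGE))
    print("hashed check accepts serial: ", check_hashed(DEMO_SERIAL))
```

    Storing a digest only helps when the serial space is large; a short numeric serial can still be guessed offline against the digest.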


    OllyDbg lets us copy the value of this line by left clicking on the line we are interested in.


    Then we are going to paste the line's value into Notepad and then we are going to copy only the "String2" value: 2I9393IJ.

    In the end we just need to paste the value just copied into our program and... Well!!! We have obtained the serial number of our program!!!

    This post could be applied to many of the simple programs which have a keygen integrated, but more knowledge is needed if you want to crack more complex programs.

    This post is focused on showing you some techniques using OllyDbg. It is only a game to get more reverse engineering skills to research malware. Please don't contact me to crack programs, it is illegal... I recommend you use free software!!!!