WEBVTT

1
00:01.610 --> 00:03.470
Hello and welcome back.

2
00:03.500 --> 00:09.410
In this lesson, I'm going to show you some preliminary skills for this course.

3
00:10.010 --> 00:13.910
All of my crackmes are provided for you to download.

4
00:14.270 --> 00:15.920
Every one of them is a zip file.

5
00:15.920 --> 00:22.880
For example, in this lesson, the crackme is 01_easiest_crackme.zip.

6
00:23.000 --> 00:29.390
So go and download this from the resource section and then put it in the folder. For me,

7
00:29.390 --> 00:31.760
I put a folder on the desktop called Crackmes.

8
00:32.540 --> 00:36.410
So to unzip it, just unzip, extract.

9
00:38.510 --> 00:43.340
And you can open it, and you can see there are two files inside it.

10
00:43.460 --> 00:46.640
One is the executable, and the other is the credits.

11
00:46.820 --> 00:50.570
So open the credits, and you will see where I got this file from.

12
00:51.080 --> 00:55.640
So this file was originally downloaded from a website.

13
00:56.570 --> 00:58.700
So let me show you the website.

14
01:04.660 --> 01:06.490
Crackmes, crackmes.one.

15
01:06.490 --> 01:11.080
And so I give credit to the author, which is gen246.

16
01:11.500 --> 01:12.580
This guy wrote it.

17
01:13.300 --> 01:18.820
Now, I won't advise you to download from here because in future this website might not be available

18
01:18.820 --> 01:19.420
anymore.

19
01:20.020 --> 01:25.180
So instead, always use my copy that I provided for you.

20
01:28.060 --> 01:31.480
So this is how you get the crackmes into your computer.

21
01:32.770 --> 01:41.380
So the first thing you want to do before you perform any kind of analysis is to go and find out this

22
01:41.380 --> 01:41.920
crackme.

23
01:44.390 --> 01:46.160
What is it written in?

24
01:46.190 --> 01:47.870
Is it an executable file?

25
01:47.870 --> 01:53.330
Is it a Windows program, or is it a Mac

26
01:53.480 --> 01:55.880
program, or is it a Linux program?

27
01:56.180 --> 01:58.160
Whether it's 64-bit or 32-bit.

28
01:58.790 --> 02:02.330
So that's where you need to use a tool called

29
02:03.870 --> 02:04.860
Detect It

30
02:04.860 --> 02:05.370
Easy.

31
02:07.800 --> 02:09.330
So you use Detect It

32
02:09.330 --> 02:12.210
Easy to open the crackme.

33
02:14.630 --> 02:21.110
And then it will tell you whatever it is, whether it is a 64-bit program or 32-bit program. It will

34
02:21.110 --> 02:21.920
be shown here.

35
02:22.850 --> 02:25.340
So in this case, it's a 64-bit program.

36
02:25.550 --> 02:32.180
So if it is a 64-bit program, you need to use x64dbg, this one.

37
02:33.200 --> 02:36.350
If it's 32-bit, then you use x32dbg.

38
02:40.300 --> 02:43.120
So now we can go and open it,

39
02:43.480 --> 02:48.070
x32dbg, sorry, x64dbg.

40
02:52.290 --> 02:53.610
Go to your desktop.

41
02:58.570 --> 02:59.140
Crackme.

42
03:03.070 --> 03:04.810
And you will see it is open.

43
03:05.740 --> 03:08.500
Once you open it, it is already running, as you can see here.

44
03:09.370 --> 03:09.850
All right.

45
03:09.850 --> 03:11.830
So this is how you open it.

46
03:12.100 --> 03:19.090
Normally, before we open it with the x64 debugger, we will want to run it first to see what it does.

47
03:19.660 --> 03:22.600
So when you run it, it will give you this prompt.

48
03:24.850 --> 03:26.560
So can you guess the password?

49
03:26.560 --> 03:27.910
If you don't know,

50
03:27.910 --> 03:32.410
if you don't know the password, you just press any key, any number, and press Enter.

51
03:32.440 --> 03:33.250
It says wrong.

52
03:33.280 --> 03:34.030
Try again.

53
03:35.770 --> 03:36.250
Right.

54
03:36.250 --> 03:43.360
So these are the steps that you will do when you are trying to reverse engineer: analyze the behavior first,

55
03:43.720 --> 03:46.000
only then will you open it with x64dbg.

56
03:46.870 --> 03:52.360
So when you open it with x64dbg, you will notice there are a few panels here.

57
03:52.720 --> 04:00.610
The center panel is the disassembler view, where the binary has been disassembled into assembly code.

58
04:01.210 --> 04:03.490
This one is the binary view.

59
04:03.760 --> 04:07.180
This one shows you the raw binary code.

60
04:09.030 --> 04:15.360
It is in hex notation, and this one has been translated from here.

61
04:15.630 --> 04:22.050
So every one of these hex notations, when you translate it into assembly, you can see the text.

62
04:23.310 --> 04:25.020
So this has got meanings.

63
04:25.200 --> 04:30.000
Each one of these has got a meaning, like JE is 74, and 46

64
04:30.000 --> 04:31.380
is probably this.

65
04:32.860 --> 04:34.270
And so on.

66
04:35.950 --> 04:37.750
The most important is this one.

67
04:38.050 --> 04:39.760
This is what we're interested in.

68
04:40.390 --> 04:42.190
Next most important is comment.

69
04:42.280 --> 04:50.950
So this comment here is where you can find some clues or hints to tell you about the program.

70
04:50.950 --> 04:52.810
As it is running, this thing will change.

71
04:54.010 --> 04:57.370
On the right would be a register view.

72
04:58.000 --> 05:08.860
Now in 64-bit programs, you have these registers: -, -, -, - all the way to -15, and then

73
05:08.860 --> 05:10.810
you have the instruction pointer.

74
05:11.050 --> 05:14.770
Instruction pointer points to where the program is running at the moment.

75
05:17.900 --> 05:19.430
You can click on it, and you can go there.

76
05:20.030 --> 05:20.930
Pointing to this address.

77
05:20.930 --> 05:22.340
So it is the entry point.

78
05:23.030 --> 05:28.820
So whenever you are lost, just double-click on this, and you go back to the location in the code where

79
05:28.820 --> 05:30.050
it is currently running.

80
05:31.160 --> 05:32.240
Then you have the flags.

81
05:32.270 --> 05:34.280
The most important flag is the zero flag.

82
05:36.170 --> 05:39.350
It stores the status that controls the jumps.

83
05:39.920 --> 05:41.330
Later on, we'll take a look at that.

84
05:41.660 --> 05:45.890
You have jumps, for example, JE and so on.

85
05:46.100 --> 05:49.370
And whether it jumps or not will depend on the zero flag.

86
05:52.430 --> 05:53.450
And this column

87
05:53.450 --> 05:57.260
here is the address in memory.

88
06:00.060 --> 06:03.600
So this is the address at this location.

89
06:04.140 --> 06:08.220
You have all this code at those various addresses.

90
06:08.850 --> 06:14.190
Now, in the 64-bit program, the addresses are quite long.

91
06:14.940 --> 06:17.040
It's a QWORD, QWORD.

92
06:19.810 --> 06:26.800
QWORD is, I think, eight bytes, eight bytes, 64 bits.

93
06:28.040 --> 06:28.940
Same with this.

94
06:28.940 --> 06:30.800
This is also eight bytes, a QWORD.

95
06:33.560 --> 06:38.570
On the top here, you have some of the commands that you can execute.

96
06:38.570 --> 06:40.760
If you click on this, it will run a program.

97
06:42.250 --> 06:43.300
And this pop-up.

98
06:47.490 --> 06:48.960
And you can press anything.

99
06:49.230 --> 06:54.060
Press Enter, and then it says wrong again.

100
06:54.600 --> 06:59.610
If you want to rerun the program, you just click on this button here to rerun the program.

101
07:00.270 --> 07:02.910
And the program will rerun again from the beginning.

102
07:03.840 --> 07:06.210
Then you click this button to run.

103
07:06.330 --> 07:09.120
It will show you this prompt.

104
07:11.720 --> 07:12.830
So now,

105
07:14.340 --> 07:18.300
if you enter anything wrong, any wrong password, hit Enter.

106
07:18.780 --> 07:20.190
You will see a wrong,

107
07:20.370 --> 07:21.660
try again message.

108
07:22.650 --> 07:28.320
So now we are going to learn how to find out the real password for this program.

109
07:29.400 --> 07:32.760
There is a technique called serial fishing.

110
07:33.720 --> 07:40.320
Serial fishing means to try to fish out the serial number or the password or the flag.

111
07:40.590 --> 07:44.970
So serial fishing is the same as password fishing.

112
07:44.970 --> 07:47.310
And flag fishing, they mean the same thing.

113
07:49.650 --> 07:54.210
So in the next lesson, I will show you how to go about doing serial fishing.

114
07:54.780 --> 07:55.980
Thank you for watching.