WEBVTT

00:01.370 --> 00:02.720
Hello and welcome back.

00:02.720 --> 00:05.780
In this video, I'm going to show you how to patch files.

00:06.170 --> 00:07.910
So we'll open the crackme.

00:11.270 --> 00:13.910
And you search for the bad string.

00:14.570 --> 00:15.320
Right-click,

00:16.130 --> 00:19.160
Search for, Current module, String references.

00:19.700 --> 00:21.620
And the bad string is "wrong".

00:21.860 --> 00:29.480
It'll be "wrong", so just double-click on it to head over to that address in memory where the string is

00:29.480 --> 00:29.990
found.

00:30.770 --> 00:35.690
Now we scroll up and look for the start of the function, which is push -.

00:36.950 --> 00:38.870
We right-click and we graph it.

00:41.700 --> 00:42.990
As we have seen before,

00:44.580 --> 00:52.080
whether or not this jump goes to the left or to the right depends on the compare operation

00:52.080 --> 00:52.530
here.

00:53.310 --> 01:01.290
So if the comparison shows that - is the same as 42, then it will go to the right.

01:03.180 --> 01:08.940
If the comparison shows that - and 42 are not the same, then it goes to the left.

01:10.050 --> 01:12.330
So JNE means jump not equal.

01:12.330 --> 01:15.450
That means - is not equal to 42.

01:15.840 --> 01:23.850
Now if we want to reverse the jump, we must convert this JNE to become jump equal, JE.

01:24.450 --> 01:32.700
So if it's jump equal, it means that whenever the password is the same as 42, whenever - is the same as

01:32.700 --> 01:36.150
42, then it will go and jump to the left.

01:36.990 --> 01:44.610
But if the password, -, is not the same as 42, then it will jump to the right and show a good message.

01:44.640 --> 01:49.170
So this is how we reverse the logic just by reversing the jump.

01:49.830 --> 01:55.020
So in order to reverse the jump, first we put a comment here.

01:55.020 --> 01:56.730
Right-click, put a comment.

01:56.730 --> 01:59.250
You can also use semicolon to put a comment.

01:59.700 --> 02:04.950
And then type the comment to remind yourself that I'm supposed to convert this to JE.

02:06.690 --> 02:08.640
So this is how normally I do it.

02:08.670 --> 02:14.100
So after you have put your comment there, then you have to head back to the assembly view in order

02:14.100 --> 02:17.370
to patch it, in order to convert this to JE.

02:17.580 --> 02:21.240
So what you can do is right-click here and follow in disassembler.

02:21.960 --> 02:23.970
And there you see JE is over there.

02:24.780 --> 02:30.150
So now over here you can just convert this to JE by pressing spacebar.

02:31.800 --> 02:32.850
Press spacebar,

02:32.850 --> 02:38.370
and then make sure you check this box here and this box and this box.

02:38.370 --> 02:42.330
And then you remove the N, then click Okay.

02:43.500 --> 02:45.480
Now make sure the instructions are the same size.

02:45.480 --> 02:51.030
If it is bigger, then it will fail because it will overwrite the next byte.

02:51.060 --> 02:52.620
Currently it needs two bytes.

02:52.710 --> 02:56.520
So JE and JNE are both occupying just two bytes.

02:57.420 --> 02:59.790
Just click Okay, and you are done.

03:00.420 --> 03:02.100
So now you can patch this.

03:02.220 --> 03:05.040
Go to File, Patch file.

03:05.190 --> 03:14.640
Click Patch File and let's give it a new name, crackme_1, and click Save.

03:17.880 --> 03:21.960
Now we can close this and run the patch directly

03:24.630 --> 03:25.410
from here.

03:27.240 --> 03:29.670
So let's key in any wrong password.

03:30.810 --> 03:34.200
Hit Enter, and notice it shows you a good message.

03:34.530 --> 03:40.440
So this is how we can use a patch to reverse the jump.

03:40.440 --> 03:44.970
That means no matter what password you enter, it will still show you the good message.

03:45.690 --> 03:51.750
All right, so this is called a surface patch because we did not analyze very deep into the reason why

03:51.750 --> 03:53.730
it is showing good or bad messages.

03:53.760 --> 03:56.370
We just patch the first jump we can reverse.

03:56.400 --> 03:59.880
So in future lessons, we will look at more details,

03:59.880 --> 04:07.800
how to do deep patching, where we have to analyze in a deep manner by entering the calls and so

04:07.800 --> 04:14.670
on to analyze why it is jumping left or showing good message or showing a bad message or jumping

04:14.670 --> 04:16.020
to the right, and so on.

04:16.440 --> 04:18.330
So that's all for this video.

04:18.330 --> 04:19.620
Thank you for watching.