WEBVTT

1
00:01.700 --> 00:03.200
Hello and welcome back.

2
00:03.200 --> 00:05.960
In this video, we are going to try another project,

3
00:06.080 --> 00:08.000
this crackme by Dajoh.

4
00:08.600 --> 00:14.780
I already provided this for you, so use the version that I downloaded rather than downloading from here.

5
00:16.070 --> 00:22.370
So after unzipping it, you should have a crackme_1 here.

6
00:24.940 --> 00:28.150
And these are the credits given to the developer.

7
00:29.410 --> 00:31.510
So let's run it and see what happens.

8
00:34.120 --> 00:38.740
It asks us to enter a password, so we don't know what it is.

9
00:38.740 --> 00:42.490
So we type 123456789,

10
00:42.490 --> 00:44.890
hit Enter, and it says fail.

11
00:44.890 --> 00:46.210
You entered the wrong password.

12
00:47.500 --> 00:52.960
Next thing to do is to check whether this is a 32-bit or 64-bit program.

13
00:53.560 --> 00:55.660
So we should scan this with DIE.

14
00:56.920 --> 00:59.830
So open up your DIE wherever you installed it.

15
01:03.010 --> 01:07.510
And click this to open the crackme.

16
01:18.620 --> 01:21.350
And you will see that it is a 32-bit program.

17
01:21.830 --> 01:24.170
It is written in Visual C++.

18
01:25.420 --> 01:28.300
So we should use x32dbg.

19
01:30.520 --> 01:31.090
So,

20
01:32.880 --> 01:34.710
now take note of the string

21
01:34.710 --> 01:35.250
here:

22
01:36.450 --> 01:36.870
Fail.

23
01:36.870 --> 01:38.070
You entered the wrong password.

24
01:38.730 --> 01:40.350
So we are going to search for the string.

25
01:41.280 --> 01:43.200
So let us open this now.

26
01:44.640 --> 01:45.720
Let's close this now.

27
01:47.440 --> 01:48.280
And open

28
01:48.280 --> 01:49.420
this crackme_1.

29
01:57.090 --> 01:59.820
Now let's search for the string "fail."

30
02:00.840 --> 02:06.180
So we right-click here, Search for, Current module, String references,

31
02:07.460 --> 02:11.720
and look for the string fail, fail.

32
02:13.550 --> 02:14.390
It has found it.

33
02:14.870 --> 02:18.590
So let's go to that address and scroll up.

34
02:20.160 --> 02:20.910
That's our string.

35
02:22.930 --> 02:26.350
And we scroll up to look for the start of this function.

36
02:27.070 --> 02:29.680
So scroll up and you look for -.

37
02:30.670 --> 02:32.590
So put the breakpoint there.

38
02:36.520 --> 02:37.840
And now we can

39
02:39.590 --> 02:42.290
restart this program and run to that breakpoint.

40
02:43.880 --> 02:45.080
Restart the program.

41
02:45.800 --> 02:50.780
I'm going to resize my window so I can see the program running at the back.

42
02:56.730 --> 02:58.680
So this is the program running there.

43
03:06.580 --> 03:13.270
So we run to our first breakpoint, and here we will turn on the tracing.

44
03:15.050 --> 03:16.760
Trace coverage, select all.

45
03:18.530 --> 03:19.730
Now it turns green.

46
03:19.730 --> 03:25.220
So whenever you trace, it will highlight all the paths that you have taken in green background.

47
03:25.940 --> 03:27.320
Now we are going to graph this.

48
03:27.320 --> 03:29.870
So you right-click, go to graph.

49
03:30.170 --> 03:31.730
And you can see clearer now.

50
03:32.600 --> 03:34.490
Now we step over line by line.

51
03:40.170 --> 03:43.920
And now it draws this line using this call.

52
03:48.270 --> 03:51.060
Now it draws this second line with this call.

53
03:54.690 --> 03:57.330
And it draws this text here from this call.

54
04:01.350 --> 04:03.510
And just this line now from this call.

55
04:08.170 --> 04:12.250
Now it brings the prompt "Enter password" from this call.

56
04:18.170 --> 04:21.560
And now if I keep clicking this, it doesn't move anymore.

57
04:21.590 --> 04:24.950
That means it's waiting for me to enter the password.

58
04:25.670 --> 04:32.990
Since I don't know the password, I will click here and type 1234567890,

59
04:33.260 --> 04:34.010
hit Enter.

60
04:35.600 --> 04:38.900
So now we can resume our tracing.

61
04:41.820 --> 04:45.900
So now it's going to move this string into -.

62
04:46.590 --> 04:48.210
- is the register here.

63
04:48.210 --> 04:50.040
So if I step over this,

64
04:52.580 --> 04:54.230
- now has got the string

65
04:54.230 --> 04:54.560
easy

66
04:54.560 --> 04:55.190
password.

67
04:57.450 --> 05:06.960
Next, it's going to move the first character of -, which is one, into the register

68
05:06.960 --> 05:07.950
-.

69
05:08.280 --> 05:11.370
- is the first byte of the - register.

70
05:12.480 --> 05:16.200
So let's step over this and see that happening.

71
05:17.460 --> 05:23.670
So now it has moved the first byte of - into -.

72
05:23.970 --> 05:25.410
The first byte is one.

73
05:26.820 --> 05:29.790
How do I know it's the first byte? Because of the byte here.

74
05:30.690 --> 05:36.960
When you see byte here, it means that you are taking the first element of this string, which is one

75
05:36.960 --> 05:39.360
byte, and moving it to -.

76
05:40.410 --> 05:46.740
If you see a word here, it means it's taking two bytes, one and two, moving into here, and so on.

77
05:47.580 --> 05:49.860
So now to check what is in -,

78
05:49.860 --> 05:54.270
if you look here, you won't see it because - is the first byte.

79
05:54.810 --> 06:02.100
In order to see what's in the first byte, we can go down to the command terminal here and type

80
06:02.100 --> 06:02.520
-.

81
06:04.720 --> 06:08.320
Hit Enter, and you will see - holds the hex 31.

82
06:08.950 --> 06:10.210
Now hex 31,

83
06:10.300 --> 06:11.590
what is hex 31?

84
06:13.120 --> 06:14.170
Hex 31,

85
06:14.170 --> 06:14.920
let's take a look.

86
06:15.700 --> 06:24.130
If you go and look at the ASCII table for hex 31,

87
06:26.480 --> 06:27.350
it is one.

88
06:28.550 --> 06:35.480
So it has moved the character one, character one into -.

89
06:35.600 --> 06:38.210
That's why you see 31, 31 is one.

90
06:38.930 --> 06:45.710
Next, it's going to compare one with the first byte of, the first byte of - is E.

91
06:46.430 --> 06:49.250
That means it is comparing E with one.

92
06:50.180 --> 06:56.150
So this suggests that it is expecting you to enter E as a first character for the password.

93
06:57.920 --> 06:58.730
Let's see what happens.

94
06:59.540 --> 07:01.580
So what will happen?

95
07:02.420 --> 07:03.140
Let's step over,

96
07:03.170 --> 07:03.800
step over.

97
07:06.820 --> 07:14.830
Step over now, and you will see the comparison fails because - is not equal to the first byte of -.

98
07:15.130 --> 07:19.420
So because it is not equal, JNE will jump. JNE,

99
07:19.420 --> 07:21.520
if you click on this, it says jump is taken.

100
07:22.030 --> 07:24.100
That means it's going to jump down here.

101
07:24.100 --> 07:27.400
So now we can make a note here, a comment here.

102
07:28.930 --> 07:33.550
- has got the value of one.

103
07:36.200 --> 07:40.070
Then after we put the comment, we need to refresh the screen.

104
07:40.910 --> 07:42.410
Then we can see the new comment.

105
07:43.820 --> 07:46.640
And then it's going to compare one with -,

106
07:47.030 --> 07:49.730
so the first byte of - is E.

107
07:50.630 --> 07:55.220
So since one is not equal to E, jump not equal is true.

108
07:55.220 --> 08:01.610
So it's going to jump over to this address 561166, which is here.

109
08:02.660 --> 08:04.130
So it's going to jump there now.

110
08:05.000 --> 08:08.330
And what is it going to do? - to -.

111
08:08.330 --> 08:09.500
It's going to SBB.

112
08:10.100 --> 08:13.940
So SBB is, it will convert this to negative one.

113
08:14.030 --> 08:16.670
Negative one in hex is all F's.

114
08:17.060 --> 08:17.870
Let's take a look.

115
08:18.860 --> 08:20.000
See that it becomes all F's.

116
08:20.000 --> 08:26.540
So whenever you see all F's in the - register, it's bad news. It means something has gone wrong.

117
08:27.860 --> 08:30.680
Now next one is, it's going to OR - with one.

118
08:30.680 --> 08:34.280
So when you OR anything with one, it still retains the same value.

119
08:34.280 --> 08:35.150
No difference.

120
08:35.180 --> 08:35.750
Take a look.

121
08:36.230 --> 08:37.910
Step over now, it's still all F's.

122
08:37.910 --> 08:43.730
So next, it will go here and you will test whether the - is zero.

123
08:44.300 --> 08:46.580
Now - is not zero, it is negative one.

124
08:46.580 --> 08:49.730
Therefore, jump equals will fail.

125
08:51.020 --> 08:52.880
So let's see what happens.

126
08:53.270 --> 08:54.470
Now we click on this.

127
08:54.470 --> 08:56.390
You will see jump is not taken.

128
08:56.660 --> 08:57.050
Why?

129
08:57.080 --> 08:59.120
Because - is not zero.

130
08:59.150 --> 09:00.650
- is negative one.

131
09:01.640 --> 09:04.880
So it will not jump to 56110.

132
09:05.930 --> 09:07.010
It won't jump here.

133
09:08.000 --> 09:14.240
It will not jump to 56110, which is a good message.

134
09:14.270 --> 09:16.130
You see that it will not jump there.

135
09:16.760 --> 09:18.590
Instead, it will go straight.

136
09:18.590 --> 09:20.570
So let's see that happening.

137
09:21.350 --> 09:25.580
So it goes straight, and it's going to show you the bad message: failed.

138
09:26.970 --> 09:28.380
You entered the wrong password.

139
09:29.220 --> 09:29.610
See that?

140
09:30.630 --> 09:34.440
All right, so if you run all the way, you will see this message here.

141
09:34.590 --> 09:35.100
All right.

142
09:35.100 --> 09:40.380
So this gives us a hint that the first character of the password should be E.

143
09:40.410 --> 09:40.890
Correct.

144
09:41.280 --> 09:45.720
From this analysis, we can summarize, we can conclude.

145
09:46.500 --> 09:48.870
So we are going to rerun this.

146
09:48.870 --> 09:53.430
This time we are going to enter E as the first character of the password and see what happens.

147
09:54.510 --> 09:59.040
So let's run to our breakpoint and then graph it.

148
10:01.640 --> 10:04.190
Next, we arrange our windows.

149
10:08.300 --> 10:09.530
Let's step over.

150
10:20.980 --> 10:21.280
All right.

151
10:21.280 --> 10:22.450
So it's reached here.

152
10:22.630 --> 10:29.080
So we can comment this part. We remember from previously, when we analyzed it, that it was waiting for input.

153
10:30.390 --> 10:32.250
Let's put a comment so that it's easier to read.

154
10:32.850 --> 10:34.740
Refresh to see the comment.

155
10:36.410 --> 10:38.210
All right, so now we step over this.

156
10:39.230 --> 10:41.420
It will not move because it's waiting for input.

157
10:41.420 --> 10:42.710
So we click over here.

158
10:42.920 --> 10:45.710
And how do we know it's waiting for input?

159
10:45.710 --> 10:47.630
Because you see it's running down here.

160
10:47.630 --> 10:50.060
It is not paused. When you're stepping over,

161
10:50.060 --> 10:50.960
it should be paused.

162
10:51.080 --> 10:54.140
So let's come here and type the first character as E,

163
10:54.740 --> 10:55.850
and then the rest of it.

164
10:55.850 --> 10:58.340
We deliberately enter the wrong password.

165
10:58.430 --> 11:02.990
So we put two, three, four, five, six, seven, eight, and so on.

166
11:04.280 --> 11:04.910
Hit Enter.

167
11:05.780 --> 11:08.120
So now it's come back to our control, as you can see,

168
11:08.150 --> 11:09.650
paused, so we can continue.

169
11:09.950 --> 11:11.210
Continue stepping over.

170
11:12.020 --> 11:15.290
So step over now. It's going to move

171
11:15.290 --> 11:18.530
easy password into - again. Watch -.

172
11:20.400 --> 11:27.900
Right now it's going to move the first character of -, which is E, into -.

173
11:28.500 --> 11:30.480
So let's see that happening.

174
11:30.480 --> 11:31.560
Step over.

175
11:32.460 --> 11:34.530
And now we check what is in -.

176
11:36.180 --> 11:39.990
Hit Enter, and - now has got the hex value 65.

177
11:40.620 --> 11:43.290
And let's compare 65.

178
11:43.290 --> 11:49.800
What is 65 in hex? 65 will give us

179
11:51.210 --> 12:01.230
E. So 65 is the hex for E, so - now has got the character E after this line.

180
12:01.230 --> 12:02.670
So we update our comment.

181
12:03.960 --> 12:05.520
We put a comma at the back.

182
12:05.730 --> 12:09.180
Previously it was one, now it is E.

183
12:12.250 --> 12:13.090
Refresh.

184
12:15.270 --> 12:15.540
All right.

185
12:15.540 --> 12:17.010
So this is called comment tracing.

186
12:17.010 --> 12:18.780
This technique is called comment tracing.

187
12:19.320 --> 12:24.360
We update the comment each time we iterate through so that we can analyze and understand the algorithm

188
12:24.540 --> 12:26.130
or how the program works.

189
12:26.970 --> 12:30.900
So now we know the character in - is E.

190
12:31.410 --> 12:35.310
Next, it's going to compare E with the first character in -.

191
12:35.610 --> 12:37.920
So the first character in - is also E.

192
12:39.620 --> 12:42.110
So you can see from here as well.

193
12:42.590 --> 12:44.960
So this comparison will succeed.

194
12:45.500 --> 12:46.250
Let's step over.

195
12:46.940 --> 12:51.200
And because the comparison succeeds, jump not equal will not jump.

196
12:51.830 --> 12:52.190
See that.

197
12:52.370 --> 12:52.880
Click on

198
12:52.880 --> 12:54.290
this: jump is not taken.

199
12:54.290 --> 12:56.060
So it's supposed to go straight,

200
12:56.060 --> 12:57.170
and let's do that.

201
12:58.670 --> 12:59.780
So you go straight.

202
12:59.810 --> 13:01.010
Is - zero or not?

203
13:01.010 --> 13:04.100
- is not zero because - is 65.

204
13:04.550 --> 13:11.330
So since - is not zero, it will not jump to 56112.

205
13:11.450 --> 13:13.760
Instead, it will continue to go straight.

206
13:14.990 --> 13:22.190
Now it's going to move the second character of your password to the - register.

207
13:22.760 --> 13:23.660
How do I know that?

208
13:23.660 --> 13:28.970
Because - plus one. - plus one is an offset to the second character.

209
13:29.420 --> 13:36.410
The first character is -, second character is - plus one, third character is - plus two, fourth character

210
13:36.410 --> 13:38.150
is - plus three, and so on.

211
13:38.180 --> 13:40.850
It's just like arrays, even in programming.

212
13:40.880 --> 13:49.190
Array offsets are, you can denote them by putting zero, one, plus one, plus two, plus three, and so on.

213
13:49.280 --> 13:54.050
So the first character of the string is always - plus zero.

214
13:54.530 --> 13:56.390
Second character is - plus one.

215
13:56.390 --> 14:01.010
So - plus one refers to two, two.

216
14:01.040 --> 14:03.920
So it's going to move two into -.

217
14:04.430 --> 14:06.440
So let's step over and see that happening.

218
14:08.670 --> 14:10.620
So let's check now, -.

219
14:12.550 --> 14:12.760
Okay.

220
14:13.210 --> 14:13.570
Yeah,

221
14:13.570 --> 14:15.670
- now has got the hex value 32.

222
14:15.670 --> 14:16.960
So what is 32?

223
14:17.860 --> 14:23.710
So when you look for hex value 32, hex value 32 is two.

224
14:24.280 --> 14:27.970
So it has moved two into the - register.

225
14:28.390 --> 14:31.660
And now it's going to compare two.

226
14:32.560 --> 14:38.950
It's going to compare two with what is in the second character of easy password.

227
14:39.160 --> 14:43.210
So the second character is A, A over here.

228
14:43.360 --> 14:44.110
How do I know?

229
14:44.110 --> 14:47.230
Because it says plus one is an offset to the second character.

230
14:49.240 --> 14:50.410
Just like here,

231
14:50.440 --> 14:52.690
- plus one is offset to the second character.

232
14:52.720 --> 14:53.830
Same also here.

233
14:53.860 --> 14:59.890
- plus one. If - is - plus zero, then it's referring to E.

234
15:01.270 --> 15:06.070
If it's - without any plus at the back, it means - plus zero.

235
15:06.070 --> 15:07.600
So it will refer to E.

236
15:07.600 --> 15:09.130
But now it's - plus one,

237
15:09.130 --> 15:10.960
so it's referring to A.

238
15:11.230 --> 15:20.290
So now it's comparing whether or not the second character of your password that you entered is the same

239
15:20.290 --> 15:21.400
as the A.

240
15:21.910 --> 15:25.120
But in this case, it is not the same.

241
15:25.300 --> 15:26.710
So this comparison fails.

242
15:26.710 --> 15:28.270
So this will be true.

243
15:29.140 --> 15:29.920
It will jump.

244
15:30.070 --> 15:32.740
So we go to this, jump

245
15:32.740 --> 15:35.440
not equal is taken, right?

246
15:35.740 --> 15:37.450
So when it's taken, it goes back here.

247
15:37.450 --> 15:43.030
And this will be bad news because we remember from the last time we first ran,

248
15:43.030 --> 15:49.240
whenever it comes here, SBB will cause - to become negative one, so it will fail.

249
15:49.240 --> 15:49.840
Take a look.

250
15:50.980 --> 15:52.180
- becomes negative one.

251
15:52.180 --> 15:52.660
So this,

252
15:52.660 --> 15:57.490
this suggests that the password, the second character of the password is A.

253
15:57.490 --> 15:58.840
The first character is E.

254
15:58.870 --> 16:00.760
Second character should be A.

255
16:01.150 --> 16:01.690
All right.

256
16:01.690 --> 16:09.220
And from there alone, we can already more or less have a good guess that the entire password should

257
16:09.220 --> 16:10.900
be easy password.

258
16:11.380 --> 16:11.890
All right.

259
16:11.890 --> 16:15.970
So from there we can try it.

260
16:15.970 --> 16:18.190
Now let's run the program.

261
16:21.160 --> 16:26.710
Run the program, run, and then now when this thing comes up,

262
16:30.400 --> 16:31.270
you enter

263
16:31.270 --> 16:32.110
easy password.

264
16:32.890 --> 16:35.500
Easy password.

265
16:35.500 --> 16:36.280
Hit Enter.

266
16:36.430 --> 16:37.810
Congratulations!

267
16:38.260 --> 16:43.450
So we have successfully fished out the password using comment tracing.

268
16:44.140 --> 16:48.700
Okay, now there are other easy ways to solve this using a hex editor.

269
16:48.910 --> 16:52.990
And if you use a hex editor, you can search for all the strings in the file,

270
16:53.140 --> 16:55.870
and you might find this string there.

271
16:56.140 --> 17:01.870
But if you use the x64dbg way to solve it, it is more difficult,

272
17:01.870 --> 17:08.380
but it will give you good skills which you can use later on when you are dealing with more complex,

273
17:08.500 --> 17:15.100
complex, complicated crackmes where the strings are not easily visible in a hex editor.

274
17:15.580 --> 17:22.870
So that's why I go through the troublesome way of tracing it, so that you can gain the skill to do

275
17:22.870 --> 17:25.030
the more complicated crackmes later on.

276
17:25.270 --> 17:28.390
So that's all for this video.

277
17:28.420 --> 17:30.490
Thank you for watching.