WEBVTT

1
00:01.640 --> 00:03.290
Hello and welcome back.

2
00:03.470 --> 00:09.980
Now that we have already enabled the register button, we can try to register.

3
00:10.730 --> 00:16.880
So we type in "user" and any random numbers.

4
00:17.720 --> 00:20.960
When we hit Enter, we hit the register button.

5
00:20.960 --> 00:23.150
We get this error message: "Wrong serial."

6
00:24.050 --> 00:27.800
And then when you click OK, it gives us this nag.

7
00:30.710 --> 00:36.680
So the next goal is to get rid of this—this nag over here.

8
00:37.400 --> 00:47.150
So in order to do that, we need to open this program with -dbg and then search for where in the code

9
00:47.330 --> 00:49.190
this nag comes from.

10
00:49.340 --> 00:52.730
So just remember the string here: "Get rid."

11
00:52.790 --> 00:56.480
We are going to search for this string in the -dbg.

12
00:57.200 --> 00:58.820
So let's open our -dbg

13
00:58.850 --> 00:59.300
now.

14
01:00.490 --> 01:01.720
Let's close this.

15
01:06.230 --> 01:08.990
And then open the crackme.

17
01:12.300 --> 01:14.670
And then search for "Get rid."

18
01:15.090 --> 01:22.920
So we right-click here, Search for > Current Module > String References.

19
01:24.450 --> 01:27.870
And then we filter out the string

20
01:27.870 --> 01:28.620
"Get rid."

21
01:30.690 --> 01:31.920
And we found it here.

22
01:31.950 --> 01:33.210
"Get rid of this."

23
01:33.210 --> 01:34.860
So this is the one we want.

24
01:35.160 --> 01:39.600
Let's go to that address by clicking on anywhere in this line.

25
01:40.710 --> 01:44.670
And you will see that the string is found at this memory address.

26
01:45.960 --> 01:49.380
And then just above it, we see a jump that can bypass it.

27
01:50.400 --> 01:57.000
So could it be so simple that we can just do a surface patch to reverse this jump?

28
01:57.780 --> 01:58.740
We can try.

29
01:58.860 --> 02:02.970
So let's just put a breakpoint here to test it out. Toggle.

30
02:03.540 --> 02:04.680
And now we run.

31
02:05.520 --> 02:13.830
And then we come here. We enter any username and any number.

32
02:15.360 --> 02:16.830
And we hit Register.

33
02:17.100 --> 02:18.000
Hit OK.

34
02:18.450 --> 02:19.590
It hits our breakpoint.

35
02:19.980 --> 02:21.510
So now it hits our breakpoint.

36
02:21.510 --> 02:29.160
We want to test whether or not we can just simply jump over this bad message.

37
02:29.250 --> 02:33.270
So at the moment, if you click on this, you will see that jump is not taken.

38
02:33.360 --> 02:37.530
That means it's not going to jump; it's going to go straight and show this bad message.

39
02:37.770 --> 02:45.840
So in order to test to reverse this jump for testing purposes, before we patch it, we can toggle the

40
02:45.840 --> 02:46.530
zero flag.

41
02:46.530 --> 02:47.460
Now it is zero.

42
02:47.460 --> 02:49.560
So we toggle it to one.

43
02:49.560 --> 02:51.660
So now it's going to jump over.

44
02:51.660 --> 02:52.800
Jump is taken.

45
02:52.800 --> 02:54.300
So let's step over.

46
02:54.300 --> 02:56.790
So it has jumped over this bad message.

47
02:57.360 --> 02:58.620
Let's jump over this call.

48
02:59.370 --> 03:02.250
This is a call which shows this string.

49
03:02.310 --> 03:11.100
So now we run all the way, and we come here and see we have successfully bypassed the bad message.

50
03:11.820 --> 03:15.090
So now we can patch this to make it permanent.

51
03:15.210 --> 03:18.840
So to patch this, we are going to reverse the jump.

52
03:19.830 --> 03:21.870
So this is a jump equal.

53
03:22.170 --> 03:27.090
We want it to jump irrespective of whatever condition.

54
03:27.210 --> 03:32.070
So we can assemble a jump here—an unconditional jump.

55
03:33.000 --> 03:37.650
So we can just put a comment just for our understanding.

56
03:43.290 --> 03:44.130
"Jump this."

57
03:44.940 --> 03:46.500
OK. Now we assemble a jump.

58
03:46.500 --> 03:49.650
We press spacebar and convert this.

59
03:49.650 --> 03:55.470
Make sure you check "Keep size" and "Fill with NOPs" in case the size is smaller.

60
03:56.880 --> 04:00.480
After we assemble, so we put JMP.

61
04:03.600 --> 04:05.370
And instruction—same size.

62
04:05.460 --> 04:06.780
So we click OK.

63
04:06.780 --> 04:10.800
And now we assemble the jump there, so we can patch it.

64
04:10.800 --> 04:13.500
Now, File.

65
04:14.840 --> 04:15.620
Patch File.

66
04:16.790 --> 04:23.660
Patch, and then select it and give it a new name with "-1" at the back.

67
04:25.650 --> 04:26.340
Click Save.

68
04:27.350 --> 04:28.280
Click OK.

69
04:29.090 --> 04:30.290
Now you can test it out.

70
04:31.010 --> 04:34.070
We close everything and we try our new patch.

71
04:35.330 --> 04:36.770
And there you go.

72
04:37.280 --> 04:38.390
Our patch is running.

73
04:38.390 --> 04:39.650
So now we open.

74
04:39.650 --> 04:43.430
Now we key in our username and type in any password.

75
04:43.970 --> 04:48.980
Hit Register, click OK, and the nag screen is gone.

76
04:48.980 --> 04:50.360
So it is working.

77
04:50.360 --> 04:56.960
So this is how we can do a surface patch to bypass—to get rid of a nag screen.

78
04:57.800 --> 04:59.720
So that's all for this video.

79
04:59.750 --> 05:06.230
I'll see you in the next one where we will solve the remaining challenges.

80
05:07.820 --> 05:09.200
Thank you for watching.