WEBVTT

1
00:00.950 --> 00:03.410
Hello and welcome back to a new project.

2
00:03.410 --> 00:09.980
In this project, we are going to learn how to do deep tracing for username and password.

3
00:10.700 --> 00:17.120
So we are going to trace many levels deep into the functions in order to trace the username and password.

4
00:17.450 --> 00:23.420
So this—I am giving credit to the author for this crackme that we are going to try next: Creeps.

5
00:24.110 --> 00:28.520
So use the version that I already provided for you from the resource section.

6
00:29.300 --> 00:33.350
Unzip it and then put it in your crackme folder on your desktop.

7
00:34.070 --> 00:35.870
Let's run it and see what it does.

8
00:36.260 --> 00:41.300
Before that, make a copy of it so that in case you make a mistake, you still have a backup copy.

9
00:41.840 --> 00:42.680
So let's run it.

10
00:42.680 --> 00:45.530
Now it asks for the username.

11
00:45.530 --> 00:48.620
So we just type in any username.

12
00:50.870 --> 00:54.680
Hit Enter, and it says "User not registered."

13
00:54.680 --> 00:56.450
It didn't even ask for the password.

14
00:56.990 --> 00:58.700
It just says "User not registered."

15
00:58.940 --> 01:05.750
So the next thing you do is to check with Detect It Easy and to confirm that it is a 32-bit program.

16
01:06.140 --> 01:07.190
So go ahead and do that.

17
01:07.190 --> 01:10.280
I've already done it and confirmed that it's a 32-bit program.

18
01:10.280 --> 01:13.910
So I'm going to use -32 debug to open this.

19
01:13.910 --> 01:20.750
And we are going to search for this string "registered" in this program.

20
01:26.420 --> 01:28.970
OK, so now search for the string "registered."

21
01:29.450 --> 01:35.780
Search for > Current Module > String References, and look for "registered."

22
01:37.650 --> 01:38.820
Registered.

23
01:39.510 --> 01:40.650
And there you have it.

24
01:40.650 --> 01:41.970
"User not registered."

25
01:42.180 --> 01:43.470
Same as this.

26
01:43.800 --> 01:48.600
So go ahead and click on this to go to that address where the string is found.

27
01:49.080 --> 01:52.620
And if you scroll up now, you will see this is the bad string.

28
01:52.620 --> 01:54.240
And on top, you have a good string.

29
01:55.020 --> 02:01.950
And then now we're going to scroll up and look for the start of this function, which is the push -.

30
02:02.550 --> 02:06.360
Then give a comment there to label it as "main."

31
02:07.080 --> 02:08.370
So I've done that already.

32
02:08.460 --> 02:12.240
So you just graph it now and try to see the

33
02:13.410 --> 02:14.160
logic.

34
02:14.400 --> 02:15.330
So we trace it.

35
02:15.360 --> 02:18.390
Now we put the

36
02:20.960 --> 02:22.190
trace—coverage password.

37
02:24.590 --> 02:26.210
OK, now it hits our breakpoint.

38
02:27.650 --> 02:29.360
So it has hit our breakpoint.

39
02:29.900 --> 02:31.100
We will step over.

40
02:34.370 --> 02:36.350
And watch the output here.

41
02:49.960 --> 02:51.430
Step over this.

42
02:52.390 --> 02:53.350
Step over this.

43
02:53.350 --> 02:56.920
And immediately after this call, the username prompt is showing.

44
02:56.920 --> 03:02.140
So just put a label here to remind yourself that this is the line where the username shows.

45
03:02.950 --> 03:06.280
So now, keep on running.

46
03:06.280 --> 03:09.520
Keep on stepping over until you see this thing in the running state

47
03:12.110 --> 03:13.520
on the bottom left.

48
03:20.650 --> 03:22.360
OK, now it's in the running state.

49
03:22.390 --> 03:26.680
It means that it is waiting for you to enter a username.

50
03:27.790 --> 03:29.380
So let's enter a username.

51
03:31.000 --> 03:32.860
"Cracker."

52
03:34.830 --> 03:40.500
And once you hit Enter, it goes back to a paused state, and it waits for you to debug.

53
03:41.190 --> 03:42.360
So let's step over.

54
03:45.140 --> 03:45.470
OK.

55
03:45.470 --> 03:50.000
So now over here, let's graph this and follow the graph view.

56
03:50.990 --> 03:55.310
We are now here, and it's going to come over here.

57
03:55.310 --> 03:56.750
So let's step over.

58
03:58.500 --> 04:07.500
And then step over again, and notice that after this step over, the value in - becomes zero.

59
04:10.080 --> 04:17.910
It then moves the value zero to -, and then now it's going to test whether - is zero.

60
04:18.480 --> 04:21.720
If - is zero, - is zero is true.

61
04:21.870 --> 04:26.190
It's going to jump to D995D9.

62
04:26.490 --> 04:28.410
So it's going to jump to the left.

63
04:28.410 --> 04:31.080
And it's going to show you this bad message:

64
04:31.080 --> 04:32.370
"User not registered."

65
04:32.850 --> 04:35.610
If you look up on the right, you will see it coming up.

66
04:38.730 --> 04:40.530
Here you are. After this call,

67
04:40.920 --> 04:43.170
this bad message shows up.

68
04:43.680 --> 04:44.730
"User not registered."

69
04:44.730 --> 04:46.890
So put a comment here to remind yourself.

70
04:46.890 --> 04:49.650
This is the line where it says "User not registered."

71
04:50.160 --> 04:56.100
So it means that this is the call which checks the username.

72
04:56.100 --> 05:04.620
Because after this call, the - becomes zero, and because - is zero, - is zero, and because - is

73
05:04.620 --> 05:05.640
zero, it jumps to the left.

74
05:05.640 --> 05:11.340
That means if you want to know what the username is, we have to step into this to investigate.

75
05:11.340 --> 05:14.760
Why does this make -

76
05:15.120 --> 05:16.980
why does it make - zero?

77
05:16.980 --> 05:18.480
So we put a breakpoint here.

78
05:18.480 --> 05:22.440
Now we are going to run to this breakpoint now.

79
05:22.530 --> 05:30.210
So let's close everything and restart. Run, run.

80
05:32.260 --> 05:34.750
Now we enter any username.

81
05:37.900 --> 05:41.380
And then it hits our call here: "Check username."

82
05:41.800 --> 05:47.230
So we have to step into this to see why it is setting - to zero.

83
05:47.230 --> 05:48.190
So we step into it.

84
05:48.970 --> 05:50.590
So I'm going to jump there.

85
05:50.590 --> 05:52.690
So step over and jump there.

86
05:53.410 --> 05:57.370
So this is the function which checks for username.

87
05:57.490 --> 06:01.300
And also later on, I found out it also checks for password.

88
06:01.540 --> 06:04.450
But the first time it runs, it is checking for username.

89
06:04.690 --> 06:07.210
So now let's go and trace this.

90
06:07.210 --> 06:10.300
Let's first graph it and see the control flow.

91
06:11.140 --> 06:13.030
So it's very linear—straight line.

92
06:13.030 --> 06:14.140
So we don't need to graph it.

93
06:14.140 --> 06:18.970
Go back to Disassembly view and step over.

94
06:21.520 --> 06:21.880
Introduce.

95
06:21.880 --> 06:22.180
OK.

96
06:22.180 --> 06:27.790
So we have to determine which of the calls causes - to become zero.

97
06:27.790 --> 06:29.380
So step over, and you will find

98
06:31.980 --> 06:34.890
you will know that it is after this call.

99
06:35.010 --> 06:37.080
It has become zero because I have done it before.

100
06:37.080 --> 06:40.770
I know. I put a comment there, so you can do the same.

101
06:41.340 --> 06:43.650
Step over and see if it became zero.

102
06:43.650 --> 06:46.800
That means this is the call which sets the - to become zero.

103
06:47.040 --> 06:52.980
So we have to go into this now and trace why - is becoming zero.

104
06:54.030 --> 06:54.390
All right.

105
06:54.390 --> 06:57.930
So let's restart. Run.

106
07:05.970 --> 07:07.830
Now enter the

107
07:09.000 --> 07:10.590
enter the username "cracker."

108
07:11.970 --> 07:13.140
Step into this.

109
07:16.410 --> 07:19.290
And then now it's checking for your username.

110
07:19.410 --> 07:21.000
So we're going to go to this line.

111
07:21.000 --> 07:25.650
So run to that line and step into it to see why - becomes zero.

112
07:26.340 --> 07:27.690
So step into it.

113
07:28.200 --> 07:30.300
Step over. OK.

114
07:30.300 --> 07:33.330
So now we're not sure whether this is string compare, but just temporarily

115
07:33.330 --> 07:36.240
give it a name "string compare function."

116
07:36.840 --> 07:41.700
And then here also we have to trace which line says - becomes zero.

117
07:41.700 --> 07:47.910
So let's graph it first to see the control flow logic. It's also linear.

118
07:47.910 --> 07:51.900
So there's no advantage in graphing it because it's linear.

119
07:51.900 --> 07:54.240
So let's go back to Disassembly view.

120
07:55.170 --> 07:59.280
So let's step over and see which line causes - to become zero.

121
08:04.950 --> 08:06.060
Just step over.

122
08:13.280 --> 08:17.270
And you will find it is this line where - becomes zero.

123
08:18.410 --> 08:19.910
So let's see it happening.

124
08:26.010 --> 08:29.460
Step over, and straight away you see - becomes zero.

125
08:30.090 --> 08:30.390
OK.

126
08:30.390 --> 08:33.000
So this is the line which causes - to become zero.

127
08:33.000 --> 08:35.850
So now our next target is to go into this.

128
08:36.960 --> 08:44.160
So we set our breakpoint here. At this function, we are going to investigate this next.

129
08:44.160 --> 08:48.630
So restart. You notice we are stepping into three levels deep.

130
08:49.440 --> 08:51.930
So this is part of tracing—deep tracing.

131
08:54.070 --> 08:55.990
And then enter the username.

132
08:57.370 --> 08:58.120
Hit Enter.

133
09:00.290 --> 09:01.610
And then check the username.

134
09:01.610 --> 09:05.000
Step into this. Jump.

135
09:05.810 --> 09:07.130
Run to this line.

136
09:08.600 --> 09:09.680
Step into it.

137
09:14.090 --> 09:17.360
Step over, and then go to this line.

138
09:17.480 --> 09:22.940
So you run to that line and step into it and see why - becomes zero.

139
09:23.480 --> 09:24.500
Step into it.

140
09:26.240 --> 09:27.080
Step over.

141
09:27.980 --> 09:28.760
All right.

142
09:28.880 --> 09:31.520
And now we can graph it.

143
09:32.780 --> 09:33.980
We can graph it.

144
09:35.680 --> 09:41.500
And we see the logic—which module, which box sets the - to become zero.

145
09:41.500 --> 09:44.080
And we can see probably this one.

146
09:46.410 --> 09:46.740
Right?

147
09:46.740 --> 09:53.760
Because over here it says it moves zero to this stack, and then it moves the stack to -.

148
09:54.270 --> 09:56.430
That means, what if this is zero?

149
09:56.940 --> 09:58.680
This will be zero as well.

150
09:58.710 --> 09:59.730
- will be zero.

151
09:59.730 --> 10:02.580
So this is the one that sets - to zero.

152
10:03.600 --> 10:05.370
So let's compare and see.

153
10:05.370 --> 10:07.110
Let's step over and see that happening.

154
10:12.430 --> 10:15.820
OK, this is my comment from my previous analysis.

155
10:15.820 --> 10:17.050
Just ignore it for now.

156
10:17.380 --> 10:22.300
So now you will see when it came over here, jump not equal is taken.

157
10:22.510 --> 10:24.310
That means it's going to jump here.

158
10:25.660 --> 10:27.160
It's going to jump here. OK.

159
10:27.580 --> 10:28.930
And it's going to jump.

160
10:29.410 --> 10:32.950
And you can see it sets zero to this stack.

161
10:33.250 --> 10:39.250
And then when you step over, it moves zero into -.

162
10:39.250 --> 10:40.870
So take a look at - now.

163
10:43.150 --> 10:44.320
It becomes zero.

164
10:44.590 --> 10:47.470
All right, so now we know this.

165
10:48.010 --> 10:50.470
This jump moves to the left.

166
10:50.500 --> 10:53.980
If we don't want it to go to the left, we have to examine

167
10:54.040 --> 10:57.580
why does it go to the left?

168
10:58.300 --> 11:01.270
It goes to the left because of this comparison: jump not equal.

169
11:01.510 --> 11:04.420
That means - is not equal to - plus 14.

170
11:04.420 --> 11:05.890
That's why it goes to the left.

171
11:06.610 --> 11:13.210
So we have to know what is the - and what is - plus 14.

172
11:13.990 --> 11:14.500
All right.

173
11:14.500 --> 11:18.580
So let's now put a breakpoint here.

174
11:19.660 --> 11:20.950
We are going to jump.

175
11:21.130 --> 11:26.410
We are going to come here now and analyze what is inside

176
11:26.860 --> 11:28.120
- plus 14.

177
11:29.050 --> 11:30.340
So let's restart.

178
11:31.180 --> 11:32.770
Remember the name of the function: "String

179
11:32.770 --> 11:35.980
compare inner function." OK.

180
11:43.060 --> 11:43.660
Enter

181
11:43.660 --> 11:44.440
username.

182
11:44.620 --> 11:45.190
"Cracker."

183
11:49.260 --> 11:50.130
Right here.

184
11:50.160 --> 11:51.120
Step into.

185
11:59.200 --> 12:03.190
Step over, and then run to this line.

186
12:05.640 --> 12:06.600
Step into it.

187
12:09.620 --> 12:13.460
Step over, and then run to this line.

188
12:14.450 --> 12:15.860
Step into this.

189
12:16.010 --> 12:18.050
So we are going deeper and deeper.

190
12:18.260 --> 12:19.580
Step over.

191
12:20.660 --> 12:22.190
Now we are at the correct function.

192
12:22.460 --> 12:26.330
So we want to analyze what is inside - plus 14.

193
12:27.140 --> 12:31.040
So let's step back line by line until we reach that line.

194
12:35.600 --> 12:36.020
OK.

195
12:36.020 --> 12:44.330
So at this point now—remember, let me graph this so you can remember what we are trying to do.

196
12:49.200 --> 12:50.580
Click on this and graph.

197
12:52.450 --> 12:54.100
All right, so we know we are here.

198
12:54.760 --> 12:58.060
We are trying to find out why it is going to the left.

199
12:58.090 --> 13:02.080
It's going to the left because - is not the same as - plus 14.

200
13:02.530 --> 13:05.230
So we want to know what is inside - plus 14.

201
13:05.920 --> 13:10.330
OK, so you look at -. It's called seven.

202
13:10.690 --> 13:14.140
Now seven is probably the

203
13:14.140 --> 13:18.310
length of our username. "Cracker" has got seven characters.

204
13:18.310 --> 13:21.940
So - stores the length of our username.

205
13:22.510 --> 13:28.150
Let's suggest that - plus 14 is the length of the actual username.

206
13:28.360 --> 13:35.470
So to find out what is the length of the actual username, we can come down here and type the command: same

207
13:35.470 --> 13:43.750
as this - plus 14—in square brackets—in square bracket [- plus 14].

208
13:44.920 --> 13:46.030
And then we hit Enter.

209
13:46.030 --> 13:48.820
We can see that - plus 14 is four.

210
13:49.270 --> 13:53.680
This suggests that the value stored at this stack is four.

211
13:53.680 --> 13:55.570
So it's comparing four with seven.

212
13:55.930 --> 13:58.390
Our username is seven characters.

213
13:58.390 --> 14:02.260
This suggests that the actual username is only four characters.

214
14:02.650 --> 14:03.340
All right.

215
14:03.340 --> 14:10.480
So if we put a four-character username, then probably it won't jump to the left.

216
14:10.480 --> 14:11.380
It will go straight.

217
14:11.380 --> 14:13.180
So let's test our hypothesis.

218
14:13.750 --> 14:14.950
So now we're going to restart.

219
14:15.970 --> 14:17.350
And then we're going to run.

220
14:18.340 --> 14:29.620
And we're going to enter a four-character username. Four-character name is CRAK. CRAK—four characters. Hit Enter.

221
14:30.880 --> 14:32.680
OK, so now we are here.

222
14:34.390 --> 14:36.370
Let's run again.

223
14:38.880 --> 14:39.090
OK.

224
14:39.090 --> 14:40.200
Step into this.

225
14:41.730 --> 14:42.690
Step over.

226
14:44.280 --> 14:45.510
Run to here.

227
14:48.410 --> 14:49.730
Step into this.

228
14:51.810 --> 14:52.740
Step over.

229
14:54.870 --> 14:58.560
OK, so now we are going to come here and see what happens.

230
15:04.360 --> 15:06.820
We are going to come here—just like in the comparison line.

231
15:09.780 --> 15:12.120
OK, now you see our - is four.

232
15:12.450 --> 15:19.230
That means we were right in assuming that this - is the length of our username.

233
15:19.230 --> 15:20.340
So this is four.

234
15:20.460 --> 15:22.440
And what is - plus 14?

235
15:23.850 --> 15:26.430
Press the up arrow key to retrieve the previous command.

236
15:26.430 --> 15:31.980
Hit Enter, and - plus 14 is four. So - is four, - plus 14 is four.

237
15:31.980 --> 15:32.730
So they are equal.

238
15:32.730 --> 15:34.080
So it's not going to jump.

239
15:34.200 --> 15:35.220
Let's take a look.

240
15:36.330 --> 15:38.280
Click on this. Jump not taken.

241
15:38.310 --> 15:38.670
Correct.

242
15:38.790 --> 15:40.800
So now we click on this and graph it.

243
15:42.000 --> 15:43.290
Right-click, graph it.

244
15:45.240 --> 15:48.300
OK, so now we are here at string compare inner function.

245
15:48.300 --> 15:49.350
Let's step over

246
15:52.710 --> 15:54.390
until we come to this line.

247
15:57.960 --> 16:02.280
So - is four now—same as our username.

248
16:02.280 --> 16:09.390
Four characters long. - plus 14, as we have seen previously, is also four.

249
16:09.840 --> 16:15.000
So because they are the same, it is not supposed to jump here.

250
16:15.840 --> 16:16.560
Let's see.

251
16:17.010 --> 16:18.360
It's supposed to go straight.

252
16:21.750 --> 16:22.080
OK.

253
16:22.080 --> 16:23.100
It's going straight.

254
16:27.000 --> 16:27.570
All right.

255
16:27.600 --> 16:31.980
Now over here, it's going to test again over here

256
16:32.460 --> 16:35.010
whether to go left or right.

257
16:35.010 --> 16:37.680
So we click on this. It says "Jump is taken."

258
16:37.680 --> 16:39.600
That means it's going to go left also.

259
16:39.690 --> 16:44.880
That means probably this function here is testing for the actual username.

260
16:44.970 --> 16:47.160
This part here is comparing the length.

261
16:47.250 --> 16:52.380
And this part here is comparing—checking for the actual username. OK.

262
16:52.380 --> 16:56.400
So in this case, test -. Is - zero?

263
16:56.730 --> 16:58.350
No, it's one.

264
16:58.350 --> 17:00.000
So that's why it's going to the left.

265
17:00.000 --> 17:02.490
So it is this call that sets it to one.

266
17:02.490 --> 17:04.530
So we have to examine this next.

267
17:04.920 --> 17:08.220
So we put a breakpoint here now and come back to this.

268
17:08.520 --> 17:10.890
So here is now where it's going.

269
17:10.890 --> 17:12.240
Let's put a comment there.

270
17:12.780 --> 17:15.120
"Check actual

271
17:17.730 --> 17:18.420
actual

272
17:19.300 --> 17:20.050
username."

273
17:22.490 --> 17:25.070
OK, refresh to see the comment.

274
17:27.300 --> 17:28.200
Refresh.

275
17:28.890 --> 17:31.080
All right, so we're coming back here afterwards.

276
17:31.080 --> 17:36.630
So let's restart and run.

277
17:37.530 --> 17:38.400
Run.

278
17:39.090 --> 17:44.460
Enter our username: CRAK.

279
17:44.670 --> 17:45.540
Hit Enter.

280
17:49.170 --> 17:52.260
And then now we are going to read the input.

281
17:52.260 --> 17:53.610
So we run again.

282
17:54.240 --> 17:55.650
Step into this.

283
17:57.670 --> 18:01.600
Step over, and then run to this line.

284
18:04.200 --> 18:05.640
Step into this.

285
18:06.840 --> 18:11.370
Step over, and then we're going to run to this line.

286
18:14.320 --> 18:14.860
OK.

287
18:14.860 --> 18:15.760
Run again.

288
18:15.910 --> 18:21.280
So now we have to step into this to see how it compares the username.

289
18:21.280 --> 18:22.390
We know it's four characters.

290
18:22.540 --> 18:24.250
Now we want to know the actual username.

291
18:24.490 --> 18:25.840
So we step into it.

292
18:26.500 --> 18:27.520
Step over.

293
18:28.270 --> 18:28.750
All right.

294
18:28.750 --> 18:33.940
So now here it is checking the actual username, so we can graph it.

295
18:36.940 --> 18:37.690
It's linear.

296
18:37.690 --> 18:39.430
So there's no advantage in graphing.

297
18:39.430 --> 18:42.550
So we go back to Disassembly view.

298
18:43.030 --> 18:43.330
OK.

299
18:43.330 --> 18:47.710
So let's step over now and see how or where it is comparing.

300
19:06.430 --> 19:10.390
OK, after this call, you realize that - became one.

301
19:11.020 --> 19:11.470
OK.

302
19:11.470 --> 19:12.790
It became one.

303
19:13.180 --> 19:14.230
And then

304
19:14.230 --> 19:16.240
so now it continues stepping over.

305
19:23.680 --> 19:24.340
All right.

306
19:24.340 --> 19:26.740
So now it's going to return one in -.

307
19:28.480 --> 19:30.310
It's going to return one in -.

308
19:31.090 --> 19:33.430
And then if we graph this.

309
19:38.910 --> 19:40.620
It's going to return one in -.

310
19:40.620 --> 19:43.260
So you can see what happens here.

311
19:43.950 --> 19:46.050
So because - is not zero—

312
19:46.080 --> 19:48.090
- is one—it's going to go to the left.

313
19:48.210 --> 19:55.470
So that means that the previous call, if the username is not the same—not the correct username—then the

314
19:55.470 --> 19:57.120
result will be - one.

315
19:57.570 --> 19:57.960
OK.

316
19:57.960 --> 20:02.550
So we have to go back and re-examine the previous function.

317
20:02.550 --> 20:05.460
So now it's going to the left, and it's going to set zero to this.

318
20:05.460 --> 20:07.860
And it's going to move zero to -.

319
20:07.860 --> 20:08.790
And that is bad.

320
20:09.240 --> 20:09.630
All right.

321
20:09.630 --> 20:12.960
So let's go back and restart and analyze again.

322
20:21.240 --> 20:24.210
So let's enter the username "CRAK."

323
20:24.750 --> 20:25.410
Hit Enter.

324
20:29.670 --> 20:31.770
And run again.

325
20:32.460 --> 20:34.020
Step into this.

326
20:35.220 --> 20:36.270
Step over.

327
20:37.230 --> 20:38.520
Run to here.

328
20:40.260 --> 20:41.640
Step into this.

329
20:43.080 --> 20:44.070
Step over.

330
20:45.360 --> 20:46.740
Run to this.

331
20:48.780 --> 20:49.830
Run again.

332
20:50.220 --> 20:51.690
Step into this.

333
20:52.680 --> 20:53.640
Step over.

334
20:54.480 --> 20:59.100
OK, so now this is where it checks for the actual username.

335
20:59.370 --> 21:03.690
And remember, this line sets it to one.

336
21:04.410 --> 21:10.890
OK, so before that, it passes a few parameters for this call up here.

337
21:10.890 --> 21:12.450
So let's see what's happening.

338
21:18.850 --> 21:19.240
OK.

339
21:19.510 --> 21:23.470
As you can see, it is moving this to -. Step.

340
21:23.470 --> 21:27.220
This is - now. It has got this four-character "NICK."

341
21:27.700 --> 21:29.230
This is the username.

342
21:30.760 --> 21:34.540
And then it moves our username to here.

343
21:35.560 --> 21:35.890
Great.

344
21:35.890 --> 21:38.560
So now it's got two parameters on the stack.

345
21:42.940 --> 21:43.690
Two parameters.

346
21:43.690 --> 21:45.070
"CRAK" and "NICK" on the stack.

347
21:45.070 --> 21:46.510
Ready for this call.

348
21:46.540 --> 21:50.800
So from here we can more or less deduce that the username is "NICK."

349
21:50.800 --> 21:51.760
"NICK."

350
21:51.760 --> 21:54.760
Because after this call, it returns one.

351
21:54.760 --> 21:56.800
One means that it's a wrong username.

352
21:56.950 --> 22:01.510
So based on that hypothesis, let's try to enter "NICK" and see what happens.

353
22:01.990 --> 22:02.290
All right.

354
22:02.290 --> 22:03.970
So let's rerun.

355
22:15.520 --> 22:16.510
Run again.

356
22:16.660 --> 22:17.860
Enter the username:

357
22:17.860 --> 22:18.190
"NICK."

358
22:18.190 --> 22:19.180
"NICK."

359
22:19.210 --> 22:19.960
Hit Enter.

360
22:22.030 --> 22:22.990
Step into.

361
22:22.990 --> 22:24.130
Just run again.

362
22:25.940 --> 22:27.170
Step into this.

363
22:27.830 --> 22:28.880
Step over.

364
22:30.230 --> 22:31.550
Run to this line.

365
22:33.160 --> 22:33.700
Line.

366
22:34.090 --> 22:35.260
So run over there.

367
22:35.260 --> 22:36.370
Step into this.

368
22:38.290 --> 22:45.730
Step over, and then run to that line again.

369
22:45.820 --> 22:47.200
Step into this.

370
22:48.640 --> 22:49.240
Step over.

371
22:50.020 --> 22:50.440
OK.

372
22:50.440 --> 22:51.250
So now

373
22:52.670 --> 22:54.710
let's see what happens when it comes to this line.

374
22:54.710 --> 22:57.950
This line where it compares your input.

375
22:57.950 --> 22:59.150
You can see input.

376
23:10.130 --> 23:10.520
OK.

377
23:11.630 --> 23:13.070
What happens after this call?

378
23:14.540 --> 23:16.070
- becomes zero.

379
23:16.070 --> 23:17.930
That means we correctly—

380
23:17.990 --> 23:21.770
we were right in assuming that "NICK" is the username.

381
23:24.270 --> 23:24.690
OK.

382
23:24.690 --> 23:25.560
So

383
23:28.120 --> 23:28.480
return.

384
23:28.480 --> 23:30.190
Let's return to the main function.

385
23:35.190 --> 23:40.500
OK, we are now in the main function. Yet we are in the string compare function.

386
23:41.490 --> 23:43.110
Let's execute till return.

387
23:45.960 --> 23:48.390
And step over to go back to our main.

388
23:49.290 --> 23:49.980
Are we in main?

389
23:49.980 --> 23:50.520
Not yet.

390
23:51.090 --> 23:52.320
We are in this function.

391
23:53.130 --> 23:54.600
Execute till return.

392
23:58.740 --> 24:01.440
Just step over and see.

393
24:01.440 --> 24:02.730
Are we in the main function?

394
24:03.540 --> 24:05.190
Yes, we are now in the main function.

395
24:05.190 --> 24:09.480
So now we can graph this and you can see what's happening.

396
24:10.440 --> 24:12.240
So now we are here.

397
24:12.240 --> 24:14.820
Let's see if we jump to the left or to the right.

398
24:18.020 --> 24:20.390
So it is now one.

399
24:20.390 --> 24:21.980
Previously it was zero.

400
24:22.010 --> 24:23.630
That means it's going to go to the right.

401
24:23.630 --> 24:25.460
That means our username is correct.

402
24:25.460 --> 24:29.000
Previously it went over to the left and said "User not registered."

403
24:29.390 --> 24:30.950
So now it's going to go to the right.

404
24:30.950 --> 24:32.990
Let's click on this. Jump not taken.

405
24:33.860 --> 24:37.700
So jump not taken means that it is not going to take this jump to 5D9.

406
24:37.700 --> 24:38.990
It's going to go to the right.

407
24:39.920 --> 24:41.330
So it's going to the right.

408
24:42.230 --> 24:43.550
And this time

409
24:46.970 --> 24:48.890
look, after this call,

410
24:49.940 --> 24:54.680
after this call, it puts up the prompt for the password.

411
24:54.950 --> 24:55.580
OK.

412
24:55.580 --> 24:57.560
So we don't know what the actual password is.

413
24:57.560 --> 24:59.960
So we can just put a fake password.

414
25:00.770 --> 25:03.920
It is not waiting for input yet.

415
25:03.920 --> 25:08.240
So let's continue to step over until this thing becomes running.

416
25:12.790 --> 25:16.270
See, it is now running, so now it's waiting for input.

417
25:16.270 --> 25:23.470
So now we type our password: "cracking lessons."

418
25:24.100 --> 25:27.610
Hit Enter. OK, so let's step over.

419
25:31.260 --> 25:34.050
Wait for a wrong error message.

420
25:38.850 --> 25:39.180
OK.

421
25:39.180 --> 25:43.080
It looks like from here it has gone into our function.

422
25:43.110 --> 25:50.610
Click on -, and we are now here. It's comparing the password itself now.

423
25:50.700 --> 25:51.090
All right.

424
25:51.090 --> 25:53.460
So I'll continue with this in the next lesson.

425
25:53.460 --> 25:59.460
In this lesson, we successfully fished out—traced the username. In the next lesson, we are going to trace

426
25:59.460 --> 26:01.320
the password.

427
26:01.890 --> 26:02.850
See you in the next one.

428
26:02.850 --> 26:03.570
Thank you.