WEBVTT

1
00:01.700 --> 00:04.640
Hello and welcome back. In this project,

2
00:04.640 --> 00:11.300
we are going to crack this crackme and this is the author InDeineMama.

3
00:11.810 --> 00:13.490
The name of the crackme is "Who Am I?"

4
00:13.940 --> 00:16.190
So I have downloaded this for you.

5
00:16.190 --> 00:20.360
So get the copy of the download from my resource section.

6
00:20.900 --> 00:23.600
After you have downloaded, just unzip it.

7
00:23.870 --> 00:29.150
The password to unzip is crackinglessons.com.

8
00:29.480 --> 00:37.220
Remember that all the crackmes which you download from a website are zipped using this password, cracking

9
00:37.220 --> 00:39.080
lessons.com.

10
00:39.230 --> 00:46.070
So the reason why I zip them up is because sometimes they are falsely detected as malware.

11
00:46.250 --> 00:52.670
So if they are wrongly detected as malware, your computer will delete the file or might not even allow

12
00:52.670 --> 00:53.570
you to download it.

13
00:53.960 --> 00:56.810
So that's why I have to zip them up first.

14
00:57.320 --> 01:04.490
Now, all the crackmes are not malware, although your Windows Defender or antivirus might say they are

15
01:04.490 --> 01:04.940
malware.

16
01:05.570 --> 01:11.900
Now, the reason why some people say they're malware is probably because some of these software uses system

17
01:11.900 --> 01:16.100
calls in order to clear the screen and so on.

18
01:16.100 --> 01:19.430
So they're accidentally detected as malware.

19
01:20.720 --> 01:25.640
So you can verify that they are not malware by debugging it.

20
01:25.640 --> 01:31.250
As we will do, so a debugger should be able to tell whether a file is malware or not.

21
01:31.250 --> 01:37.250
So when you debug, you can see that the files are not malware; they are simply just crackmes.

22
01:37.760 --> 01:45.380
Another reason why certain files can become malware after a while is because when the people download

23
01:45.380 --> 01:49.370
the files, the first thing they do is they upload to VirusTotal.

24
01:49.730 --> 01:58.040
So VirusTotal will take your file and distribute it to all the, all the antivirus vendors, and every virus

25
01:58.040 --> 01:59.870
vendor, antivirus vendors,

26
01:59.870 --> 02:08.540
they will eventually classify this kind of files as malware because these are files which are, to them,

27
02:08.540 --> 02:15.470
are classified as undesirable programs, undesirable in the sense that you are not supposed to learn

28
02:15.470 --> 02:17.180
how to crack them.

29
02:17.180 --> 02:19.310
You are not supposed to learn reverse engineering.

30
02:19.520 --> 02:19.910
All right.

31
02:19.910 --> 02:21.260
That is undesirable.

32
02:21.260 --> 02:22.970
So this is my opinion.

33
02:22.970 --> 02:31.430
That's why all the files eventually get tagged as malware because they are undesirable as viewed by

34
02:31.430 --> 02:33.080
this antivirus vendor.

35
02:33.080 --> 02:39.320
So that's the reason why when the file is first uploaded, uh, on the internet, it is not malware. But when

36
02:39.320 --> 02:46.220
people who download it upload them to VirusTotal, after a while, if too many people upload them to VirusTotal,

37
02:46.460 --> 02:48.890
eventually the file becomes tagged as malware.

38
02:49.880 --> 02:51.470
Okay, so now let's get started.

39
02:52.160 --> 02:58.280
So the first thing we do is to scan it with, uh, with the Detect It Easy to see

40
02:58.280 --> 03:05.060
what, uh, what, uh, what is it? Is it 32-bit or is it 64-bit?

41
03:13.450 --> 03:16.600
And you will see that it is a 32-bit program.

42
03:16.600 --> 03:20.200
That means we need to use x32dbg to open it.

43
03:21.370 --> 03:24.910
Before we open it, we will run it first to see what it does.

44
03:25.150 --> 03:28.450
And it asks, "Who am I?"

45
03:28.600 --> 03:30.040
So we don't know.

46
03:30.040 --> 03:31.990
So we just say anything.

47
03:32.020 --> 03:34.210
Maybe we say we are cracker.

48
03:35.230 --> 03:36.910
Hit enter and it says wrong.

49
03:37.480 --> 03:39.640
So this is an easy one to crack.

50
03:39.670 --> 03:41.950
So can you try this on your own?

51
03:41.950 --> 03:43.270
Now pause the video.

52
03:43.270 --> 03:45.940
See if you can find the correct username.

53
03:48.930 --> 03:49.560
All right.

54
03:49.560 --> 03:51.090
I hope you've given it a try.

55
03:51.090 --> 03:53.040
And this is how I will solve it.

56
03:53.820 --> 03:57.870
So there is an easy way and a difficult way to solve it.

57
03:58.020 --> 04:04.050
The easy way is to use a hex editor to look for all the strings in a file, and you will find that there

58
04:04.050 --> 04:06.540
are certain strings which are revealing.

59
04:06.630 --> 04:15.420
Then you can guess that those are the correct username. But using a hex editor can only work for easy

60
04:15.420 --> 04:16.830
crackmes like this one.

61
04:16.860 --> 04:21.120
For the more difficult, advanced crackmes, hex editor will not show you anything.

62
04:21.120 --> 04:23.490
It will not show you the username or the password.

63
04:24.000 --> 04:29.640
So that is the reason why, even though in this particular category you can do it using hex editor,

64
04:29.880 --> 04:35.880
I will always want to show you how to do it the correct way by debugging it with a debugger.

65
04:36.090 --> 04:42.990
So once you have learned the skills of how to debug it with a debugger, you can crack even more advanced,

66
04:43.110 --> 04:44.610
difficult crackmes.

67
04:45.420 --> 04:46.530
So let's get started.

68
04:46.530 --> 04:49.500
So now, remember, the bad string is "wrong."

69
04:49.500 --> 04:53.130
Here we are going to search for this string inside the debugger.

70
04:54.120 --> 04:58.290
So remember, "wrong" is the string that we are searching for.

71
04:59.040 --> 05:02.610
So we open the x32dbg.

72
05:02.610 --> 05:09.090
Now open the crackme. Before you open the crackme, you should make a copy of the

73
05:09.090 --> 05:09.810
crackme.

74
05:10.500 --> 05:14.820
It's a good habit to always make a copy in case something goes wrong.

75
05:14.820 --> 05:15.840
You have a backup.

76
05:18.330 --> 05:21.930
So now we are going to right-click here and search for the string.

77
05:23.680 --> 05:28.210
Search for current module string references.

78
05:29.320 --> 05:35.530
And then now we are going to filter out the phrase "wrong," wrong, wrong.

79
05:35.530 --> 05:36.250
There you go.

80
05:36.400 --> 05:40.300
And click on the address to go over there and analyze it.

81
05:41.950 --> 05:48.340
So over here you can see this is the string where the, where the it appears in memory.

82
05:48.640 --> 05:54.310
So now we can analyze it by scrolling up to look for the main function.

83
05:54.640 --> 05:58.360
The start of this function should be the main function.

84
05:58.600 --> 06:03.400
If we scroll up here, you can see other strings like "that right" and so on.

85
06:04.600 --> 06:07.150
And then, then other strings here and so on.

86
06:07.780 --> 06:11.200
And then this is CLS, clear screen, and system call here.

87
06:11.470 --> 06:17.650
So this is the system call which makes the antivirus think that this is a malware.

88
06:18.100 --> 06:21.010
That's why it's a, it's a false positive.

89
06:21.010 --> 06:25.390
As you can see here, there's nothing, nothing dangerous here.

90
06:25.390 --> 06:31.690
All this program doesn't steal the password, doesn't, doesn't crash, doesn't, doesn't encrypt your files

91
06:31.690 --> 06:32.410
or anything like that.

92
06:32.410 --> 06:33.790
You can see very clearly.

93
06:34.150 --> 06:36.010
It's just a simple, short main.

94
06:38.530 --> 06:40.930
So now we should put a breakpoint here.

95
06:41.470 --> 06:46.270
I already put a comment there to remind yourself where we are.

96
06:46.390 --> 06:53.170
So we now put the breakpoint, and then we will, uh, now step away.

97
06:53.920 --> 07:00.040
So turn tracing on first word, and then we start with line by line.

98
07:01.390 --> 07:04.450
But before that, let us run first until it hits the breakpoint.

99
07:05.140 --> 07:07.180
So it has hit the breakpoint.

100
07:07.540 --> 07:09.490
Now you can step over line by line.

101
07:17.650 --> 07:19.630
So it's going to make our first call.

102
07:19.870 --> 07:21.820
Keep a lookout on the right console.

103
07:23.170 --> 07:24.220
Nothing happens here.

104
07:26.410 --> 07:27.460
Also nothing.

105
07:28.270 --> 07:29.230
Next call.

106
07:29.260 --> 07:30.430
Nothing happening.

107
07:32.050 --> 07:32.740
Next call.

108
07:32.830 --> 07:33.850
Nothing happening.

109
07:34.540 --> 07:35.320
Next call.

110
07:35.350 --> 07:36.460
Nothing happening.

111
07:36.580 --> 07:37.990
Nothing happening.

112
07:38.920 --> 07:42.100
Continue to step over until something appears in the console.

113
07:51.020 --> 07:57.890
Okay, so this call has got, uh, this parameter "cout," which is a C++ function to print something

114
07:57.920 --> 07:58.880
to the screen.

115
07:58.880 --> 08:06.230
You can see here also the parameter for this call, uh, this function call has got these parameters.

116
08:06.230 --> 08:08.810
One of it is the "whomi" string.

117
08:08.810 --> 08:11.720
And the other one is your "cout" function.

118
08:12.080 --> 08:14.000
So it's going to execute the "cout" function

119
08:14.000 --> 08:16.160
to print this string. Let's step away.

120
08:17.180 --> 08:18.230
And there you are.

121
08:18.770 --> 08:22.520
So now let's, uh, continue to step over.

122
08:24.440 --> 08:31.280
So this call is now going to read your input because you can see from the parameter here,

123
08:32.930 --> 08:37.430
this calls "cin," "cin," the C++ function to read the input from the console.

124
08:38.300 --> 08:43.130
So let's step over until this thing goes from the paused state to the running state.

125
08:44.420 --> 08:46.040
So now it's in the running state.

126
08:46.040 --> 08:48.500
That means it's waiting for us to type something.

127
08:49.010 --> 08:50.510
So we will type "cracker."

128
08:50.540 --> 08:53.780
Cracker. Hit enter.

129
08:54.590 --> 08:56.450
And now it comes back to pause state.

130
08:56.450 --> 08:58.310
That means we can continue stepping over.

131
08:58.310 --> 08:59.960
So let's continue stepping over.

132
09:01.670 --> 09:04.550
Now this call here, before the call,

133
09:04.550 --> 09:06.620
the value of - is like this.

134
09:07.280 --> 09:08.120
Step over.

135
09:08.360 --> 09:10.760
After the call, it becomes all zero.

136
09:10.760 --> 09:15.410
So normally all zeros or all Fs means that something is wrong.

137
09:15.470 --> 09:20.180
It means either your username is wrong or the number of characters is wrong.

138
09:20.630 --> 09:23.330
So this is an important function to examine.

139
09:23.330 --> 09:28.100
So I put all the comments here to make it easy for you to follow along.

140
09:28.700 --> 09:33.200
Like, for example, here shows the prompt "Who am I?" Here reads the input.

141
09:33.320 --> 09:35.600
This call sets - to zero.

142
09:35.630 --> 09:37.820
Later on we'll come back and analyze this.

143
09:39.050 --> 09:48.050
So continue to step over, and over here is going to jump or not to jump depending on -, is depending

144
09:48.050 --> 09:51.590
on the value in - because - is moved to -.

145
09:52.100 --> 09:55.490
So - is actually the last byte of -.

146
09:55.580 --> 09:58.070
So it is zero, zero.

147
09:58.250 --> 10:02.690
So zero, zero is moved to -, and - now becomes all zero.

148
10:02.720 --> 10:06.260
Now it's going to test -, is it, is - zero?

149
10:06.860 --> 10:08.840
In this case, - is zero.

150
10:08.840 --> 10:11.150
Therefore the jump equal will happen.

151
10:11.150 --> 10:15.380
It will jump to the address ending with C95, which is here.

152
10:19.020 --> 10:20.880
So let's continue to step over.

153
10:26.310 --> 10:26.730
Okay.

154
10:26.730 --> 10:35.310
Now over here it is going to show something in the output, because the parameter for this call is a "cout."

155
10:35.310 --> 10:39.510
So let's step over and you see the bad message showing "wrong."

156
10:39.780 --> 10:41.580
So this call shows a bad message.

157
10:41.580 --> 10:43.110
So I put a comment here.

158
10:43.110 --> 10:48.510
So now we know that when it, when it came over here, it jumped to the left.

159
10:48.510 --> 10:50.670
That's why you are seeing a bad message.

160
10:50.760 --> 10:52.650
So probably jumping

161
10:52.650 --> 10:55.050
to the right would be the good message.

162
10:55.530 --> 10:59.340
Now the reason why it goes to the left is because - is zero.

163
10:59.610 --> 11:03.270
So we have to analyze this call in detail now.

164
11:03.270 --> 11:05.430
So we put the breakpoint here.

165
11:06.810 --> 11:12.270
And then in the next lesson we are going to step into this call to see what sets the return value of

166
11:12.270 --> 11:13.350
- to zero.

167
11:14.070 --> 11:15.690
So I'll see you in the next lesson.

168
11:15.690 --> 11:16.920
Thank you for watching.