WEBVTT

1
00:01.850 --> 00:03.200
Hello and welcome back.

2
00:03.200 --> 00:06.350
Our next project is "Funny Gopher's Stupid CrackMe"

3
00:06.590 --> 00:11.960
So download this from the resource section and then unzip it.

4
00:11.960 --> 00:15.050
The unzip password is crackinglessons.com.

5
00:15.710 --> 00:18.350
Inside it, you will find two files.

6
00:18.350 --> 00:20.810
One is the credits and the other is the crackme.

7
00:21.650 --> 00:27.020
This crackme you need to scan with DIE to find out whether it's 32-bit or 64-bit.

8
00:27.440 --> 00:32.630
I've already scanned it. It is 32-bit, so let's just run it first and see what it does.

9
00:33.140 --> 00:37.010
It asks you to find the password, so we don't know the password.

10
00:37.010 --> 00:38.360
We assume it's this.

11
00:40.350 --> 00:44.490
You hit enter and it says, "Uh oh, man.

12
00:44.640 --> 00:45.750
Very bad.

13
00:45.750 --> 00:47.070
Password not found."

14
00:47.400 --> 00:49.950
So now we are going to use the string search method.

15
00:49.950 --> 00:53.370
Look for the string phrase "the password."

16
00:53.970 --> 00:56.700
So we open up our x32dbg.

17
00:57.930 --> 00:58.770
I've already done this,

18
00:58.770 --> 01:03.420
so I just refresh and we are going to scan for this word "password" here.

19
01:04.230 --> 01:07.560
So let's go right-click on anywhere here.

20
01:08.370 --> 01:12.270
Search for current module string references.

21
01:12.600 --> 01:14.130
And then here you can see

22
01:14.130 --> 01:16.770
the string that we are looking for.

23
01:16.770 --> 01:18.180
So double-click to go there.

24
01:19.980 --> 01:21.540
And that is your string.

25
01:21.780 --> 01:28.500
So I've already put several breakpoints in. I've done this before, so I just disable all of them for

26
01:28.500 --> 01:28.920
now.

27
01:29.970 --> 01:31.380
I'll just remove everything,

28
01:33.020 --> 01:34.160
start from fresh.

29
01:34.460 --> 01:38.120
Okay, so now the string is found here. I'm going to close this one.

30
01:39.990 --> 01:44.010
And the program is now running in the background.

31
01:44.580 --> 01:50.640
This program—and I put a comment here to remind myself that this is the start of the function that

32
01:50.640 --> 01:52.800
contains the bad string.

33
01:54.380 --> 01:56.240
And then I can put a breakpoint here.

34
01:57.510 --> 02:00.330
Now I will run until I hit this breakpoint.

35
02:00.630 --> 02:02.250
So it has hit the breakpoint.

36
02:03.000 --> 02:07.050
And then, if I wanted to, I could graph this.

37
02:09.150 --> 02:12.120
And you can see here is a very simple crackme.

38
02:12.540 --> 02:13.950
It goes straight down,

39
02:14.580 --> 02:17.340
and then here it goes to the left or to the right.

40
02:17.700 --> 02:19.620
On the left is the bad message.

41
02:19.980 --> 02:21.900
On the right is the good message.

42
02:22.840 --> 02:25.390
So now we are going to trace this and see what happens.

43
02:25.390 --> 02:28.150
So let's step over and see the output here.

44
02:32.790 --> 02:34.110
After this call,

45
02:34.110 --> 02:36.060
it prints this message.

46
02:40.340 --> 02:41.660
After this call,

47
02:42.230 --> 02:43.370
it prints this message,

48
02:43.370 --> 02:43.910
"Password."

49
02:45.900 --> 02:50.820
But it is not waiting for input yet because the state is paused.

50
02:51.090 --> 02:54.780
We need to go and step over until it becomes running.

51
02:57.330 --> 02:58.410
So let's see.

52
02:58.410 --> 03:04.800
After this call, it changes to the running state and that means it is waiting for our input.

53
03:04.800 --> 03:07.380
So I have put a comment there: "read password."

54
03:08.310 --> 03:16.860
So the input—we assume—is going to be a password or 123456789.

55
03:17.400 --> 03:20.340
Just hit enter and now it's paused,

56
03:20.340 --> 03:23.280
and we can continue debugging by stepping over.

57
03:25.780 --> 03:30.520
And now before this call, we have this register value in -.

58
03:31.390 --> 03:34.030
After this call, - becomes one.

59
03:35.090 --> 03:37.520
And then I put a comment here.

60
03:39.400 --> 03:42.490
And then sometimes it's negative one,

61
03:42.490 --> 03:43.660
sometimes it's one.

62
03:44.200 --> 03:45.670
I've done this before,

63
03:46.000 --> 03:47.650
but for now it's one.

64
03:47.650 --> 03:49.780
So let's step over and see what happens.

65
03:51.600 --> 03:53.040
Now it's going to test it.

66
03:53.490 --> 03:56.070
That means it is expecting - to be zero,

67
03:56.070 --> 03:57.990
and again I put a comment here.

68
03:59.490 --> 04:00.870
So let's step over.

69
04:02.280 --> 04:04.350
I forgot to turn on the trace coverage.

70
04:04.350 --> 04:05.340
Let's do that now.

71
04:06.740 --> 04:09.830
So now click on this and you find that jump is taken.

72
04:09.830 --> 04:11.660
That means it's going to go to the left

73
04:12.260 --> 04:13.850
and print the message.

74
04:15.230 --> 04:17.690
That means it is expecting - to be zero.

75
04:18.830 --> 04:23.270
So since - is not zero, it's going to go to the left.

76
04:23.660 --> 04:25.880
That means this function is important.

77
04:25.970 --> 04:28.430
This function sets the value of -.

78
04:29.180 --> 04:32.600
We want to know why - is not zero.

79
04:33.810 --> 04:37.470
So next iteration, we are going to put a breakpoint here.

80
04:37.500 --> 04:40.440
Now I put a breakpoint and we are going to step into this.

81
04:40.830 --> 04:41.400
For now,

82
04:41.400 --> 04:44.370
just step over this and see the bad message printed on the screen.

83
04:45.030 --> 04:45.390
Okay,

84
04:45.390 --> 04:50.040
so now we know that this is the important function that we need to step into.

85
04:50.070 --> 04:55.080
So now we restart and we run to our main function.

86
04:55.590 --> 04:59.100
And then we will run to this part, right?

87
04:59.640 --> 05:01.530
So we just step over.

88
05:06.000 --> 05:08.820
Step over this, and now it's waiting for our input.

89
05:10.660 --> 05:16.720
So again, we just put 123456789, hit enter.

90
05:17.500 --> 05:18.550
Now it's back.

91
05:18.580 --> 05:20.050
We're going to step over.

92
05:21.250 --> 05:27.370
And now we are going to step into this call to see why - is not zero.

93
05:27.700 --> 05:35.050
We need to find out which function—which instruction—sets - to become other than zero.

94
05:35.770 --> 05:36.610
So we write—

95
05:36.610 --> 05:40.870
so we now can step into this. Step into it.

96
05:41.290 --> 05:42.070
Click again.

97
05:42.070 --> 05:44.950
So now we are inside and we can graph it.

98
05:46.830 --> 05:47.520
Like this.

99
05:47.760 --> 05:49.800
So now we continue to step over.

100
05:50.760 --> 05:54.210
So here it is just testing -, three.

101
05:55.140 --> 05:56.460
Just ignore it,

102
05:56.460 --> 05:57.300
continue.

103
05:58.950 --> 06:04.590
And then over here, it is going to move this to -,

104
06:04.590 --> 06:08.580
and then it's going to compare - with the first byte of -.

105
06:09.270 --> 06:11.940
- has got our input—our password.

106
06:12.240 --> 06:14.910
So the first byte is the character "one."

107
06:15.480 --> 06:17.820
And then -, what is in -?

108
06:17.820 --> 06:19.080
You can click on this line.

109
06:19.080 --> 06:21.420
You can see - is the character "L."

110
06:22.020 --> 06:25.890
That means the first character of the password is capital L.

111
06:26.040 --> 06:31.260
So it is comparing capital L with our input "one."

112
06:31.260 --> 06:32.670
That means we can now fish out

113
06:32.670 --> 06:37.200
the first character of the password, which is capital L, right?

114
06:37.200 --> 06:41.370
So this is our assumed password, which is the wrong password,

115
06:41.370 --> 06:43.710
and now we fish out the first character.

116
06:44.490 --> 06:52.740
So now let's see, because the first character is not L, therefore JNE will be jumping.

117
06:52.740 --> 06:53.400
Click on this.

118
06:53.400 --> 06:56.610
You will see jump is taken, so it's not going to go straight.

119
06:56.610 --> 06:58.980
It's going to jump all the way down here.

120
07:00.330 --> 07:06.090
And now let's see what happens to - when we come to the return.

121
07:08.620 --> 07:12.100
Okay, so by the time we come to return, - is set to one.

122
07:12.250 --> 07:14.890
So this is where - is set to one.

123
07:15.490 --> 07:18.460
We expect the - to be zero.

124
07:18.460 --> 07:19.600
Zero means good,

125
07:19.690 --> 07:22.300
but because it is a wrong password,

126
07:22.300 --> 07:24.550
- is not zero, it's one.

127
07:24.760 --> 07:29.740
So now we step over this and we right-click and set the IP.

128
07:29.770 --> 07:31.390
We come back to the main function.

129
07:31.810 --> 07:35.410
So now we can see it is going to test the -.

130
07:35.410 --> 07:41.440
And because - is not zero, it's going to go to the left again and print the bad message.

131
07:41.440 --> 07:42.670
See that bad message?

132
07:42.910 --> 07:43.420
Okay,

133
07:43.420 --> 07:46.810
so now we know the first character of the password is capital L.

134
07:47.260 --> 07:53.470
We are going to restart this and run and step over this call.

135
07:54.460 --> 07:55.960
So step over.

136
07:58.130 --> 07:59.000
It's time for the call.

137
07:59.810 --> 08:02.120
So now it's waiting for input.

138
08:03.320 --> 08:10.070
So we managed to fish out the first character, capital L, so we know the first character of the password

139
08:10.070 --> 08:13.520
is capital L, but the second character onwards we don't know.

140
08:13.520 --> 08:17.510
So we just put 23456789, hit enter.

141
08:18.350 --> 08:19.640
So now it's come here.

142
08:19.640 --> 08:21.230
Let's step over, step over.

143
08:21.230 --> 08:26.570
Continue to step over until it comes to this call and step into this.

144
08:29.270 --> 08:33.140
And then step into it again, and then right-click and graph.

145
08:34.130 --> 08:36.050
Now we're going to use tracing.

146
08:38.110 --> 08:44.560
Okay, now it's testing the first character of the password, capital L, and our input is also capital

147
08:44.560 --> 08:46.210
L for the first character.

148
08:46.690 --> 08:51.520
Now notice here it's pointer byte,

149
08:51.520 --> 08:58.390
pointer byte means you are reading one character, which is one character of the string.

150
08:59.500 --> 09:00.670
So let's continue.

151
09:00.670 --> 09:07.060
Step over. Because the password we entered for the first character is correct,

152
09:07.060 --> 09:08.410
so it's not going to jump.

153
09:08.410 --> 09:09.010
Let's see.

154
09:09.880 --> 09:10.570
Click on this.

155
09:10.570 --> 09:11.650
Jump is not taken.

156
09:11.650 --> 09:13.540
Instead, you go straight.

157
09:14.200 --> 09:20.440
Now this line here is also testing whether - is zero.

158
09:20.890 --> 09:22.030
Now - zero,

159
09:22.090 --> 09:28.030
in programming, means the null terminator. Every string ends with a null terminator,

160
09:28.240 --> 09:34.270
and in programming, the null terminator is denoted by the hex value zero.

161
09:34.600 --> 09:35.770
So in this case,

162
09:35.770 --> 09:38.350
null terminator means the end of the string.

163
09:38.380 --> 09:41.230
It is checking whether you have reached the end of the string.

164
09:41.620 --> 09:48.340
So in this case, step over, because we haven't reached the end of the string,

165
09:49.180 --> 09:50.560
it will go straight.

166
09:50.770 --> 09:55.870
If you have reached the end of the string, it will come out and jump to this address, which is down

167
09:55.870 --> 09:56.290
here,

168
09:57.820 --> 09:58.540
down here.

169
09:59.290 --> 10:01.660
So because it's not the end of the string,

170
10:02.680 --> 10:04.210
it is going to go straight.

171
10:06.010 --> 10:09.160
Now it's going to compare. Click on this.

172
10:09.160 --> 10:11.680
You can see it's comparing - with "two."

173
10:11.860 --> 10:13.990
"Two" is our second character,

174
10:14.350 --> 10:16.090
and then it's comparing - with that.

175
10:16.090 --> 10:20.380
That means the second character of the real password is "i."

176
10:20.950 --> 10:22.990
So we can put "i" here.

177
10:22.990 --> 10:24.430
We fished out the second character.

178
10:25.510 --> 10:27.070
So now we continue.

179
10:28.000 --> 10:34.210
And because we did not enter the correct character, it's going to jump to this part here,

180
10:34.210 --> 10:39.040
and then it's going to set the value to one again.

181
10:39.040 --> 10:40.690
So again, we have failed.

182
10:41.260 --> 10:43.390
We have fished out the second character now.

183
10:43.900 --> 10:52.600
So now we can restart and run to our main and step until we reach this call.

184
10:53.110 --> 10:59.470
Step over and enter the first two characters which we have fished out, which is "Li."

185
11:00.100 --> 11:04.300
So we type L, i, and then the third character onwards

186
11:04.300 --> 11:05.080
we don't know,

187
11:05.080 --> 11:12.520
so we type three, 456789, hit enter, and step over.

188
11:14.300 --> 11:15.170
Come to this line,

189
11:15.170 --> 11:16.310
step into it again.

190
11:17.390 --> 11:18.800
Step into it again,

191
11:19.580 --> 11:21.830
graph it, and trace it.

192
11:22.520 --> 11:26.270
So continue to step over and trace. Again,

193
11:26.270 --> 11:29.240
this part is checking for the first character, which is L.

194
11:30.750 --> 11:33.540
Which we entered correctly, so it will go straight.

195
11:34.470 --> 11:37.440
It will check whether we have come to the end of the string.

196
11:37.890 --> 11:38.910
In this case, no,

197
11:38.910 --> 11:40.110
so it will go straight.

198
11:40.620 --> 11:43.500
Now it's checking for the second character, which is "i."

199
11:43.650 --> 11:46.440
In this case, we entered "i" correctly,

200
11:46.590 --> 11:49.590
so it will go straight.

201
11:49.590 --> 11:52.500
And now it's checking whether we've come to the end of the string.

202
11:52.590 --> 11:53.160
No,

203
11:53.160 --> 11:54.300
so it goes straight.

204
11:55.590 --> 11:57.270
And now step over.

205
11:57.270 --> 11:59.220
And now it's checking for the third character.

206
11:59.970 --> 12:04.320
The character is again L, but we entered 3—see 3?

207
12:05.070 --> 12:09.180
We entered three instead of L, so this suggests that the third character of the password is capital

208
12:09.180 --> 12:09.660
L.

209
12:10.050 --> 12:13.890
So we fished out the third character of the password like that.

210
12:14.790 --> 12:18.600
Okay, so at this point in time, you can see where we are going with this.

211
12:18.720 --> 12:23.460
We are going to loop through over and over and over until we fish out the entire password.

212
12:23.730 --> 12:25.530
So let's continue.

213
12:28.380 --> 12:31.500
So now we fished out the first three characters,

214
12:31.500 --> 12:33.360
and then let's continue with this.

215
12:33.360 --> 12:35.550
So we continue to step over,

216
12:35.550 --> 12:40.890
and because our third character is wrong,

217
12:40.890 --> 12:46.890
it's going to come here and give the bad value, which is one.

218
12:46.890 --> 12:55.830
So we restart now and run to our main, step until we come to this call, and step over it.

219
12:57.410 --> 13:04.340
And now we enter the first three characters which we have fished out, which is L, i, L—L, i, L.

220
13:05.510 --> 13:06.920
And the fourth one we don't know,

221
13:06.920 --> 13:13.250
so we type four, five, six, seven, eight, nine, hit enter, and then continue to step over.

222
13:14.210 --> 13:15.560
Step into this call.

223
13:16.490 --> 13:20.330
Step into it again, right-click and graph.

224
13:21.650 --> 13:22.940
And now we trace it.

225
13:25.000 --> 13:25.420
Okay,

226
13:25.420 --> 13:29.230
over here is capital L, which we got right.

227
13:32.940 --> 13:36.600
Over here is lowercase i, which we also got right.

228
13:42.750 --> 13:46.140
Over here again is capital L, which we got right.

229
13:46.440 --> 13:47.100
L, i, L.

230
13:51.550 --> 13:54.040
It's checking—is it the end of the string?

231
13:54.040 --> 13:55.930
No, it's not the end of the string.

232
13:55.930 --> 13:58.300
End of the string means when you press the enter key.

233
13:58.300 --> 14:04.150
When you press the enter key after the input, that inserts a null terminator at the end. A null terminator

234
14:04.150 --> 14:06.040
is simply the hex value zero.

235
14:06.400 --> 14:10.120
So because it is not a null terminator, it's going to go straight.

236
14:12.330 --> 14:18.120
Now it's going to check for the next character, which is the character "2,"

237
14:18.330 --> 14:20.640
but we entered "4," so it's wrong.

238
14:20.640 --> 14:23.550
So this suggests that the fourth character is "2."

239
14:23.730 --> 14:25.560
So we put down here "2."

240
14:26.820 --> 14:33.360
And then now, if we continue, because it is not "2," it is going to go to this part and give the bad

241
14:33.360 --> 14:36.120
return value, which is this time negative one.

242
14:36.570 --> 14:36.840
All right,

243
14:36.840 --> 14:40.920
so this is how I know that the bad value is either 1 or -1.

244
14:41.880 --> 14:43.320
The right value would be zero,

245
14:43.320 --> 14:45.150
but in this case we are getting negative one.

246
14:45.150 --> 14:52.080
So when it comes back, if you step over this and right-click "Set IP," go back to the main function.

247
14:52.860 --> 14:55.950
As we come here, it is expecting zero, remember,

248
14:55.950 --> 14:59.610
but because it is negative one, it is not zero,

249
14:59.610 --> 15:04.590
so it's going to go to the left and show the bad message, as you can see.

250
15:04.770 --> 15:05.190
All right,

251
15:05.190 --> 15:09.960
so now let's restart again and I will continue this in the next lesson.

252
15:09.960 --> 15:11.040
See you then.