WEBVTT

1
00:01.760 --> 00:02.300
Hello.

2
00:02.300 --> 00:03.140
Welcome back.

3
00:03.140 --> 00:06.980
Our next project will be Visual C++ Crack Me by Saduz.

4
00:07.820 --> 00:12.140
So go and download this from the resource section for this lecture.

5
00:13.430 --> 00:18.050
The unzip password for this program is crackinglessons.com.

7
00:20.580 --> 00:23.490
After unzipping it, you will find two files.

8
00:24.150 --> 00:31.890
Make a copy of the file just in case you need a backup or you made a mistake, you can have a backup.

9
00:32.760 --> 00:39.180
After that, scan this with DIE to see whether it is a 32-bit or 64-bit program.

10
00:39.870 --> 00:47.430
I've already done it and found that it is a 32-bit program, so I need to open it with x32dbg.

11
00:47.550 --> 00:51.690
So I'll just do it here now by refreshing it since I did it before.

12
00:53.070 --> 00:58.380
So now we run this first and see what happens when you run it.

13
00:58.380 --> 00:59.790
It is a GUI program.

14
01:00.600 --> 01:07.230
It asks for the username and I will key in, uh, cracker as the username, which I don't know whether it

15
01:07.230 --> 01:07.980
is correct or wrong.

16
01:07.980 --> 01:08.850
It doesn't matter.

17
01:09.480 --> 01:15.480
For the registration number, I will assume it's 123456789.

18
01:16.770 --> 01:21.720
So this is my assumed username and registration key.

19
01:23.400 --> 01:29.640
So when I click okay, it gives me a message box with the bad message.

20
01:29.640 --> 01:30.450
Try again.

21
01:31.410 --> 01:37.200
So now I'm going to use a string search method to search for this string inside this program.

22
01:38.190 --> 01:38.940
Try again.

23
01:38.940 --> 01:40.440
So let me close this now.

24
01:41.610 --> 01:43.200
So I right-click here.

25
01:44.190 --> 01:51.840
Scroll down, search for current module string references, and I find try again over here.

26
01:52.290 --> 01:53.250
Double-click it.

27
01:53.250 --> 01:57.450
And I go to that memory where the string is found.

28
01:58.170 --> 02:02.040
If I scroll up, I can see there is a good message here.

29
02:02.040 --> 02:02.940
Good work.

30
02:04.560 --> 02:05.970
Down here is the bad message.

31
02:05.970 --> 02:06.720
Try again.

32
02:07.650 --> 02:12.840
Now if I scroll further up, I will try to look for the start of this function.

33
02:13.910 --> 02:16.970
So at the moment, I don't know where the function is.

34
02:16.970 --> 02:22.370
Normally it's push -, but scrolling up I don't find any push -.

35
02:22.370 --> 02:27.710
Instead, I find other message boxes and then followed by return here.

36
02:28.400 --> 02:36.260
So I am not sure if the line that comes after the return is the start of the function, so I assume

37
02:36.260 --> 02:36.620
it is.

38
02:36.620 --> 02:42.020
If it's wrong, I can always find another starting point, so I assume this is the one.

39
02:42.020 --> 02:50.540
So I put a comment here, mean, with a question mark to remind myself that I'm assuming that this

40
02:50.540 --> 02:51.980
is the start of the function.

41
02:53.820 --> 02:57.690
And then I will graph it by right-clicking and then graph.

42
02:58.590 --> 03:02.460
And I can now look at this, uh, control flow logic.

43
03:02.910 --> 03:07.410
And as I scroll down, I will find that there are two modules here.

44
03:07.680 --> 03:08.550
Uh, two boxes.

45
03:08.550 --> 03:09.960
The left is the bad message.

46
03:09.960 --> 03:12.660
Try again, and the right is a good message.

47
03:12.660 --> 03:13.500
Good work.

48
03:14.430 --> 03:19.200
So now I will put a breakpoint here, right-clicking this, put the breakpoint.

49
03:19.950 --> 03:27.690
And then I will turn on trace highlighting by going to Tracing, Trace coverage, enabling it, clicking on

50
03:27.690 --> 03:28.050
word.

51
03:29.340 --> 03:30.660
And then I will run.

52
03:32.460 --> 03:40.110
So now I'm going to enter the name cracker and the password 123456789.

53
03:41.220 --> 03:42.720
So I'll type in cracker.

54
03:45.000 --> 03:55.020
As a name and 123456789 as the registration key, I click okay, and it hits my breakpoint.

55
03:55.800 --> 03:57.150
Now I'll step over.

56
03:59.890 --> 04:04.930
And then when I come to this line here, it is comparing - and -.

57
04:05.500 --> 04:15.610
- is the first byte of the - register, which is 31 in hex, and 31 in hex is interpreted as the character

58
04:15.610 --> 04:17.410
one in ASCII.

59
04:19.330 --> 04:25.720
- is the first byte in the - register, which is 39, and 39.

60
04:25.720 --> 04:31.900
As you can see from here, is a hex code for the character nine.

61
04:33.850 --> 04:37.810
All right, so it seems that it is comparing one and nine.

62
04:37.810 --> 04:38.830
So what is one?

63
04:38.860 --> 04:43.060
One is my first character of the registration key.

64
04:44.050 --> 04:50.080
One, that means it is comparing my first character with nine.

65
04:50.350 --> 04:58.510
So this implies that the first password, the first character of the registration key, is nine.

66
04:59.710 --> 05:08.170
Now we can confirm this by stepping over and see what happens over here.

67
05:08.590 --> 05:15.640
Because the - is one and - is nine.

68
05:15.850 --> 05:20.080
So obviously they are not the same because they are not the same.

69
05:20.080 --> 05:21.160
Jump is not equal.

70
05:21.160 --> 05:23.290
Jump will happen because they are not equal.

71
05:23.830 --> 05:25.690
So now I click on the jump not equal.

72
05:25.690 --> 05:27.100
And you see jump is taken.

73
05:28.150 --> 05:32.620
That means it will jump to this address 401246, which is here.

74
05:33.250 --> 05:35.590
So I step over, and it jumps there.

75
05:36.070 --> 05:40.690
And then I continue stepping and see what happens to -.

76
05:41.980 --> 05:44.320
- becomes negative one, which is bad.

77
05:44.320 --> 05:46.870
That means the password, the first character, is wrong.

78
05:46.870 --> 05:48.460
So first character is nine.

79
05:48.460 --> 05:49.870
But I entered one.

80
05:50.110 --> 05:52.420
That's why - is negative one.

81
05:52.870 --> 05:54.880
So I continue to step over.

82
05:54.880 --> 05:57.910
And now it's going to test whether - is zero.

83
05:58.120 --> 06:00.580
So it is expecting - to be zero.

84
06:00.910 --> 06:04.930
But instead, it finds that - is not zero.

85
06:04.930 --> 06:06.640
It is negative one.

86
06:06.820 --> 06:08.830
So jump not equal is true.

87
06:08.830 --> 06:10.030
So it will jump.

88
06:11.380 --> 06:16.450
Since this jump is taken, it will jump to 401271, which is here.

89
06:16.720 --> 06:21.160
And it will push the message to the stack.

90
06:21.370 --> 06:22.540
Let me try again.

91
06:24.040 --> 06:28.720
And then it will now step over, and it will show the bad message.

92
06:28.720 --> 06:30.130
Try again, coming from here.

93
06:30.730 --> 06:32.680
So our hypothesis was right.

94
06:32.680 --> 06:38.230
That means most probably the first character of the serial key should be nine.

95
06:38.590 --> 06:42.370
So with that, we will now run again.

96
06:42.850 --> 06:46.630
And then over here, we are going to enter the first character.

97
06:46.780 --> 06:48.040
Change it to nine.

98
06:50.320 --> 06:52.780
Click okay again, and again.

99
06:52.780 --> 06:56.290
It stops at our breakpoint over here.

100
06:58.070 --> 06:58.790
Let's step over.

101
07:02.010 --> 07:05.820
Now it's comparing - and -, because we entered nine.

102
07:05.820 --> 07:07.680
So it's true, both are same.

103
07:08.970 --> 07:09.900
And now click on.

104
07:09.900 --> 07:14.040
This jump is not taken, which means that it is not going to go to this address.

105
07:14.040 --> 07:15.300
It's going to go straight.

106
07:17.800 --> 07:20.470
Now it's going to test whether - is zero.

107
07:20.500 --> 07:23.650
- is the first byte of the - register.

108
07:23.650 --> 07:25.540
In this case, - is 39.

109
07:25.540 --> 07:26.530
It is not zero.

110
07:27.640 --> 07:35.620
So normally when you are comparing like this after a test on a character, it implies that you are testing

111
07:35.620 --> 07:37.630
whether you have reached the end of the string.

112
07:38.110 --> 07:45.700
In this case, it is not the end of the string because it is 39, it is not 0000, means end of the string,

113
07:45.700 --> 07:48.070
which we have discussed before.

114
07:48.100 --> 07:50.620
Zero zero means a null terminator.

115
07:50.860 --> 07:51.940
A null terminator.

116
07:51.940 --> 07:56.020
A null terminator denotes the end of a string.

117
07:56.680 --> 08:01.330
So since it's not the end of the string, it is going to click on.

118
08:01.330 --> 08:05.800
This jump is not taken because - is not zero, so it's not taken.

119
08:06.640 --> 08:07.840
It's going to go straight.

120
08:08.620 --> 08:10.930
And now it's going to compare - and -.

121
08:11.500 --> 08:13.540
This time - is two.

122
08:13.570 --> 08:16.390
Two is what we entered.

123
08:18.390 --> 08:18.840
Take a look.

124
08:18.870 --> 08:21.240
Two is what we entered for a second character.

125
08:22.050 --> 08:26.910
So it is comparing that with -, which is three.

126
08:27.450 --> 08:28.860
Three is a.

127
08:28.860 --> 08:31.740
This suggests that three is a correct character.

128
08:32.040 --> 08:36.210
So that means the second character should be three.

129
08:36.210 --> 08:37.530
But we entered two.

130
08:38.580 --> 08:43.440
So because it is not correct, it is going to click on this.

131
08:43.470 --> 08:45.270
It's going to jump.

132
08:45.270 --> 08:45.960
Jump is taken.

133
08:45.960 --> 08:50.010
It's going to jump here, sets - to negative one.

134
08:50.640 --> 08:52.560
And then come down to the bottom.

135
08:53.580 --> 08:57.150
And again, test -, - is not zero.

136
08:57.150 --> 08:57.960
It's negative one.

137
08:57.960 --> 09:01.440
So jump not equal, jump is taken.

138
09:01.800 --> 09:06.180
You go to the left, and again, it shows the bad message.

139
09:07.080 --> 09:08.610
So now we click okay.

140
09:08.610 --> 09:14.820
We know that the second character of the serial key is three.

141
09:15.420 --> 09:20.370
So we run now, and we will enter the second character as three.

142
09:23.390 --> 09:31.670
And now we click okay, and it hits our breakpoint.

143
09:32.090 --> 09:33.470
So we step over.

144
09:34.640 --> 09:36.860
First character is comparing, is nine.

145
09:37.640 --> 09:39.170
This one here, this nine.

146
09:41.050 --> 09:42.520
Continue stepping.

147
09:45.820 --> 09:48.310
Now it is comparing the second character, which is three.

148
09:50.390 --> 09:51.200
It is correct.

149
09:51.200 --> 09:51.920
We entered three.

150
09:51.920 --> 09:53.570
So continue stepping.

151
09:54.830 --> 09:59.450
And now it is going to test whether it is the end of the string. It is not.

152
09:59.450 --> 10:00.800
So it's going to look.

153
10:02.240 --> 10:06.110
It's going to look back up, look back up here.

154
10:06.110 --> 10:10.490
And then now it's going to compare the third character.

155
10:10.970 --> 10:12.950
So our third character is three.

156
10:14.150 --> 10:15.320
We entered three.

157
10:16.010 --> 10:18.440
But it is comparing with two.

158
10:18.470 --> 10:21.140
That means the third character is two.

159
10:23.350 --> 10:25.360
So you keep on repeating like this.

160
10:27.310 --> 10:29.650
Okay, so now it's going to show the bad message.

161
10:29.650 --> 10:32.830
I'm just going to run to let it show the bad message.

162
10:34.090 --> 10:34.900
Run again.

163
10:34.900 --> 10:42.640
And now I'm going to enter the first three characters which were fished out, which is 932, 932.

164
10:43.840 --> 10:44.560
Okay.

165
10:44.560 --> 10:48.310
So at this point, I'm going to continue with the next lesson.

166
10:48.310 --> 10:49.900
I'll see you in the next one.