WEBVTT

1
00:01.230 --> 00:01.950
Welcome back.

2
00:02.880 --> 00:07.800
Now we are going to continue with our comment tracking technique.

3
00:08.100 --> 00:12.630
So last lesson we stopped here at this call.

4
00:12.630 --> 00:17.010
So let's see what the parameter for this call is.

5
00:17.190 --> 00:24.090
So the parameter for this call is 123456789 which is our serial which we entered.

6
00:24.870 --> 00:29.760
Let me just show you again we entered this 123456789.

7
00:31.230 --> 00:39.030
And the second parameter is 7110 99731.

8
00:39.030 --> 00:41.430
So this must be the actual serial key.

9
00:41.430 --> 00:42.600
So we just copy this out.

10
00:43.350 --> 00:47.190
It is comparing the two. String compare function compares two strings.

11
00:47.190 --> 00:52.470
So right-click on this, copy line, and then open your notes.

12
00:52.470 --> 00:54.540
And then paste your line here.

13
00:57.320 --> 00:59.000
Right-click and paste it here.

14
00:59.210 --> 01:01.820
So you got this serial key.

15
01:02.720 --> 01:04.400
Let's see what happens next.

16
01:04.820 --> 01:06.560
So let's step over the code.

17
01:06.560 --> 01:09.530
And straight away you see - is negative one.

18
01:09.710 --> 01:15.020
That means the comparison failed because you did not enter the correct serial key.

19
01:15.590 --> 01:18.860
So the test here - is to test whether it's zero.

20
01:18.980 --> 01:21.170
But we got negative one, not zero.

21
01:21.590 --> 01:23.540
So when you come to the next

22
01:23.540 --> 01:24.890
JNE.

23
01:27.880 --> 01:32.050
So over here you will see it is not equal.

24
01:32.050 --> 01:33.880
So it will jump to the left.

25
01:35.470 --> 01:38.260
It will jump to the left because - is not equal to zero.

26
01:38.680 --> 01:44.050
So now over here it jumps to the left, and now we continue to step over.

27
01:45.190 --> 01:49.660
Now another call is about to be made and it's a string

28
01:49.660 --> 01:50.710
compare again.

29
01:50.710 --> 01:53.530
And now we see what the parameters for this are.

30
01:54.040 --> 01:58.420
Again we have the first parameter as the key which we entered.

31
01:58.780 --> 02:02.770
And another parameter, which is the actual serial key.

32
02:02.770 --> 02:07.900
So right-click on this, copy line and paste down here.

33
02:07.900 --> 02:10.150
So we got two serial keys now.

34
02:11.410 --> 02:13.510
So continue to step over.

35
02:15.730 --> 02:17.560
And it became negative one.

36
02:17.560 --> 02:21.820
That means it failed again because we did not enter the second serial key.

37
02:24.550 --> 02:31.360
Now let's continue stepping over because - is not zero.

38
02:32.200 --> 02:34.390
So it's going to jump to the left.

39
02:35.470 --> 02:36.550
So let's see.

40
02:36.580 --> 02:40.810
Jumping to the left again, another string compare.

41
02:41.680 --> 02:43.660
Click on this and see the parameter.

42
02:43.990 --> 02:46.240
First parameter is our serial key.

43
02:46.240 --> 02:49.840
Second parameter is the actual serial key.

44
02:50.020 --> 02:52.630
So now we fished out our third serial key.

45
02:52.750 --> 02:58.660
Right-click, copy line and then come here and paste below.

46
02:59.530 --> 03:01.540
So now we have three serial keys.

47
03:02.380 --> 03:05.290
So click on this, step over.

48
03:05.290 --> 03:07.150
And now we see it's negative one.

49
03:07.330 --> 03:10.180
So it's testing for - value is zero.

50
03:10.180 --> 03:10.960
It is not.

51
03:10.960 --> 03:14.680
It is negative one. Step over.

52
03:14.680 --> 03:19.450
So JNE will jump because it is not equal to zero.

53
03:19.600 --> 03:28.000
So it's going to jump to over here and then continue to step over.

54
03:29.830 --> 03:31.600
And now take a look at this.

55
03:31.600 --> 03:33.700
Just before this call - is zero.

56
03:34.780 --> 03:37.840
When I step over it became one.

57
03:38.470 --> 03:40.510
It became one, right?

58
03:40.510 --> 03:44.650
So I put a comment there - 1, - 1.

59
03:46.180 --> 03:49.750
And over here is testing whether - is zero.

60
03:50.200 --> 03:52.270
In this case - is not zero.

61
03:52.270 --> 04:00.130
- is the first byte of - which is 0 1. Because it is not equal to zero, JNE will take place.

62
04:00.280 --> 04:03.790
It's going to jump to 401BE3.

63
04:04.900 --> 04:05.710
So let's see.

64
04:05.710 --> 04:09.190
Jump to the left and it's going to show the bad message.

65
04:09.190 --> 04:09.790
Sorry.

66
04:10.540 --> 04:11.080
Don't give up.

67
04:11.080 --> 04:13.150
So step over this call.

68
04:13.780 --> 04:16.300
And the bad message shows over here though.

69
04:16.300 --> 04:18.070
Sorry, don't give up. Okay.

70
04:18.070 --> 04:18.910
Click okay.

71
04:18.910 --> 04:24.610
So now we know that over here it is expecting - to be zero.

72
04:25.270 --> 04:27.280
So I'm going to update this comment.

73
04:32.350 --> 04:33.400
Expecting

74
04:34.840 --> 04:37.120
- to be zero.

75
04:37.150 --> 04:42.880
- zero will be good because if - is zero, it means it will go to the right to show

76
04:42.880 --> 04:44.350
great job cracker,

77
04:44.350 --> 04:45.190
the good message.

78
04:45.550 --> 04:48.910
Okay, so now we have fished out three serial keys.

79
04:48.910 --> 04:51.160
We can test it to see whether they work.

80
04:51.580 --> 05:04.390
So let's stop this debugging now and open directly the crackme and enter our username

81
05:04.390 --> 05:05.290
which is cracker.

82
05:06.280 --> 05:10.720
And let's test our keys one by one starting with the first one.

83
05:12.600 --> 05:13.950
Click on this.

84
05:14.070 --> 05:15.270
Select it.

85
05:15.840 --> 05:17.670
Copy and paste in here.

86
05:18.540 --> 05:19.320
Click on check.

87
05:19.350 --> 05:20.130
Great job.

88
05:21.220 --> 05:22.750
Now let's try the second one.

89
05:26.360 --> 05:27.950
Copy and paste.

90
05:29.160 --> 05:31.560
In here, click check.

91
05:31.800 --> 05:32.580
Great job.

92
05:34.230 --> 05:36.180
Let's test the third one.

93
05:36.600 --> 05:38.400
So let's copy this.

94
05:38.730 --> 05:42.870
Right-click, copy and paste it in here.

95
05:43.980 --> 05:45.030
Click on check.

96
05:45.360 --> 05:46.020
Great job.

97
05:46.110 --> 05:52.920
So we have successfully solved this crackme by fishing all three serial keys.

98
05:53.640 --> 06:01.320
So that's how we can use x32dbg to trace and fish out the serial key.

99
06:01.470 --> 06:09.150
Now, in this lesson, although we did not use the comment tracking data

100
06:09.150 --> 06:15.840
that we have already gathered, I still wanted to show it to you because it is a useful skill to

101
06:15.840 --> 06:25.080
have when you go on to more complicated crackmes where you need to figure out the serial key that is being

102
06:25.080 --> 06:26.820
built line by line.

103
06:27.420 --> 06:27.690
Right.

104
06:27.690 --> 06:30.510
That's why you need to know the comment tracking method.

105
06:30.990 --> 06:32.910
So that's all for this video.

106
06:33.000 --> 06:34.590
I'll see you in the next one.

107
06:34.590 --> 06:35.820
Thank you for watching.