WEBVTT

1
00:00.710 --> 00:02.570
Hello and welcome back.

2
00:03.350 --> 00:10.220
We are now going to do another keygen project, and this is the credit I am giving to the author,

3
00:10.220 --> 00:11.030
Submin King.

4
00:11.570 --> 00:18.770
Please download the keygen crackme from the resource section for this lecture.

5
00:19.670 --> 00:24.440
The password to unzip it is crackinglessons.com.

6
00:26.040 --> 00:27.630
After you've unzipped it,

7
00:27.750 --> 00:30.060
inside you'll find two files.

8
00:30.090 --> 00:38.610
Just make a copy of the original and then scan it with DetectItEasy to find out if it's 32-bit or 64-bit.

9
00:38.910 --> 00:44.610
I've done that and I found that it is 32-bit, so I need to use x32dbg.

10
00:45.480 --> 00:47.790
Let us first run it to see what it does.

11
00:48.540 --> 00:53.520
It is a graphical user interface and you are supposed to enter the name.

12
00:53.640 --> 00:54.720
You don't know the name,

13
00:54.720 --> 01:00.000
so I'm just going to put "cracker" and the serial. I don't know the serial,

14
01:00.000 --> 01:04.470
so I'm just going to put 123456789.

15
01:05.220 --> 01:06.780
And then I will click check.

16
01:07.350 --> 01:14.400
But there is no message box pop-up which should tell you that you have entered the wrong serial.

17
01:14.910 --> 01:20.040
So the question is: without a bad message box, can we still crack this?

18
01:20.520 --> 01:21.960
The answer is yes.

19
01:22.140 --> 01:26.880
We use another technique called the intermodule calls technique.

20
01:27.950 --> 01:31.940
So we shall now open it with x32dbg.

21
01:34.070 --> 01:35.480
We will close this first.

22
01:35.990 --> 01:38.000
Open it with x32dbg.

23
01:40.250 --> 01:43.370
I am going to refresh because I've already done this before.

24
01:44.240 --> 01:47.570
And now we need to do an intermodule call.

25
01:47.780 --> 01:53.840
So we just right-click this and then search for current module,

26
01:54.140 --> 01:55.970
intermodule calls.

27
01:56.420 --> 02:04.700
Intermodule calls are the Microsoft API functions which are being called by this program.

28
02:05.240 --> 02:11.450
So once you do a search, it will list out all the intermodule calls which this program uses.

29
02:12.350 --> 02:15.200
Now of interest to us would be your MessageBox API.

30
02:15.230 --> 02:16.820
So just scroll down,

31
02:16.820 --> 02:22.340
or if you don't want to scroll to look for it, you can just filter it out here by typing "MessageBox."

32
02:22.340 --> 02:24.260
And you will find there is one here.

33
02:24.800 --> 02:28.910
So the MessageBox is being used to display messages.

34
02:28.910 --> 02:34.280
In this case, it is going to be used to display the congratulatory message.

35
02:35.000 --> 02:41.660
We know that it doesn't display the error message when you enter the wrong serial, but we suspect

36
02:41.660 --> 02:45.170
it will display the congratulatory message if you enter the right serial.

37
02:45.260 --> 02:48.920
So that is the reason why we are filtering out for MessageBox.

38
02:49.250 --> 02:55.190
So just click on this to go to the address and you will find that this is the location.

39
02:55.340 --> 02:58.490
So we right-click and put the breakpoint there,

40
02:58.820 --> 03:01.250
toggle, just to mark the spot.

41
03:01.370 --> 03:04.430
And true enough, there is a congratulatory message.

42
03:04.430 --> 03:05.000
"You did it!

43
03:05.000 --> 03:05.750
Congrats!

44
03:06.290 --> 03:08.480
Make me a little tutorial please."

45
03:08.990 --> 03:14.840
And if you scroll up, you try to look for the start of this function.

46
03:15.080 --> 03:18.050
But there is no push -,

47
03:18.050 --> 03:19.400
but there is something here.

48
03:20.240 --> 03:24.740
So maybe this is the start of the function, but we are not sure.

49
03:25.070 --> 03:32.900
So we can see there's a GetDlgItemText. GetDlgItemText is used to read in the text from

50
03:32.900 --> 03:35.030
the text box.

51
03:35.060 --> 03:36.230
Let me show you.

52
03:36.590 --> 03:37.580
So I open this.

53
03:37.580 --> 03:41.060
This is called the text box.

54
03:41.360 --> 03:42.260
There are two here.

55
03:42.560 --> 03:49.100
So the function that is used to read the text is GetDlgItemText.

56
03:49.130 --> 03:50.000
This one here.

57
03:50.540 --> 03:57.050
So most probably you will need to call this twice because there are two fields here: the name text box

58
03:57.050 --> 03:58.940
and the serial text box.

59
04:03.570 --> 04:03.900
Okay.

60
04:03.900 --> 04:09.270
So now we are going to put our graph here somewhere.

61
04:09.270 --> 04:13.380
Maybe here, if you want. Just right-click this and graph it.

62
04:13.830 --> 04:14.940
And there you go.

63
04:15.510 --> 04:17.010
It gets the dialog item text,

64
04:17.010 --> 04:24.060
and then after that it will go down and perform all this.

65
04:24.060 --> 04:25.200
Maybe it's too low.

66
04:25.200 --> 04:26.310
Maybe let's go higher.

67
04:27.680 --> 04:28.730
Move it up here.

68
04:30.140 --> 04:37.130
And then from here we graph it and we see there is the start of this function.

69
04:38.550 --> 04:39.420
GetDlgItemText

70
04:39.420 --> 04:40.350
is here.

71
04:44.220 --> 04:53.400
And then if you go further down, at the bottom on the right, you will see there is a congratulatory

72
04:53.400 --> 04:54.210
message here.

73
04:55.620 --> 05:03.150
So before it can come to this congratulatory message, it will need to read in the data

74
05:03.780 --> 05:09.240
that you entered using the GetDlgItemText, which is over here.

75
05:09.780 --> 05:17.910
So it's a good idea to put the breakpoint here. Right-click and put a breakpoint and then turn tracing

76
05:17.910 --> 05:21.690
on: trace coverage word, and run the program.

77
05:23.070 --> 05:25.680
Move this to the side so it doesn't block our view.

78
05:26.400 --> 05:36.690
Now we're going to assume that the username is "cracker" and serial is 1234567

79
05:36.690 --> 05:37.860
89.

80
05:39.900 --> 05:47.220
Now you click on check and it hits our breakpoint and we shall start tracing by stepping over

81
05:47.220 --> 05:47.490
it.

82
05:50.070 --> 05:51.240
So let's step over that.

83
05:53.160 --> 05:53.520
Okay.

84
05:53.520 --> 05:54.450
It hasn't called this yet.

85
05:54.450 --> 05:56.040
It's just moving this to -.

86
05:57.300 --> 06:06.930
And - now contains the GetDlgItemText and it will be called over here: call -.

87
06:07.410 --> 06:11.700
So it's calling this function here. - contains the address of this function.

88
06:12.180 --> 06:14.220
And then I put a comment here:

89
06:14.250 --> 06:15.660
GetDlgItemTextA.

90
06:16.440 --> 06:24.390
And because that's what is called, when I step over it I find that it returns seven to -.

91
06:25.050 --> 06:29.580
So let us take a look at the API for this.

92
06:29.730 --> 06:35.610
Just search for MSDN GetDlgItemText and then you will find this article.

93
06:36.450 --> 06:41.400
Now I'm interested in the return value because that is what is stored in -.

94
06:41.670 --> 06:45.240
So let's scroll down and take a look at the return value.

95
06:46.080 --> 06:50.700
If the function succeeds, the return value specifies the number of characters copied.

96
06:51.600 --> 06:53.310
Okay, so we got it.

97
06:53.610 --> 07:00.090
So if we find that the number is seven, that means it has copied something from one of these text

98
07:00.090 --> 07:04.770
boxes, which is seven characters long, and "cracker" is seven characters long.

99
07:05.100 --> 07:06.540
That's why - is seven.

100
07:06.540 --> 07:15.210
So this GetDlgItemText here reads in "cracker," reads this string that you entered for the name and

101
07:15.210 --> 07:16.380
stores it somewhere.

102
07:17.190 --> 07:17.520
Okay.

103
07:17.520 --> 07:20.100
And then next one, let's call this now.

104
07:21.060 --> 07:23.280
So we call this and it returns zero.

105
07:23.280 --> 07:24.210
We don't know what that is.

106
07:24.210 --> 07:25.920
We just ignore it for now.

107
07:26.760 --> 07:30.660
And then we continue to step over.

108
07:31.440 --> 07:33.450
And now it's going to call -.

109
07:34.440 --> 07:35.700
And what is in -?

110
07:36.180 --> 07:37.260
GetDlgItemText.

111
07:37.260 --> 07:40.230
So this is the second time it's calling GetDlgItemText.

112
07:40.740 --> 07:42.810
Let's step over it now and see what happens.

113
07:42.810 --> 07:44.280
And it returns nine.

114
07:44.640 --> 07:52.410
So this time the number of characters that it has read in is nine, which means it probably read in

115
07:52.410 --> 07:52.980
the serial.

116
07:53.850 --> 07:55.470
It has nine characters in the serial.

117
07:56.040 --> 08:00.870
So I put a comment here: GetDlgItemText, comma, - nine.

118
08:00.870 --> 08:08.280
So now we can more or less guess quite accurately that this first call for GetDlgItemText reads

119
08:08.280 --> 08:13.560
in your name, and the second time it calls it, it reads in your serial.

120
08:14.130 --> 08:15.960
Okay, let's continue to step over.

121
08:18.960 --> 08:26.520
Now it's going to compare something, - and also the first byte of -.

122
08:27.180 --> 08:33.450
So - contains the hex 31, which is the character one.

123
08:33.450 --> 08:38.070
And the character one is the first character of our serial that we entered.

124
08:38.490 --> 08:41.880
- is the first byte of -.

125
08:42.420 --> 08:52.320
So - is 31, which is hex for the character one, and one is the first character for our serial.

126
08:54.120 --> 08:55.530
And what is it comparing

127
08:55.560 --> 08:58.080
to? It is comparing to the first byte of -.

128
08:58.380 --> 09:00.450
Now - contains this string.

129
09:00.450 --> 09:03.840
The first byte is a dash.

130
09:03.840 --> 09:05.250
You can see that it's a dash.

131
09:05.310 --> 09:09.750
So this suggests that this is the first character of the actual serial.

132
09:10.860 --> 09:19.110
Now, because it did not enter the character zero, therefore it is probably going to fail and jump.

133
09:19.110 --> 09:20.070
Not equal will jump.

134
09:20.070 --> 09:20.850
We can tick on that.

135
09:20.850 --> 09:21.030
See?

136
09:21.030 --> 09:23.190
Jump is taken, right?

137
09:23.310 --> 09:28.770
So when jump is taken, it's going to come here and then it is going to come here.

138
09:30.300 --> 09:30.540
All right.

139
09:30.540 --> 09:31.530
Let's see what happens.

140
09:32.880 --> 09:38.040
Now before we go there, let's take a look at what it is comparing.

141
09:38.160 --> 09:50.070
It is comparing this first character, -, which is one of the characters we entered with the first byte,

142
09:50.610 --> 09:53.100
the first character of -, which is dash.

143
09:53.100 --> 09:57.870
So this highly suggests that this whole string is the actual serial.

144
09:58.950 --> 10:05.670
And I bet that there will be a loop somewhere which loops through comparing byte by byte, one

145
10:05.670 --> 10:06.270
by one.

146
10:06.870 --> 10:11.790
So let's assume that this is the serial.

147
10:12.510 --> 10:14.580
So let's copy this down.

148
10:14.580 --> 10:16.560
Open the notepad.

149
10:20.360 --> 10:25.280
So we type -1632

150
10:27.220 --> 10:34.300
858569476.

151
10:36.360 --> 10:40.260
Six and nine, four, seven. Okay.

152
10:40.260 --> 10:41.460
So let's compare that.

153
10:41.460 --> 10:42.660
Make sure you got it right.

154
10:42.960 --> 10:44.190
-1

155
10:44.190 --> 10:50.190
63285856947.

156
10:50.190 --> 10:55.980
All right, so we open another copy of this here.

157
10:56.040 --> 11:00.000
Double-click on this and we begin: "cracker."

158
11:01.200 --> 11:04.710
And we paste in this one and see whether it is actually the serial.

159
11:08.520 --> 11:09.090
Click check.

160
11:09.240 --> 11:12.870
And yes, so our guess was correct.

161
11:12.870 --> 11:14.250
This is the actual serial.

162
11:14.250 --> 11:18.060
So we have managed to fish out the serial.

163
11:18.570 --> 11:24.090
So for this name, the serial is negative and so on, like this.

164
11:24.090 --> 11:24.450
So every

165
11:24.450 --> 11:28.230
time you change the name, the serial will change.

166
11:28.230 --> 11:28.710
Okay.

167
11:28.890 --> 11:39.540
So now the next trick is: how do we make a keygen out of this program?

168
11:40.110 --> 11:43.590
So for that, we will continue in the next lesson.

169
11:43.680 --> 11:45.210
I'll see you in the next one.