WEBVTT

1
00:01.580 --> 00:02.930
Hello and welcome back.

2
00:03.410 --> 00:12.140
We are now going to try this new game from this author, so I've already downloaded this for you.

3
00:12.170 --> 00:16.100
Go and get your copy from the resource section for this lecture.

4
00:16.820 --> 00:23.120
After you have downloaded it, unzip it using the password cracking lessons.com.

5
00:23.510 --> 00:29.870
Make a copy of the original files so that you have a backup, and then scan this with Detect It

6
00:29.870 --> 00:30.440
Easy.

7
00:30.620 --> 00:34.490
I've already done that and I found that it is a 32-bit program.

8
00:34.820 --> 00:38.360
So now let's analyze it by running it and see what it does.

9
00:39.290 --> 00:43.280
So you see there's an animation there for the title.

10
00:43.280 --> 00:46.220
And then it asks for the registration name.

11
00:46.340 --> 00:48.380
I'm going to key in "crackers".

12
00:51.000 --> 00:51.810
I hit enter.

13
00:52.050 --> 00:54.390
Then it asks for the registration code.

14
00:54.390 --> 00:58.560
So I'm going to key in one, two, three, four, five, six and hit enter.

15
00:58.680 --> 01:00.480
And it says "try again".

16
01:00.840 --> 01:05.340
So this keygenme takes your registration name.

17
01:05.340 --> 01:11.700
And then from there it creates a registration code based on your registration name.

18
01:11.820 --> 01:19.530
So the purpose, the objective of this project is to first do fishing to fish out the registration

19
01:19.530 --> 01:20.160
code.

20
01:20.160 --> 01:25.050
And then after that in the next lesson we will be doing the keygen itself.

21
01:25.950 --> 01:28.830
So there are two objectives here.

22
01:29.070 --> 01:36.810
So now since we have already understood the behavior, we should now start to do the first part, which

23
01:36.810 --> 01:38.010
is to do fishing.

24
01:38.310 --> 01:44.520
So to do fishing we will open this program and search for this string.

25
01:44.790 --> 01:46.620
So we open it in x64dbg.

26
01:46.650 --> 01:47.520
32-bit.

27
01:48.030 --> 01:50.580
I'm just going to reload it since I've done it before.

28
01:51.030 --> 01:52.770
And search for this string.

29
01:52.800 --> 01:53.730
"Try again".

30
01:54.240 --> 02:01.530
So right-click here and then go down to Search for, Current module, String references.

31
02:01.650 --> 02:04.350
And you should find a long list of strings.

32
02:04.350 --> 02:09.180
And so we're going to filter for "try again".

33
02:09.180 --> 02:09.960
And there you have it.

34
02:09.960 --> 02:10.710
"Try again".

35
02:11.220 --> 02:15.000
So double-click on that to go to the address for that string.

36
02:15.000 --> 02:21.690
And try to scroll up to look for the push -, which marks the start of this function.

37
02:22.440 --> 02:23.580
So there it is.

38
02:23.580 --> 02:25.590
So I put the comment "main".

39
02:25.770 --> 02:30.630
So I'm now going to put a breakpoint there by right-clicking, Breakpoint, Toggle.

40
02:31.320 --> 02:36.240
Then I'm going to turn tracing on: Trace, Trace coverage, Word.

41
02:37.020 --> 02:39.210
And then I'm going to right-click and graph it.

42
02:40.620 --> 02:45.060
Now I'm going to run it and let it hit our breakpoint, which it has done.

43
02:45.210 --> 02:49.200
Then I'm going to adjust this thing to go to the right.

44
02:49.320 --> 02:51.390
Let me close the other windows as well.

45
02:53.540 --> 02:55.850
I'm going to get the windows off.

46
02:56.480 --> 02:59.300
And so adjust this so I can see everything.

47
02:59.300 --> 03:06.230
And then I'm going to step over, step over, and step over for the ones that...

48
03:08.940 --> 03:12.840
So now it's loading the strings that are going to be used in the program.

49
03:12.840 --> 03:16.020
As you can see, all these are coming from the data segment.

50
03:16.020 --> 03:20.760
This is the data segment, which is referring to here, the data segment.

51
03:21.480 --> 03:27.510
So the data segment contains all the initialized strings which are used by the program.

52
03:28.170 --> 03:30.720
So you can see all the strings which are being loaded.

53
03:31.560 --> 03:33.630
They are going to be used in this program.

54
03:34.200 --> 03:36.930
So these steps, all this, they are not so important.

55
03:39.200 --> 03:39.560
Okay.

56
03:39.560 --> 03:41.210
So here it's doing some comparison.

57
03:41.210 --> 03:44.150
Again, not important because we have not input anything yet.

58
03:45.290 --> 03:48.380
So the comparison is unimportant.

59
03:48.920 --> 03:51.560
Continue to step over and it has jumped to here.

60
03:51.890 --> 03:56.330
Continue to step over and now continue to step over.

61
03:57.530 --> 03:57.920
All right.

62
03:57.920 --> 04:02.690
So now it's going to enter a kind of loop.

63
04:02.780 --> 04:05.900
So let's see what happens when it goes into the loop.

64
04:07.620 --> 04:08.970
And watch the output here.

65
04:09.000 --> 04:10.080
W has been printed out.

66
04:10.710 --> 04:16.500
If you continue to loop, it will print all the rest of the animation for the title.

67
04:16.500 --> 04:22.050
As you can see now, it's printing E and if you keep on looping, it will print the rest of the string

68
04:22.050 --> 04:24.900
one by one, character by character as you keep on looping.

69
04:24.900 --> 04:32.550
As you can see, L is coming out now, C, followed by O, and then followed by

70
04:33.990 --> 04:35.160
M and so on.

71
04:35.160 --> 04:41.970
So from here you can see that the loop starts here, comes here, and then loops back into here again.

72
04:41.970 --> 04:43.110
So you keep on looping.

73
04:43.110 --> 04:49.800
And from the observation we can tell that it is a loop which is actually doing the animation for the

74
04:49.800 --> 04:50.280
title.

75
04:50.280 --> 04:51.480
So we are not interested in that.

76
04:51.480 --> 04:53.040
We want to exit the loop.

77
04:53.190 --> 04:54.420
To exit the loop quickly,

78
04:54.420 --> 05:00.210
we put a breakpoint here because this is where the loop checks whether it has satisfied the counter.

79
05:00.300 --> 05:05.010
So in this case, we are going to exit the loop by putting a breakpoint here, right-click, breakpoint

80
05:05.040 --> 05:08.220
toggle, and just run to your breakpoint to exit the loop.

81
05:08.370 --> 05:12.960
And as it prints the rest of the string, it completes the loop.

82
05:13.110 --> 05:14.760
And it comes back out here.

83
05:14.880 --> 05:16.830
So this is what interests us.

84
05:16.830 --> 05:24.420
So now let's continue stepping over and observe the output here and see what happens. Okay.

85
05:24.420 --> 05:26.580
Now it's going to call a printf function.

86
05:26.730 --> 05:28.560
And it prints "registration name".

87
05:30.570 --> 05:32.250
It is still in a paused state.

88
05:32.460 --> 05:33.840
It is not waiting for input.

89
05:33.840 --> 05:39.480
So continue to step over line by line, and after this call it will wait for your input.

90
05:39.510 --> 05:45.120
Notice I put comments here and you should do the same so that it's easy to read.

91
05:45.360 --> 05:47.940
So step over now and notice what happens.

92
05:47.940 --> 05:49.410
It goes into the running state.

93
05:49.410 --> 05:51.660
This means it is waiting for input.

94
05:51.660 --> 05:53.940
So now let's put the registration name.

95
05:53.940 --> 05:54.420
"Crackers".

96
05:54.450 --> 05:58.590
Crackers, and hit enter.

97
05:59.730 --> 06:02.850
Once you hit enter, the control comes back to the debugger.

98
06:02.850 --> 06:06.360
As you can see now, it's in the paused state and is waiting for you to step over.

99
06:06.360 --> 06:10.350
So let's continue to step over it now, line by line again.

100
06:10.590 --> 06:15.990
And now it's going to call a string length and step over it and see what happens to -.

101
06:16.680 --> 06:20.700
Every function returns the result of the call inside -.

102
06:20.700 --> 06:23.970
So we are interested to see what is going to be the value here.

103
06:23.970 --> 06:25.470
So let's step over and see.

104
06:25.980 --> 06:27.570
And -, eight.

105
06:27.660 --> 06:28.500
So eight.

106
06:28.500 --> 06:35.850
If you notice, eight and the number of characters in "crackers" is the same. "Crackers" has got eight characters.

107
06:35.850 --> 06:38.880
So string length appears to be counting

108
06:38.880 --> 06:42.900
how many characters are there in your registration name.

109
06:43.590 --> 06:44.850
So that is what it does.

110
06:44.850 --> 06:45.990
And it returns eight here.

111
06:46.200 --> 06:49.170
So I put a comment there "- equals eight".

112
06:50.160 --> 06:50.400
All right.

113
06:50.400 --> 06:54.570
So let's continue and notice now what happens. It's add -, -.

114
06:54.750 --> 06:56.280
So it increases eight.

115
06:56.610 --> 06:59.490
So step over, - becomes 16.

116
06:59.490 --> 07:02.130
This is hex for 16; one zero is 16.

117
07:02.520 --> 07:07.560
So continue to step over and it saves your 16 into - minus 9C.

118
07:07.890 --> 07:14.610
So - minus 9C stores the length of your string times two.

119
07:15.390 --> 07:19.230
So that is what - minus 9C is storing.

120
07:19.710 --> 07:21.300
So let's continue now.

121
07:24.620 --> 07:28.490
Continue to step over and it's going to call printf again.

122
07:28.490 --> 07:31.130
And now it prints "registration code".

123
07:31.910 --> 07:34.790
So I put a comment here "shows registration code".

124
07:35.510 --> 07:37.070
Continue stepping over.

125
07:37.250 --> 07:39.650
And after this call, see what happens.

126
07:40.700 --> 07:42.290
It goes into a running state.

127
07:42.290 --> 07:45.080
That means it is waiting for you to input.

128
07:45.080 --> 07:46.820
So I put a comment there as well.

129
07:46.820 --> 07:48.590
"Waits for registration code input".

130
07:48.590 --> 07:56.030
So let's type anything: 123456, hit enter, and now control comes back to the debugger.

131
07:56.030 --> 07:59.570
As you can see, it's back to the paused state, waiting for you to step over.

132
08:00.500 --> 08:02.660
Continue stepping over line by line.

133
08:02.870 --> 08:04.940
And now it is moving

134
08:04.940 --> 08:06.560
- minus 9C to -.

135
08:06.560 --> 08:16.100
Now remember, - minus 9C contains the length of your registration name times two, and it has stored it

136
08:16.100 --> 08:16.430
here.

137
08:16.430 --> 08:19.130
Now it's recalling it back into -.

138
08:19.490 --> 08:25.490
Step over and you see now - stores the value one zero, which is hex for 16.

139
08:26.210 --> 08:28.250
It will now add - to -.

140
08:28.250 --> 08:30.140
That means it's going to double it.

141
08:30.170 --> 08:32.990
It becomes two zero, which means 32.

142
08:33.290 --> 08:35.960
So from 16 it becomes 32.

143
08:36.650 --> 08:37.970
Originally it was eight.

144
08:38.960 --> 08:39.890
It was eight.

145
08:40.190 --> 08:43.670
And then it doubles it, it becomes 16.

146
08:43.790 --> 08:47.600
And then here it doubles it again to become 32.

147
08:48.020 --> 08:54.410
So now it's going to compare this 32 with whatever is in - minus 9C.

148
08:54.410 --> 08:59.570
Look at it here. - is 32.

149
08:59.600 --> 09:01.160
This is hex for 32.

150
09:01.280 --> 09:05.450
And this is hex for whatever is in - minus 9C.

151
09:05.750 --> 09:06.710
So let's take a look.

152
09:06.710 --> 09:11.210
What is this value in decimal? 1E240.

153
09:11.210 --> 09:13.160
Oh, I'll use the calculator here.

154
09:14.090 --> 09:21.290
And then key in 1E240. One is in the hex column, in the hex text box.

155
09:21.290 --> 09:27.560
1E240, 1E240

156
09:27.560 --> 09:29.810
is 123456

157
09:29.810 --> 09:38.210
in decimal, which is your input. That means it is comparing your input whether it is 32.

158
09:38.630 --> 09:41.840
So this suggests that the registration code is 32.

159
09:41.960 --> 09:44.570
So this is how we can fish out the code.

160
09:44.570 --> 09:48.140
So for "crackers", the registration code is 32.

161
09:49.040 --> 09:50.870
Very simple fishing. Okay.

162
09:50.870 --> 09:53.240
So now we can test our hypothesis.

163
09:53.240 --> 09:57.320
We can go here and run another copy of this program.

164
09:57.590 --> 10:03.230
And then key in "crackers" and key in 32 and see what happens.

165
10:03.770 --> 10:04.280
Correct?

166
10:04.280 --> 10:04.760
Correct.

167
10:04.850 --> 10:06.590
We have fished out the code.

168
10:07.340 --> 10:08.540
We have fished out the key.

169
10:08.540 --> 10:12.080
So for "crackers", the registration code is 32.

170
10:12.110 --> 10:14.840
That means the algorithm is very simple.

171
10:14.840 --> 10:22.100
All it does is it counts the number of characters in your input for the registration name and then doubles

172
10:22.100 --> 10:22.970
it two times.

173
10:22.970 --> 10:29.990
So if your registration name has got eight characters, it doubles it to become... eight to become 16,

174
10:29.990 --> 10:32.270
and doubles it again to become 32.

175
10:32.900 --> 10:33.320
All right.

176
10:33.320 --> 10:34.880
So that is the algorithm.

177
10:34.880 --> 10:43.820
So if your input is seven characters, then your registration code should be seven

178
10:43.820 --> 10:46.730
plus seven, 14, 14 plus 14.

179
10:46.730 --> 10:48.680
It should be 28.

180
10:49.010 --> 10:50.780
All right, let's try our hypothesis.

181
10:51.020 --> 10:53.840
So supposing we now run again.

182
10:53.840 --> 10:59.180
This time we enter a seven-character registration name.

183
10:59.390 --> 11:06.320
And the registration code should be seven plus seven is 14, 14 plus 14 is 28.

184
11:06.320 --> 11:08.600
So let's try 28. Correct?

185
11:08.600 --> 11:08.930
Correct.

186
11:08.930 --> 11:12.770
So we have already derived, fished out the algorithm for this

187
11:12.770 --> 11:14.390
keygen.

188
11:14.660 --> 11:16.160
For this simple keygenme.

189
11:16.940 --> 11:17.300
All right.

190
11:17.300 --> 11:23.960
So now that we have solved this, in the next video we are going to create a keygen for this

191
11:23.960 --> 11:26.570
program.

192
11:26.570 --> 11:31.940
And we are going to make use of the code itself to reveal the key.

193
11:32.030 --> 11:34.400
That means we are going to create a self-keygen.

194
11:34.760 --> 11:40.610
Now in this section we are going to use printf, which is already there for us to use.

195
11:40.610 --> 11:45.440
As you can see, it is using printf quite liberally. Printf over here.

196
11:46.370 --> 11:53.480
And it's got printf here and it's got so many printfs that we can tap into and show our actual

197
11:53.480 --> 11:54.500
key.

198
11:54.650 --> 12:00.080
So with that, I'll see you in the next lesson where we will do our self-keygen.

199
12:00.080 --> 12:00.530
Again.

200
12:00.530 --> 12:01.820
Thank you for watching.