WEBVTT

1
00:01.700 --> 00:02.360
Welcome back.

2
00:02.600 --> 00:09.080
In the previous lesson, we already fished out the key and we already analyzed the algorithm.

3
00:09.080 --> 00:17.000
And now in this lesson we are going to do a self-keygen by reusing the same code from this keygen itself.

4
00:18.710 --> 00:23.990
So let's see where we can use printf to show the self-keygen, to show the key.

5
00:24.170 --> 00:30.590
Now in the previous lesson we saw that when it came to this line here, it compares what you

6
00:30.590 --> 00:36.290
enter with the number of characters to check whether or not they are the same.

7
00:36.320 --> 00:38.480
Let me rerun that and refresh your memory.

8
00:39.140 --> 00:43.460
So let's run it now and it hits our main breakpoint.

9
00:47.680 --> 00:50.230
Let me move this to the right so you can see the output.

10
00:50.800 --> 00:55.420
Right-click, go to graph, and then keep on stepping over.

11
00:58.880 --> 01:02.900
Let it load all the strings into the memory.

12
01:04.500 --> 01:06.300
Continue stepping over.

13
01:08.830 --> 01:10.570
And now it's coming here.

14
01:10.810 --> 01:17.830
And if you remember correctly, here is where it does the animation to print out the title.

15
01:17.830 --> 01:20.350
So we want to skip that and go straight to here.

16
01:20.350 --> 01:24.100
So enable this breakpoint. It's already been enabled there.

17
01:24.190 --> 01:28.420
So just run to this breakpoint and the animation is done.

18
01:28.420 --> 01:36.010
So now let's step over until it comes to the input for the registration name.

19
01:36.010 --> 01:38.050
And now it's waiting for you.

20
01:38.110 --> 01:40.780
Type "crackers", enter.

21
01:41.170 --> 01:44.410
And now it's back here in control.

22
01:44.680 --> 01:45.550
Step over.

23
01:45.820 --> 01:48.430
And here it calls the string length.

24
01:48.430 --> 01:51.850
It prints the number of characters for "crackers", which is eight.

25
01:52.780 --> 01:56.920
Then it will now double it to become 16.

26
01:57.610 --> 02:02.380
And then it's going to save that 16 into - minus 9C.

27
02:02.410 --> 02:04.660
Continue to step over.

28
02:06.460 --> 02:11.860
Now it prints "registration code" and then continue stepping over.

29
02:11.860 --> 02:14.530
And now it waits for you to enter your registration code.

30
02:14.530 --> 02:20.200
Assuming we don't know the registration code, we just type one, two, three, four, five, six, hit enter, and

31
02:20.200 --> 02:22.780
now it comes back to our control.

32
02:23.260 --> 02:24.820
We continue stepping over it.

33
02:25.240 --> 02:34.420
And here is where it is going to load the 16 which is stored in here. Earlier on it stored 16 here.

34
02:34.420 --> 02:36.460
So now it's going to load it back into -.

35
02:38.500 --> 02:38.890
Okay.

36
02:38.890 --> 02:46.030
As you can see now, it loads 16 back into - and then step over, it doubles it to become 32.

37
02:46.600 --> 02:53.110
So now it's going to compare whether or not the value that you entered, - minus 9C...

38
02:54.580 --> 02:59.440
This is what you entered. - minus 9C is 123456.

39
02:59.560 --> 03:05.020
This is the hex for 123,456 and this - is 32.

40
03:05.410 --> 03:13.000
So by the time it reaches this line, it already knows what the actual key should be.

41
03:13.240 --> 03:14.830
So it is good.

42
03:14.830 --> 03:21.670
From here onwards, instead of printing the regular output, we want it to print the key out

43
03:21.670 --> 03:22.180
here.

44
03:22.450 --> 03:26.230
So to print the key out here we can make use of the printf function.

45
03:26.530 --> 03:31.360
So the printf function takes two arguments.

46
03:31.360 --> 03:34.720
The first argument is the actual value you want to print.

47
03:34.720 --> 03:37.600
And the second argument is the format specifier.

48
03:38.620 --> 03:41.860
In C programming, the printf function accepts two parameters.

49
03:42.010 --> 03:43.240
Here is one example.

50
03:43.810 --> 03:44.230
Uh.

51
03:46.000 --> 03:51.400
The C function accepts the format specifier and it also accepts the value.

52
03:51.610 --> 03:58.000
So the format specifier can be %d for integer or %s for string, and so on.

53
03:58.000 --> 04:01.930
So in this case we are interested in printing an integer.

54
04:01.930 --> 04:04.840
So we should use %d as the format specifier.

55
04:05.620 --> 04:10.750
So over here in our notes, this is the integer value.

56
04:10.750 --> 04:12.160
And this is the format specifier.

57
04:12.850 --> 04:19.750
So what we want to do is actually like this: printf. If it were C, you would actually do this.

58
04:20.980 --> 04:23.200
And then here will be your - value.

59
04:23.440 --> 04:25.030
This is what we want to do.

60
04:25.060 --> 04:28.810
So the first parameter is your format specifier.

61
04:28.810 --> 04:31.510
And the second parameter is your -.

62
04:31.900 --> 04:34.690
So how do we implement this in assembly language?

63
04:34.960 --> 04:41.830
We must push - first and then push the format specifier and then call the printf function.

64
04:42.040 --> 04:47.800
So if you forgot about this you can just Google "printf function in C" and you can read all about it.

65
04:48.430 --> 04:53.470
So the second parameter is pushed to the stack first as push -.

66
04:54.010 --> 04:58.450
Then the first parameter is pushed next, which is your format specifier.

67
04:58.450 --> 05:01.450
And finally you call the function printf.

68
05:01.660 --> 05:09.820
So now this part of memory is where we have to put our string, our format specifier.

69
05:09.910 --> 05:15.520
So we have to hunt for the location in memory which is available for us to put our string.

70
05:15.760 --> 05:21.790
Then we can push the address of that string to the stack. To get this free memory,

71
05:21.820 --> 05:27.250
all you need to do is go to Memory Map and look at the data section for your program.

72
05:27.250 --> 05:31.810
Since "keygen me" is our program, look for the data section.

73
05:32.350 --> 05:37.630
Don't use the data section from the reserved here or kernel or other places.

74
05:37.630 --> 05:40.000
Look for the one for your program.

75
05:40.030 --> 05:41.740
Double-click on that.

76
05:41.740 --> 05:44.980
And down here you can scroll and look for an empty space.

77
05:45.310 --> 05:51.490
For example, the one I'm using is 403F1B0; it's all blank.

78
05:51.490 --> 05:52.720
So I can use this.

79
05:52.720 --> 05:57.100
So I select two dwords, one dword, two dwords.

80
05:57.100 --> 05:59.410
So that is long enough for my string.

81
05:59.860 --> 06:01.720
This string here that I want to put in.

82
06:01.840 --> 06:05.800
So I right-click here, go up to Binary Edit.

83
06:05.800 --> 06:13.990
And then from here in ASCII, backspace to the left corner and type "key colon %d".

84
06:14.620 --> 06:15.970
Then I click okay.

85
06:16.750 --> 06:19.390
So now I've got my string in memory.

86
06:19.390 --> 06:25.930
I can now push this to the stack over here: 403F1B0, 403F1B0.

87
06:25.960 --> 06:26.470
Yes.

88
06:26.470 --> 06:27.910
So copy this here.

89
06:28.090 --> 06:32.110
And then next one is to look for a printf function that you can use.

90
06:32.380 --> 06:35.290
So over here let's hunt for a printf function.

91
06:36.100 --> 06:36.670
All right.

92
06:36.670 --> 06:39.490
It's easier to go back to the disassembly view.

93
06:39.490 --> 06:45.040
Press G to go back to this disassembly view.

94
06:45.460 --> 06:51.580
Or you just click "follow in disassembler" and look for any function, for example this one.

95
06:52.150 --> 06:52.570
Right.

96
06:52.570 --> 06:55.750
And you want to know what the address of this printf is.

97
06:55.930 --> 07:00.760
Just select it, press the space bar and you will see the address.

98
07:00.760 --> 07:04.990
So just copy this whole thing here including the address.

99
07:05.470 --> 07:08.920
Click cancel and then paste it here.

100
07:09.400 --> 07:11.500
That is the address of your printf function.

101
07:11.890 --> 07:14.950
So now that we've got that, we are ready to assemble

102
07:15.100 --> 07:22.840
these three lines, inserting these three lines from here onwards.

103
07:24.160 --> 07:33.370
Now to do that we can go directly here and do our first one which is push -, press spacebar and type

104
07:33.370 --> 07:35.110
in push -.

105
07:36.670 --> 07:37.480
Okay, okay.

106
07:37.780 --> 07:44.020
Then the next one is here which is push your format specifier.

107
07:44.020 --> 07:47.380
So copy this and put it here and paste.

108
07:47.470 --> 07:48.370
Click okay.

109
07:49.090 --> 07:54.130
And the next one will be call your printf function.

110
07:54.130 --> 07:58.360
So copy that and put it in here and click okay.

111
07:59.290 --> 07:59.890
All right.

112
08:00.040 --> 08:02.890
Next we have to tidy up the rest of the code.

113
08:03.070 --> 08:08.920
Because after this printf it's going to fall through and do all these things here which we don't want

114
08:08.920 --> 08:09.580
it to do.

115
08:09.580 --> 08:14.350
So since we don't want it to do all these things here, we can just NOP them.

116
08:14.500 --> 08:22.660
You can select all these, all the way until maybe, maybe here, until this printf here.

117
08:23.110 --> 08:24.760
Then the rest should be harmless.

118
08:24.760 --> 08:27.460
So all this we just right-click and NOP.

119
08:29.530 --> 08:38.830
So we NOP that. That means after it finishes pushing this value for - to the stack and pushing the format

120
08:38.830 --> 08:42.670
specifier to the stack, it will call our printf function, which we created.

121
08:42.850 --> 08:47.800
Then it will NOP everything over here, everything all the way until here.

122
08:47.800 --> 08:51.370
And then do all these things here and then eventually quit.

123
08:52.060 --> 08:52.330
All right.

124
08:52.330 --> 08:53.920
So it should be quite safe now.

125
08:54.010 --> 08:58.120
And we can assemble it. File, patch file.

126
08:59.500 --> 09:05.320
And then let's give it a name with a dash E extension at the back. Dash...

127
09:05.800 --> 09:06.460
dash two.

128
09:06.490 --> 09:06.790
Sorry.

129
09:06.790 --> 09:09.190
Dash two for patch two. Click save.

130
09:09.940 --> 09:10.420
Okay.

131
09:10.420 --> 09:11.950
So now we are ready to test it.

132
09:11.950 --> 09:15.220
So let's go and get the path for this.

133
09:15.220 --> 09:21.520
Select the path for this program, and then right-click, copy this path.

134
09:21.730 --> 09:23.740
We are going to go there in the command prompt.

135
09:23.740 --> 09:27.550
So come down to the bottom, right-click, search for the command prompt.

136
09:28.150 --> 09:30.100
You can type "cmd" down here to search.

137
09:30.100 --> 09:33.910
Or if it's there you just click it. Type "cd" to change directory.

138
09:33.910 --> 09:37.780
Enter a space, right-click to paste your path.

139
09:38.980 --> 09:45.250
Press enter, type "dir" and you should see the file that you want to execute, your second, your patch.

140
09:45.250 --> 09:46.870
So you want to execute this.

141
09:46.870 --> 09:53.470
Just type "syn", S-Y-N, the first few characters of the name of the file, and press the tab key a few times

142
09:53.470 --> 09:54.820
until you see the right one.

143
09:55.210 --> 09:58.270
Once you've got it, just press enter and it will run.

144
09:58.750 --> 10:03.970
So enter "crackers". Hit enter. Registration code.

145
10:03.970 --> 10:04.780
Just press anything.

146
10:04.780 --> 10:05.800
It doesn't matter what.

147
10:05.800 --> 10:08.590
Press enter and you get "key is 32".

148
10:08.620 --> 10:11.350
So this "key 32" is coming from here.

149
10:12.220 --> 10:16.660
It prints "key colon" as you can see, "key colon".

150
10:16.660 --> 10:19.720
And then %d is the format specifier.

151
10:19.720 --> 10:21.640
It substitutes the value of - in that.

152
10:21.640 --> 10:23.140
So it is 32.

153
10:23.290 --> 10:25.810
So this - value is actually two zero in hex.

154
10:25.810 --> 10:32.140
But because your format specifier is %d, it converts the hex value into a decimal number, which

155
10:32.140 --> 10:33.040
is 32.

156
10:33.160 --> 10:37.030
That means now your self-keygen is working.

157
10:37.450 --> 10:38.770
So "crackers".

158
10:38.770 --> 10:42.160
If your registration name is "crackers" your key is 32.

159
10:42.220 --> 10:42.670
Okay.

160
10:42.670 --> 10:44.800
We can test it out to see if it's working.

161
10:44.980 --> 10:46.300
Open your...

162
10:48.580 --> 10:50.020
another version of it here.

163
10:50.920 --> 10:54.010
Open this one or take the original copy and run.

164
10:55.180 --> 10:57.100
And now we type in "crackers".

165
10:58.360 --> 10:59.560
Type in 32.

166
10:59.590 --> 11:02.320
Hit enter and you see it's working. 32.

167
11:02.620 --> 11:02.980
Yes.

168
11:02.980 --> 11:03.460
Correct.

169
11:03.910 --> 11:05.110
Now let's try another one.

170
11:05.620 --> 11:08.950
What if... let's run our... let's run our keygen again.

171
11:10.360 --> 11:12.490
This time we enter a different name.

172
11:12.490 --> 11:18.460
Maybe we enter "apple of the eye".

173
11:19.690 --> 11:22.330
Hit enter. Registration code.

174
11:22.330 --> 11:23.380
Just type anything.

175
11:24.190 --> 11:24.520
All right.

176
11:24.520 --> 11:26.530
So "apple of the eye", registration name.

177
11:26.530 --> 11:28.000
The key is 52.

178
11:28.090 --> 11:29.560
So let's try it here.

179
11:30.520 --> 11:31.690
Run the original.

180
11:34.930 --> 11:39.880
Type "apple of the eye", "of the eye".

181
11:40.510 --> 11:41.860
Registration code 52.

182
11:41.860 --> 11:42.550
Enter.

183
11:42.550 --> 11:43.900
Yes, it works.

184
11:43.900 --> 11:46.270
So our self-keygen is working.

185
11:46.270 --> 11:56.080
So this is how we can use the data section of the memory in conjunction with your printf.

186
11:56.320 --> 11:59.950
So the data segment is where you put in your format specifier.

187
12:00.160 --> 12:07.750
And then once you've got that in, you can just find any part in your code section and

188
12:07.750 --> 12:13.570
inject your three lines of code here: one, two and three, and NOP whatever else you don't need.

189
12:14.500 --> 12:15.370
So that's it.

190
12:15.370 --> 12:17.410
So that's all for this lesson.

191
12:17.410 --> 12:18.640
Thank you for watching.