WEBVTT

1
00:01.840 --> 00:03.580
So let's continue.

2
00:05.320 --> 00:07.780
We open this with x64dbg.

3
00:07.780 --> 00:10.750
So we drag and drop it here.

4
00:10.750 --> 00:12.190
Open x64dbg.

5
00:14.880 --> 00:17.010
And now we search for this string.

6
00:18.120 --> 00:18.840
Access denied.

7
00:21.010 --> 00:25.660
So you can maybe expand it a bit to the right.

8
00:25.660 --> 00:26.740
More space.

9
00:27.670 --> 00:33.250
Right-click, search for current module string references.

10
00:33.790 --> 00:36.040
And here you can see "Access denied."

11
00:37.600 --> 00:38.920
So we double-click on that.

12
00:38.920 --> 00:40.000
You can also see "Enter

13
00:40.000 --> 00:42.820
secret code" is there, and "Access granted" is also there.

14
00:43.420 --> 00:45.250
So let's go to "Access Denied."

15
00:45.370 --> 00:46.090
Double-click.

16
00:46.450 --> 00:50.860
And here is where you find the string "Access denied", over here on this line.

17
00:51.790 --> 00:55.000
Try to look for the start of this function by scrolling up.

18
00:55.990 --> 00:57.640
You find "Access granted" here.

19
00:59.050 --> 01:03.460
Then go up some more, and let's see.

20
01:03.460 --> 01:04.330
Continue to go up.

21
01:09.570 --> 01:10.140
"Enter

22
01:10.140 --> 01:11.310
the secret code" is here.

23
01:11.820 --> 01:14.250
So it looks like this is one big program.

24
01:14.520 --> 01:15.930
And here's the return.

25
01:15.990 --> 01:18.690
That means the start of this function is over here.

26
01:19.830 --> 01:22.320
So over here we can make a comment.

27
01:23.160 --> 01:24.990
Main function.

28
01:25.860 --> 01:27.660
Then we can graph it. Press G.

29
01:30.200 --> 01:30.980
Put a breakpoint.

30
01:32.960 --> 01:34.490
Now we start tracing.

31
01:34.670 --> 01:38.030
Trace coverage mode to turn on the syntax highlighting.

32
01:38.870 --> 01:42.920
And then now we put this thing on the right.

33
01:44.720 --> 01:48.200
So we can notice what happens as we step over.

34
01:51.800 --> 01:53.900
First, we run, let it hit the breakpoint.

35
01:54.680 --> 01:55.640
Then we step over.

36
01:56.390 --> 01:57.530
Keep an eye on the right.

37
02:01.110 --> 02:03.330
We enter the text space.

38
02:04.860 --> 02:10.770
So this is the first time the text appears, but it is not waiting for your input yet because the state is

39
02:10.770 --> 02:11.610
still paused.

40
02:12.660 --> 02:16.500
We need to step over until it goes to running state.

41
02:17.430 --> 02:18.630
Continue step over.

42
02:20.990 --> 02:21.500
There you go.

43
02:21.530 --> 02:22.400
It is running state.

44
02:23.390 --> 02:26.300
That means it is waiting for you to enter something.

45
02:26.600 --> 02:27.650
So we will enter

46
02:27.650 --> 02:28.100
one, two,

47
02:28.100 --> 02:28.400
three,

48
02:28.400 --> 02:28.730
four,

49
02:28.730 --> 02:29.090
five,

50
02:29.090 --> 02:29.720
six.

51
02:33.230 --> 02:34.130
And then hit Enter.

52
02:35.270 --> 02:38.030
So now it's going back to the paused state again.

53
02:38.180 --> 02:39.590
You can continue stepping over.

54
02:40.310 --> 02:42.290
So now we are going to do tracing.

55
02:43.820 --> 02:49.160
The code that we entered—the secret code that you entered—is 123456.

56
02:49.640 --> 02:51.290
Let's convert this into hex.

57
02:52.910 --> 03:00.800
So we copy this, go to the built-in calculator, and paste it here. In hex, it is this value: 1E240.

58
03:03.140 --> 03:05.660
So this is equal to hex 1E240.

59
03:06.950 --> 03:16.310
We do this because when the code runs, it converts all the digits into hex.

60
03:16.550 --> 03:19.640
So we convert into hex first so that you can notice it

61
03:19.640 --> 03:22.940
if it appears anywhere inside the memory or the register.

62
03:22.940 --> 03:28.370
If ever we see this in the register or in memory, we know that it is referring to 123456.

63
03:28.370 --> 03:29.750
That's why we convert it here.

64
03:32.030 --> 03:37.880
So let's continue the step over and notice any compares.

65
03:38.000 --> 03:39.320
Here's one compare here.

66
03:41.510 --> 03:44.570
It is comparing 15 with 15.

67
03:45.560 --> 03:47.240
So not useful.

68
03:47.270 --> 03:48.500
Let's step over that.

69
03:50.880 --> 03:56.310
Now it's comparing six with a huge number. Six

70
03:56.310 --> 04:01.800
here is a hint that it might be the length of our input.

71
04:01.800 --> 04:03.780
Six—it might be the length.

72
04:04.590 --> 04:07.560
All right, so we're not sure whether it's a length or not.

73
04:08.220 --> 04:13.980
We are just assuming. If you want to be sure whether it's the length or not, you rerun this program

74
04:13.980 --> 04:17.010
and you enter seven or eight;

75
04:17.010 --> 04:23.700
then, if this changes to eight or seven, we know for sure that this is comparing the length of our

76
04:23.700 --> 04:24.030
input.

77
04:24.660 --> 04:29.490
For now, let's assume that it is the length of our input, which is six characters.

78
04:30.390 --> 04:39.780
Step over. It is comparing whether it is bigger than this, because of the "jump above." If it is bigger than this,

79
04:39.780 --> 04:41.730
then jump above is true, but it is not.

80
04:41.730 --> 04:45.750
So jump is not taken, so it will go to the right.

81
04:47.820 --> 04:52.110
Now it's comparing this with the 15.

82
04:52.110 --> 05:00.720
So let's make a comment here: cmp six with 15. F is 15.

83
05:00.840 --> 05:08.670
So does this mean that the—the secret code should be less than 15?

84
05:09.210 --> 05:10.020
We don't know.

85
05:10.020 --> 05:16.800
We just ask the question. After putting a comment, you notice it doesn't show. You have to press F5

86
05:17.310 --> 05:19.500
to see the updated comment.

87
05:21.000 --> 05:21.300
All right.

88
05:21.300 --> 05:28.200
So now we are guessing that the code should be less than 15 because here it is telling you "jump above."

89
05:28.380 --> 05:31.170
So is the code less than or equal to 15?

90
05:32.730 --> 05:38.550
To open this comment, you can press semicolon on your keyboard to open this comment box.

91
05:40.170 --> 05:41.430
So just update it.

92
05:41.430 --> 05:43.440
Is it less than or equal to 15?

93
05:44.040 --> 05:51.300
Press F5 again to update the comment, because here it is testing whether it is above or not.

94
05:51.300 --> 05:53.580
If it's above 15, then it goes to the left.

95
05:54.510 --> 05:58.350
So that implies that it should be less than or equal to 15.

96
06:00.730 --> 06:01.840
Right? Since ours

97
06:01.840 --> 06:05.770
is less—and it's only six—

98
06:05.950 --> 06:08.470
so it's definitely less than or equal to 15.

99
06:08.470 --> 06:10.420
So it's not—it's not going to jump above.

100
06:10.420 --> 06:13.870
So you click on this, step over, and you click on this.

101
06:13.870 --> 06:15.550
You see it is not going to jump.

102
06:16.000 --> 06:17.650
So it's going to go to the right.

103
06:19.630 --> 06:20.980
Continue stepping over.

104
06:23.140 --> 06:23.440
Okay.

105
06:23.440 --> 06:26.710
This is an unconditional jump. Step over,

106
06:26.830 --> 06:29.140
and follow the blue arrow.

107
06:30.490 --> 06:33.370
Another shortcut to follow the blue arrow is to zoom out.

108
06:33.790 --> 06:39.580
Press Ctrl and use the scroll wheel of your mouse to scroll up.

109
06:40.390 --> 06:44.110
Then wherever you see the black, that is where you're at now.

110
06:44.890 --> 06:51.340
So just drag this to the left and zoom in again by pressing Ctrl and using the scroll wheel.

111
06:51.850 --> 06:52.870
Here is where you are now.

112
06:55.060 --> 06:56.260
Continue to step over.

113
06:57.220 --> 07:04.090
Now it's comparing F with F—15, 15—so that is not helpful.

114
07:04.090 --> 07:04.960
Let's continue.

115
07:05.020 --> 07:13.000
Step over. It is comparing 6, 15. E is 14.

116
07:13.420 --> 07:15.250
So this is important.

117
07:15.250 --> 07:22.300
So it is comparing six with 14. E is 14.

118
07:22.750 --> 07:28.570
So we make a comment here. It says: your code length, code length

119
07:30.380 --> 07:31.970
should be equal to—

120
07:32.150 --> 07:34.460
should be equal to—

121
07:34.460 --> 07:37.250
colon—should be equal to 14.

122
07:37.640 --> 07:39.440
That's a question mark; you're asking.

123
07:41.060 --> 07:43.880
So let's press F5 to update the comment.

124
07:47.430 --> 07:48.180
Step over.

125
07:49.680 --> 07:54.900
So because it is not equal to 14, the jump will be taken.

126
07:54.930 --> 07:55.260
See that?

127
07:55.470 --> 07:59.070
So this suggests that the code length is actually 14,

128
07:59.070 --> 08:00.270
but we entered six only.

129
08:00.510 --> 08:01.140
See that?

130
08:01.170 --> 08:02.640
So it's going to go to the left.

131
08:04.020 --> 08:06.390
So this already fails the test.

132
08:06.600 --> 08:09.870
So it's going to go to the left and continue.

133
08:09.870 --> 08:10.710
Step over.

134
08:10.770 --> 08:14.250
Now it's comparing 15 and 15.

135
08:14.250 --> 08:15.090
Not helpful.

136
08:16.350 --> 08:17.430
Just continue.

137
08:18.030 --> 08:19.050
Continue.

138
08:19.860 --> 08:20.910
So where are we?

139
08:20.940 --> 08:22.050
We are now here.

140
08:23.640 --> 08:25.020
And then continue.

141
08:27.300 --> 08:30.360
Keep a lookout on the output as you continue to step over.

142
08:30.780 --> 08:34.050
And here is where it is going to—

143
08:37.480 --> 08:38.860
Suppose you happen to

144
08:38.860 --> 08:40.900
step over this, and you see "Access denied."

145
08:41.770 --> 08:42.010
Right?

146
08:42.010 --> 08:45.250
So this call here shows the banned message.

147
08:45.250 --> 08:47.170
So this is where you show the banned message.

148
08:47.170 --> 08:52.810
So put the comment there: shows "Access denied."

149
08:56.690 --> 08:57.020
All right.

150
08:57.020 --> 08:59.390
So you know that we are on the wrong path, right?

151
08:59.390 --> 09:02.270
So now we are going to restart it,

152
09:02.270 --> 09:06.830
but this time we are going to enter the length to be 14.

153
09:06.830 --> 09:07.070
Why?

154
09:07.070 --> 09:11.630
Because if you look at the comments here, code length should be 14.

155
09:11.630 --> 09:13.130
This is what we suspect,

156
09:13.130 --> 09:15.050
but we entered only six, right?

157
09:15.050 --> 09:18.170
So we try to enter a code which is 14 characters long.

158
09:19.250 --> 09:20.930
So how would you access this?

159
09:21.140 --> 09:22.640
You click this here: comments.

160
09:22.730 --> 09:24.680
Then you can see all the comments that you write.

161
09:25.160 --> 09:31.130
And to go to that comment, you just double-click, and you can see the comment here: code length 14.

162
09:32.360 --> 09:35.420
Then you can graph it to see where it is. Press G.

163
09:35.570 --> 09:40.550
So pressing G is to switch between the graph and the linear view.

164
09:40.550 --> 09:41.420
This is graph view.

165
09:41.420 --> 09:42.470
This is linear view.

166
09:42.620 --> 09:43.940
Press G to toggle.

167
09:45.860 --> 09:47.300
So now we are going to restart,

168
09:47.300 --> 09:50.570
but this time, our code—we are going to increase the length.

169
09:51.080 --> 09:59.630
We are going to put 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.

170
10:00.200 --> 10:01.370
We are going to put this in.

171
10:03.500 --> 10:04.040
Okay.

172
10:04.550 --> 10:11.570
So with that, we will continue in the next lesson, where we will put in a longer code.

173
10:12.170 --> 10:13.490
See you in the next lesson.

174
10:14.960 --> 10:16.100
Don't close this yet.

175
10:16.100 --> 10:17.540
I will see you in the next lesson.

176
10:17.780 --> 10:19.010
Thank you for watching.