WEBVTT

1
00:00.890 --> 00:01.100
Okay.

2
00:01.100 --> 00:02.690
Let's continue from where we stopped.

3
00:02.900 --> 00:08.030
This time we are going to enter a longer secret code, which is 15 characters long.

4
00:08.030 --> 00:10.670
So let's restart and run.

5
00:12.020 --> 00:13.100
It hits our breakpoint.

6
00:13.100 --> 00:17.870
So we move this to the right, and then we graph it.

7
00:19.160 --> 00:21.200
We step over until we come—

8
00:21.380 --> 00:25.010
We just run, click run, and then it will ask for the secret code.

9
00:25.850 --> 00:35.990
And this time, maybe we put the breakpoint somewhere here. Put another breakpoint there

10
00:35.990 --> 00:37.490
so that it won't run away.

11
00:38.690 --> 00:47.510
So we enter 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.

12
00:48.320 --> 00:48.530
Hit

13
00:48.530 --> 00:49.130
Enter.

14
00:52.590 --> 00:55.470
So there's a breakpoint here and one at the bottom here.

15
00:56.190 --> 00:57.930
So now we can continue running.

16
00:59.280 --> 01:03.720
So now it's going to step over the compare.

17
01:03.720 --> 01:07.770
Our code is 14, less than 15.

18
01:07.770 --> 01:09.870
So our hypothesis was correct.

19
01:10.680 --> 01:14.220
So this one is actually the length of the serial code.

20
01:14.640 --> 01:17.070
Earlier when we put six, this thing was six.

21
01:17.100 --> 01:20.280
Now we put in a 15-character-long code,

22
01:20.280 --> 01:22.710
so now this one shows 15 is 15.

23
01:23.160 --> 01:26.880
So this is actually measuring the length of the serial code.

24
01:27.870 --> 01:30.660
So is it above?

25
01:32.130 --> 01:35.250
So this implies that it should be less or equal to 15.

26
01:35.970 --> 01:40.710
So it's not going to jump since it's less than 15.

27
01:40.920 --> 01:44.130
Our code is only 14 characters, so it's not going to jump.

28
01:45.000 --> 01:47.100
Step over. It's going to the right.

29
01:47.520 --> 01:49.140
Continue stepping over.

30
01:50.280 --> 01:51.150
Step over.

31
01:55.190 --> 01:57.350
Follow the arrow.

32
01:57.350 --> 02:02.570
So it's here now. You can step, then you do that. Now it's comparing

33
02:02.570 --> 02:05.690
then 15, 18. Not happy to go right.

34
02:06.290 --> 02:09.050
So, so much comparing.

35
02:09.050 --> 02:13.040
It's now comparing 14 with 14.

36
02:13.040 --> 02:13.520
14 already.

37
02:13.940 --> 02:18.830
So it's correct. Earlier on, when we put six, was it comparing 6, 14?

38
02:18.830 --> 02:19.310
Yes.

39
02:19.580 --> 02:21.170
Now we put in a 15-character

40
00:21.170 --> 00:23.210
code. Is it comparing 15, 15?

41
02:23.210 --> 02:24.950
That means our hypothesis is correct.

42
02:25.190 --> 02:32.060
So now, because we entered a 15-character-long code, we satisfy this requirement.

43
02:32.150 --> 02:36.410
So it's not going to jump. Take over. Step over.

44
02:36.410 --> 02:38.060
And you see it's not going to jump.

45
02:38.060 --> 02:39.980
So it's going to go to a different path.

46
02:39.980 --> 02:41.330
It's going to go straight this time.

47
02:43.010 --> 02:44.630
Earlier on, it jumped down here.

48
02:44.630 --> 02:45.680
This time it goes straight.

49
02:47.120 --> 02:50.030
So continue stepping over.

50
02:50.240 --> 02:53.900
And now it's going to call a function called memory compare.

51
02:53.900 --> 02:57.200
So go to the internet and search for memory compare.

52
02:57.200 --> 02:58.700
And you'll come to this website.

53
02:59.930 --> 03:05.360
And memory compare is a function which has three parameters: one, two, and three.

54
03:05.840 --> 03:10.700
The first parameter is the first string. Second parameter is the second string.

55
03:11.870 --> 03:15.380
Pointers are how you reference strings back.

56
03:15.500 --> 03:24.350
So ptr1 is referencing the first block of string. ptr2 is referencing the second block of string,

57
03:25.010 --> 03:32.570
and then num is the third parameter, the size of the compare. We have studied this before in the x64 calling

58
03:32.570 --> 03:33.500
convention.

59
03:33.590 --> 03:41.360
The first parameter is -, -, and then you can see from here -, -.

60
03:42.320 --> 03:45.710
So this is called x64 calling convention.

61
03:46.310 --> 03:52.070
So when you come to the call here, by the time you come to the call, the parameters

62
03:52.070 --> 03:54.800
have already been set up for this call.

63
03:55.460 --> 03:59.540
So we need to know what parameter is used for this call.

64
03:59.540 --> 04:02.120
We just look under this window here, and you'll know.

65
04:04.250 --> 04:04.580
Right?

66
04:04.580 --> 04:09.710
So from here we know that the first parameter is the first string.

67
04:09.710 --> 04:17.960
The second string is the second parameter. The third parameter is the size, the number of characters.

68
04:18.500 --> 04:22.430
So you can see the parameter for the size of the characters is 15.

69
04:22.820 --> 04:25.220
So it's going to compare 15 characters.

70
04:26.030 --> 04:31.130
So to know what the first parameter is, you can put this on the right.

71
04:31.130 --> 04:31.880
You can see it there.

72
04:32.930 --> 04:34.070
Expand this window.

73
04:35.240 --> 04:37.790
You can see first parameter is our input string.

74
04:38.090 --> 04:39.500
Second parameter—

75
04:39.500 --> 04:40.790
This is the secret code.

76
04:41.780 --> 04:45.290
Another way to see this is to inspect the memory.

77
04:45.290 --> 04:48.770
So select dump one, and then right-click on this.

78
04:49.580 --> 04:54.170
Follow this address in dump. This address is here.

79
04:54.170 --> 04:55.340
This address, follow in dump.

80
04:55.340 --> 04:58.070
And you will see this is what you entered,

81
04:58.070 --> 04:58.880
what we entered.

82
04:59.510 --> 05:02.570
Now select dump two and repeat the same thing

83
05:02.570 --> 05:06.350
for the second parameter. Right-click, follow in dump.

84
05:07.220 --> 05:15.140
Follow this address in dump, and you can see this second address contains the actual secret code in memory.

85
05:16.460 --> 05:20.750
And then the number of comparisons is the third parameter: 15.

86
05:21.290 --> 05:22.910
So this is 15 characters long.

87
05:22.910 --> 05:24.230
So this is the secret code.

88
05:24.740 --> 05:26.180
So now we can fish this out.

89
05:26.450 --> 05:32.180
We can right-click, copy the selected line, and paste it here.

90
05:34.490 --> 05:35.510
Pull it down here.

91
05:36.170 --> 05:37.850
And this is our secret code.

92
05:38.630 --> 05:40.400
All this from here until here,

93
05:40.400 --> 05:41.300
not the dot.

94
05:41.330 --> 05:43.010
The dot is the null terminator.

95
05:44.180 --> 05:46.940
Null terminators are how you end the string.

96
05:47.510 --> 05:49.580
So don't copy the null terminator here.

97
05:49.610 --> 05:52.430
Every string ends with it; it is not part of the code. Only copy this.

98
05:52.430 --> 05:54.170
So this is 15 characters long.

99
05:54.890 --> 05:56.060
So we fished it out.

100
05:56.060 --> 05:58.670
We suspect that this is the actual secret code.

101
05:58.670 --> 06:00.320
So what we do is we test.

102
06:01.040 --> 06:05.480
So we go here. We open a cmd prompt here.

103
06:05.660 --> 06:13.340
Right-click, search for cmd, command prompt, and then change to this directory.

104
06:14.090 --> 06:16.010
Right-click, copy this directory.

105
06:19.390 --> 06:20.920
Paste it there. Enter.

106
06:22.480 --> 06:24.250
And now we run the backup

107
06:24.250 --> 06:25.450
copy that we had earlier.

108
06:29.770 --> 06:32.680
So now we copy the secret code and paste it there.

109
06:32.740 --> 06:33.580
See whether it works.

110
06:33.580 --> 06:34.270
Copy.

111
06:35.500 --> 06:36.820
Right-click and paste.

112
06:36.820 --> 06:37.750
Enter.

113
06:37.900 --> 06:40.090
And we successfully—access

114
06:40.090 --> 06:40.540
granted.

115
06:41.170 --> 06:45.040
So this is how we can fish out the serial code,

116
06:45.310 --> 06:47.980
the secret code, by using tracing.

117
06:48.250 --> 06:50.140
So this is a two-step process.

118
06:50.140 --> 06:54.190
The first step is you trace the length of the secret code.

119
06:54.400 --> 07:00.010
Once you know the length, you satisfy the length by creating a secret code that is of that length,

120
07:00.010 --> 07:01.870
in this case, 15 characters.

121
07:02.050 --> 07:08.140
And then after that, you trace the function which compares your 15-character-long secret code with

122
07:08.140 --> 07:09.250
the actual secret code.

123
07:10.240 --> 07:13.870
And once you've done that, you manage to get the secret code itself out.

124
07:14.590 --> 07:16.450
So that's all for this video.

125
07:16.450 --> 07:18.430
Thank you for watching.