WEBVTT

1
00:00.890 --> 00:02.420
Hello and welcome back.

2
00:02.420 --> 00:05.120
In this lesson, we will take a look at another crackme.

3
00:05.120 --> 00:08.060
Uh, this one is called Sports Stars.

4
00:08.060 --> 00:08.660
Bobby.

5
00:08.660 --> 00:14.180
And the password to unzip it is crackinglessons.com.

6
00:14.870 --> 00:16.940
Inside it, you will find this file.

7
00:17.120 --> 00:23.690
I created additional, uh, notes here for writing the notes as we observe the behavior.

8
00:24.350 --> 00:26.840
The download link is originally from here.

9
00:28.040 --> 00:31.670
So this one is, uh, a 64-bit program.

10
00:33.110 --> 00:36.680
Let me take this and scan it with DIE.

11
00:36.710 --> 00:41.630
If you see, it's 64-bit, written in Visual Studio 2022.

12
00:42.140 --> 00:46.970
So let me just run this and see what it does.

13
00:48.440 --> 00:51.440
So I just opened a command prompt here.

14
00:53.570 --> 00:54.620
And run it.

15
00:57.910 --> 01:01.240
So you see, it prompts this.

16
01:01.240 --> 01:02.560
Uh, hello?

17
01:02.560 --> 01:05.620
I'm Bobby. Can you hear me, please?

18
01:05.830 --> 01:08.410
And then enter the name of medicine for Bobby.

19
01:08.740 --> 01:10.240
So you don't know what it is.

20
01:10.240 --> 01:12.730
You just type in anything and enter.

21
01:13.330 --> 01:16.030
And it says this is bad medicine for Bobby.

22
01:17.230 --> 01:24.460
So the strings we are going to search for, uh, are actually all this. Later on, we need to search

23
01:24.460 --> 01:25.330
for these strings.

24
01:25.330 --> 01:25.900
Yes.

25
01:26.200 --> 01:31.210
And later on, you will find that, uh, this program uses encryption.

26
01:31.750 --> 01:39.280
And first, I will try to show you what it does, and then I will try to show you how to bypass the encryption.

27
01:39.820 --> 01:41.800
You don't need to go and decrypt it.

28
01:43.690 --> 01:44.080
Okay.

29
01:44.080 --> 01:49.120
So now let's take a look at this inside x64dbg by searching for this string.

30
01:49.630 --> 01:51.880
This is bad medicine for Bobby.

31
01:52.990 --> 01:56.350
So you can open it with x64dbg.

32
02:02.860 --> 02:03.850
Please, on the right.

33
02:05.020 --> 02:09.670
So right-click here and search for current module,

34
02:09.790 --> 02:11.200
string references.

35
02:11.680 --> 02:14.290
And here you can see this is bad medicine for Bobby.

36
02:14.890 --> 02:17.620
So you double-click and go to that location.

37
02:19.690 --> 02:21.700
I can now close the original one here.

38
02:23.140 --> 02:28.660
And here, if you expand this to see, the string is shown in the comments column.

39
02:29.530 --> 02:32.710
This is bad medicine for Bobby, and here is a good message: Thanks.

40
02:32.710 --> 02:33.070
Bobby is now cured.

41
02:35.530 --> 02:43.000
Then if you scroll further, you see all kinds of, uh, comparisons have been done and the conditional

42
02:43.000 --> 02:43.990
move as well.

43
02:48.150 --> 02:50.130
And then jump not equal.

44
02:51.330 --> 02:52.470
And you go further.

45
02:55.800 --> 02:59.160
And you see so many shift rights happening here.

46
02:59.160 --> 03:00.900
So these are all the encryption happening.

47
03:06.100 --> 03:12.730
And then here is the start of the program, where it prompts you to enter the name of medicine for Bobby.

48
03:15.000 --> 03:18.360
And here is the start of the function.

49
03:19.050 --> 03:20.040
After all this initialization,

50
03:20.040 --> 03:23.460
so maybe here you can put a comment: main.

51
03:31.750 --> 03:34.450
And then here you can put a breakpoint.

52
03:36.220 --> 03:39.250
I've just pressed G to go into graph mode, graphical mode.

53
03:39.850 --> 03:43.000
You put a breakpoint here, then you run.

54
03:46.690 --> 03:48.670
And now you analyze the output.

55
03:52.070 --> 03:57.080
You turn tracing, trace coverage word, and step over.

56
03:59.420 --> 04:00.410
And watch the output.

57
04:04.590 --> 04:06.000
You can see the animation,

58
04:06.750 --> 04:09.750
uh, the graphics appearing as you go down.

59
04:16.800 --> 04:19.050
And then it's going to come to this line.

60
04:20.850 --> 04:25.710
This call will print this prompt, and the prompt is there.

61
04:26.460 --> 04:30.450
Continue to step over until this goes into a running state.

62
04:34.600 --> 04:36.100
Now you're in your running state.

63
04:36.250 --> 04:39.130
So it's waiting for you to enter something over here.

64
04:39.820 --> 04:43.960
So at this point here, you can put a breakpoint over here.

65
04:45.700 --> 04:46.480
And

66
04:48.740 --> 04:53.510
power on Bitcoin, and then, uh,

67
04:54.230 --> 04:54.980
okay.

68
04:55.130 --> 04:56.900
So enter anything you want.

69
04:56.930 --> 04:59.510
123456789,

70
04:59.510 --> 04:59.900
let's say.

71
05:00.590 --> 05:01.400
Hit enter.

72
05:02.030 --> 05:03.890
And you are now over here.

73
05:09.350 --> 05:10.670
Continue stepping over.

74
05:12.750 --> 05:17.130
And this is your first compare: it's comparing 30 with 10.

75
05:17.730 --> 05:21.210
And it's a loop, as you can see, it's going up in a loop.

76
05:22.470 --> 05:24.090
So continue stepping over.

77
05:26.440 --> 05:27.610
So it goes back up.

78
05:28.450 --> 05:30.340
It compares 30 with 10 just now.

79
05:31.870 --> 05:33.580
So it's going to loop three times.

80
05:35.530 --> 05:38.530
Each time it loops, it increases by 10.

81
05:39.400 --> 05:43.120
So if - is not 30, it will go up and loop again.

82
05:44.050 --> 05:45.790
That is the meaning of jump less than.

83
05:47.680 --> 05:49.420
So it will loop three times.

84
05:50.080 --> 05:50.950
Then it comes up.

85
05:54.410 --> 05:55.430
Here's another loop.

86
05:56.210 --> 05:57.740
You can see it's going back in the back.

87
05:58.370 --> 06:04.430
This time it's going to loop seven, eight times because the - is using it as a counter.

88
06:19.590 --> 06:25.320
So each time we come past this area with, uh, eight...

89
06:25.740 --> 06:31.830
So this hex is interpreted as eight in, uh, as a string character.

90
06:33.980 --> 06:36.710
So now it's comparing it's five.

91
06:39.980 --> 06:40.970
Nine, six.

92
06:45.250 --> 06:46.600
And then seven.

93
06:46.840 --> 06:50.050
And then when it finishes, it's going to quit the loop.

94
06:51.130 --> 06:54.370
Now over here is where it compares.

95
06:54.730 --> 06:56.020
It shifts the...

96
06:56.020 --> 07:00.070
Listen, uh, registers shift.

97
07:00.070 --> 07:00.340
Right?

98
07:01.000 --> 07:09.520
But the amount of the shift is coming from the - and - here shows that it is one, one.

99
07:10.060 --> 07:12.970
So at this point here, here is one.

100
07:14.350 --> 07:19.480
But as you go down, you notice the parameter changes to two.

101
07:20.770 --> 07:24.430
Let's go down. Exam three.

102
07:24.460 --> 07:25.570
- is three now.

103
07:27.040 --> 07:30.220
So this seems like it's taking from your input.

104
07:30.460 --> 07:32.890
Your input is 123456789.

105
07:33.010 --> 07:36.520
That's why - keeps increasing according to your input.

106
07:39.550 --> 07:39.940
Lower.

107
07:41.570 --> 07:43.340
- has now four, which is

108
07:43.340 --> 07:45.590
the fourth, fourth character you entered.

109
07:46.370 --> 07:53.630
It is taking whatever you entered here and shifting it by that amount over the string.

110
07:54.080 --> 08:00.410
So this, this, this location here contains several, uh, bytes of information.

111
08:00.410 --> 08:08.450
You can go there, select this, right-click, follow in dump, and then follow this address down, so you

112
08:08.450 --> 08:11.270
can see this address. Four is this.

113
08:12.080 --> 08:14.510
And then nine five is this one.

114
08:15.890 --> 08:17.600
And nine six, this one.

115
08:18.740 --> 08:20.060
And nine seven is this one.

116
08:20.060 --> 08:27.740
So it's taking your input and doing a shift right operation on all of this, all of this, uh, fixed

117
08:27.740 --> 08:28.490
uh, data.

118
08:31.420 --> 08:35.290
So what you can see happening now is this 97; 97 is here.

119
08:36.070 --> 08:42.610
So it's going to change this value to something else by shifting it right with the parameter -, which

120
08:42.610 --> 08:44.800
is two, which is four.

121
08:45.580 --> 08:46.870
So take a look at this.

122
08:46.870 --> 08:50.710
Now as it happens, this four becomes zero.

123
08:53.450 --> 08:54.170
And so on.

124
08:54.170 --> 08:56.840
Now it's taking nine eight, which is this.

125
08:56.840 --> 08:57.290
This is nine.

126
08:57.290 --> 09:00.140
Eight is going to perform shift

127
09:00.140 --> 09:00.680
right.

128
09:01.880 --> 09:05.870
Uh, -, - is five, which is your fifth input here.

129
09:06.350 --> 09:12.740
Shift right to change this, shift this right by this amount of bits.

130
09:12.740 --> 09:15.110
So it's going to do that.

131
09:15.140 --> 09:16.070
What happens?

132
09:16.280 --> 09:17.180
It becomes zero.

133
09:17.540 --> 09:20.450
So you keep doing this using your input, right?

134
09:20.450 --> 09:22.640
So this is what it means by encryption.

135
09:22.970 --> 09:25.610
It takes your input, encrypts it, and saves it somewhere.

136
09:26.840 --> 09:27.710
That's what it's doing.

137
09:27.710 --> 09:29.870
So let's quickly run through all this.

138
09:50.560 --> 09:52.330
It's performing all the encryption.

139
09:56.950 --> 09:58.330
It's calling a function,

140
09:58.330 --> 09:59.770
calling another function.

141
10:03.030 --> 10:05.250
We are only interested in the compares.

142
10:07.080 --> 10:07.380
All right.

143
10:07.380 --> 10:08.280
This is a compare.

144
10:09.330 --> 10:15.750
It is now comparing - with this zero. Zero comes from here.

145
10:16.620 --> 10:17.760
Right? This compare,

146
10:17.760 --> 10:20.400
it will affect this.

147
10:20.460 --> 10:21.810
Remove conditional move.

148
10:24.700 --> 10:28.390
So this conditional move is based on this compare.

149
10:29.710 --> 10:31.540
So CMOVE,

150
10:31.750 --> 10:38.230
that means if this comparison is true, that means if whatever is inside here is the same as whatever is in

151
10:38.230 --> 10:41.110
-, then this will be true.

152
10:41.110 --> 10:42.850
Then it will move to -.

153
10:43.120 --> 10:44.800
That's the meaning of CMOVE equal.

154
10:47.440 --> 10:49.060
So C equal.

155
10:49.060 --> 10:51.700
So if, if this is equal,

156
10:52.210 --> 10:53.230
if this CMOVE,

157
10:53.470 --> 10:56.260
if these two are equal, the zero flag will be set.

158
10:57.040 --> 11:00.190
So it will check the zero flag. Since it is equal,

159
11:00.190 --> 11:03.490
so it will move - to - like that.

160
11:05.110 --> 11:09.940
So if you notice, it says - now is -. - is here.

161
11:09.940 --> 11:14.410
If - is here, notice that one will be moved into here after this instruction.

162
11:17.790 --> 11:18.300
And there you go.

163
11:18.330 --> 11:25.140
One is there. Another compare is comparing one with 20.

164
11:25.770 --> 11:28.620
So in this case, it is not the same.

165
11:29.130 --> 11:34.980
Therefore, this jump will happen because there are, because the value in - is not the same as the value

166
11:34.980 --> 11:35.190
here.

167
11:35.190 --> 11:36.300
So it will jump.

168
11:36.750 --> 11:37.680
It will skip this part.

169
11:39.000 --> 11:42.930
We can say that it is expecting these two values to be the same.

170
11:45.300 --> 11:45.690
Right.

171
11:45.690 --> 11:47.910
It wants these two variables to be the same.

172
11:48.090 --> 11:52.560
So because they are not the same, it means that our password somehow is wrong.

173
11:52.590 --> 11:54.240
That's why it's going to jump.

174
11:56.010 --> 11:56.970
So we just

175
11:59.160 --> 11:59.970
continue.

176
12:00.270 --> 12:01.320
Then another compare.

177
12:02.010 --> 12:04.380
Now it's comparing one with...

178
12:04.380 --> 12:06.180
We are comparing one with zero.

179
12:06.450 --> 12:07.800
Again, they are not the same.

180
12:07.800 --> 12:13.260
So it's expecting these two values to be the same, either one one or zero zero.

181
12:13.260 --> 12:14.850
But in this case, they are not the same.

182
12:15.930 --> 12:17.340
They are not the same.

183
12:17.340 --> 12:23.430
So this will affect this instruction because this instruction depends on this compare. If they are the

184
12:23.430 --> 12:24.000
same,

185
12:24.000 --> 12:30.270
if these two values are the same, then zero flag will be set, and then zero flag will be set.

186
12:30.270 --> 12:31.320
This won't jump.

187
12:32.250 --> 12:38.670
Uh, then this instruction won't happen because this instruction means CMOVE not equal.

188
12:38.670 --> 12:42.540
That means if these two are not equal, then it will move - to -.

189
12:43.830 --> 12:45.780
Understand? If they are not equal.

190
12:45.900 --> 12:50.640
But if these two are equal, then we will not move - to -.

191
12:54.370 --> 12:58.000
Uh, if these two are not equal, then, then it will move - to -.

192
12:58.150 --> 13:02.410
But if these two are equal, it will not move this to -.

193
13:02.890 --> 13:03.820
So that's the meaning.

194
13:03.820 --> 13:07.270
So in other words, it is expecting these two to be equal.

195
13:08.470 --> 13:13.660
So in this case, uh, because these two are not equal, zero flag is not set.

196
13:14.080 --> 13:16.090
Therefore, it will move - to -.

197
13:16.090 --> 13:17.200
You can see it happening here.

198
13:17.800 --> 13:22.240
If - will move to -, that means one will be moved into here.

199
13:22.690 --> 13:26.080
Step over, and you can see that indeed one is moving to here.

200
13:26.080 --> 13:27.040
So this is bad.

201
13:27.190 --> 13:27.550
All right.

202
13:27.550 --> 13:28.900
Something has gone wrong here.

203
13:29.650 --> 13:31.810
So another comparison is here.

204
13:31.810 --> 13:34.750
It compares, uh, this one with zero.

205
13:34.750 --> 13:36.790
Again, this comparison fails.

206
13:36.790 --> 13:38.560
That means again something is wrong.

207
13:39.100 --> 13:42.220
If these two should be the same, it is expecting these two to be the same.

208
13:42.220 --> 13:46.150
But because they are not the same, this move will happen.

209
13:46.390 --> 13:48.460
- will move to -, right?

210
13:48.460 --> 13:48.820
Again,

211
13:48.820 --> 13:52.330
because why? Because CMOVE not equal.

212
13:53.470 --> 13:54.850
So it will go here.

213
13:54.850 --> 14:00.520
You will see that happening. - will remove it because zero flag is not set.

214
14:00.700 --> 14:07.840
Because this is not equal, zero flag will only be set, uh, if these two are equal. Because these two

215
14:07.840 --> 14:09.490
are not equal, zero flag is not set.

216
14:09.490 --> 14:12.580
Therefore, this move not equal will happen.

217
14:13.750 --> 14:19.120
So - will move to... Take a look. - will move to -.

218
14:19.120 --> 14:21.100
That means one will be moved into here.

219
14:22.960 --> 14:24.640
And there you go. One is moved there.

220
14:25.780 --> 14:27.070
Another comparison.

221
14:27.730 --> 14:29.620
It expects these two to be the same.

222
14:29.920 --> 14:32.770
But if you compare, you can see that they are not the same.

223
14:33.190 --> 14:36.160
You are comparing one with zero. Again, something has gone wrong.

224
14:36.160 --> 14:39.250
So this will become jump not

225
14:39.250 --> 14:41.500
equal will happen, which is a bad thing.

226
14:41.500 --> 14:43.870
So it's going to jump over this.

227
14:44.470 --> 14:46.030
So it jumps over this, right?

228
14:46.780 --> 14:47.230
Again.

229
14:47.230 --> 14:52.990
So the principle in, uh, this, uh, reverse engineering is to look at all the compares.

230
14:53.500 --> 15:00.760
If the, the compare is effectively saying that it wants these two, whatever they are comparing, it

231
15:00.760 --> 15:01.930
wants it to be the same.

232
15:01.930 --> 15:03.310
That's why it's comparing.

233
15:03.490 --> 15:10.780
If they are not the same, that means that something has gone wrong and the jump will happen because

234
15:10.780 --> 15:13.060
the jump is always based on the comparison.

235
15:13.270 --> 15:13.840
Okay.

236
15:14.530 --> 15:14.830
All right.

237
15:14.830 --> 15:16.990
So that's, that's what we are doing here.

238
15:17.740 --> 15:21.820
Uh, it will not jump because this is the same, uh, this, in this case, is the same.

239
15:21.820 --> 15:23.020
So you know it won't jump.

240
15:27.390 --> 15:27.750
Okay.

241
15:27.750 --> 15:28.890
Now it's comparing.

242
15:29.340 --> 15:30.630
So they are the same.

243
15:30.630 --> 15:31.980
So that's a good thing.

244
15:33.930 --> 15:34.950
It's a good thing.

245
15:34.950 --> 15:40.080
So this move will not happen because these two are the same.

246
15:40.080 --> 15:41.010
Zero flag is set.

247
15:45.990 --> 15:47.850
And you can go on and on like that, okay?

248
15:47.850 --> 15:54.510
You just compare, you analyze the comparison, and then you predict a move or no move.

249
15:57.510 --> 16:00.720
You analyze the comparison and then you predict whether it moves or not.

250
16:03.390 --> 16:06.660
You analyze the comparison and you predict the move.

251
16:06.660 --> 16:08.670
So keep on repeating whatever we have...

252
16:08.670 --> 16:09.750
I've just showed you.

253
16:11.860 --> 16:13.390
So it comes to here.

254
16:17.310 --> 16:20.550
So this comparison, we find that they are the same.

255
16:20.550 --> 16:21.600
So it's a good thing.

256
16:21.930 --> 16:27.450
You go straight, and here again, you repeat the comparison.

257
16:28.470 --> 16:30.570
So I'm going to go a little bit faster.

258
16:32.690 --> 16:35.810
Until we see something bad happening here.

259
17:10.200 --> 17:10.710
Okay.

260
17:10.710 --> 17:12.090
Something interesting coming up.

261
17:12.690 --> 17:13.560
You see these two?

262
17:14.100 --> 17:15.600
This is bad medicine for Bobby.

263
17:15.630 --> 17:16.410
Bobby is now...

264
17:20.100 --> 17:28.380
Now, this comparison here will determine whether or not this move will happen.

265
17:28.680 --> 17:32.370
The - and - are...

266
17:32.670 --> 17:34.200
- is here.

267
17:35.070 --> 17:35.970
- is here.

268
17:37.800 --> 17:40.560
- is here.

269
17:40.890 --> 17:41.700
- is here.

270
17:45.160 --> 17:49.000
So I see what's happening now is comparing this.

271
17:51.420 --> 17:53.160
Whether it is 1E.

272
17:54.120 --> 17:57.030
So it is not 1E, it is 1C.

273
17:57.870 --> 18:01.170
So because it is, it is not 1E,

274
18:01.500 --> 18:03.840
therefore this move happened.

275
18:05.730 --> 18:06.480
Take a look at that.

276
18:07.020 --> 18:08.520
You move - to -.

277
18:09.660 --> 18:12.210
- has got this good message.

278
18:12.600 --> 18:13.860
- has got a bad message.

279
18:13.860 --> 18:16.320
So it's going to move the bad message to -.

280
18:16.860 --> 18:18.750
That means there will be two bad messages.

281
18:18.900 --> 18:21.300
So this is definitely bad, right?

282
18:21.300 --> 18:27.450
Because this comparison failed, that's why it is moving the bad message into the good message and overwriting

283
18:27.450 --> 18:27.630
it.

284
18:29.640 --> 18:33.990
And after it does that, we are going to call, and watch what happens in the output.

285
18:35.190 --> 18:37.500
The bad message shows. He got it.

286
18:38.130 --> 18:39.960
So this is a hint for you.

287
18:40.080 --> 18:44.520
We can break the entire encryption just by doing something around here.

288
18:45.810 --> 18:48.720
We don't need to go and analyze the encryption and try to decrypt it.

289
18:48.720 --> 18:49.830
That is not necessary.

290
18:50.010 --> 18:54.090
So for that, we will continue in the next lesson.

291
18:54.090 --> 18:55.440
Thank you for watching.