WEBVTT

1
00:00.750 --> 00:02.430
Hello and welcome back.

2
00:02.460 --> 00:06.210
In this next challenge, we are going to take a look at another crackme.

3
00:06.840 --> 00:10.410
And this crackme is 16 lowercase.

4
00:10.650 --> 00:16.860
Just unzip it as usual with the unzip password, which is crackinglessons.com.

5
00:17.490 --> 00:19.710
Inside this folder, you will find three files.

6
00:20.370 --> 00:24.300
There will also be an additional Python script, which I'll explain later.

7
00:24.900 --> 00:27.240
So the main crackme now is this one.

8
00:27.240 --> 00:33.300
And this is a bit challenging because it is protected with a UPX packer.

9
00:33.840 --> 00:35.430
So this is a packed file.

10
00:35.970 --> 00:44.490
What it means to be packed: it means that the whole binary is compressed and

11
00:44.490 --> 00:45.240
encrypted.

12
00:45.690 --> 00:49.050
So it only runs when you double-click on it.

13
00:49.470 --> 00:52.470
It will then unpack itself and then only run.

14
00:52.620 --> 00:56.190
So it makes it impossible to patch the file itself.

15
00:56.340 --> 01:01.440
But there is a way to bypass it, which I'll show you in the coming lessons.

16
01:01.740 --> 01:05.700
And the second challenge with this is that strings are not shown.

17
01:05.700 --> 01:08.580
When you do a string scan, you won't find any strings at all.

18
01:08.580 --> 01:10.200
So that's the other challenge.

19
01:10.620 --> 01:16.980
Even after it has executed in memory and you perform a string scan, the strings are also not shown.

20
01:17.730 --> 01:23.490
So first thing off is to do a scan with DIE to see what type of binary it is.

21
01:26.390 --> 01:28.160
It is a 64-bit binary.

22
01:28.160 --> 01:30.320
And you can see there's a packer here.

23
01:31.100 --> 01:32.960
It is packed with UPX packer.

24
01:33.470 --> 01:36.890
Now, normally you would think that you can use the UPX

25
01:36.890 --> 01:38.180
unpacker

26
01:38.180 --> 01:38.840
to unpack this.

27
01:38.840 --> 01:39.470
That's true.

28
01:39.500 --> 01:43.220
You might be able to do that, but sometimes there are other packers.

29
01:43.220 --> 01:49.490
Like commercial packers, VMProtect, Enigma, and so on, where

30
01:49.490 --> 01:50.960
it is not so easy to unpack.

31
01:51.110 --> 01:58.790
So traditionally, you can unpack this using some software, for example UPX. You can unpack it using

32
01:58.790 --> 02:03.170
the UPX unpacker, and sometimes it works, sometimes it doesn't.

33
02:03.350 --> 02:05.120
In this case, it might or might not work.

34
02:05.300 --> 02:11.480
But we are not going to try to unpack it because there's a better way to solve this rather

35
02:11.660 --> 02:12.860
than to unpack it.

36
02:13.610 --> 02:17.690
And anyway, in this case, you can see that it's a modified packer.

37
02:17.690 --> 02:23.060
So probably the person who wrote this crackme wants to make it difficult for you to unpack, but we

38
02:23.060 --> 02:24.020
are not going to unpack it.

39
02:24.530 --> 02:28.070
But I will show you the other way how to solve this without unpacking.

40
02:28.760 --> 02:32.540
So now we know that it is 64-bit and it is packed.

41
02:33.170 --> 02:38.210
And another way to know this is packed is to look at the entropy.

42
02:38.210 --> 02:46.340
So you go here, you look at the entropy, and you will see the entropy is more than seven, which is

43
02:47.150 --> 02:48.080
very high.

44
02:48.950 --> 02:50.360
So the maximum entropy is eight.

45
02:50.390 --> 02:53.990
If you see something so high, somewhere around seven, it means that it is packed.

46
02:54.020 --> 02:55.850
That means it is compressed and encrypted.

47
02:57.380 --> 03:03.170
So we open a command prompt here and run the crackme and see what it outputs.

48
03:03.920 --> 03:05.120
It asks for a password.

49
03:05.120 --> 03:07.760
So if you type any password, hit Enter.

50
03:07.760 --> 03:09.980
It says "Incorrect. Wrong password."

51
03:10.370 --> 03:16.460
So normally you search for this string "Incorrect" or this string "Enter password."

52
03:16.910 --> 03:18.920
So we try to search now and see what happens.

53
03:20.090 --> 03:21.680
We open the x64dbg.

54
03:23.120 --> 03:31.490
And now you right-click here and try to search for current module string references.

55
03:33.980 --> 03:35.600
And you find there are no strings.

56
03:35.630 --> 03:36.140
Why?

57
03:36.170 --> 03:37.400
Because it is packed.

58
03:37.640 --> 03:39.470
That's why you don't see the strings.

59
03:39.680 --> 03:40.880
Let's close this other one.

60
03:46.820 --> 03:47.780
Okay, let's close this one.

61
03:50.600 --> 03:55.280
As you can see, the program has unpacked itself because it managed to show the prompt.

62
03:55.490 --> 03:59.180
But let's try to search and see if we can find any strings.

63
03:59.900 --> 04:04.040
Search for current module string

64
04:04.040 --> 04:05.030
references.

65
04:05.720 --> 04:08.090
And again, you don't find this string here.

66
04:08.090 --> 04:12.740
Even after you enter the wrong password, you will get this "Incorrect" string.

67
04:12.740 --> 04:15.290
But this "Incorrect" string is also not found here.

68
04:15.800 --> 04:19.040
So this is the challenge of this crackme.

69
04:19.400 --> 04:22.460
So now I will show you how to solve this.

70
04:22.490 --> 04:26.330
Now the point is that: why do we want to search a string?

71
04:26.810 --> 04:31.670
Because the string allows us to set the breakpoint in the correct location.

72
04:31.790 --> 04:35.420
If we don't know where to set the breakpoint, we will not be able to solve this.

73
04:35.750 --> 04:38.480
So we want to set the breakpoint in the correct location.

74
04:38.480 --> 04:40.220
To do that, we need to look at the strings.

75
04:40.220 --> 04:42.170
Yes, but in this case there are no strings.

76
04:42.170 --> 04:44.480
So we don't know where to set the breakpoint.

77
04:44.930 --> 04:45.320
Okay.

78
04:45.320 --> 04:46.430
How do we solve this?

79
04:47.300 --> 04:50.750
Let's restart this program and I will show you a trick.

80
04:52.010 --> 04:55.220
Now, before any program unpacks itself,

81
04:55.700 --> 05:03.620
it needs to use some Windows API. Two of the common Windows APIs are VirtualAlloc

82
05:03.620 --> 05:04.910
and VirtualProtect.

83
05:04.910 --> 05:05.600
This one.

84
05:07.010 --> 05:11.540
VirtualAlloc and VirtualProtect are generally used by programs which are packed.

85
05:11.690 --> 05:18.680
They use these two functions, these two APIs, in order to help allocate memory so that it can unpack

86
05:18.710 --> 05:19.220
itself.

87
05:19.580 --> 05:22.370
So VirtualAlloc is to allocate memory for unpacking.

88
05:22.370 --> 05:27.530
And VirtualProtect is to change the protection of memory to make it writable.

89
05:28.470 --> 05:30.150
Sometimes we don't use VirtualAlloc.

90
05:30.180 --> 05:31.590
Sometimes you use VirtualProtect.

91
05:32.190 --> 05:34.380
So sometimes only VirtualProtect is found.

92
05:34.530 --> 05:40.770
So to know which of these two is being used by the program that is unpacking, you can go to Symbols.

93
05:41.250 --> 05:46.830
So you click on Symbols, you click on crackme, and look in the Symbol column.

94
05:47.550 --> 05:55.050
And here you can see it is using this function, this API: LoadLibrary, ExitProcess, GetProcAddress,

95
05:55.050 --> 05:56.160
and VirtualProtect.

96
05:56.640 --> 05:59.850
So VirtualProtect is the one which is used here.

97
05:59.880 --> 06:00.990
It doesn't use VirtualAlloc.

98
06:00.990 --> 06:03.720
So we can set a breakpoint on VirtualProtect.

99
06:03.840 --> 06:05.430
There are two ways to set a breakpoint.

100
06:05.460 --> 06:08.340
The first way is: go down here, put a breakpoint.

101
06:09.350 --> 06:14.300
Type in "bp VirtualProtect" and then hit Enter.

102
06:14.330 --> 06:18.530
Or you can come here and right-click, Toggle Breakpoint.

103
06:19.190 --> 06:23.870
Once you have set a breakpoint, you can double-check on it by clicking on the Breakpoints tab.

104
06:24.440 --> 06:26.480
Here you will see the breakpoint has been set.

105
06:26.840 --> 06:32.960
So now when we run, we will see that this program will use VirtualProtect.

106
06:33.620 --> 06:35.930
It will help it to unpack itself.

107
06:36.200 --> 06:41.180
So over here, let's run and see what happens.

108
06:41.660 --> 06:43.430
It hits VirtualProtect one time.

109
06:44.370 --> 06:46.020
It hasn't completed unpacking.

110
06:46.020 --> 06:46.830
How did we know?

111
06:46.830 --> 06:48.660
Because there are no outputs here.

112
06:49.790 --> 06:50.660
Run again.

113
06:51.110 --> 06:52.910
It hits VirtualProtect a second time.

114
06:53.300 --> 06:53.690
Again.

115
06:53.720 --> 06:54.320
No output.

116
06:54.860 --> 06:55.760
Run again.

117
06:56.570 --> 06:58.370
It hits the third time. Again,

118
06:58.370 --> 06:59.300
no output.

119
06:59.810 --> 07:00.590
Run again.

120
07:01.860 --> 07:04.320
Hits the fourth time. It's still not done.

121
07:04.800 --> 07:05.610
Run again.

122
07:06.630 --> 07:08.310
So it only hits four times.

123
07:08.310 --> 07:10.620
But when you run, it shows the output.

124
07:10.620 --> 07:18.270
That means after the fourth time it calls VirtualProtect, the program has completely unpacked itself

125
07:18.270 --> 07:19.050
into memory.

126
07:19.050 --> 07:20.640
And it is running.

127
07:20.640 --> 07:29.190
So this gives us a hint where to—how to trace the location for putting a proper breakpoint.

128
07:29.760 --> 07:33.540
So let's restart this and let it hit VirtualProtect four times.

129
07:34.640 --> 07:35.930
So we start it.

130
07:38.250 --> 07:41.850
Be sure you have a breakpoint on VirtualProtect.

131
07:42.870 --> 07:43.350
Okay.

132
07:43.620 --> 07:44.490
It is on.

133
07:44.790 --> 07:49.560
So let it run until four times: one, two, three, four.

134
07:50.250 --> 07:50.640
All right.

135
07:50.640 --> 07:51.720
So now you take a look.

136
07:52.440 --> 07:55.950
If I were to run again, it will show the output string.

137
07:55.950 --> 08:02.010
But I don't want to run—I don't want to click Run now because it will not call VirtualProtect again.

138
08:02.850 --> 08:03.330
It will—

139
08:03.330 --> 08:09.390
It only calls it four times because we already did see this just now, that it only calls it four

140
08:09.390 --> 08:09.720
times.

141
08:09.720 --> 08:11.790
And if you run now, it will show the output string.

142
08:11.790 --> 08:15.510
So we know that by this time it has fully unpacked itself.

143
08:15.510 --> 08:20.340
So what we do: we go to the location where VirtualProtect was hit.

144
08:21.120 --> 08:25.560
So double-click on this, or right-click and Follow in Disassembler.

145
08:26.570 --> 08:29.450
Follow in Disassembler. And you can see here, VirtualProtect.

146
08:29.840 --> 08:36.050
But this VirtualProtect is inside the KERNEL32.DLL. And KERNEL32,

147
08:36.050 --> 08:37.880
this is a system DLL.

148
08:38.150 --> 08:41.180
So we have to go back to user—user module.

149
08:41.180 --> 08:43.730
The user module is the crackme module.

150
08:43.730 --> 08:45.110
This one here, crackme.

151
08:45.110 --> 08:46.340
So how do we go back there?

152
08:47.000 --> 08:51.410
You can go back there by doing this: Run to User Code.

153
08:51.500 --> 08:53.960
So just click on Execute.

154
08:53.960 --> 08:55.370
That means you run to user code.

155
08:55.790 --> 08:58.520
It will go back to the crackme module.

156
08:58.700 --> 09:04.790
If you scroll up, you can see that this was where the user module called VirtualProtect.

157
09:04.790 --> 09:06.020
And now we are here.

158
09:06.320 --> 09:09.920
That means we just came back from the fourth call to VirtualProtect.

159
09:09.920 --> 09:13.430
And now we are inside the main itself.

160
09:13.820 --> 09:17.900
So this is where we can put our breakpoint, this location here, if we wanted to.

161
09:18.200 --> 09:24.620
So if we were to graph this now, we can look down and see that this is all the main module.

162
09:25.520 --> 09:29.330
We can zoom out the main module. Okay.

163
09:29.330 --> 09:36.170
So this is the trick on how you can locate the original entry point for this unpacked code.

164
09:36.410 --> 09:39.320
This is the original entry point. Okay.

165
09:39.320 --> 09:42.500
So don't close this program.

166
09:42.830 --> 09:45.950
We will stop here, but we will continue in the next video.

167
09:45.950 --> 09:47.570
So leave this program running.

168
09:47.570 --> 09:48.350
I'll see you then.