WEBVTT

1
00:01.190 --> 00:01.880
Welcome back.

2
00:02.000 --> 00:07.610
So in the previous lesson, I showed you how to use a VirtualProtect breakpoint to locate the original

3
00:07.610 --> 00:08.150
entry point.

4
00:08.150 --> 00:08.990
So we're now here.

5
00:08.990 --> 00:10.760
This is where we stopped last lesson.

6
00:10.760 --> 00:13.670
So now we are going to trace this and see what happens.

7
00:13.670 --> 00:15.830
So we turn on trace highlighting.

8
00:17.390 --> 00:18.860
And then we step into it.

9
00:27.580 --> 00:28.450
Just step into it.

10
00:36.440 --> 00:42.770
You see, the output is being shown character by character as we step through.

11
00:45.300 --> 00:46.590
It's creating the string.

12
00:46.590 --> 00:53.880
So this is why we can't find the string in memory, because it is dynamically creating the string.

13
00:56.480 --> 00:56.690
Right.

14
00:57.140 --> 01:02.210
So all these calls are a method of hiding the string from memory.

15
01:08.760 --> 01:14.250
So we know that this entire code block here is just to create this prompt:

16
01:14.250 --> 01:15.180
"Enter password."

17
01:17.100 --> 01:22.110
So we continue to step over until it waits for us to enter the password.

18
01:24.000 --> 01:27.510
And that will happen when this paused state becomes the running state.

19
01:31.090 --> 01:36.340
So let's watch this bottom left-hand corner until it becomes a running state.

20
01:39.560 --> 01:41.510
Now it is in the running state.

21
01:41.600 --> 01:43.340
That means it's waiting for input.

22
01:43.460 --> 01:45.020
So we can type one, two,

23
01:45.020 --> 01:45.320
three,

24
01:45.320 --> 01:45.590
four,

25
01:45.590 --> 01:46.490
five, six.

26
01:46.670 --> 01:49.400
We hit Enter and control comes to—

27
01:49.400 --> 01:51.410
comes back to the debugger.

28
01:51.440 --> 01:52.610
Now it's in a paused state.

29
01:53.180 --> 01:54.830
Again, we continue stepping over.

30
02:03.260 --> 02:05.960
So now here, it's done a comparison.

31
02:06.080 --> 02:11.900
And it's going to not jump because the comparison is expecting a one.

32
02:11.900 --> 02:13.070
But you're not getting a one.

33
02:13.070 --> 02:13.850
We're getting a -.

34
02:14.330 --> 02:16.850
So let's step over and observe the behavior.

35
02:20.730 --> 02:21.420
Okay.

36
02:21.420 --> 02:24.840
So over here, it's going to jump unconditionally.

37
02:32.320 --> 02:33.490
And over here,

38
02:33.490 --> 02:34.600
it is not going to jump.

39
02:34.600 --> 02:35.800
It's going to go here.

40
02:41.970 --> 02:43.710
I continue to step over.

41
02:53.290 --> 02:54.640
Continue to step over.

42
02:57.400 --> 02:58.600
It's still jumping.

43
03:08.920 --> 03:10.240
Continue to step over.

44
03:20.040 --> 03:20.490
Okay.

45
03:20.490 --> 03:26.280
One thing interesting here: if you look at the Symbols here under crackme, you will see that it

46
03:26.280 --> 03:28.410
makes use of this memcmp.

47
03:29.130 --> 03:31.350
memcmp is used to compare two strings.

48
03:31.350 --> 03:35.820
And this comes from the Visual C++ runtime library.

49
03:35.820 --> 03:38.640
So we can keep a lookout for this function.

50
03:39.090 --> 03:39.900
memcmp.

51
03:39.900 --> 03:41.850
So, so far, it hasn't called memcmp.

52
03:58.340 --> 04:02.360
But you can see that it is constructing something.

53
04:03.800 --> 04:05.120
Through that code.

54
04:08.270 --> 04:11.810
It then is constructing a string in memory.

55
04:12.110 --> 04:14.420
All this code somehow is constructing a string.

56
04:14.420 --> 04:17.300
This could be the password.

57
04:20.550 --> 04:23.790
Pineapple could be the password.

58
04:24.240 --> 04:24.960
It is constructing.

59
04:24.960 --> 04:27.690
As we step over, you can see the string being constructed here.

60
04:45.620 --> 04:46.310
There you go.

61
04:47.030 --> 04:49.880
At this point, the entire string has been constructed.

62
04:49.880 --> 04:50.480
Pineapple.

63
04:50.480 --> 04:53.240
So this, I suspect, is the password itself.

64
04:54.650 --> 04:55.220
Okay.

65
04:55.220 --> 04:56.030
Let's see.

66
04:56.390 --> 04:57.890
So where are we?

67
04:58.520 --> 05:00.050
Okay, we are here.

68
05:01.600 --> 05:02.320
All right.

69
05:02.980 --> 05:05.380
Let's continue to step over and observe.

70
05:05.380 --> 05:06.670
Just observe for now.

71
05:08.890 --> 05:09.850
So it's jumping.

72
05:09.850 --> 05:11.050
It's jumping over here.

73
05:16.710 --> 05:18.120
Now it jumps over here.

74
05:18.870 --> 05:23.760
Still no bad messages coming up, and still no use of the memcmp function.

75
05:26.130 --> 05:27.300
Okay, it is here now.

76
05:36.890 --> 05:39.830
Just continue to step over and observe.

77
05:53.280 --> 05:57.300
The first time I debugged this, I had to do it slower than now.

78
05:57.300 --> 06:00.270
But since I know where to look, I don't have to go so slow.

79
06:01.500 --> 06:04.230
Okay, now you can see there is a memcmp here.

80
06:04.290 --> 06:04.680
See that?

81
06:05.520 --> 06:09.630
So you either go straight to do memcmp, or it will avoid it.

82
06:10.020 --> 06:13.020
And if you click on this now, you will see that jump is taken.

83
06:13.020 --> 06:15.090
That means you will avoid the memcmp.

84
06:15.720 --> 06:18.330
If it avoids the memcmp, it will go to the left.

85
06:18.540 --> 06:20.700
So let's put a breakpoint on this.

86
06:23.010 --> 06:23.580
Breakpoint.

87
06:23.610 --> 06:24.090
Toggle.

88
06:24.390 --> 06:24.900
All right.

89
06:25.590 --> 06:28.710
So now let it go to the left and see what happens.

90
06:30.740 --> 06:34.070
So it's going to the left instead of going straight and doing a memcmp.

91
06:34.070 --> 06:34.520
Compare.

92
06:39.530 --> 06:44.000
And you see, it is constructing the bad message: "Incorrect."

93
06:44.510 --> 06:49.520
So all this function is constructing a character to show up.

94
06:49.520 --> 06:52.040
That's why the string cannot be found in the string search.

95
06:52.160 --> 06:55.460
See that? It's creating the string.

96
06:56.210 --> 06:57.530
As you continue going, watch.

97
06:57.530 --> 06:58.460
Here it comes.

98
06:58.460 --> 06:59.390
The string is coming up.

99
07:00.500 --> 07:03.980
So by this time, we already know that we have a wrong password.

100
07:04.280 --> 07:10.160
And so now we can restart this and try to come back to this location and make it go straight and do

101
07:10.160 --> 07:11.390
a memcmp instead.

102
07:11.390 --> 07:12.890
So let's restart this.

103
07:14.910 --> 07:15.210
Okay.

104
07:15.210 --> 07:20.910
Let it hit the—our breakpoint. I've already set the breakpoint on VirtualProtect.

105
07:20.910 --> 07:24.990
So let it run four times: one, two, three, four.

106
07:25.170 --> 07:26.700
And then go to the breakpoint.

107
07:27.300 --> 07:29.220
And then here, Run to User Code.

108
07:30.190 --> 07:34.000
And so now we are inside our—press G to graph.

109
07:34.150 --> 07:36.040
So now we are here, right?

110
07:36.040 --> 07:38.470
So let it hit our second breakpoint,

111
07:39.510 --> 07:41.130
which is this breakpoint here.

112
07:41.670 --> 07:42.990
So let's go there now.

113
07:43.140 --> 07:43.920
Run!

114
07:43.920 --> 07:45.690
And now it has a breakpoint.

115
07:46.470 --> 07:46.980
Zoom out.

116
07:49.260 --> 07:50.850
Oh, we have to enter a password.

117
07:53.760 --> 07:55.770
One, two, three, four, five, six.

118
07:55.770 --> 07:56.550
Hit Enter.

119
07:57.090 --> 07:58.560
All right, we missed the breakpoint.

120
07:58.590 --> 07:59.100
No worries.

121
07:59.130 --> 07:59.790
Try again.

122
08:00.450 --> 08:01.650
Go to breakpoint.

123
08:01.980 --> 08:03.240
Run four times.

124
08:04.350 --> 08:05.580
Hit four times.

125
08:05.610 --> 08:07.440
Go to VirtualProtect.

126
08:08.220 --> 08:09.480
Run to User Code.

127
08:10.980 --> 08:11.670
And then—

128
08:11.670 --> 08:11.970
Now,

129
08:11.970 --> 08:15.420
by now, we are ready to output the prompt.

130
08:15.420 --> 08:20.340
So just run until the prompt comes up.

131
08:20.730 --> 08:24.540
And then one, two, three, four, five, six. Hit Enter.

132
08:25.800 --> 08:28.140
So now we should be in a breakpoint.

133
08:29.040 --> 08:30.990
Let's go to our breakpoint.

134
08:35.040 --> 08:38.670
Okay, we missed it again because the breakpoint was disabled when we reset.

135
08:38.910 --> 08:41.370
So we have to enable it when we rerun.

136
08:41.370 --> 08:42.150
I forgot to do that.

137
08:42.150 --> 08:42.750
Sorry about that.

138
08:43.230 --> 08:47.910
So now, let's do this again.

139
08:48.360 --> 08:51.390
So this is the problem with doing packed code.

140
08:51.420 --> 08:54.570
The breakpoints will be disabled when you restart.

141
08:54.570 --> 08:55.860
You have to re-enable them.

142
08:55.860 --> 08:57.150
That's what I forgot to do.

143
08:57.870 --> 09:00.360
So let's run four times.

144
09:03.340 --> 09:05.560
One, two, three, four.

145
09:06.310 --> 09:14.470
Go to VirtualProtect, Run to User Code, and go to breakpoint and re-enable this one.

146
09:16.430 --> 09:17.450
Enable it again.

147
09:17.810 --> 09:18.560
Okay.

148
09:18.980 --> 09:27.500
So now—okay, you notice the VirtualProtect was not disabled when we restart because this is not packed.

149
09:27.680 --> 09:30.890
This one is an external library, but this one is packed.

150
09:30.890 --> 09:33.140
That's why when you restart, it is disabled.

151
09:33.140 --> 09:35.720
Because when you restart, it goes back into the packed state.

152
09:36.590 --> 09:40.070
That's why you have to re-enable it manually after you restart.

153
09:41.620 --> 09:43.360
Okay, so now you are here.

154
09:43.840 --> 09:48.130
You can run until the prompt comes up.

155
09:48.910 --> 09:51.160
Then you enter one, two, three, four, five, six.

156
09:51.160 --> 09:53.650
When you hit Enter, you hit your breakpoint.

157
09:53.650 --> 09:56.230
So now press G to graph it.

158
09:56.440 --> 09:58.210
And you can see here is where we are.

159
09:58.750 --> 10:03.970
So now what we want to do is force it to go straight instead of going to the left.

160
10:03.970 --> 10:06.340
If you click on this, you will see that jump is taken.

161
10:06.340 --> 10:09.970
So we just toggle the flag, make it go straight.

162
10:09.970 --> 10:11.530
So you click on it again.

163
10:11.530 --> 10:13.180
You will see the jump is not taken.

164
10:13.180 --> 10:14.470
So now we step over it.

165
10:14.470 --> 10:14.980
We go straight.

166
10:15.400 --> 10:20.950
So now it is ready to call the memcmp function, which we discovered from here.

167
10:22.280 --> 10:24.470
See that? memcmp is being used.

168
10:24.680 --> 10:27.620
So we want to examine the parameters.

169
10:27.620 --> 10:29.660
We look at this part here.

170
10:30.410 --> 10:31.430
Just pull this to the left.

171
10:31.430 --> 10:42.650
And you can see, as you know in Win32—Windows—inside x64 programs, the parameters to a function are

172
10:42.650 --> 10:49.760
passed by setting them up in registers instead of pushing them onto the stack.

173
10:50.120 --> 10:54.710
So the four parameters are -, -, -, -.

174
10:55.340 --> 10:57.710
So we have already studied this before.

175
10:58.340 --> 11:05.450
So to know what parameters are being used by a function, you look at these four registers. You will

176
11:05.450 --> 11:06.440
know what the parameters are.

177
11:06.440 --> 11:11.840
So the four parameters for memcmp are -, -, -.

178
11:11.840 --> 11:13.190
So you want to know what they are.

179
11:13.580 --> 11:19.190
You go to memcmp. So MSDN memcmp.

180
11:21.290 --> 11:23.750
And then you can look at the parameters.

181
11:24.200 --> 11:29.450
So memcmp has got these three parameters.

182
11:29.900 --> 11:34.430
This is -. Only use three.

183
11:35.330 --> 11:36.740
So -.

184
11:37.100 --> 11:37.550
-.

185
11:38.000 --> 11:38.600
-.

186
11:39.470 --> 11:40.940
So what do they mean?

187
11:40.940 --> 11:48.410
So you are comparing string one with string two, and count here refers to the number of characters

188
11:48.410 --> 11:50.840
to compare—number of characters to compare.

189
11:50.840 --> 11:51.350
That's the count.

190
11:51.350 --> 11:54.950
That means the third parameter is the number of characters to compare.

191
11:55.490 --> 11:56.690
So six in this case.

192
11:56.690 --> 11:56.870
Why?

193
11:56.900 --> 11:58.520
Because we entered six characters.

194
11:58.520 --> 12:00.860
That's why I think that it is only comparing six.

195
12:01.220 --> 12:09.200
So from here we can guess that it is trying to compare our input, which is one, two, three, four, five, six, and comparing

196
12:09.200 --> 12:11.690
that with another string, which is "pineapple."

197
12:11.690 --> 12:17.000
So from here we can guess that the password is "pineapple."

198
12:17.750 --> 12:19.430
So we can test it out.

199
12:20.190 --> 12:21.900
You need a copy of the crackme.

200
12:23.090 --> 12:23.810
And run it.

201
12:25.130 --> 12:27.500
Make a copy and run a copy.

202
12:28.550 --> 12:33.290
Open a command prompt here and run the copy.

203
12:33.290 --> 12:34.190
Enter

204
12:34.190 --> 12:34.790
"pineapple."

205
12:36.230 --> 12:37.190
Incorrect.

206
12:37.370 --> 12:38.060
We solved it.

207
12:38.060 --> 12:48.200
So this is how you can fish out the password using this method where we put breakpoints on the VirtualProtect.

208
12:49.370 --> 12:49.790
Okay.

209
12:49.790 --> 12:51.950
So that concludes this lesson.

210
12:51.950 --> 12:54.530
But next lesson, I will show you how to patch this file.

211
12:54.530 --> 12:58.070
So, as we all know, packed programs cannot be patched.

212
12:58.070 --> 12:58.400
Why?

213
12:58.400 --> 13:04.460
Because if you try to patch this to make it go straight, it won't work.

214
13:04.460 --> 13:07.850
Let me show you this example.

215
13:07.880 --> 13:11.660
Now to solve this, you might want to patch.

216
13:12.350 --> 13:12.620
Okay.

217
13:12.620 --> 13:14.000
Let's graph it further.

218
13:14.690 --> 13:18.230
You might want to patch it so that this thing doesn't execute.

219
13:18.230 --> 13:21.080
So you NOP all of this, and also you NOP all of this.

220
13:21.080 --> 13:24.050
So if you NOP from here to here, it should go straight.

221
13:24.410 --> 13:25.010
Correct.

222
13:25.100 --> 13:27.410
But the patch will not be able to be saved.

223
13:27.650 --> 13:29.600
I will show you that in the next lesson.

224
13:29.600 --> 13:29.930
All right.

225
13:29.930 --> 13:30.740
See you then.