WEBVTT

1
00:01.790 --> 00:02.450
Welcome back.

2
00:02.450 --> 00:06.770
In the previous lesson, we already managed to fish out this password: "pineapple."

3
00:06.770 --> 00:11.900
And if we wanted to solve this, you just need to patch from here to here with a NOP.

4
00:11.900 --> 00:14.000
So let's try the patch and see if it works.

5
00:15.380 --> 00:17.270
So now let's see.

6
00:17.810 --> 00:21.290
We are going to run this four times.

7
00:22.250 --> 00:24.260
Make sure your breakpoint is there.

8
00:24.470 --> 00:25.220
This one.

9
00:26.310 --> 00:32.790
One, two, three, four, and then go to VirtualProtect, Run to User Code.

10
00:33.330 --> 00:34.680
And then here.

11
00:35.340 --> 00:41.760
Now we run until the password is shown, and then we type one, two, three,

12
00:44.150 --> 00:46.490
four, five, six.

13
00:46.490 --> 00:52.400
But before you press Enter, let's go to our breakpoint and enable this one.

14
00:53.270 --> 00:56.900
Enable, and then go to that location in -.

15
00:58.110 --> 01:00.450
So here's where you are here.

16
01:00.450 --> 01:01.950
And graph it up here.

17
01:03.120 --> 01:03.480
All right.

18
01:03.480 --> 01:06.600
We want to come to this location, so we can run that now.

19
01:06.630 --> 01:08.490
We press Enter and you hit a breakpoint.

20
01:09.510 --> 01:11.190
So now we are here.

21
01:11.550 --> 01:13.050
We want it to go straight.

22
01:13.080 --> 01:14.580
We don't want it to jump here.

23
01:14.580 --> 01:14.760
Right.

24
01:14.760 --> 01:17.130
Because currently it's going to jump.

25
01:17.130 --> 01:20.100
You see, this jump is taken, so we can NOP this.

26
01:20.370 --> 01:26.880
We can also prevent the memcmp and this jump by NOPing all this line as well, so that

27
01:26.880 --> 01:30.690
it eventually just goes straight and shows the good message.

28
01:31.530 --> 01:32.640
So let's try that.

29
01:34.010 --> 01:35.960
Right-click, Follow in Disassembler.

30
01:36.560 --> 01:40.940
So we want to NOP all this from here to here.

31
01:41.690 --> 01:43.310
This is what we want to NOP.

32
01:43.550 --> 01:44.120
Correct.

33
01:44.300 --> 01:50.150
So we can actually select all this from here to here—from here to here.

34
01:50.150 --> 01:52.970
And NOP it: Binary, Fill with NOPs.

35
01:55.650 --> 01:56.040
Okay.

36
01:56.040 --> 02:02.520
So now if you—if you continue to run, it's just going to go straight. Watch.

37
02:03.090 --> 02:05.850
So step over, step over, step over, step over.

38
02:05.880 --> 02:07.290
Eventually it will come here.

39
02:12.310 --> 02:16.900
Then it is coming here, and now it's constructing the good message. See this?

40
02:18.400 --> 02:20.530
As you keep on stepping over, it says "Correct."

41
02:21.250 --> 02:21.670
Right.

42
02:21.670 --> 02:22.000
That's it.

43
02:22.000 --> 02:27.490
So we managed to solve it by NOPing all these few bytes.

44
02:27.640 --> 02:29.800
Let's go back to disassembly view.

45
02:30.790 --> 02:33.430
We can manage to solve it by doing this NOP.

46
02:33.430 --> 02:33.700
NOP.

47
02:33.760 --> 02:36.970
But the problem is, when you try to patch it, it fails.

48
02:38.050 --> 02:39.040
Try to patch.

49
02:41.990 --> 02:45.110
And we try to save it as "crackme2."

50
02:48.390 --> 02:49.380
"crackme2."

51
02:51.550 --> 02:52.330
Please save.

52
02:53.200 --> 02:53.650
All right.

53
02:53.980 --> 02:54.460
Patch.

54
02:54.460 --> 02:55.240
Patch applied.

55
02:55.270 --> 02:55.930
Fine.

56
02:56.680 --> 02:58.450
All right, so now we try to run it.

57
03:00.990 --> 03:03.570
"crackme2," Enter password.

58
03:05.090 --> 03:05.750
Incorrect.

59
03:05.750 --> 03:06.110
See that?

60
03:06.290 --> 03:07.010
Why?

61
03:07.010 --> 03:07.820
Because when—

62
03:07.820 --> 03:10.550
after you patch it and then you

63
03:10.820 --> 03:14.930
quit the program, the program collapses back into a packed state.

64
03:15.350 --> 03:18.740
So the original file has not been patched at all.

65
03:19.130 --> 03:20.360
That's why it fails.

66
03:20.360 --> 03:21.980
So this method cannot work.

67
03:21.980 --> 03:23.630
You cannot patch a file

68
03:24.170 --> 03:25.430
which is packed.

69
03:26.000 --> 03:26.960
You cannot patch it.

70
03:26.960 --> 03:34.430
So the only way to solve it is to find a way to patch the memory itself

71
03:34.430 --> 03:36.380
after the program has run.

72
03:36.500 --> 03:42.170
That means after the program has run, you enter the password, but before you hit Enter, you patch

73
03:42.170 --> 03:42.500
it.

74
03:43.320 --> 03:46.230
You patch the memory itself.

75
03:46.590 --> 03:48.240
Then hit Enter.

76
03:48.240 --> 03:50.160
Then you'll find that you'll be—correct.

77
03:50.280 --> 03:50.700
Correct.

78
03:50.700 --> 03:51.210
Password.

79
03:51.450 --> 03:53.550
So that is called memory patcher.

80
03:53.580 --> 03:54.030
Another—

81
03:54.300 --> 03:56.130
another name for that is called loaders.

82
03:56.160 --> 03:57.360
Loaders.

83
03:57.360 --> 03:58.110
Loaders.

84
03:58.260 --> 04:03.450
Loaders are those programs which allow you to patch the runtime process memory.

85
04:03.450 --> 04:06.570
Instead of patching the file, you are patching the memory itself.

86
04:07.440 --> 04:11.910
So to know what you want to patch, we have to restore selected first.

87
04:12.210 --> 04:13.710
Restore selection.

88
04:14.330 --> 04:18.530
And then the bytes that you want to patch are all these.

89
04:18.800 --> 04:21.080
So let's see.

90
04:21.080 --> 04:25.460
So let's go and open a Notepad.

91
04:27.510 --> 04:28.920
Search for Notepad.

92
04:30.270 --> 04:32.310
Let's record down the bytes to patch.

93
04:33.090 --> 04:36.300
The bytes to patch is here to here.

94
04:36.840 --> 04:46.230
So we select all those bytes, right-click, Binary, Copy, and then come here and paste it here.

95
04:47.350 --> 04:48.580
So there are 15.

96
04:48.580 --> 04:49.270
All of them.

97
04:49.270 --> 04:59.290
You can count: one, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve, thirteen, fourteen,

98
04:59.290 --> 05:01.360
fifteen—15 bytes to patch with NOP.

99
05:01.690 --> 05:05.410
So you want to patch those bytes with 15 NOPs.

100
05:06.100 --> 05:07.000
15 NOPs.

101
05:07.000 --> 05:11.770
So when you patch these bytes with 15 NOPs, you replace it with ninety zeros.

102
05:11.770 --> 05:13.120
So let's try that now and see.

103
05:13.270 --> 05:14.890
Binary, Fill, NOPs.

104
05:17.030 --> 05:17.510
Okay.

105
05:17.510 --> 05:19.670
And you see, now it has become ninety zeros.

106
05:19.670 --> 05:20.630
So you can copy this.

107
05:20.630 --> 05:21.620
Ninety zeros.

108
05:22.100 --> 05:24.350
Binary, Copy.

109
05:25.310 --> 05:30.140
Come back here and put 9-0-9-0.

110
05:30.380 --> 05:31.190
So this is NOP.

111
05:31.190 --> 05:36.110
So you want to replace these original bytes with these bytes.

112
05:36.110 --> 05:38.660
So we can write a Python script to do that.

113
05:38.660 --> 05:42.200
And I have written that for you, so you don't have to do it.

114
05:42.560 --> 05:45.470
So the Python script is shown here.

115
05:48.310 --> 05:49.750
Open your crackme.

116
05:49.750 --> 05:52.240
And this is a Python script.

117
05:56.010 --> 06:01.740
So all you need to do is open the Python script in your favorite editor.

118
06:01.860 --> 06:03.840
I'm using Visual Studio Code.

119
06:04.820 --> 06:09.290
And then in this line here, fill in the bytes you want to patch.

120
06:09.740 --> 06:11.570
So I already copied the bytes here.

121
06:11.570 --> 06:15.770
So all I need to do is copy this and replace it here.

122
06:16.600 --> 06:19.390
So just copy and paste it here to replace it.

123
06:19.390 --> 06:20.530
And I've already done that.

124
06:20.770 --> 06:27.280
Next thing is you copy the bytes that are being used to replace those bytes there and paste it here.

125
06:27.280 --> 06:28.870
And I've also done that already.

126
06:29.380 --> 06:33.670
So if you find whenever you want to use this program to patch memory,

127
06:33.700 --> 06:37.240
just put the bytes that you're searching for on top.

128
06:38.110 --> 06:41.590
And the bytes you want to use to replace it at the bottom here.

129
06:41.590 --> 06:42.130
That's it.

130
06:42.130 --> 06:43.390
That's all you need to do.

131
06:43.420 --> 06:45.160
The rest you don't need to know.

132
06:45.880 --> 06:49.750
And I'm not going to explain this because it's beyond the scope of this course.

133
06:49.750 --> 06:55.540
I just wrote this program and it will work to patch memory with any bytes you want.

134
06:55.540 --> 07:00.640
So now you save this, and then you're ready to run this Python program.

135
07:00.640 --> 07:06.040
And I also assume that you already installed Python on your computer.

136
07:06.850 --> 07:09.670
If you have not installed Python, you go ahead and install it.

137
07:09.670 --> 07:14.950
And after installing Python, you also need to install some Python libraries.

138
07:15.900 --> 07:18.210
I think you need to install

139
07:18.920 --> 07:20.090
psutil.

140
07:21.210 --> 07:24.930
Okay, I'll give you a quick hint on how to do that.

141
07:26.220 --> 07:28.050
Go and download Python.

142
07:30.710 --> 07:31.580
Like this.

143
07:32.550 --> 07:35.220
Download Python 3.12.2.

144
07:35.400 --> 07:41.190
And then when you install Python, make sure you install it globally, not for individual users.

145
07:41.220 --> 07:43.560
You need to install it globally for all users.

146
07:43.560 --> 07:50.400
And also you need to set the Python path to the environment variable, so that—you can Google it

147
07:50.580 --> 07:54.480
in Google to know how to do that.

148
07:54.480 --> 07:57.630
Then to install the Python psutil, you need this.

149
07:57.630 --> 08:00.240
You just need to open a—pip install.

150
08:00.420 --> 08:02.820
So search for cmd.

151
08:05.440 --> 08:06.640
You need to type—

152
08:06.640 --> 08:14.950
you need to run your command prompt as—you need to run your command prompt as administrator

153
08:14.950 --> 08:15.490
here.

154
08:15.520 --> 08:16.900
Run as administrator.

155
08:17.020 --> 08:19.540
And then you need to type "pip install

156
08:19.900 --> 08:20.620
psutil."

157
08:21.400 --> 08:22.390
psutil like that.

158
08:22.930 --> 08:23.680
That's it.

159
08:24.790 --> 08:28.210
Then after that, you should be able to run this Python script.

160
08:28.210 --> 08:31.420
So let's close the Python script and go to this location.

161
08:31.930 --> 08:37.330
Open the command prompt here, and let's put this to the right.

162
08:38.350 --> 08:42.610
And then we open another command prompt to run this program.

163
08:44.210 --> 08:45.830
And you put this on the left.

164
08:46.070 --> 08:47.960
So now we run our crackme.

165
08:50.900 --> 08:52.970
And enter the wrong password.

166
08:54.620 --> 08:55.610
It says "Incorrect."

167
08:55.640 --> 08:55.970
Yes.

168
08:55.970 --> 08:57.350
So we run it again.

169
08:57.920 --> 09:00.200
We're going to patch it and run it and see what happens.

170
09:00.560 --> 09:02.120
Again, open the command prompt.

171
09:04.420 --> 09:05.470
Put it on the left.

172
09:07.230 --> 09:09.150
And run the crackme.

173
09:10.470 --> 09:12.120
But don't enter a password yet.

174
09:12.150 --> 09:13.260
Run your script.

175
09:13.410 --> 09:16.230
So your script is—what do you call your script?

176
09:17.280 --> 09:19.500
Let's run dir to see the name of the script.

177
09:19.530 --> 09:22.200
The script is called "patchmem.py."

178
09:22.230 --> 09:24.540
So to run it, you type "python

179
09:25.990 --> 09:26.350
patch-

180
09:26.350 --> 09:27.520
mem.py"

181
09:29.380 --> 09:36.550
and the name of your crackme: "crackme.exe." Hit Enter.

182
09:37.680 --> 09:39.870
So it says "Successfully wrote data to it."

183
09:39.870 --> 09:41.130
So it's managed to patch it.

184
09:41.160 --> 09:44.460
So now if you enter any password—any wrong password—hit Enter.

185
09:44.460 --> 09:45.420
It says "Correct."

186
09:45.960 --> 09:47.130
So the script works.

187
09:47.700 --> 09:52.110
Now another way to use the script is instead of providing the name of the crackme here, you can provide

188
09:52.110 --> 09:52.530
the PID.

189
09:52.590 --> 09:54.510
The PID—process ID.

190
09:54.540 --> 09:58.560
So let me try this again, this time by entering the process ID.

191
09:59.770 --> 10:04.210
So this time I'm going to rerun—open command prompt here.

192
10:06.300 --> 10:08.130
Put it on the left.

193
10:08.160 --> 10:09.300
On the left.

194
10:12.080 --> 10:16.280
And then I'm going to use my Task Manager.

195
10:16.610 --> 10:20.480
Look for the process ID for the crackme.

196
10:21.470 --> 10:21.830
Okay.

197
10:21.830 --> 10:22.490
I haven't run it.

198
10:22.490 --> 10:23.180
I'm sorry.

199
10:24.170 --> 10:25.940
So I should run it first.

200
10:27.290 --> 10:31.220
Crackme. Then come here and look for it.

201
10:32.990 --> 10:34.220
I think this is the one.

202
10:34.220 --> 10:35.180
This is the one.

203
10:36.140 --> 10:37.220
Yeah, this is the one.

204
10:37.220 --> 10:38.720
So to get the PID,

205
10:39.770 --> 10:41.090
so this is the one here.

206
10:41.090 --> 10:43.040
If you double-click, you will see "crackme."

207
10:43.040 --> 10:49.520
So to get the PID number, you just right-click and then go here to "Go to details."

208
10:50.240 --> 10:54.230
Go to details, and you can see—yeah, there you go.

209
10:54.980 --> 10:57.980
The PID is 5336.

210
10:57.980 --> 11:04.790
So here you can run your—earlier—earlier—earlier script.

211
11:04.790 --> 11:09.650
But this time instead of the name of the crackme file, you supply the PID.

212
11:10.760 --> 11:12.860
So the PID is

213
11:13.550 --> 11:18.440
5-3-3-6—5336.

214
11:18.440 --> 11:21.140
Hit Enter, and it successfully patched the file.

215
11:21.500 --> 11:23.360
And now you enter anything you want.

216
11:24.320 --> 11:25.130
It says "Correct."

217
11:25.130 --> 11:27.050
So there are two ways to use this script.

218
11:27.050 --> 11:31.760
Either you supply the name of the process, which is "crackme.exe," or the PID.

219
11:31.760 --> 11:33.440
So the PID is a bit troublesome.

220
11:33.440 --> 11:35.840
You need to open Task Manager to look for the PID.

221
11:36.650 --> 11:39.230
Okay, so that's all for this video.

222
11:39.230 --> 11:40.520
Thank you for watching.