WEBVTT

1
00:01.340 --> 00:01.970
Welcome back.

2
00:02.120 --> 00:03.680
Let us now continue.

3
00:03.680 --> 00:08.150
In the last lesson, we already found the array of bytes that we want to scan.

4
00:08.150 --> 00:12.890
So now let's open our Python script that I have written for you.

5
00:15.760 --> 00:19.000
I open it with my Visual Studio Code.

6
00:21.670 --> 00:24.580
You can use another code editor if you want.

7
00:25.660 --> 00:29.920
So over here, these are the instructions.

8
00:31.090 --> 00:39.910
Use x64dbg to determine the target array of bytes to search for, and this will become

9
00:39.910 --> 00:42.490
your data defined over here.

10
00:44.750 --> 00:47.330
And then the bytes to replace it with.

11
00:47.600 --> 00:52.790
This will become your data to replace, which is here.

12
00:54.140 --> 00:57.110
Make sure your array of bytes is long enough to be unique.

13
00:57.770 --> 00:59.750
You don't have to replace the entire array of bytes.

14
00:59.900 --> 01:02.840
So in this case we are only going to replace 74.

15
01:02.870 --> 01:04.940
We don't need to replace the entire thing.

16
01:06.890 --> 01:10.310
So what you need to do is, I've already done it,

17
01:10.310 --> 01:15.950
but if you haven't, you just copy this and put it in here.

18
01:17.940 --> 01:21.360
And copy this and put it here.

19
01:21.690 --> 01:24.090
So now you're ready to run this program,

20
01:24.090 --> 01:24.840
this script.

21
01:26.680 --> 01:31.600
Notice here that the usage for this script is different from the previous script.

22
01:32.230 --> 01:35.830
In the previous lesson, you had to run the program first.

23
01:35.830 --> 01:39.730
That means you have to run the Crackme first before you run the script.

24
01:40.450 --> 01:45.550
But in this script, this program, the loader.py, you don't have to.

25
01:46.090 --> 01:49.150
This loader will automatically run the program for you.

26
01:49.780 --> 01:52.960
So the usage is you type this command.

27
01:54.450 --> 02:00.120
So the file name, you need to replace it with the name of your Crackme, then it will automatically run

28
02:00.120 --> 02:05.010
the program, and then you wait five seconds for it to start, and then it will patch.

29
02:05.670 --> 02:12.090
So there is a delay here of five seconds which you can adjust accordingly to your liking.

30
02:14.360 --> 02:17.390
time.sleep, optional.

31
02:17.390 --> 02:22.970
Add a five-second delay to ensure the application has started and unpacked itself into memory.

32
02:27.220 --> 02:29.530
So it's necessary to have this system.

33
02:29.560 --> 02:36.040
Otherwise, if you don't have the delay, the program won't have time to unpack,

34
02:36.400 --> 02:36.850
and the

35
02:36.880 --> 02:37.930
patch will fail.

36
02:38.020 --> 02:39.730
So that's why you need to put a delay.

37
02:39.730 --> 02:43.300
If you feel five seconds is too long, you can reduce it to four seconds,

38
02:43.900 --> 02:49.300
or you can use fractions, for example, 4.5 seconds and so on.

39
02:49.420 --> 02:50.470
It's up to you.

40
02:50.500 --> 02:53.140
Five seconds just works fine.

41
02:54.830 --> 02:56.720
So now we can run this.

42
02:56.720 --> 02:59.150
So what we need to do is we right-click here,

43
02:59.900 --> 03:01.160
open in terminal.

44
03:03.380 --> 03:07.550
And then straight away we type the command "python."

45
03:09.930 --> 03:10.470
Loader.

46
03:10.920 --> 03:11.760
Press spacebar.

47
03:12.330 --> 03:19.560
It will auto-complete the name of the script for you, and the name of your Crackme that you want to start.

48
03:19.590 --> 03:24.600
Make sure these two are in the same folder, so you type in the name of the Crackme.

49
03:26.250 --> 03:32.340
Press spacebar and it completes the name for you, but you will have to remove this backslash, otherwise

50
03:32.340 --> 03:34.740
it won't find it like this.

51
03:36.460 --> 03:37.870
This one is optional.

52
03:37.870 --> 03:40.000
If you want to remove this first layer, you can go ahead.

53
03:41.680 --> 03:43.000
Now you're ready to run.

54
03:43.480 --> 03:49.210
Press Enter and it takes five seconds for it to unpack itself.

55
03:49.210 --> 03:52.180
So there's a message "Waiting for it to initialize."

56
03:52.180 --> 03:54.790
That means it needs to wait for it to unpack.

57
03:55.150 --> 03:57.280
After five seconds it will flash.

58
03:57.280 --> 04:03.130
It will scan this array of bytes and then it will patch it with your byte.

59
04:03.490 --> 04:06.310
It will scan for this.

60
04:06.430 --> 04:09.730
Once it finds it, you patch the first byte with -.

61
04:10.330 --> 04:15.520
If it's successfully patched, you will get a message "Successfully wrote data" to the address that it

62
04:15.520 --> 04:16.060
patched.

63
04:16.750 --> 04:24.490
So now you can enter any wrong data, wrong key, and you click on "Check" and it says "Correct key."

64
04:24.700 --> 04:28.120
So we have successfully patched the memory itself.

65
04:28.780 --> 04:32.110
So this is the power of memory patching,

66
04:32.110 --> 04:38.680
and potentially it can be used to bypass software protection or packing.

67
04:38.860 --> 04:44.860
And this is easier than unpacking because in unpacking you have to go through a lot of tedious work

68
04:44.860 --> 04:50.380
to unpack and dump and then fix the IAT table and the PE header and so on.

69
04:50.920 --> 04:59.020
But using this method is so much easier because we just let the program unpack itself.

70
04:59.020 --> 05:03.070
Then all you need to do is just patch the memory after it has unpacked itself.

71
05:03.760 --> 05:05.680
So that's all for this video.

72
05:05.680 --> 05:07.300
Thank you for watching.