WEBVTT

1
00:01.850 --> 00:03.530
Hello and welcome back.

2
00:03.530 --> 00:10.580
Our next project is from this, uh, this author who wrote this crackme.

3
00:11.420 --> 00:16.160
So go and download this from my, from my resource section.

4
00:16.760 --> 00:19.010
So I'm giving credit to the author here.

5
00:20.240 --> 00:26.930
So download the zip file and unzip it using the password crackinglessons.com.

6
00:28.040 --> 00:32.870
After you unzip it, inside it you will find these two files. Immediately

7
00:32.870 --> 00:34.340
make a copy as a backup.

8
00:35.180 --> 00:40.910
Then scan it with DIE and you will find that it is a 32-bit program.

9
00:42.080 --> 00:44.540
So let's run it now and see what happens.

10
00:45.260 --> 00:50.420
It asks you to enter your username, so I don't know what it is.

11
00:50.420 --> 00:53.360
I just type any username.

12
00:54.020 --> 00:55.190
Then I hit enter.

13
00:55.190 --> 00:57.320
It asks me to enter the password.

14
00:57.320 --> 01:00.290
I type 123456.

15
01:02.570 --> 01:03.620
So I just...

16
01:07.420 --> 01:16.690
And then I press enter and it immediately closes and I can't see the output whether it's right or wrong.

17
01:16.990 --> 01:20.320
So I need to run it with a debugger.

18
01:21.280 --> 01:27.130
I open the debugger and use it to open this program.

19
01:29.400 --> 01:35.100
And then I need to search for the string

20
01:35.340 --> 01:38.010
"Enter," "enter,"

21
01:38.010 --> 01:38.910
"username."

22
01:39.360 --> 01:40.740
I right-click over here.

23
01:42.470 --> 01:46.550
And search for current module string references.

24
01:47.120 --> 01:48.560
And I find all this.

25
01:48.560 --> 01:51.470
And the one that I want is "Enter your username."

26
01:52.070 --> 02:00.710
So I go to that location and scroll up to look for the start of the function which contains this string.

27
02:02.270 --> 02:05.840
And then on the top I will find a function here.

28
02:06.470 --> 02:11.210
So I can put a breakpoint there and then graph it.

29
02:14.100 --> 02:20.670
So now I'm ready to run the program and see whether it hits this breakpoint.

30
02:22.260 --> 02:22.800
It does.

31
02:22.800 --> 02:23.910
It hits the breakpoint.

32
02:24.870 --> 02:32.880
I turn on the trace, and then I step over it and keep an eye on the output over here.

33
02:34.530 --> 02:35.700
Continue to step over it.

34
02:37.230 --> 02:42.600
And now it comes to this call. After I stepped over this call,

35
02:43.080 --> 02:44.310
it prints the message,

36
02:44.310 --> 02:45.510
"Enter your username."

37
02:46.620 --> 02:50.790
I continue to step over until it comes to the next call.

38
02:52.590 --> 02:58.020
It is now in a pause state, but when I step over this call, it goes into the running state.

39
02:58.470 --> 03:01.980
That means it is waiting for me to enter a username.

40
03:02.790 --> 03:06.570
So I type my username which is just a random name.

41
03:07.500 --> 03:14.760
Hit enter and now it comes back to a pause state and I can now continue stepping over it.

42
03:15.390 --> 03:22.140
I continue stepping over it and when I step over this call, it prints out another message.

43
03:22.770 --> 03:24.450
It prints out another message,

44
03:24.900 --> 03:26.340
"Now enter your password."

45
03:27.330 --> 03:32.370
And then I continue stepping until it comes to the next call.

46
03:33.780 --> 03:36.930
So at this next call it is in a pause state.

47
03:37.050 --> 03:43.350
But when I step over it, it goes into the running state, which means it is waiting for me to input.

48
03:43.890 --> 03:49.470
So I just type any, any password, 123456 for example.

49
03:49.560 --> 03:50.820
And I hit enter.

50
03:51.300 --> 03:55.050
And now it comes back to the pause state and I'm able to debug.

51
03:55.110 --> 03:56.910
Now I continue stepping over.

52
03:58.650 --> 04:01.230
Now it is continuing after this call.

53
04:02.640 --> 04:07.680
After this call we get some non-zero value and non-negative value.

54
04:08.580 --> 04:11.760
So just ignore it for now and see what it does.

55
04:12.360 --> 04:17.010
Continue to step over, continue stepping over.

56
04:18.030 --> 04:20.130
And now it's going to return.

57
04:20.400 --> 04:22.590
It's going to return to the main function.

58
04:23.070 --> 04:25.440
It hasn't shown me any bad messages so far.

59
04:25.650 --> 04:29.940
So let's step over to return to the parent function.

60
04:30.480 --> 04:31.230
Step over.

61
04:31.500 --> 04:33.720
And now I should be in the parent function.

62
04:34.260 --> 04:41.370
So I can now right-click and Follow in Disassembler.

63
04:41.370 --> 04:42.720
And I'm back here.

64
04:43.830 --> 04:44.880
I'm back here.

65
04:51.330 --> 04:54.930
I am back here and this is where we just came from.

66
04:55.260 --> 04:57.180
So I label it "GetInput."

67
04:57.480 --> 05:00.330
So "GetInput" was what we came from just now.

68
05:01.020 --> 05:09.090
So this is a function to prompt the user to enter username, read the username, prompt to enter password

69
05:09.090 --> 05:10.740
and read the password.

70
05:10.740 --> 05:12.390
That's all this function does.

71
05:12.870 --> 05:16.890
And then after that we are now in another bigger function.

72
05:17.370 --> 05:21.150
So we look up and this is the start of this function.

73
05:21.150 --> 05:23.430
So I will label it "main function."

74
05:23.910 --> 05:26.700
And then now I can graph this to analyze it.

75
05:30.030 --> 05:31.950
And so I see that you are now here.

76
05:31.950 --> 05:33.780
We just came back from this function.

77
05:34.740 --> 05:36.690
So I continue to step over it.

78
05:38.130 --> 05:43.620
I can now actually put the breakpoint here to enable the function.

79
05:45.210 --> 05:47.730
So now let's continue to step over.

80
05:48.660 --> 05:51.120
So we are now at this new function.

81
05:51.450 --> 05:56.190
And before we call this function we have this non-zero value.

82
05:57.810 --> 06:00.510
After we step away we get the zero value.

83
06:01.140 --> 06:07.560
So this is a function which affects the result of the -.

84
06:08.370 --> 06:09.720
If we continue to step away,

85
06:09.870 --> 06:10.740
it continues.

86
06:10.770 --> 06:14.010
It tries to check whether the - is one.

87
06:14.100 --> 06:21.810
But because - is not one, jump not equal will jump to 401FB1, which is here.

88
06:22.050 --> 06:24.900
And that is like it's a bad message.

89
06:26.190 --> 06:31.410
So we continue to step over this and we see a bad message is showing "Wrong password."

90
06:31.920 --> 06:35.730
This suggests that this is the function which checks for password.

91
06:35.820 --> 06:37.380
So I put a comment there.

92
06:37.380 --> 06:46.110
And now I'm going to enable the breakpoint so that we can come back and analyze what sets the - to zero.

93
06:46.620 --> 06:50.790
So now I restart the program and I run.

94
06:51.270 --> 06:53.070
I'm now at the main function.

95
06:53.700 --> 06:55.170
I continue to run.

96
06:55.200 --> 06:56.670
Let me put this on the right.

97
06:59.280 --> 07:00.030
Run.

98
07:01.730 --> 07:02.510
Run.

99
07:02.750 --> 07:06.350
It asked me to enter the username, so I enter "cracker."

100
07:07.980 --> 07:08.850
Hit enter.

101
07:09.150 --> 07:14.070
It asked to enter the password, so I enter 123456 and I hit enter.

102
07:14.340 --> 07:19.230
And now we are at the, at the, at the function that checks for password.

103
07:19.230 --> 07:22.470
So I'm going to graph this main function.

104
07:23.250 --> 07:26.160
So now it has input everything.

105
07:27.690 --> 07:30.180
So now you can see the main function here.

106
07:30.180 --> 07:33.510
And we have just called this function to get the inputs.

107
07:33.510 --> 07:39.150
And now we are here, we are going to call this function, uh, to check the password.

108
07:39.150 --> 07:40.830
So you need to step into this now.

109
07:41.100 --> 07:47.610
So let's step into it and then right-click and sync with CPU.

110
07:48.420 --> 07:52.860
So now we are in the function that checks for the password itself.

111
07:53.040 --> 07:54.960
We can continue to step over.

112
07:55.200 --> 07:58.830
We want to see what sets the value of - to zero.

113
07:59.700 --> 08:00.990
So let's continue.

114
08:03.370 --> 08:07.180
It's going to the left and now it's going to call this function.

115
08:08.590 --> 08:09.760
- is not zero.

116
08:09.940 --> 08:11.350
So continue to step over.

117
08:13.510 --> 08:14.950
Continue stepping over.

118
08:21.430 --> 08:23.140
And now over here,

119
08:25.180 --> 08:32.050
we can see that - is going to come down here, jump is not taken.

120
08:32.050 --> 08:34.180
So it's going to go to the right.

121
08:35.080 --> 08:39.100
So when it goes to the right it sets zero to -.

122
08:39.100 --> 08:42.250
That means this is the part that sets the - to zero.

123
08:42.490 --> 08:44.620
That means this is a bad path.

124
08:45.010 --> 08:49.510
If you want - to become one, you go to the left and it becomes one.

125
08:49.690 --> 08:54.580
So in order to go to the left, the value of - and - must be the same.

126
08:55.000 --> 09:01.600
So - is the first part of the - register, which is now 31.

127
09:02.140 --> 09:08.800
31 is the ASCII code for the character one, and character one is our first character of our password,

128
09:08.800 --> 09:09.490
"1."

129
09:10.360 --> 09:13.090
And then for -.

130
09:13.120 --> 09:19.780
- is the first byte of the - register, which is 77, and 77 is a hex value.

131
09:19.900 --> 09:28.630
The ASCII code is "w," so it is comparing whether the password we enter is "w."

132
09:28.990 --> 09:30.580
So in this case it is "1."

133
09:30.580 --> 09:31.600
It is not "w."

134
09:31.900 --> 09:35.830
So because it is not "w" it will move to the right.

135
09:36.340 --> 09:42.970
So this suggests that the password is just a single character "w" like that, just "w."

136
09:43.090 --> 09:45.370
So we can test our hypothesis.

137
09:45.370 --> 09:48.130
We can go and rerun this.

138
09:48.130 --> 09:51.190
And this time when it comes here we will enter "w."

139
09:51.190 --> 09:56.020
But for now just continue this and see that it will now move zero to -.

140
09:56.410 --> 10:01.870
And when it returns to the main function it is going to test whether - is one.

141
10:01.870 --> 10:02.680
It is not.

142
10:02.860 --> 10:09.310
So it's going to go to the left and show the message which you see here.

143
10:09.580 --> 10:13.270
So we're going to restart now and then run.

144
10:13.270 --> 10:15.700
And this time we're going to enter the correct password.

145
10:16.030 --> 10:17.170
Let's run again.

146
10:17.830 --> 10:19.300
Move this to the right.

147
10:22.590 --> 10:25.080
Run, run again.

148
10:25.530 --> 10:27.930
Click here and enter your username.

149
10:31.010 --> 10:33.470
And now enter "w" as the password.

150
10:33.710 --> 10:35.000
Just one character.

151
10:35.240 --> 10:40.940
Hit enter and now it comes to our function to check the password.

152
10:40.940 --> 10:42.380
So let's graph this.

153
10:44.300 --> 10:45.320
So now it is here.

154
10:45.320 --> 10:49.430
We need to step into this and now we sync it.

155
10:49.610 --> 10:50.240
Yep.

156
10:50.420 --> 10:51.650
And we are here.

157
10:52.190 --> 10:57.500
So let's continue to step over and see what happens when it comes to this line.

158
10:58.700 --> 11:00.440
So continue to step over.

159
11:08.030 --> 11:12.560
So you can see now the value in - and - is the same.

160
11:13.100 --> 11:17.510
- is a "w" and - is also "w."

161
11:17.810 --> 11:19.820
So that means the comparison is true.

162
11:19.820 --> 11:21.920
So it will jump because it is equal.

163
11:22.550 --> 11:24.620
So now come over here, click on this.

164
11:24.650 --> 11:25.910
You will see jump is taken.

165
11:25.910 --> 11:27.110
It will go to the left.

166
11:28.160 --> 11:29.990
So it moves one to -.

167
11:29.990 --> 11:31.250
That is what we want.

168
11:32.030 --> 11:37.100
So now we continue stepping over and it's going to return to the caller, the main function.

169
11:37.490 --> 11:39.320
And we are now in the main function.

170
11:39.590 --> 11:42.680
It compares - to one and - is one.

171
11:42.680 --> 11:44.450
So it's true.

172
11:44.450 --> 11:47.720
So because it's true it will not jump to the left.

173
11:47.720 --> 11:49.670
It is going to jump to the right.

174
11:50.420 --> 11:52.760
Click on this and you will see jump is not taken.

175
11:52.850 --> 11:54.680
So it's going to go to the right.

176
11:55.400 --> 11:59.510
And it's going to print this message by using the print function.

177
12:01.460 --> 12:03.890
And you can see "Congrats, you are logged in."

178
12:04.340 --> 12:09.830
So this is how we can fish out the password which is just one single character "w."

179
12:10.880 --> 12:14.030
So, uh, that's all for this video.

180
12:14.030 --> 12:21.200
Next video we are going to see how to patch this to, to show the "congrats" message irrespective of whether

181
12:21.200 --> 12:23.240
or not the password is correct.

182
12:23.270 --> 12:26.990
So give that a try now before you watch the next video.

183
12:27.440 --> 12:28.370
See you then.