WEBVTT

1
00:00.800 --> 00:02.780
Welcome back to a new lesson.

2
00:03.020 --> 00:09.260
In this project we are going to try this crackme by this author.

3
00:09.590 --> 00:13.460
So go and download this from the resource section for this lecture.

4
00:14.090 --> 00:16.850
Unzip it. Zero keygenThis.

5
00:17.150 --> 00:27.740
The unzip password is crackinglessons.com, and then make a copy of the crackme as a backup in case

6
00:27.740 --> 00:28.970
you make a mistake.

7
00:29.450 --> 00:32.480
And now we shall run it and see what it does.

8
00:34.070 --> 00:38.420
Just double-click on it and it asks you to enter the name and the serial.

9
00:39.020 --> 00:41.450
So I'm going to use "cracker" as the name.

10
00:42.860 --> 00:47.360
I suggest you follow the same so that you can follow along with this lesson.

11
00:48.200 --> 00:56.300
And the serial I'm going to assume is 1, 2, 3, 4, 5, 6, 7, 8, and 9: 123456789.

12
00:56.570 --> 01:01.460
When I click on check, it gives the error message "Sorry, don't give up."

13
01:02.120 --> 01:03.980
So remember this string.

14
01:03.980 --> 01:09.380
We are going to search for this string inside the string search later.

15
01:10.250 --> 01:17.000
You should also scan this with DIE to check if it is a 32-bit or 64-bit program.

16
01:17.660 --> 01:23.900
I've already done that, and I found that this is a 32-bit program, so I need to open this with

17
01:24.500 --> 01:26.630
x32dbg.

18
01:28.460 --> 01:29.600
So I just click on this.

19
01:29.600 --> 01:31.730
Now remember the string "don't give up."

20
01:33.410 --> 01:36.080
To close this you need to press Alt+F4.

21
01:39.610 --> 01:46.660
So let's fire up x32dbg and then open the crackme.

22
01:47.680 --> 01:50.590
So I've already done it before, so I just need to refresh.

23
01:51.550 --> 01:53.140
So let's search for the string.

24
01:53.170 --> 01:54.010
Don't give up.

25
01:54.130 --> 01:55.420
Right-click here.

26
01:56.260 --> 01:59.920
Search for current module string references.

27
02:01.530 --> 02:03.690
And then just look for "give up."

28
02:05.100 --> 02:06.870
So there you find it.

29
02:06.870 --> 02:07.650
You found it.

30
02:07.650 --> 02:08.010
Sorry.

31
02:08.010 --> 02:08.850
Don't give up.

32
02:08.850 --> 02:15.540
So click on here to go to the address, and you will find that this is the bad string.

33
02:16.230 --> 02:18.840
And then also a good string for that.

34
02:18.840 --> 02:19.500
Great job.

35
02:20.580 --> 02:28.170
And then we are now going to scroll up to look for the start of the function which contains these strings.

36
02:28.860 --> 02:38.610
So continue to scroll up, and you should come to the main function which I've labeled here.

37
02:38.910 --> 02:42.540
This is a push, indicating the start of the function.

38
02:42.660 --> 02:46.230
So I put a comment "main" there, and I also put a breakpoint.

39
02:47.970 --> 02:51.120
So let me remove my other breakpoint.

40
02:51.840 --> 02:52.770
Start afresh.

41
02:54.880 --> 02:56.590
So now we can graph this.

42
02:56.590 --> 02:59.320
Just right-click on it and click on graph.

43
03:00.670 --> 03:03.010
And now we shall turn on trace.

44
03:05.060 --> 03:05.300
Trace.

45
03:05.300 --> 03:07.190
Highlighting mode.

46
03:09.290 --> 03:10.550
So you're ready to start.

47
03:10.550 --> 03:14.000
So let's click on run until it hits the breakpoint.

48
03:14.630 --> 03:19.370
So now the window shows them the dialog.

49
03:19.370 --> 03:21.860
So now we enter our username.

50
03:23.940 --> 03:26.130
Cracker. And I will assume

51
03:26.160 --> 03:30.300
password 123456789.

52
03:33.030 --> 03:40.230
So remember this is our assumed username and this is our assumed password.

53
03:43.360 --> 03:47.770
So now we click check and it hits our breakpoint, and we start tracing.

54
03:53.570 --> 03:54.590
So we hit.

55
03:54.800 --> 04:03.140
We come to this call. Notice - and now we step over and - becomes seven.

56
04:03.740 --> 04:08.390
So seven is probably the number of characters in our username.

57
04:08.420 --> 04:10.880
1, 2, 3, 4, 5, 6, 7.

58
04:11.780 --> 04:13.250
So I put a comment there.

59
04:16.210 --> 04:17.710
Continue stepping over.

60
04:19.480 --> 04:24.250
Now we are comparing - with the stack -.

61
04:24.970 --> 04:28.450
So - is zero and the stack is seven.

62
04:28.510 --> 04:31.030
So it's comparing zero with seven.

63
04:31.180 --> 04:33.820
And click on the step over now.

64
04:35.710 --> 04:39.400
JGE stands for jump if greater or equal to.

65
04:39.970 --> 04:48.130
So if - is bigger or equal to the stack, then it will jump to 41401879.

66
04:48.640 --> 04:52.960
So in this case it's not taken because - is zero.

67
04:53.680 --> 04:54.550
Click on this.

68
04:54.910 --> 04:56.650
- is zero which is less than seven.

69
04:56.650 --> 04:58.720
So it's not going to jump to here.

70
04:58.990 --> 05:00.730
So continue to step over.

71
05:00.820 --> 05:08.050
Now note that I made a comment like this: - equals to zero, one, two, three.

72
05:08.590 --> 05:09.610
- is seven.

73
05:09.610 --> 05:11.110
So - is a stack here.

74
05:11.110 --> 05:12.070
This is -.

75
05:13.150 --> 05:19.480
So when you first run this program, you will enter the loop one time.

76
05:19.480 --> 05:20.770
This is a loop by the way.

77
05:20.770 --> 05:23.350
You can see it coming here and there's a loop coming back here.

78
05:23.740 --> 05:25.870
So this will keep on looping a few times.

79
05:25.870 --> 05:27.700
The first time we loop - is zero.

80
05:28.180 --> 05:30.160
So I put zero here.

81
05:31.480 --> 05:33.190
The rest I still don't know.

82
05:33.280 --> 05:37.240
I don't know that the next loop is going to be one or two or three.

83
05:37.240 --> 05:39.190
So the first loop is zero.

84
05:39.730 --> 05:40.930
So I just put zero.

85
05:40.930 --> 05:43.660
But I've already done this before.

86
05:43.660 --> 05:45.790
That's why you see 1, 2, 3 and so on.

87
05:46.000 --> 05:51.640
But for your case you just put zero first and then - 7, - 0.

88
05:51.640 --> 05:52.360
- seven.

89
05:52.360 --> 05:54.670
That's how you start your first comment.

90
05:55.360 --> 05:59.110
And then now you continue to trace by stepping over.

91
06:04.070 --> 06:04.820
Step again.

92
06:05.150 --> 06:07.940
Notice now it comes back to the loop.

93
06:08.570 --> 06:10.880
It came down here and then loop up.

94
06:11.810 --> 06:13.400
And now it came back here.

95
06:13.610 --> 06:15.230
And now we step over again.

96
06:15.230 --> 06:16.250
And this time click on.

97
06:16.250 --> 06:18.500
This is comparing one with seven.

98
06:18.500 --> 06:20.390
So now - will become one.

99
06:20.840 --> 06:24.230
So you update your comment to put zero, one.

100
06:24.590 --> 06:27.380
And then the back is still the same - equals seven.

101
06:28.310 --> 06:35.060
So again the test here will fail because - is less than -.

102
06:35.600 --> 06:36.680
It is not larger than.

103
06:36.710 --> 06:38.810
So this jump will not happen.

104
06:39.290 --> 06:46.820
So it's going to go to the right and then next loop again come back here. Click on this.

105
06:46.820 --> 06:49.010
And now you see - has become two.

106
06:50.030 --> 06:51.920
And it's comparing two with seven.

107
06:52.100 --> 06:53.780
So update the comment.

108
06:53.810 --> 06:55.910
Now put two here, comma.

109
06:56.120 --> 06:58.700
And then here at the back seven, same.

110
06:59.330 --> 07:04.490
So continue to step over here again and again.

111
07:06.170 --> 07:06.980
Click on this.

112
07:06.980 --> 07:08.570
Now click on this.

113
07:08.570 --> 07:10.040
Now you see - is three.

114
07:10.040 --> 07:13.790
So it's comparing three with seven. Okay, continue.

115
07:16.700 --> 07:17.690
Continue stepping over.

116
07:17.990 --> 07:18.830
Click on this.

117
07:18.830 --> 07:20.780
Now it's comparing four with seven.

118
07:26.800 --> 07:27.100
Okay.

119
07:27.100 --> 07:28.420
Now it's comparing.

120
07:28.420 --> 07:29.080
Click on this.

121
07:29.080 --> 07:30.550
You see it's comparing five to seven.

122
07:30.550 --> 07:32.050
Again, five is less than seven.

123
07:32.050 --> 07:33.190
So it will not jump.

124
07:33.700 --> 07:35.140
It will go to the right.

125
07:40.000 --> 07:42.220
Now it's comparing six to seven.

126
07:42.520 --> 07:43.900
Again, you go to the right.

127
07:47.740 --> 07:49.900
Click on this. Now it's comparing seven with seven.

128
07:49.900 --> 07:50.170
Yes.

129
07:50.170 --> 07:51.280
So this is true.

130
07:51.280 --> 08:01.450
So because seven is, - in - is also the same, the same as the value in - which is seven.

131
08:01.990 --> 08:08.110
Remember you need to update this every time it loops so that by the time it comes to this,

132
08:08.110 --> 08:14.260
seventh iteration, you should have 0, 1, 2, 3, 4, 5, 6, 7 commented here.

133
08:14.260 --> 08:17.230
So this is called the comment tracking method.

134
08:17.770 --> 08:22.690
It allows you to keep track of the behavior of the program each time it loops.

135
08:22.690 --> 08:25.180
That way you can understand what is happening.

136
08:25.690 --> 08:33.820
So you can see here from the history - was previously originally zero, - was seven, then the second

137
08:33.820 --> 08:39.940
loop - became one, - is still seven, third loop - became two, - seven and so on.

138
08:40.090 --> 08:47.590
So this history of the commenting here helps you understand the code, the method. Right now,

139
08:47.590 --> 08:47.740
this

140
08:47.740 --> 08:54.040
method is useful in future because it will help you understand how the serial key or password is

141
08:54.040 --> 08:54.850
being created.

142
08:55.660 --> 09:04.150
So now because - is equal to seven, the jump will take place. You click on this. Now because

143
09:04.150 --> 09:07.300
JGE means jump if greater than or equal to.

144
09:07.300 --> 09:08.500
In this case it's equal to.

145
09:08.530 --> 09:11.980
So it's going to jump to 401879.

146
09:11.980 --> 09:13.810
So we click on this, we see jump is taken.

147
09:13.810 --> 09:15.400
So now it's going to go to the left.

148
09:17.390 --> 09:17.750
Okay.

149
09:17.750 --> 09:21.830
So now again here it is going to call this. Notice -.

150
09:22.070 --> 09:24.740
After you call this - became seven.

151
09:24.740 --> 09:29.120
So you write a comment here - equals seven. Right.

152
09:29.120 --> 09:32.630
This is also part of your comment tracking method.

153
09:33.050 --> 09:38.090
Continue to step over until you come to another call which is here.

154
09:39.140 --> 09:44.300
Now notice - after you step over it became nine.

155
09:44.300 --> 09:51.740
So you comment again nine, so you get seven, nine here, and then come to the next call.

156
09:53.880 --> 09:54.660
You stepped over.

157
09:54.900 --> 09:55.890
It became seven.

158
09:55.890 --> 09:56.910
So put your comment there.

159
09:56.940 --> 09:58.170
- equals seven.

160
09:58.830 --> 10:00.210
Continue to step over.

161
10:03.590 --> 10:07.610
Now we're going to jump. Move this, step over this and it becomes eight.

162
10:07.640 --> 10:08.330
- became eight.

163
10:08.330 --> 10:09.800
So put the comment that - eight.

164
10:11.580 --> 10:16.680
Now we come to this, you will notice - when you step over it became seven.

165
10:17.850 --> 10:19.230
Continue stepping over.

166
10:22.050 --> 10:23.310
Now over here.

167
10:24.600 --> 10:25.770
After you step over.

168
10:25.800 --> 10:26.880
See what happens.

169
10:26.910 --> 10:27.900
- became eight.

170
10:29.370 --> 10:30.660
Continue stepping over.

171
10:31.440 --> 10:32.130
All right.

172
10:32.250 --> 10:34.050
So now we come to this part.

173
10:34.230 --> 10:37.110
So at this point I'm going to stop this lesson.

174
10:37.110 --> 10:38.850
And we'll continue in the next one.

175
10:38.880 --> 10:39.870
See you then.