WEBVTT

1
00:01.820 --> 00:02.330
Hello!

2
00:02.330 --> 00:03.320
Welcome back.

3
00:03.320 --> 00:10.490
In our next project, we are going to try this crackme by trope, and this is the credit I give to the

4
00:10.490 --> 00:10.940
author.

5
00:11.420 --> 00:20.420
We are going to learn a fast way to do fishing by toggling the zero flag, and I will explain to you

6
00:20.420 --> 00:21.530
as we go along.

7
00:21.530 --> 00:23.240
So please download this

8
00:23.240 --> 00:26.600
crackme from the resource section for this lecture.

9
00:27.050 --> 00:33.170
To unzip it, the password is crackinglessons.com.

10
00:33.440 --> 00:37.130
After unzipping it you will find two files in there.

11
00:37.430 --> 00:42.680
So first scan it with DetectItEasy and you will find that it is a 32-bit program.

12
00:42.680 --> 00:45.080
So you need to use x32dbg.

13
00:45.350 --> 00:47.780
Let us first run it and see what it does.

14
00:47.780 --> 00:49.940
So that's a Windows GUI.

15
00:50.660 --> 00:52.370
It asks you to enter your password.

16
00:52.370 --> 00:56.120
We enter 1234567, 8 and 9.

17
00:56.120 --> 00:59.420
And we click check and it says incorrect password.

18
00:59.420 --> 01:06.890
So now we can use the string search method by looking for this string "incorrect password."

19
01:07.520 --> 01:10.820
So remember the string you are looking for: incorrect password.

20
01:10.820 --> 01:13.520
And now we are going to open the program.

21
01:19.150 --> 01:22.390
And right-click and go down.

22
01:23.230 --> 01:27.220
Search for current module's string references.

23
01:27.730 --> 01:30.670
And here you can see incorrect password is there.

24
01:31.000 --> 01:33.640
You can double-click and go to that address.

25
01:33.640 --> 01:34.750
Incorrect password.

26
01:35.140 --> 01:38.740
Now you can scroll up and scroll down.

27
01:38.740 --> 01:41.770
And you can see there is a good message down here.

28
01:41.770 --> 01:42.370
"You did it."

29
01:43.720 --> 01:45.490
And then scroll up further.

30
01:45.490 --> 01:51.610
You can see there is GetDlgItemText.

31
01:51.610 --> 01:57.610
GetDlgItemText is to read in the text box, the password that you type in into the text box.

32
01:59.110 --> 02:04.900
So immediately after that we can put our graph here. Right-click and graph.

33
02:05.680 --> 02:08.140
And if you scroll down you can see the logic.

34
02:08.890 --> 02:16.240
So after reading in the text it does all this, these instructions.

35
02:16.240 --> 02:23.020
And then it either goes to the left for the incorrect message, or goes to the right, presumably

36
02:23.020 --> 02:27.010
for the correct message, the congratulatory message.

37
02:27.880 --> 02:34.180
And then down here you can see there are some strings being loaded and compared: R and then E and then

38
02:34.180 --> 02:38.170
D, so you can more or less guess that this is the correct password.

39
02:38.380 --> 02:41.440
But we don't want to do that way.

40
02:41.440 --> 02:46.780
We want to use the tracing method so that you can learn some new techniques.

41
02:47.770 --> 02:48.040
All right.

42
02:48.040 --> 02:50.860
So let's put a breakpoint here and get started.

43
02:53.160 --> 02:57.120
And then we turn the tracing highlighting on.

44
02:59.140 --> 03:04.570
And now we run and then we will enter our password.

45
03:04.570 --> 03:08.950
We will enter 123456789.

46
03:08.950 --> 03:11.410
Click on check and it hits our breakpoint.

47
03:11.950 --> 03:19.660
Now we start tracing by stepping over until we come to this compare here.

48
03:19.870 --> 03:25.150
So at this point it is comparing 52 in hex with your byte,

49
03:26.050 --> 03:30.580
the first byte of -, the first byte of - is one.

50
03:31.000 --> 03:32.470
Because you can see byte here.

51
03:32.470 --> 03:34.540
That's how I know it is the first byte.

52
03:35.590 --> 03:39.220
So we can click on this and you can see the parameters here.

53
03:39.790 --> 03:48.160
So it's comparing one with R. One is the first character of your serial key, the password that you entered.

54
03:48.730 --> 03:52.210
That means it is expecting R as the first character.

55
03:52.210 --> 03:53.320
But you entered one.

56
03:53.410 --> 03:57.820
So that suggests that the first character of the password is R.

57
03:59.430 --> 04:05.160
Now because we did not enter R, when you go to the next line, it's going to jump. Jump's taken.

58
04:05.160 --> 04:10.050
So the jump will cause it to come over here and show the bad message.

59
04:10.140 --> 04:11.400
So

60
04:13.840 --> 04:21.550
we can now let it jump here, restart the program and enter the correct password R as the first character.

61
04:21.730 --> 04:28.930
But in order to make it faster, we can do something else instead of letting it jump here and

62
04:28.930 --> 04:35.050
then restarting it and re-entering the first character as R, as the correct password; we can prevent

63
04:35.050 --> 04:38.950
the jump and let it go straight and see what the next thing it does is.

64
04:39.130 --> 04:43.270
So in order to prevent this jump from being taken, we can toggle the flag.

65
04:43.270 --> 04:44.740
This is called the zero flag.

66
04:45.070 --> 04:48.340
So the zero flag controls whether the jump will happen or not.

67
04:48.340 --> 04:50.080
So currently it is going to jump.

68
04:50.080 --> 04:53.470
If we don't want to jump, all we need to do is come here and double-click.

69
04:54.130 --> 04:55.090
Double-click on this.

70
04:55.090 --> 04:56.230
And now it is red.

71
04:56.230 --> 04:59.290
And now if we click on this you will see jump is not taken.

72
04:59.290 --> 05:00.970
So we can now go straight.

73
05:01.150 --> 05:06.490
That means we have assumed that this comparison succeeds, that we have correctly entered

74
05:06.490 --> 05:06.850
R.

75
05:07.210 --> 05:13.900
So now we want to go to the next instruction where it is now going to compare two with E.

76
05:14.230 --> 05:23.830
So in this case it is comparing 45 hex. 45 hex is the character E, and it is comparing that with the

77
05:23.830 --> 05:25.030
- plus one.

78
05:25.030 --> 05:30.580
- plus one is the second character of our password, which is two.

79
05:30.640 --> 05:37.240
The first character is -, - plus zero, second character is - plus one, third character is -

80
05:37.240 --> 05:38.500
plus two, and so on.

81
05:38.500 --> 05:40.960
So this is an offset into the array.

82
05:40.960 --> 05:42.250
This is actually an array.

83
05:42.820 --> 05:51.250
So now since we entered the two, it is the wrong character.

84
05:51.250 --> 05:52.660
It is expecting E.

85
05:52.690 --> 05:57.220
So that suggests that our second character should be E.

86
05:59.490 --> 06:04.920
And then step over, but you will see that it is going to jump, because if you click on this, you will see

87
06:04.920 --> 06:09.090
that it's going to jump to the bad message because we did not enter E.

88
06:09.270 --> 06:15.090
So again, we don't want to let it jump and restart the program and enter the first two characters as

89
06:15.090 --> 06:15.630
R and E.

90
06:15.780 --> 06:19.740
We want to save some time so we can use this trick.

91
06:20.040 --> 06:23.220
Toggle the zero flag again so we toggle the zero flag.

92
06:23.370 --> 06:25.650
Now you will see that when we click on

93
06:25.650 --> 06:28.980
this, jump is not taken.

94
06:28.980 --> 06:29.490
See that.

95
06:29.490 --> 06:31.170
So it's going to go straight.

96
06:31.620 --> 06:32.730
So let it go straight.

97
06:32.730 --> 06:39.300
And this time it's going to compare the hex 44 with the - plus two.

98
06:39.330 --> 06:43.830
- plus two is the third character of our password.

99
06:43.920 --> 06:49.470
So if you click on this you can see here it is comparing our third character which is three

100
06:49.590 --> 06:50.790
with the character D.

101
06:50.970 --> 06:53.640
That means our third character should be D.

102
06:54.420 --> 06:56.010
So we have fished out D.

103
06:57.330 --> 07:02.460
So this is what I mean by stepping over by toggling the zero flag.

104
07:02.460 --> 07:02.790
You see.

105
07:02.790 --> 07:08.940
So now, because we did not enter the correct password D, it's going to jump. You can see jump is taken.

106
07:08.940 --> 07:12.630
But again toggle the zero flag so that it doesn't have to jump.

107
07:12.630 --> 07:17.400
We assume that all the other three earlier ones were correct: R, E, D.

108
07:17.730 --> 07:22.410
So this prevents us from jumping and we can now go straight.

109
07:22.410 --> 07:24.900
Step over to go straight and we can now check.

110
07:24.900 --> 07:29.280
Now it is comparing the fourth character with S.

111
07:29.460 --> 07:33.210
So the fourth character is supposed to be S.

112
07:33.420 --> 07:36.150
So we now fished out the fourth character S.

113
07:37.380 --> 07:41.730
And again we step over and we can see that it's going to jump again.

114
07:41.730 --> 07:42.900
We toggle the zero flag.

115
07:42.900 --> 07:44.340
Don't allow it to jump.

116
07:44.340 --> 07:48.060
Let it go straight because we want to save some time.

117
07:48.060 --> 07:49.890
We can now check what

118
07:49.890 --> 07:51.000
the next thing it is comparing is.

119
07:51.000 --> 07:59.250
It's comparing the fifth character with 4F. 4F is the fifth character of our password and it is expecting

120
07:59.250 --> 08:06.630
O. That suggests that O, capital O, is the fifth character of our password.

121
08:07.080 --> 08:09.780
Then we step over, click on this.

122
08:09.780 --> 08:10.800
It's going to jump again.

123
08:10.800 --> 08:11.790
Do the same trick.

124
08:12.330 --> 08:14.670
Toggle the flag, let it go straight.

125
08:14.910 --> 08:18.900
And now it's going to compare the sixth character with X.

126
08:18.900 --> 08:22.530
That means the sixth character is X.

127
08:23.370 --> 08:25.230
And then go here.

128
08:25.230 --> 08:27.330
And then again we click on this.

129
08:27.570 --> 08:28.710
It's going to jump.

130
08:29.100 --> 08:30.990
It's going to jump to the bad message.

131
08:30.990 --> 08:35.490
So by now we know that he has finished comparing and is about to show the bad message.

132
08:35.490 --> 08:40.500
So we have managed to fish out the correct serial key: REDSOX.

133
08:40.950 --> 08:41.280
All right.

134
08:41.280 --> 08:44.280
So let us now stop this program and test it out.

135
08:45.450 --> 08:49.320
Just click on this directly and key in REDSOX in caps.

136
08:52.010 --> 08:55.010
Click check and see "You did it."

137
08:55.100 --> 08:56.270
So we have solved it.

138
08:56.270 --> 09:02.450
So we have managed to fish it out using the fast fishing method by toggling the zero flag.

139
09:02.810 --> 09:04.670
Okay, so that's all for this video.

140
09:04.850 --> 09:08.840
So next one we are going to see how to patch the thing to always show the good message.

141
09:08.840 --> 09:11.810
So try that before you watch the next video.

142
09:11.810 --> 09:12.500
See you then.

143
09:12.500 --> 09:14.120
Thank you for watching.