1 00:00:01,210 --> 00:00:02,530 Let's get started.
2 00:00:03,350 --> 00:00:06,350 We'll open this in x64dbg
3 00:00:10,770 --> 00:00:19,240 and then press F9 to run it, or just click on the Run button.
4 00:00:19,290 --> 00:00:21,850 Here, before that,
5 00:00:21,860 --> 00:00:29,920 make sure your options are set as follows: click Options, Preferences, uncheck System Breakpoint, uncheck
6 00:00:30,070 --> 00:00:42,470 TLS Callbacks, and make sure your exceptions are not these exceptions. Let's click Run, and the window
7 00:00:42,480 --> 00:00:53,010 shows up. This is the main window. Try to enter a name, just "a", and then any kind of
8 00:00:55,680 --> 00:01:09,410 input, click on Check, and it says "Wrong serial key, try again". OK. Then About, which just has the credit
9 00:01:09,950 --> 00:01:13,880 for the creator, which is myself.
10 00:01:14,730 --> 00:01:16,820 And then here again.
11 00:01:17,070 --> 00:01:21,270 Now observe here the text that is being shown.
12 00:01:21,480 --> 00:01:23,730 So you have the caption "Sorry"
13 00:01:24,030 --> 00:01:30,680 and the text message, which says "Wrong serial key, try again", as we have learned before.
14 00:01:31,230 --> 00:01:35,960 There are a few methods to approach this
15 00:01:36,970 --> 00:01:44,030 cracking. The first one is to search for strings. For example, in this case you can search for
16 00:01:44,030 --> 00:01:51,050 this string, "Wrong serial key, try again", and then once we find the string we can put a breakpoint at
17 00:01:51,890 --> 00:02:03,110 some location before the string and then analyze the logic. The second way is to use a search for inter-
18 00:02:03,200 --> 00:02:11,600 modular calls and then put breakpoints on all the intermodular calls.
19 00:02:11,660 --> 00:02:20,780 In this case we will look for MessageBox. So then, once you put the breakpoint on, the breakpoint
20 00:02:20,790 --> 00:02:21,780 will trigger
21 00:02:21,780 --> 00:02:31,710 once you click Check, and from there we can narrow down to the line and the memory address that called the
22 00:02:31,740 --> 00:02:41,260 MessageBox. And the third method is to use the call stack, which is here. That means when this
23 00:02:41,470 --> 00:02:51,150 error MessageBox is being shown, immediately pause here and analyze the call stack to look
24 00:02:51,150 --> 00:03:03,180 for the latest user module call, and then from there we can trace the address that called the MessageBox,
25 00:03:03,410 --> 00:03:06,150 that caused the MessageBox to be shown.
26 00:03:06,290 --> 00:03:15,290 So in this lesson I will choose the first method of attacking this one, which is to put a breakpoint
27 00:03:15,350 --> 00:03:19,890 on the string. So to put it there, first find the string.
28 00:03:19,890 --> 00:03:27,020 First, make sure you are in the user module space, which is normally the entry point
29 00:03:27,110 --> 00:03:29,040 address, which is around here,
30 00:03:29,050 --> 00:03:30,170 0 0 4.
31 00:03:30,170 --> 00:03:38,230 In this case, once you ensure that you are in the user module space, you search for strings.
32 00:03:38,480 --> 00:03:40,010 You can right click anywhere
33 00:03:40,840 --> 00:03:54,910 and then Search for, Current module, String references, and once it is completed you will find your bad message
34 00:03:54,910 --> 00:03:56,720 here:
35 00:03:56,750 --> 00:03:57,710 "Wrong serial key.
36 00:03:57,710 --> 00:03:59,280 Try again."
37 00:03:59,280 --> 00:04:08,450 And this is the address where this string is being used, so we can just go there by double clicking, and
38 00:04:08,450 --> 00:04:10,240 then here we are.
39 00:04:10,360 --> 00:04:12,890 The message is here.
40 00:04:12,950 --> 00:04:16,450 "Sorry" is the caption; "Wrong serial key, try again"
41 00:04:16,460 --> 00:04:20,430 is your message, and the pushes are here.
42 00:04:20,660 --> 00:04:25,790 They push to the stack in preparation for this call.
43 00:04:26,150 --> 00:04:32,930 This call makes use of the parameters in the pushes, and then on top here, if you scroll up, you see the
44 00:04:32,930 --> 00:04:33,660 good message:
45 00:04:33,980 --> 00:04:34,810 "Congrats.
46 00:04:34,820 --> 00:04:36,320 Well done."
47 00:04:36,320 --> 00:04:38,370 And this is the good message
48 00:04:38,480 --> 00:04:42,680 we want instead of this one. So,
49 00:04:43,380 --> 00:04:51,030 if you look just above it, you will see a JNE (jump if not equal) which jumps over the good message.
50 00:04:51,690 --> 00:04:57,480 So this is the place where the decision is being made, based on this TEST.
51 00:04:57,480 --> 00:05:02,490 So it is testing here whether EAX is zero, with the instruction TEST.
52 00:05:02,520 --> 00:05:07,420 ZF set means EAX is 0.
53 00:05:07,650 --> 00:05:15,870 So in this case, if EAX is 0, ZF will be 1 and it will not jump.
54 00:05:17,600 --> 00:05:21,200 So it will only jump if the zero flag is not equal to 1.
55 00:05:21,800 --> 00:05:25,060 So in this case the zero flag is not equal to one.
56 00:05:25,060 --> 00:05:27,710 Therefore it is jumping.
57 00:05:27,710 --> 00:05:40,130 So now what we need to do is to look at the logic: why and how this EAX is being set, who sets the value
58 00:05:40,130 --> 00:05:49,800 of EAX. So we can scroll up further and try to look for the part where the serial key is being
59 00:05:50,420 --> 00:05:57,760 input, is being read, and there seems to be something here: GetDlgItemTextA. GetDlg-
60 00:05:57,800 --> 00:06:02,500 ItemTextA is the Windows API function
61 00:06:02,670 --> 00:06:12,560 which retrieves the string from the input dialog, and you can look it up in MSDN. MSDN stands
62 00:06:12,550 --> 00:06:18,930 for Microsoft Developer Network. Just Google "GetDlgItemTextA"
63 00:06:21,800 --> 00:06:27,000 and it gives us the result here, and you can read about it here.
64 00:06:27,170 --> 00:06:37,130 So here, GetDlgItemTextA gets the input from the dialog box, and this is the dialog box ID, and it stores
65 00:06:37,130 --> 00:06:40,740 the input in this string.
66 00:06:41,020 --> 00:06:47,320 So this is how it works. You can read about these parameters here, which has got the details. All right,
67 00:06:47,350 --> 00:06:48,720 we do not need to go that deep into it.
68 00:06:49,470 --> 00:06:57,300 So we can put a breakpoint here and then restart the program, because we want to hit this place
69 00:06:57,630 --> 00:06:59,330 before the decision is made.
70 00:07:00,450 --> 00:07:13,350 So let's restart the program and run again. Enter the first name, anything, "a". Enter anything, maybe "S
71 00:07:13,360 --> 00:07:16,820 S S S", and click Check.
72 00:07:16,830 --> 00:07:23,940 And now it has hit our breakpoint in the program. The debugger has paused and now we can step through by
73 00:07:24,060 --> 00:07:25,230 pressing F8.
74 00:07:28,250 --> 00:07:36,350 So as you press F8, always keep an eye on the strings in this
75 00:07:36,350 --> 00:07:44,420 column as well as the registers, to see if anything interesting appears, if any strings pop up.
76 00:07:44,420 --> 00:07:48,140 So just keep on pressing F8 and keep a lookout.
77 00:07:50,300 --> 00:07:53,460 And then here it says
78 00:07:53,540 --> 00:07:54,320 GetDlgItem-
79 00:07:54,320 --> 00:07:54,820 TextA.
80 00:07:54,840 --> 00:07:57,300 And here we get the right index.
81 00:07:57,440 --> 00:08:05,460 And then here, GetLocalTime, which is trying to get the local time. And look, GetLocalTime also gets
82 00:08:05,480 --> 00:08:13,790 the local date, and you can also search MSDN, as I showed earlier how to do this. Press
83 00:08:13,940 --> 00:08:16,100 F8 to continue.
84 00:08:16,400 --> 00:08:27,850 And notice your ESP, the stack pointer, has loaded the string "SSSS", which is what you entered through here.
85 00:08:27,870 --> 00:08:29,180 Now let's keep on pressing,
86 00:08:34,140 --> 00:08:41,960 pressing F8 to step over every line, every instruction, and now you see it has loaded your name
87 00:08:42,710 --> 00:08:46,980 in the EAX register, which comes from here.
88 00:08:47,080 --> 00:08:48,100 So this is interesting.
89 00:08:48,520 --> 00:08:54,430 So it is going to perform some kind of manipulation with the strings, as you shall see.
90 00:08:54,430 --> 00:08:55,990 Let's press F8 to continue.
91 00:09:00,520 --> 00:09:01,230 OK.
92 00:09:01,600 --> 00:09:02,290 Now it
93 00:09:02,290 --> 00:09:08,930 has loaded some kind of format string, format specifiers. There is a format string with format specifiers.
94 00:09:09,210 --> 00:09:12,040 Let's see. Continue to press F8,
95 00:09:15,060 --> 00:09:19,100 and there you go, it has called this function.
96 00:09:19,140 --> 00:09:27,570 This is a C/C++ function, wsprintf, which processes format strings, combining different parts of
97 00:09:27,570 --> 00:09:29,760 strings to create new strings.
98 00:09:29,760 --> 00:09:40,440 So as you can see, it has created a new string out of the name "a", put a dash, and then put some numbers
99 00:09:40,470 --> 00:09:41,740 behind it.
100 00:09:41,820 --> 00:09:45,840 So if I had to guess, I would say this is the serial key.
101 00:09:46,110 --> 00:09:47,910 So let's continue to press F8,
102 00:09:51,280 --> 00:09:51,960 and there you go.
103 00:09:51,960 --> 00:09:52,840 Now it has loaded it
104 00:09:52,840 --> 00:09:58,660 in here, and this is a good time to copy this string.
105 00:09:58,960 --> 00:10:05,170 So just right click any of the lines which contain the serial key; you can take this one or this one or this
106 00:10:05,170 --> 00:10:11,550 one, but I'll pick this one, and then go down here, right click this, and click
107 00:10:11,550 --> 00:10:15,190 Copy, Line, and then open up your Notepad
108 00:10:21,100 --> 00:10:29,370 and paste it into your Notepad. So this is the serial key.
109 00:10:32,380 --> 00:10:34,690 So it actually generates the serial key
110 00:10:34,690 --> 00:10:38,800 based on our input, the name. So let's step through,
111 00:10:44,560 --> 00:10:47,560 and you can see now it is comparing over here.
112 00:10:47,560 --> 00:10:51,170 It has loaded two strings.
113 00:10:51,200 --> 00:10:52,180 Yes.
114 00:10:52,310 --> 00:10:55,710 This register has loaded your input;
115 00:10:55,820 --> 00:11:02,500 you'll see your key as you entered it, which is all S, and then ECX has been loaded
116 00:11:02,520 --> 00:11:09,000 with the generated serial key, and now over here it is,
117 00:11:09,050 --> 00:11:12,010 it has compared them with CMP.
118 00:11:12,030 --> 00:11:14,690 So a comparison, a string comparison.
119 00:11:15,500 --> 00:11:21,550 And then after that, here it is going to the next line, and then it is going to jump,
120 00:11:24,450 --> 00:11:27,730 so it has jumped, and now we're here.
121 00:11:27,840 --> 00:11:29,360 Let's continue.
122 00:11:29,520 --> 00:11:30,870 Press F8,
123 00:11:33,860 --> 00:11:42,510 and now it is testing. So it is testing, and it has found that EAX is not zero.
124 00:11:43,300 --> 00:11:44,530 So it is not zero.
125 00:11:44,530 --> 00:11:50,880 That means the test fails; it is going to jump because the zero flag is not set.
126 00:11:50,920 --> 00:11:56,060 So it is going to jump over the good message and come to the bad message down here.
127 00:11:56,170 --> 00:11:58,600 This is going to show you "Sorry, wrong serial key.
128 00:11:58,600 --> 00:11:59,160 Try again."
129 00:11:59,680 --> 00:12:05,010 So let's press F8 and you will see
130 00:12:05,440 --> 00:12:08,810 that message has been shown.
131 00:12:09,010 --> 00:12:13,060 So now let's restart the program and try to put in the right serial key.
132 00:12:14,440 --> 00:12:21,980 So we have to use the same name here again, because the serial has been generated from this name.
133 00:12:22,230 --> 00:12:26,290 Now let's just copy this and paste it here.
134 00:12:26,920 --> 00:12:30,040 Then click Check now.
135 00:12:30,060 --> 00:12:32,100 It pauses at the breakpoint.
136 00:12:32,180 --> 00:12:32,940 Just click Run,
137 00:12:35,530 --> 00:12:37,890 and there's your message:
138 00:12:37,890 --> 00:12:39,120 "Congratulations.
139 00:12:39,720 --> 00:12:40,770 Well done."
140 00:12:40,770 --> 00:12:43,500 So that's all for this video.
141 00:12:43,800 --> 00:12:45,570 I hope you learned something from it.
142 00:12:46,080 --> 00:12:46,890 Thank you for watching.
143 00:12:46,890 --> 00:12:48,390 I'll see you in the next challenge.