1 00:00:00,890 --> 00:00:02,650 Welcome back.
2 00:00:02,660 --> 00:00:07,840 Today we'll look at hardware breakpoints and memory patching.
3 00:00:08,120 --> 00:00:10,980 First, some definitions.
4 00:00:11,110 --> 00:00:18,570 What is the difference between hardware breakpoints and software breakpoints? Hardware breakpoints are break-
5 00:00:18,610 --> 00:00:21,740 points on memory addresses.
6 00:00:21,840 --> 00:00:31,630 It means we set a breakpoint on a location which is in the RAM memory, so that we can keep track
7 00:00:31,630 --> 00:00:38,820 of which process or which instruction is accessing those RAM memory locations.
8 00:00:38,890 --> 00:00:46,090 On the other hand, software breakpoints are breakpoints on the instructions themselves. So this is the difference
9 00:00:46,090 --> 00:00:49,760 between the two. So in this lesson,
10 00:00:49,880 --> 00:00:52,050 the objectives are as follows.
11 00:00:52,130 --> 00:01:01,490 First, we are going to learn how to set hardware breakpoints on RAM memory, and then two, we are going
12 00:01:01,490 --> 00:01:07,700 to learn how to modify data in a RAM memory address directly.
13 00:01:07,700 --> 00:01:08,680 So let's get started.
14 00:01:12,980 --> 00:01:26,990 Open the crackme [inaudible] in x64dbg.
15 00:01:27,010 --> 00:01:32,790 Make sure your option preferences are set as follows.
16 00:01:33,100 --> 00:01:41,130 Check System Breakpoint and TLS Callbacks, and make sure that [inaudible] exceptions.
17 00:01:42,440 --> 00:01:42,680 Now,
18 00:01:46,530 --> 00:01:48,640 note that you are now at the entry point.
19 00:01:50,800 --> 00:01:54,920 And let's run the program by clicking the run button,
20 00:01:54,930 --> 00:01:57,120 or F9 on the keyboard.
21 00:02:00,280 --> 00:02:08,970 Immediately the program opens, and it has already detected that it is unregistered. So the objective is
22 00:02:08,970 --> 00:02:19,540 to find the memory address location where this "unregistered" is being accessed to determine whether
23 00:02:19,540 --> 00:02:28,150 it's registered, and so you should find the correct address to patch to make this software become registered.
24 00:02:29,870 --> 00:02:38,380 So we are going to use the first method to search, which is a search for strings. You'll be looking for
25 00:02:38,500 --> 00:02:47,350 this string to see where it is being used in the instructions. So right-click,
26 00:02:50,720 --> 00:02:57,720 Search for, Current module, [inaudible].
27 00:02:57,780 --> 00:03:05,210 You can also do this to make sure you're in the correct user module and not in the system.
28 00:03:05,220 --> 00:03:15,570 Mind you, you can either make sure you are in the correct offset by comparing the [inaudible] offset
29 00:03:15,580 --> 00:03:26,200 address, which we did earlier, or we can go to the Symbols tab and double-click on the [inaudible] here,
30 00:03:26,680 --> 00:03:32,740 and you can see here the base [inaudible].
31 00:03:32,970 --> 00:03:38,240 So now you can be assured that you are in the user module space.
32 00:03:38,260 --> 00:03:46,380 You can start looking for strings. So right-click, Search for, Current module, String references.
33 00:03:50,710 --> 00:03:54,190 Let it do a search.
34 00:03:54,330 --> 00:04:01,710 We are looking for this string here, "unregistered", and now it has finished searching.
35 00:04:01,710 --> 00:04:06,030 If this is too long, we can just search for it in the search box here.
36 00:04:07,260 --> 00:04:10,100 But in this case it is not that long.
37 00:04:10,110 --> 00:04:18,420 Here you can see the result: "unregistered", and above it is "registered".
38 00:04:18,420 --> 00:04:19,490 Interesting.
39 00:04:19,560 --> 00:04:21,600 So let's go to this address.
40 00:04:21,610 --> 00:04:27,420 "Unregistered" there; double-click on it to go to the assembler. So here,
41 00:04:28,770 --> 00:04:35,720 we see the string "unregistered", and just above it is "registered".
42 00:04:35,720 --> 00:04:39,620 So this is the string for the bad message.
43 00:04:39,620 --> 00:04:42,630 This is the string for the good message.
44 00:04:42,630 --> 00:04:47,970 And how do we know which one will be shown?
45 00:04:47,960 --> 00:04:51,170 Sure, you should look for a jump up here.
46 00:04:51,170 --> 00:04:58,660 There is a JE here; the JE is the one which decides whether it will show this or this message.
47 00:04:58,940 --> 00:05:00,510 So we should put a breakpoint here.
48 00:05:02,280 --> 00:05:02,970 And then restart
49 00:05:08,060 --> 00:05:17,690 and run to our breakpoint, and now you can see the breakpoint, and it is showing red, meaning that the JE is taken,
50 00:05:18,850 --> 00:05:24,540 so it will jump over the good message and go into the bad message.
51 00:05:24,550 --> 00:05:26,810 Sure, this one here.
52 00:05:27,820 --> 00:05:35,480 So now our objective is to analyze and try to make it not jump; we don't want it to jump. So as shown
53 00:05:35,480 --> 00:05:45,660 in the previous lesson, what we did was we just modified this by putting a NOP, like this.
54 00:05:45,710 --> 00:05:48,380 So now, in this lesson,
55 00:05:48,560 --> 00:05:52,860 I'm going to show you another way instead of doing this.
56 00:05:53,010 --> 00:06:03,520 We are going to modify the memory location where the comparison is being made, somewhere up here. Now,
57 00:06:03,640 --> 00:06:10,110 every time we see a JE instruction, it is testing the flags.
58 00:06:10,120 --> 00:06:11,640 In this case, JE
59 00:06:11,700 --> 00:06:16,260 means it will jump if the zero flag is one.
60 00:06:16,510 --> 00:06:17,780 So JE, jump if
61 00:06:17,800 --> 00:06:21,420 equal, means equal to one.
62 00:06:21,490 --> 00:06:23,590 So in this case the zero flag is one.
63 00:06:23,650 --> 00:06:29,740 That's why it is jumping, and in earlier lessons you have learned how to toggle this flag by double-clicking on
64 00:06:29,760 --> 00:06:34,000 it to set it to the opposite, and now you see it is not going to jump.
65 00:06:34,810 --> 00:06:43,130 But like I said, we are not going to use this method. Now we are going to use the memory patching method.
66 00:06:43,780 --> 00:06:53,280 So in order to find out where the zero flag is being set, we should look for either a compare or a test.
67 00:06:53,630 --> 00:07:00,370 So let's look for this: either a compare or a test.
68 00:07:00,380 --> 00:07:07,340 Whenever there is a jump, you can be sure that just before it, somewhere nearby, there will be a compare
69 00:07:09,030 --> 00:07:09,950 or a test.
70 00:07:11,340 --> 00:07:13,890 So for example, there's a test here.
71 00:07:14,150 --> 00:07:24,580 Then there's a JE. So the test here will set the zero flag to 1 or 0, and then the jump would look at
72 00:07:24,590 --> 00:07:28,220 the zero flag to decide whether to jump or not.
73 00:07:28,220 --> 00:07:29,090 Same thing here.
74 00:07:29,690 --> 00:07:33,650 Whenever there's a jump, just above it there'll be a test or a compare.
75 00:07:33,650 --> 00:07:35,950 So in this case it is a compare.
76 00:07:36,110 --> 00:07:41,920 So this comparison here sets the zero flag to either 1 or 0.
77 00:07:41,990 --> 00:07:50,620 So in this case here the zero flag is set to 1. When the zero flag is set to 1,
78 00:07:50,620 --> 00:07:59,300 it means that whatever is being compared, whatever is in this address, is being compared to zero, so if that
79 00:07:59,300 --> 00:08:02,990 is the same then the zero flag is set to 1.
80 00:08:03,160 --> 00:08:07,480 If they are not the same, then the zero flag is set to zero.
81 00:08:07,490 --> 00:08:17,390 So in this case the zero flag is set to one. We can confirm it by putting a breakpoint here, or maybe just before
82 00:08:17,390 --> 00:08:24,960 it, and remove this breakpoint, then reset.
83 00:08:25,130 --> 00:08:33,100 Now we jump to the breakpoint, and the next instruction is to compare these two, so let's press F8.
84 00:08:33,170 --> 00:08:40,650 So now it is about to compare these two, and what will happen to the zero flag when I press F8?
85 00:08:40,820 --> 00:08:41,510 It is one.
86 00:08:41,510 --> 00:08:41,900 Yes.
87 00:08:41,960 --> 00:08:49,090 So that means that whatever is in this memory location is also zero.
88 00:08:49,250 --> 00:08:53,480 That is why this zero flag is set to 1.
89 00:08:53,660 --> 00:09:01,490 So this is the memory location that we need to put a breakpoint on if you want to observe it.
90 00:09:01,940 --> 00:09:10,540 So just click on this memory location and then you will come here. Select this memory location, right-click,
91 00:09:11,290 --> 00:09:15,020 Follow in Dump, and then select your address.
92 00:09:15,370 --> 00:09:22,270 So your address may be different from mine, but whatever it is, the address here should be this address
93 00:09:23,230 --> 00:09:25,450 listed here, which is this.
94 00:09:25,450 --> 00:09:31,820 So right-click on this, Follow in Dump, address, and then you will jump here.
95 00:09:32,800 --> 00:09:40,820 So you can see the address here; for my case now it is 7 2 6 0 0, and it is referring to this address.
96 00:09:40,830 --> 00:09:50,550 So in this address they store data, some value, which is at the moment zero.
97 00:09:50,590 --> 00:09:55,500 So you see it is comparing this zero with this zero.
98 00:09:56,320 --> 00:09:59,410 So in this case zero compared to zero is true.
99 00:09:59,830 --> 00:10:08,310 So when it is true, when this is the same as this, then it will set the zero flag to one. If this was
100 00:10:08,310 --> 00:10:09,350 one,
101 00:10:09,570 --> 00:10:16,440 let's say you are comparing one with zero, then the comparison would be false and the zero flag is zero.
102 00:10:16,440 --> 00:10:26,430 It will not be one. The zero flag will only be one if this is one and that is one, or this is zero and that is
103 00:10:26,430 --> 00:10:26,900 zero.
104 00:10:26,910 --> 00:10:28,940 In other words, both must be the same.
105 00:10:28,960 --> 00:10:39,760 It can be 10 and 10, 20 and 20, or 30 and 30, whatever; as long as they are the same, the zero flag is one. So
106 00:10:39,760 --> 00:10:42,270 in this case it is the same, zero.
107 00:10:42,490 --> 00:10:46,250 That is why the zero flag is set to 1.
108 00:10:46,440 --> 00:10:52,930 So because the zero flag is set to one, when it comes to this line the jump will take place.
109 00:10:53,000 --> 00:10:55,780 See, it is going to jump because the zero flag is set to 1.
110 00:10:56,770 --> 00:11:05,440 So what we need to do now is to put a breakpoint here, just to demonstrate to you that indeed we can
111 00:11:05,440 --> 00:11:07,120 set a breakpoint.
112 00:11:07,600 --> 00:11:10,090 Actually, we do set the breakpoint.
113 00:11:10,180 --> 00:11:21,030 We just right-click here and then go to Breakpoint, Hardware, Access, Byte,
114 00:11:21,100 --> 00:11:30,380 Dword, Qword, and so on. Byte means you set the breakpoint on only 1 byte, Word is 2 bytes, Dword
115 00:11:30,400 --> 00:11:40,200 is 4 bytes. So this is 1 byte, and then this is Word, and this is Dword.
116 00:11:40,840 --> 00:11:49,730 So it's either 1, 2 or 4 for this.
117 00:11:49,860 --> 00:11:50,130 Okay.
118 00:11:50,200 --> 00:11:59,470 So at the moment you can choose any one; I'd say a Dword would be fine, and you just click like
119 00:11:59,470 --> 00:12:12,200 this: right-click, Breakpoint, Hardware, Access, and choose. So Dword is 4 bytes, Word is 2 bytes.
120 00:12:12,380 --> 00:12:13,030 This is one byte.
121 00:12:13,040 --> 00:12:14,930 So we are going to set a breakpoint on Dword.
122 00:12:16,250 --> 00:12:19,490 So you're watching these 4 bytes here.
123 00:12:19,550 --> 00:12:21,920 [inaudible]
124 00:12:22,030 --> 00:12:30,370 So now we are going to remove both this breakpoint and this breakpoint; we need to remove them. If you
125 00:12:30,370 --> 00:12:36,980 don't remove the breakpoints, they will interfere with your hardware breakpoint.
126 00:12:37,000 --> 00:12:47,460 So let's reset and run, and now you see it hit. I have a breakpoint at this address, so we can just
127 00:12:47,460 --> 00:12:57,610 go directly to this address, this address here, by clicking this one, right-click, and you can go to Follow
128 00:12:57,610 --> 00:13:01,840 in Dump; Follow in Dump this address.
129 00:13:02,860 --> 00:13:04,110 So there we go.
130 00:13:04,370 --> 00:13:07,380 And another way: you can click on this line,
131 00:13:07,630 --> 00:13:13,050 and then from here right-click, Follow in Dump, address.
132 00:13:13,330 --> 00:13:19,310 And there you go, see, so the breakpoint has been hit. All right.
133 00:13:19,310 --> 00:13:26,200 So now we can press F8, [inaudible] like this.
134 00:13:27,400 --> 00:13:28,460 OK.
135 00:13:28,610 --> 00:13:28,820 All right.
136 00:13:28,850 --> 00:13:37,190 So now we know that this is the location where the memory is being read to compare whatever is stored
137 00:13:37,190 --> 00:13:38,800 in this location,
138 00:13:38,880 --> 00:13:41,050 this zero.
139 00:13:41,190 --> 00:13:51,920 So if we want to modify the code, modify the memory so that it changes to any number other than zero,
140 00:13:52,080 --> 00:13:53,640 we can do it here.
141 00:13:53,640 --> 00:14:00,960 Another fun way in which you can do it is... now, before that, why would you want to modify this to any number
142 00:14:00,960 --> 00:14:02,340 other than zero?
143 00:14:02,340 --> 00:14:05,030 For example, we can put this as one.
144 00:14:05,040 --> 00:14:06,170 Why do you do that?
145 00:14:06,210 --> 00:14:09,280 We do that so that this comparison will fail.
146 00:14:09,660 --> 00:14:15,150 So when it fails, the zero flag will be zero. When the zero flag is zero,
147 00:14:15,150 --> 00:14:18,580 this jump will not be taken, as I said earlier.
148 00:14:18,720 --> 00:14:19,020 All right.
149 00:14:19,020 --> 00:14:25,440 So now let's put a breakpoint before this thing, a software breakpoint, just for testing.
150 00:14:26,220 --> 00:14:34,790 So we put a software breakpoint before this, and now we restart and run to our software breakpoint.
151 00:14:34,990 --> 00:14:39,140 And now the next step here is it is going to read this memory address.
152 00:14:39,360 --> 00:14:43,850 But before it does that, let's modify the data stored here.
153 00:14:44,070 --> 00:14:46,750 So to modify it, I click on this,
154 00:14:46,920 --> 00:14:48,180 come here,
155 00:14:48,200 --> 00:14:50,110 right-click, Follow in Dump,
156 00:14:50,310 --> 00:14:51,820 this address.
157 00:14:51,900 --> 00:14:59,040 So let's change this to one. So [inaudible], how do we modify memory directly?
158 00:14:59,040 --> 00:15:05,100 We can modify the memory directly by selecting the part of the memory we want to modify.
159 00:15:05,100 --> 00:15:10,790 In this case we want to modify only this one byte here, so that we can change it to one.
160 00:15:10,790 --> 00:15:15,740 You can right-click this, go to Binary, Edit.
161 00:15:17,160 --> 00:15:25,270 And then here, click check on Keep Size, because we don't want to overwrite the next bytes.
162 00:15:25,360 --> 00:15:33,420 So we just click here and change this to 0 1. 0 1, [inaudible] 0 1.
163 00:15:33,430 --> 00:15:33,850 Thank you.
164 00:15:33,850 --> 00:15:34,540 Okay.
165 00:15:34,650 --> 00:15:37,460 And now watch what happens here.
166 00:15:37,630 --> 00:15:43,610 So we are modifying this data in memory itself, directly.
167 00:15:43,750 --> 00:15:46,210 So now it is going to... let me press F8.
168 00:15:46,220 --> 00:15:50,930 It is going to go there and compare 0 1 and 0.
169 00:15:50,950 --> 00:15:52,800 And guess what happened.
170 00:15:52,870 --> 00:15:55,590 What do you think will happen with the zero flag?
171 00:15:55,690 --> 00:15:56,260 That's right.
172 00:15:57,600 --> 00:16:04,450 So we're going to press F8; now we are going to press it again so that it executes it, and watch: it's off,
173 00:16:04,450 --> 00:16:09,150 the zero flag is zero. Earlier on it was one.
174 00:16:09,800 --> 00:16:20,990 So you see, compare takes whatever is stored in this memory, which is 0 1, and compares it with 0, and then because
175 00:16:20,990 --> 00:16:22,940 0 1 and 0 are not the same,
176 00:16:22,970 --> 00:16:26,030 therefore the comparison fails.
177 00:16:26,060 --> 00:16:28,570 So the zero flag is not set to 1.
178 00:16:29,420 --> 00:16:31,180 So this is how it works.
179 00:16:31,190 --> 00:16:31,550 All right.
180 00:16:31,850 --> 00:16:38,110 So now if you just press F8 to keep on going, it is not going to jump.
181 00:16:38,130 --> 00:16:42,340 See, this is a grey arrow; it means it is not going to jump.
182 00:16:42,440 --> 00:16:50,460 So you press F8 again, and it just goes right ahead to show you the good message.
183 00:16:50,540 --> 00:16:58,760 So what we have just done is to crack the software to make it become registered by modifying the memory
184 00:16:59,090 --> 00:17:01,870 directly, over here.
185 00:17:01,880 --> 00:17:06,360 This is called memory patching: patching the memory directly.
186 00:17:06,380 --> 00:17:06,720 All right.
187 00:17:07,010 --> 00:17:08,150 So what does this mean?
188 00:17:08,280 --> 00:17:08,510 OK.
189 00:17:08,510 --> 00:17:19,190 Now if you continue to press F8 [inaudible], eventually you would just pop up the window
190 00:17:19,820 --> 00:17:21,410 to show that it is registered.
191 00:17:25,990 --> 00:17:28,820 [inaudible] registered.
192 00:17:29,020 --> 00:17:29,260 Right.
193 00:17:29,860 --> 00:17:36,280 So now we need to patch this to make it permanent, because if you restart again this memory resets to
194 00:17:36,280 --> 00:17:38,200 its zero value.
195 00:17:38,200 --> 00:17:49,240 So to make it permanent, we patch the file: Patch file, and this one is to be patched, so click Patch file and
196 00:17:49,240 --> 00:17:51,040 give it a new name,
197 00:17:54,870 --> 00:17:57,900 "patch", click Save.
198 00:17:59,270 --> 00:18:01,190 OK.
199 00:18:01,330 --> 00:18:01,810 All right.
200 00:18:02,280 --> 00:18:04,290 So now we open the patched file
201 00:18:07,680 --> 00:18:10,860 and run it, and it is registered.
202 00:18:12,090 --> 00:18:15,240 So this is how we do memory patching.
203 00:18:15,400 --> 00:18:22,440 We analyze the memory first by putting hardware breakpoints, maybe test our theory whether it is correct
204 00:18:22,830 --> 00:18:27,860 by testing that memory address, and if it is correct,
205 00:18:27,890 --> 00:18:30,180 go ahead and patch it and see if it works.
206 00:18:30,240 --> 00:18:31,720 So thank you for watching.
207 00:18:31,720 --> 00:18:33,090 I will see you in the next one.