1
00:00:00,800 --> 00:00:02,060
Welcome back.

2
00:00:02,060 --> 00:00:09,480
That is how we're tracking. If it is x64dbg, we'll open it now.

3
00:00:09,720 --> 00:00:11,000
Thanks, x64dbg.

4
00:00:14,310 --> 00:00:20,690
And we're at the breakpoint. Run, enter any key.

5
00:00:21,150 --> 00:00:24,200
Click on check and see.

6
00:00:24,420 --> 00:00:26,900
"Sorry, wrong key" message.

7
00:00:27,450 --> 00:00:35,820
So we are going to search for this string and analyze the code around that area. So right-click.

8
00:00:35,820 --> 00:00:37,840
Make sure you are in the user module or not.

9
00:00:38,070 --> 00:00:43,110
And then here go to Search for, Current Module, String references,

10
00:00:48,280 --> 00:00:53,240
and now x64dbg says the search is complete, and this is the string that we are looking for.

11
00:00:54,200 --> 00:00:57,980
Let's move to the address by double-clicking here.

12
00:01:01,470 --> 00:01:11,010
So we have two strings: the bad string is here and the good string is here, and the jump here decides which

13
00:01:11,010 --> 00:01:12,780
string to show.

14
00:01:12,780 --> 00:01:17,540
So the jump will only happen if the zero flag is one.

15
00:01:17,910 --> 00:01:25,170
So we can put a breakpoint here, and we start run to our breakpoint.

16
00:01:25,190 --> 00:01:28,010
Before that we have to enter something, click check.

17
00:01:28,970 --> 00:01:37,280
And we are now at the breakpoint, and from here we see that it is not going to jump.

18
00:01:37,350 --> 00:01:38,750
So it is going to jump?

19
00:01:39,090 --> 00:01:50,630
It will show that message. It is not going to jump because the zero flag is not set to 1.

20
00:01:50,730 --> 00:01:52,980
So just before the jump

21
00:01:52,980 --> 00:02:00,450
there should be a test or a cmp. Back over here there is a test. This test is the one which determines

22
00:02:00,450 --> 00:02:07,270
the zero flag, so you know, therefore, for the zero flag to be set to one,

23
00:02:07,370 --> 00:02:18,390
ESI must be zero. So that means it is testing whether the value in the register ESI is zero.

24
00:02:18,420 --> 00:02:27,960
So if the ESI value is not zero, the zero flag is not set. Then we need to analyze further what sets the

25
00:02:27,960 --> 00:02:36,530
value of ESI. We can check up here and see that this line is the one. This sets the value in here, say over here,

26
00:02:37,910 --> 00:02:43,280
so you can check ESI here now by putting a breakpoint. Remove this,

27
00:02:47,360 --> 00:02:59,350
run and enter anything, click check, and we hit our breakpoint, and now we see the value is FFFF. This is no

28
00:02:59,350 --> 00:03:02,930
good; we wanted it to be 0, not FFFF.

29
00:03:03,730 --> 00:03:09,580
So that means even before this, ESI has already been set to FFFF.

30
00:03:10,540 --> 00:03:14,710
So let us investigate the origin of the register here

31
00:03:14,710 --> 00:03:18,800
set to FFFF. So to investigate it,

32
00:03:18,890 --> 00:03:23,710
we can put a breakpoint even higher up here.

33
00:03:24,750 --> 00:03:36,930
Here, remove this. We start run and enter anything, click check, so we are now at our new breakpoint, and now

34
00:03:36,930 --> 00:03:39,030
ESI is not FFFF.

35
00:03:39,930 --> 00:03:42,640
And it is also not zero.

36
00:03:42,900 --> 00:03:45,670
What we want is zero.

37
00:03:45,720 --> 00:03:56,190
So let's analyze them by pressing F8 and keeping a lookout to see when ESI is set to FFFF. Keep on

38
00:03:56,190 --> 00:03:56,820
pressing F8.

39
00:04:02,180 --> 00:04:04,700
OK, immediately after this call,

40
00:04:05,010 --> 00:04:08,030
ESI became FFFF.

41
00:04:08,030 --> 00:04:09,090
So that is about it.

42
00:04:09,110 --> 00:04:18,530
This call is the one which causes ESI to become FFFF, so it is in this call. Inside it something

43
00:04:18,530 --> 00:04:23,270
is happening, some kind of string comparison maybe is being done.

44
00:04:23,510 --> 00:04:31,930
And if you look up here we can also see that, in preparation for the string comparison, there is something

45
00:04:31,930 --> 00:04:36,560
being loaded, and you can see here a string is being loaded.

46
00:04:37,190 --> 00:04:38,030
Yes.

47
00:04:38,030 --> 00:04:46,110
So the point is the purpose of this string: it is comparing something; it is loading something into this register.

48
00:04:47,460 --> 00:04:49,770
Yes, you can see that over there.

49
00:04:49,770 --> 00:04:55,460
So anyway, that is now moving our focus to this line.

50
00:04:55,830 --> 00:05:00,100
Put a breakpoint, remove this, and we are going to come over here and step into it.

51
00:05:01,470 --> 00:05:13,970
So we start run, press check, and now we are going to step into this by pressing F7 and look more

52
00:05:14,180 --> 00:05:15,620
carefully to analyze.

53
00:05:20,650 --> 00:05:26,190
You can see it is performing some kind of comparison, compare strings, as you can see here.

54
00:05:29,360 --> 00:05:30,350
Yes.

55
00:05:30,410 --> 00:05:32,510
So it is already completed.

56
00:05:32,510 --> 00:05:34,970
This call has already loaded.

57
00:05:35,240 --> 00:05:36,310
ESI is

58
00:05:36,650 --> 00:05:37,970
FFFF.

59
00:05:37,970 --> 00:05:41,170
That means the string it is comparing is in these terms.

60
00:05:41,180 --> 00:05:46,610
This is the one register, ne 03, that we are looking for.

61
00:05:47,440 --> 00:05:57,680
So this serial key is loaded from where? This serial key is loaded from this memory address.

62
00:05:57,840 --> 00:06:04,190
This is the first place where it loaded the serial key from here to the stack.

63
00:06:05,180 --> 00:06:15,540
So here is where we should look for this serial key, the address 7 1 8 ... Click on this

64
00:06:16,050 --> 00:06:28,150
and go to the address by right-clicking, following them, 7 1 8 2 2 a. True enough, you can see your

65
00:06:28,240 --> 00:06:30,850
serial key at this memory location.

66
00:06:31,090 --> 00:06:40,100
So what we want to do now is to patch this serial key to our own serial key.

67
00:06:40,250 --> 00:06:45,020
So to do that we can select, you can select all this,

68
00:06:47,860 --> 00:06:56,320
then this and select Binary, Edit, and over here

69
00:06:56,320 --> 00:07:04,150
make sure you check the Keep Size, and then down here you change to any serial key. One we can make it

70
00:07:04,540 --> 00:07:12,440
reversed: if it is ABC123456 we can reverse it, for example CBA

71
00:07:17,360 --> 00:07:22,430
CBA 654321.

72
00:07:22,470 --> 00:07:29,480
OK, so now you can see it is now our own serial key.

73
00:07:29,700 --> 00:07:30,960
Yes.

74
00:07:30,960 --> 00:07:31,230
All right.

75
00:07:31,230 --> 00:07:37,750
So now we can click run and show that the real serial key is fine.

76
00:07:37,860 --> 00:07:49,800
Now we enter our own serial key, which we set in the memory: CBA six five four three two

77
00:07:49,790 --> 00:07:51,170
one.

78
00:07:51,460 --> 00:07:52,000
Check.

79
00:07:54,830 --> 00:07:55,280
Right.

80
00:07:57,550 --> 00:07:59,580
And we get correct key.

81
00:08:00,000 --> 00:08:07,600
So we have already done this by modifying the memory location directly and changing it to our own

82
00:08:07,600 --> 00:08:08:910
serial key.

83
00:08:09,130 --> 00:08:12,340
So to make this permanent we need to patch it.

84
00:08:12,400 --> 00:08:18,980
So we click File, Patch file, and then Patch file again here.

85
00:08:19,120 --> 00:08:20,080
Let's give it a new name

86
00:08:22,810 --> 00:08:25,130
-patch.

87
00:08:25,580 --> 00:08:25,940
Save.

88
00:08:28,930 --> 00:08:39,070
OK, now we can open the patched file and run it and enter our

89
00:08:42,070 --> 00:08:44,650
own serial key.

90
00:08:44,650 --> 00:08:50,160
Click check. Yes, it says correct serial key.

91
00:08:50,230 --> 00:08:51,040
Yes.

92
00:08:51,040 --> 00:08:51,710
So that's it.

93
00:08:52,480 --> 00:08:54,560
We have solved this challenge.

94
00:08:54,610 --> 00:08:58,950
We found the serial key and we changed it to a different key of our choice.

95
00:08:59,470 --> 00:09:01,740
So this is how we do memory patching.

96
00:09:01,810 --> 00:09:02,230
Thank you.

97
00:09:02,240 --> 00:09:02,650
Bye.