WEBVTT

00:01.280 --> 00:03.470
Hello and welcome back.

00:03.710 --> 00:11.210
In today's video, we are going to try another GUI crackme called Simple Serial.

00:13.240 --> 00:19.660
So go ahead and download this crackme and put it in this folder.

00:23.110 --> 00:25.180
See Ghidra projects.

00:25.210 --> 00:27.260
Crackme-dash-two.

00:28.690 --> 00:29.860
Let us first run it.

00:32.920 --> 00:37.720
Then enter any zero and hit the button.

00:37.720 --> 00:43.300
Check, and you get a bad message saying sorry, wrong key.

00:44.290 --> 00:48.310
So now I'm going to show you how to solve this crackme.

00:51.860 --> 00:53.120
Fire up Ghidra.

00:54.440 --> 00:56.510
Click on File, New Project.

00:58.850 --> 00:59.960
Click on Next.

01:03.540 --> 01:04.740
Click on the three dots.

01:05.900 --> 01:12.680
And go to your folder where you saved your...

01:15.480 --> 01:15.990
crackme.

01:22.130 --> 01:27.830
And click on it and click on Select Project Directory.

01:30.320 --> 01:31.730
For Project Name,

01:32.540 --> 01:33.620
call it GUI

01:35.090 --> 01:41.810
crackme-two, and then click on Finish.

01:45.970 --> 01:48.130
Now we import the crackme.

01:50.840 --> 01:53.180
Drag and drop it into the folder here.

01:57.210 --> 02:05.430
It has detected it to be a PE file format and it is a 32-bit program.

02:06.470 --> 02:06.770
Click

02:06.810 --> 02:07.380
OK.

02:12.980 --> 02:14.660
It is now importing it.

02:19.800 --> 02:23.130
You can resize this window by dragging it down a bit.

02:25.980 --> 02:27.960
This is the import results

02:27.960 --> 02:28.650
summary.

02:28.680 --> 02:29.070
Click

02:29.070 --> 02:29.610
OK.

02:31.810 --> 02:35.560
Let's go and start analysis.

02:35.710 --> 02:38.530
Drag this and drop it on the dragon.

02:41.080 --> 02:42.880
Confirm to analyze.

02:42.930 --> 02:43.600
Yes.

02:45.490 --> 02:47.170
And in the analysis window,

02:48.310 --> 02:51.340
check on the Compiler Parameter ID.

02:53.400 --> 03:00.630
Uncheck PDB Universal. Check on Windows x86 Propagate.

03:01.980 --> 03:09.150
Analyze. It will take a few minutes to analyze this.

03:11.180 --> 03:13.370
So just analyze.

03:16.360 --> 03:21.910
Watch the bottom right corner and you will note that it is finished now.

03:22.630 --> 03:24.850
And now we can analyze.

03:25.990 --> 03:27.940
We can go to the

03:28.780 --> 03:29.890
Exports here.

03:30.790 --> 03:32.170
Look for the entry.

03:34.290 --> 03:36.570
And then this is the entry point.

03:38.580 --> 03:42.900
And if you scroll down, the WinMain should be

03:44.360 --> 03:45.500
probably this one,

03:46.160 --> 03:50.380
after getting startup info and whatnot.

03:51.140 --> 03:55.490
But we are not going to use that method to solve this crackme.

03:56.570 --> 04:00.140
We are going to look for strings.

04:00.170 --> 04:03.050
Now we know that the string is "sorry, wrong key."

04:06.650 --> 04:13.430
So we can look for it by using the search, string, search for strings.

04:14.860 --> 04:16.300
And click on Search.

04:20.480 --> 04:21.800
And then filter out

04:22.370 --> 04:23.120
"sorry."

04:25.310 --> 04:26.360
And you have one hit.

04:26.810 --> 04:27.650
It's a Unicode.

04:28.950 --> 04:29.790
Double-click on it.

04:31.450 --> 04:33.850
And you will come to this location.

04:37.820 --> 04:39.710
S-O-R-R-Y.

04:40.880 --> 04:41.810
It is Unicode.

04:43.040 --> 04:46.250
Unicode consists of two bytes for each character.

04:47.570 --> 04:50.120
The ASCII as well as the zero byte.

04:52.710 --> 04:53.610
So,

04:54.480 --> 04:58.080
every character has got an ASCII code followed by the zero byte.

04:58.950 --> 05:06.930
So for S, the bytes are 53 and 00. O is 6F and 00.

05:07.320 --> 05:11.580
The H at the back means it is hexadecimal, and so on.

05:12.180 --> 05:16.860
So now, since this is Unicode, if we scroll up, we can see other strings.

05:17.310 --> 05:18.030
Correct?

05:18.060 --> 05:19.320
Correct.

05:20.040 --> 05:20.530
Correct.

05:20.550 --> 05:20.850
Key.

05:20.880 --> 05:21.570
Thank you.

05:21.810 --> 05:25.710
And this probably is the serial key.

05:27.660 --> 05:29.640
ABC-123456.

05:29.640 --> 05:34.260
So just by searching for strings, we probably have solved it.

05:34.950 --> 05:39.210
So if we try this key now, see what happens.

05:40.740 --> 05:43.660
A-B-C-dash-

05:43.710 --> 05:45.870
one-two-three-four-five-six.

05:46.170 --> 05:48.510
Click on Check, and it's correct.

05:49.260 --> 05:51.300
So this is how easy you solve it.

05:52.230 --> 05:54.370
Now I'll show you a different way to solve it.

05:55.210 --> 05:57.790
I also want to teach you how to convert

05:59.540 --> 06:03.890
one particular representation into another data type.

06:04.490 --> 06:07.610
So this is all in Unicode.

06:08.990 --> 06:13.010
You can convert it into data.

06:15.110 --> 06:16.820
So we select the first one.

06:17.750 --> 06:23.120
C or Z and go down all the way to

06:23.630 --> 06:24.860
"Thank you.

06:25.130 --> 06:29.450
Sorry, wrong key" errors.

06:29.630 --> 06:31.460
And somewhere around here.

06:31.760 --> 06:34.610
Press down the Shift, hold it down, and click here.

06:35.540 --> 06:38.570
So you have selected all the green parts.

06:39.950 --> 06:47.900
Then you right-click on it and then select Data and select Terminated Unicode.

06:49.100 --> 06:52.160
The word "terminated" means it ends with the null character.

06:53.450 --> 06:56.110
Enter the null terminator.

06:56.120 --> 07:03.230
So click on this one and it will convert all that, grouping it together into strings,

07:03.230 --> 07:04.400
Unicode strings.

07:05.880 --> 07:08.940
So now you can see "Correct key" is a string.

07:08.970 --> 07:09.390
"Thank you,"

07:09.390 --> 07:10.110
string.

07:10.140 --> 07:10.710
"Sorry,

07:10.710 --> 07:11.100
wrong key,"

07:11.100 --> 07:11.420
string.

07:11.790 --> 07:12.320
String.

07:13.170 --> 07:16.770
If you want to undo this, you can just click on the Back button to undo.

07:17.280 --> 07:22.230
Or another way is you can select all of this and then right-click.

07:22.920 --> 07:24.150
And then select

07:25.090 --> 07:25.450
Clear.

07:26.860 --> 07:32.020
Clear Code Bytes, and then it will go back to its raw format.

07:36.840 --> 07:38.310
Okay, now let's redo it again.

07:38.320 --> 07:39.670
You can right-click

07:39.670 --> 07:40.870
and then

07:42.100 --> 07:44.680
Data, Terminated Unicode.

07:45.820 --> 07:47.380
Okay, so now you have the strings.

07:47.410 --> 07:50.860
We can see clearly where all these are.

07:51.490 --> 07:51.790
Okay.

07:51.790 --> 07:56.080
So these are the cross-references to the strings.

07:56.260 --> 07:59.260
So we can try this and see where it leads us.

08:02.450 --> 08:04.650
Notice if you hover your mouse over this,

08:06.550 --> 08:10.900
it pops up this additional display and you can scroll.

08:11.920 --> 08:18.460
If you want to disable this feature, just click on this one time and click another time and you can

08:18.460 --> 08:20.260
see it has been disabled.

08:20.920 --> 08:28.870
So now we can follow the cross-references and double-clicking this, and we can see that it is being referenced

08:28.870 --> 08:29.500
here.

08:33.810 --> 08:40.650
Now, I have tried this method by cross-referencing and didn't have much luck with it, so I'll show

08:40.650 --> 08:42.060
you another way to solve this.

08:42.540 --> 08:53.670
So the way to solve this is to use the help of a debugger to locate the address for the code which uses

08:53.670 --> 08:55.200
these strings.

08:55.920 --> 08:58.470
So I'll show you that in the next video.

08:59.190 --> 09:00.360
Thank you for watching.
