WEBVTT

00:00.650 --> 00:02.810
So we first run the debugger.

00:03.750 --> 00:08.040
To check the location of the address we are interested in.

00:08.610 --> 00:10.260
We could use x64dbg

00:13.770 --> 00:16.500
and then attach to the running program.

00:17.910 --> 00:18.900
Simple Serial.

00:20.310 --> 00:22.350
Go to Symbols.

00:22.920 --> 00:27.090
Select the Simple Serial, double-click and run.

00:29.300 --> 00:32.610
Then right-click here and search for strings.

00:32.620 --> 00:35.560
Current Module String References.

00:40.370 --> 00:47.540
And then filter for the "sorry" string, and you will find it here.

00:48.320 --> 00:54.110
Just double-click to go to that location and we want to select all the functions.

00:54.200 --> 00:55.440
Look for the -,

00:57.130 --> 01:00.990
so the "sorry, wrong key" is shown here and "correct key" is shown here.

01:01.060 --> 01:03.550
So just look for the key,

01:04.780 --> 01:08.860
which will denote the start of the function.

01:09.850 --> 01:11.040
Here is the push -.

01:11.740 --> 01:16.230
So the function starts at this address, 004013933.

01:16.990 --> 01:20.500
So right-click and copy this.

01:23.790 --> 01:28.680
Copy the entries and put it in a

01:32.490 --> 01:33.060
Notepad.

01:40.720 --> 01:41.170
All right.

01:41.470 --> 01:45.590
And then the end of the function should be the ret.

01:47.960 --> 01:49.010
Which is at this address.

01:49.010 --> 01:53.900
So right-click on this and copy the address.

02:01.100 --> 02:11.600
Okay, so now I'll show you another way to get these interesting addresses using Cheat Engine.

02:14.120 --> 02:19.040
So let's fire everything again and then run Cheat Engine.

02:26.640 --> 02:31.830
By the way, I will give you the links where you can download x64dbg and Cheat Engine.

02:33.420 --> 02:37.890
So click on this and attach to Simple Serial, open.

02:39.590 --> 02:44.600
Then Memory View, and go to View.

02:44.870 --> 02:54.950
Look for referenced strings, and click Yes, and it will search for all the strings.

03:04.900 --> 03:06.430
Now look for,

03:06.700 --> 03:08.470
click on Search, look for "sorry."

03:12.640 --> 03:14.440
And then hit on the button

03:14.440 --> 03:14.920
Find.

03:16.630 --> 03:18.430
And that's a hit.

03:18.730 --> 03:19.330
"Sorry,

03:19.330 --> 03:19.750
wrong key."

03:19.960 --> 03:21.280
And this is the address.

03:21.280 --> 03:22.630
So double-click on this.

03:23.800 --> 03:24.880
And there you are.

03:26.580 --> 03:29.460
And you want to go to the start of this function.

03:29.880 --> 03:34.350
You can just right-click and hit on "Select Current Function."

03:35.430 --> 03:39.800
And now you can see the start of the function is also push -.

03:40.350 --> 03:41.550
And this is the address.

03:41.550 --> 03:44.100
And just compare it with what we found with...

03:45.870 --> 03:49.380
It's the same, 004013933.

03:49.950 --> 03:53.310
And the return should be this one.

03:53.730 --> 04:03.510
So then, scroll down and there's your ret, and there's another function.

04:03.990 --> 04:05.730
Compare that with the...

04:07.020 --> 04:07.860
It's the same.

04:08.070 --> 04:16.470
Okay, so these are two ways you can use debuggers to find interesting addresses to decompile.

04:17.220 --> 04:18.510
So now you have these two.

04:18.540 --> 04:22.800
We are ready to decompile the code, to decompile the function.

04:23.430 --> 04:25.420
So we head back to Ghidra.

04:28.520 --> 04:33.560
We can detach Cheat Engine from this by closing it directly.

04:34.220 --> 04:35.300
Now we are in Ghidra.

04:36.110 --> 04:41.240
So we are ready to decompile the interesting addresses.

04:41.450 --> 04:45.080
And for that, I will show you in the next video.

04:46.550 --> 04:47.930
Thank you for watching.
