WEBVTT 00:01.330 --> 00:13.570 Now we can use our Ghidra to decompile those addresses where we found with x64dbg and Cheat Engine. 00:14.080 --> 00:25.480 So we look for this first address, right-click, copy, and then in Ghidra hit G on the keyboard to open 00:25.480 --> 00:26.440 the Go To. 00:26.860 --> 00:34.990 And inside here, paste the first address and this address, and then hit on 00:34.990 --> 00:35.590 OK. 00:36.640 --> 00:38.890 And it will go to that address. 00:39.400 --> 00:44.590 But you will notice that this location has not been disassembled yet. 00:45.810 --> 00:48.120 So let's right-click and disassemble it. 00:50.310 --> 00:51.540 Hit on Disassemble. 00:52.230 --> 00:53.820 And now it has disassembled. 00:54.990 --> 00:59.580 And you will see it also has the push - over here. 01:01.060 --> 01:07.540 And if you scroll down to the second address, this one, there should also be a return. 01:08.650 --> 01:14.260 So if you scroll down low enough, you should be able to see a return at this address, 01:14.260 --> 01:16.630 40013A2E. 01:21.400 --> 01:26.110 40013A2E, that's your return. 01:26.670 --> 01:35.410 Okay, so those are the start and end of the function, so we can go back to the top here and then just 01:35.410 --> 01:37.810 right-click and create a function here. 01:39.940 --> 01:42.220 So now Ghidra has created a function, 01:42.580 --> 01:50.280 call it FUN_0040393C, and then automatically it will have been decompiled for us. 01:50.290 --> 01:54.070 So click on the Decompile tab here and you can see our function. 01:56.010 --> 01:59.940 And now we can analyze using the decompiled window. 02:01.930 --> 02:09.130 So we can scroll down and we can see there is an if statement and there is a good message showing here, 02:09.130 --> 02:09.750 "Correct. 02:09.760 --> 02:10.450 Thank you." 02:10.840 --> 02:12.670 And there's a bad message showing here, 02:12.670 --> 02:13.600 "Sorry, wrong key." 02:15.850 --> 02:22.540 So we know that whether to show a good message or a bad message will depend on 02:22.630 --> 02:26.920 uVar1. So we can relabel this. 02:28.180 --> 02:33.640 Just press L on the keyboard, call it result. 02:37.200 --> 02:40.230 Click on it and you will see that this is where the result is being set. 02:41.220 --> 02:47.460 So this is probably a compare string function and it's probably comparing two strings. 02:48.660 --> 02:50.220 Let's click on local_14. 02:51.840 --> 02:55.140 local_14 seems to be reading a string. 02:56.030 --> 02:56.860 In this one, 02:56.860 --> 02:58.120 it looks like a password. 03:02.350 --> 03:05.690 Double-click on this and inspect the window. 03:05.710 --> 03:06.460 You can see 03:07.060 --> 03:08.560 so it looks like a password. 03:09.510 --> 03:13.590 So assume that it is a password, so we can 03:14.850 --> 03:16.200 relabel this one. 03:19.200 --> 03:26.400 Press L and rename it. So we can say this is a copy string, 03:28.380 --> 03:29.460 copy 03:30.240 --> 03:34.200 actual key string. 03:38.060 --> 03:51.710 So you copy this password to local variable 14, local_14, so we can relabel local_14 as an actual key. 03:56.500 --> 03:57.940 So click Actual Key. 03:59.590 --> 04:00.100 All right. 04:01.490 --> 04:02.390 And then 04:03.810 --> 04:08.730 click on the other one here, and local_18 is over here. 04:09.540 --> 04:12.930 So local_18 is 04:14.900 --> 04:15.890 probably the 04:18.500 --> 04:22.400 key that you enter. You see that param_1. 04:23.060 --> 04:28.040 So, okay, we can rename it, label it as My Input. 04:31.010 --> 04:34.880 So now we click on this and you can see... 04:38.130 --> 04:40.530 Now we come back to our function here. 04:40.530 --> 04:45.660 You can see it seems to be comparing My Input with the Actual Key. 04:47.950 --> 04:53.260 We can confirm it by double-clicking this to enter the function. 04:53.860 --> 04:56.620 And you can see there's compare strings functions. 04:56.620 --> 05:00.100 Here is comparing string one, string two. 05:01.830 --> 05:04.200 Param_2 is this. 05:04.200 --> 05:05.940 Param_1 is this. 05:06.540 --> 05:07.920 Click on the Back button. 05:09.620 --> 05:13.100 One more time and you can see param_1 is My Input, 05:13.130 --> 05:14.750 param_2 is Actual Key. 05:16.630 --> 05:22.270 So go back inside, so we can relabel this as My Input. 05:23.860 --> 05:28.060 And we can relabel this as Actual Key. 05:35.810 --> 05:44.360 And then just click on this and see what's happening. Over here is assigning Actual Key to another string, 05:44.720 --> 05:50.300 so we can relabel this as Actual Key 05:52.760 --> 05:53.390 String. 05:54.530 --> 05:56.540 And this one is assigned to another string, 05:56.540 --> 06:02.780 so we can relabel this as My Input String. 06:05.810 --> 06:11.120 And when you click on this now, you can see clearly it is comparing whether your input is an actual 06:11.120 --> 06:11.570 key. 06:12.290 --> 06:16.280 If your input is actual key, you return zero. 06:16.970 --> 06:19.790 So let's see when it returns zero, what happens? 06:19.790 --> 06:21.200 Let's click on the Back button. 06:23.870 --> 06:26.240 When it returns zero, it will store in the result. 06:26.660 --> 06:30.320 And if the result is zero, it will show you the good message. 06:30.320 --> 06:39.230 So this confirms that this function is a check, check string function, so we can rename it, relabel as 06:39.230 --> 06:39.590 Check, 06:42.590 --> 06:49.250 or we can, better, better still call it Compare, Compare String. 06:52.450 --> 06:58.180 Now we know for sure that this function is comparing two strings, 06:58.210 --> 06:59.350 the input and actual key. 06:59.980 --> 07:07.510 And that confirms that this Actual Key here, which is coming from this string here, 07:09.070 --> 07:10.300 is the actual password. 07:11.220 --> 07:16.350 So this is how we can use Ghidra and debuggers together. 07:16.830 --> 07:26.760 Debugger does not decompile code, although x64dbg can do it, but the decompiler is not as good as 07:26.760 --> 07:27.150 Ghidra. 07:28.080 --> 07:31.770 So Ghidra is good at decompiling code. 07:31.950 --> 07:41.130 And if you want to decompile code first, you can use debuggers to locate regions of interest, 07:42.070 --> 07:44.440 locate addresses of interest. 07:44.650 --> 07:47.650 And once you got those addresses, you can come to Ghidra. 07:48.650 --> 07:58.640 And then convert the data to strings and create functions, and then you can decompile it and view the, 07:58.850 --> 08:04.160 study the algorithm to derive the serial key. 08:04.280 --> 08:09.170 That's another thing I want to share with you is a Windows graph, 08:09.530 --> 08:10.750 Function Graph tool. 08:10.760 --> 08:14.470 So you can click on, on the function here. 08:14.480 --> 08:17.750 Let's rename this function as... 08:21.320 --> 08:23.240 We'll call it Check_Serial. 08:30.420 --> 08:32.520 Now you can use a window. 08:32.820 --> 08:34.830 Click on Window, Function Graph. 08:38.430 --> 08:41.280 And you will generate the graph view. 08:46.500 --> 08:49.860 You can zoom in and zoom out with the scroll wheel of your mouse. 08:49.890 --> 08:55.470 The center wheel scroll wheel, and you can drag to look around. 08:59.130 --> 09:01.830 And bottom right is another way to view. 09:01.920 --> 09:05.880 You can drag the square box here to move around. 09:08.490 --> 09:16.980 In the yellow circle here denotes the function that you are analyzing, here, 09:16.980 --> 09:21.230 looking at. Can scroll and scroll. 09:21.960 --> 09:25.140 If you can't read the dotted lines, you can go here. 09:26.950 --> 09:32.110 And then drag this thing out so that you can view the rest of the dotted lines. 09:33.940 --> 09:37.000 If it's not enough, go back and do again. 09:38.890 --> 09:41.800 Select the box that you want to expand on. 09:42.100 --> 09:43.540 Go back up here and drag. 09:47.750 --> 09:49.550 Now you can see the rest of the string, 09:49.550 --> 09:49.850 "Sorry, 09:49.850 --> 09:50.270 wrong key." 09:50.540 --> 09:51.560 "Correct key." 09:52.640 --> 09:55.070 If you pull this to the right, it'll be clearer. 09:56.480 --> 10:05.480 The red line denotes what happens when the jump zero test is not true, and the green line denotes the 10:05.480 --> 10:08.210 jump that happens when the jump zero is true. 10:08.390 --> 10:10.520 So this is an if-else statement. 10:12.590 --> 10:16.910 The gray-blue line is the unconditional jump. 10:19.150 --> 10:23.050 And you can see from here that over here there is a compare string. 10:24.690 --> 10:30.160 It is loading your password here, serial key, and then here, copy, copy. 10:30.160 --> 10:31.240 And then here, compare. 10:31.990 --> 10:33.100 There's a test. 10:33.850 --> 10:44.110 And based on this jump, it will then jump either to show the bad message or jump to show the good message 10:44.110 --> 10:44.650 over here. 10:47.110 --> 10:52.630 So this is also a useful tool for visualizing and analyzing the code. 10:53.890 --> 10:56.650 So that's all for this session. 10:56.650 --> 10:58.480 Thank you for watching.