1
00:00:01,330 --> 00:00:03,750
Hello and welcome.

2
00:00:03,760 --> 00:00:08,420
We are now going to use serial fishing to solve crackmes.

3
00:00:09,680 --> 00:00:21,690
And there are two ways to do this. One way is to unpack it first and then do the serial fishing on the

4
00:00:21,950 --> 00:00:27,510
unpacked file, and the other way is without unpacking.

5
00:00:27,750 --> 00:00:36,980
Go and do the serial fishing. So the difference between serial fishing and file patching is that

6
00:00:37,060 --> 00:00:44,620
you don't care about the serial key; you patch the file to bypass the serial key.

7
00:00:44,810 --> 00:00:49,690
So in here you are actually trying to find out the actual serial key.

8
00:00:49,930 --> 00:00:55,170
So generally this is more difficult to do than the previous two methods.

9
00:00:55,270 --> 00:00:56,560
So let's try it now.

10
00:01:00,620 --> 00:01:02,260
Let's open the packed file.

11
00:01:02,270 --> 00:01:07,850
I'm not going to unpack it, just open the packed file straight away in x64dbg,

12
00:01:11,130 --> 00:01:16,170
and over here click Plugins, ScyllaHide, Options.

13
00:01:16,400 --> 00:01:26,860
Make sure that you select the Basic profile so that you can hide the debugger from the program.

14
00:01:26,860 --> 00:01:36,700
So now let's run it and key in any serial key, click Check.

15
00:01:37,110 --> 00:01:47,760
And now we're going to find out the memory address where the string is being compared. To do that we are

16
00:01:47,760 --> 00:01:50,120
going to use the call stack method.

17
00:01:50,790 --> 00:02:03,450
So pause it here, and once the debugger is paused, go to the call stack and look for the memory address

18
00:02:03,480 --> 00:02:09,640
where the user module makes a call to the system to show the dialog box.
19
00:02:09,990 --> 00:02:19,600
So this is the location. Right-click and click Follow, and here it is. So this is the location

20
00:02:19,920 --> 00:02:28,200
that makes the call to show the dialog box, and if you look up further you will find there is a jump here,

21
00:02:29,070 --> 00:02:36,540
and this is the jump which decides whether to show the good message or the bad message.

22
00:02:37,050 --> 00:02:44,390
So there is a comparison being made here just before the jump.

23
00:02:44,560 --> 00:02:49,640
It will always be a TEST or a CMP; in this case it is a TEST.

24
00:02:49,900 --> 00:02:58,480
So the result of this test determines whether or not to jump. In here we can put a breakpoint to see the

25
00:02:58,510 --> 00:03:01,360
result of the test.

26
00:03:01,360 --> 00:03:02,470
So now you can run,

27
00:03:06,710 --> 00:03:10,790
over here, OK.

28
00:03:11,910 --> 00:03:18,230
And now it has hit the breakpoint over here and we can see the result.

29
00:03:18,290 --> 00:03:22,270
ESI is negative 1, remember.

30
00:03:22,760 --> 00:03:24,880
All F's means negative 1.

31
00:03:25,700 --> 00:03:36,990
So we can put a comment here that ESI should be zero, because TEST ESI,

32
00:03:37,010 --> 00:03:37,510
ESI

33
00:03:37,510 --> 00:03:42,270
means you are testing whether the value of ESI is zero.

34
00:03:42,470 --> 00:03:48,310
If the value of ESI is zero then it will jump to the good message.

35
00:03:48,490 --> 00:03:50,520
ESI is not zero.

36
00:03:50,520 --> 00:03:55,090
The jump was not taken, and that is why

37
00:03:55,380 --> 00:03:57,800
here we can put a comment.

38
00:03:58,260 --> 00:04:00,270
So here you can put remarks here:

39
00:04:00,300 --> 00:04:04,340
ESI should be zero.

40
00:04:04,420 --> 00:04:07,500
OK, OK, so now,

41
00:04:07,740 --> 00:04:16,400
edit. As it stands ESI is not zero, since it's negative one, so our clue is ESI.
42
00:04:16,440 --> 00:04:26,380
We need to hunt down ESI to see which instruction sets it to negative one, so if you look up here

43
00:04:26,380 --> 00:04:27,210
you will find it.

44
00:04:27,610 --> 00:04:31,890
ESI is being set by this instruction:

45
00:04:32,180 --> 00:04:36,620
MOV ESI, EAX. Here it says EAX.

46
00:04:36,630 --> 00:04:42,060
So now we put a breakpoint up here and then we run.

47
00:04:42,660 --> 00:04:43,420
And now,

48
00:04:44,070 --> 00:04:45,350
okay,

49
00:04:45,420 --> 00:04:46,410
and click Check again.

50
00:04:48,010 --> 00:04:53,470
Be sure not to restart; if you restart you will lose all your breakpoints, because this file is a packed file.

51
00:04:54,640 --> 00:05:02,200
So now we are hitting the new breakpoint, and we examine EAX and we find that it is negative one

52
00:05:02,200 --> 00:05:03,460
also.

53
00:05:03,460 --> 00:05:06,920
So now our new target should be EAX.

54
00:05:06,970 --> 00:05:12,370
So put a comment: EAX should be zero.

55
00:05:16,780 --> 00:05:20,470
So now we managed to trace it:

56
00:05:20,470 --> 00:05:22,490
ESI to

57
00:05:22,510 --> 00:05:23,570
EAX.

58
00:05:23,590 --> 00:05:27,730
EAX ultimately decides the value of ESI.

59
00:05:27,820 --> 00:05:29,560
So now we're here.

60
00:05:29,680 --> 00:05:31,590
We can trace what sets

61
00:05:31,600 --> 00:05:32,380
EAX.

62
00:05:33,130 --> 00:05:40,300
So you see there is a call just before this, and normally the result of a call is stored in

63
00:05:40,360 --> 00:05:41,400
EAX.

64
00:05:41,480 --> 00:05:48,820
So that is a good place to examine, so we can put the breakpoint here.

65
00:05:48,940 --> 00:05:59,510
And now we run again, and then we are going to enter this call to see what happens inside here to set

66
00:05:59,710 --> 00:06:05,840
the value. So run it, and then come here.

67
00:06:05,890 --> 00:06:06,730
OK.

68
00:06:06,730 --> 00:06:09,310
Click Check.
69
00:06:09,460 --> 00:06:15,360
So now it has hit our new breakpoint and we can press F7 to step into this call

70
00:06:15,460 --> 00:06:23,320
to examine what sets the value of EAX to negative 1.

71
00:06:23,500 --> 00:06:27,980
So let's press F7 now, and we are inside the call.

72
00:06:28,480 --> 00:06:35,100
And now you keep examining the value of EAX and keep pressing F8 to see when it becomes negative

73
00:06:35,110 --> 00:06:37,910
one. Keep pressing F8,

74
00:06:47,180 --> 00:06:50,390
now it is one, F8 again.

75
00:06:50,390 --> 00:06:51,590
Now it's negative.

76
00:06:51,590 --> 00:06:52,630
Negative one.

77
00:06:52,910 --> 00:07:01,020
See, this all F's means negative one, so it is at this line that it becomes negative one, and just before

78
00:07:01,020 --> 00:07:03,100
it there is a call to CompareString.

79
00:07:04,070 --> 00:07:04,830
Yes.

80
00:07:04,910 --> 00:07:09,840
So this is a good place to examine what happens.

81
00:07:09,980 --> 00:07:18,710
And this obviously is an API, so we can select this part here, right-click and then select Analysis, and

82
00:07:18,750 --> 00:07:22,250
once it is analysed you can see:

83
00:07:22,280 --> 00:07:29,240
this is an API call, and the API accepts all these parameters, and you notice there are two strings which

84
00:07:29,240 --> 00:07:39,030
will be compared with each other, and you can look this thing up in the Google Chrome browser.

85
00:07:39,740 --> 00:07:40,730
CompareString.

86
00:07:43,550 --> 00:07:53,170
So here is the result, and you see CompareString compares two strings, this string and this string, and

87
00:07:53,170 --> 00:07:54,730
then returns the result here.

88
00:07:55,780 --> 00:08:01,840
So the result is normally in EAX, as you recall from the previous lesson.

89
00:08:02,500 --> 00:08:12,690
So CompareString will compare this string and this string and then return the result in EAX.

90
00:08:12,980 --> 00:08:17,860
And so this is a good place to put our new breakpoint here.
91
00:08:17,960 --> 00:08:18,800
And we run it,

92
00:08:23,190 --> 00:08:24,440
here, OK.

93
00:08:24,530 --> 00:08:26,530
Check.

94
00:08:27,320 --> 00:08:28,820
Now we hit our first breakpoint.

95
00:08:29,670 --> 00:08:38,090
So if you enter this call, run, and now we hit our second breakpoint.

96
00:08:38,150 --> 00:08:38,840
So we're here.

97
00:08:38,840 --> 00:08:45,250
Now we can examine the strings as they are being pushed onto the stack. Press F8 here.

98
00:08:45,370 --> 00:08:46,440
Now here.

99
00:08:46,550 --> 00:08:53,930
Press F8, it has pushed the first string onto the stack, and you can see the string is ABC-

100
00:08:53,930 --> 00:08:55,610
123456.

101
00:08:55,650 --> 00:09:03,200
Now if I had to guess I would say that this is the serial key. Then now, here, it is going to push a count,

102
00:09:04,410 --> 00:09:05,550
which is the length.

103
00:09:05,620 --> 00:09:07,640
That's a parameter; we don't have to worry about that.

104
00:09:08,270 --> 00:09:10,050
Now it's going to push another string.

105
00:09:10,160 --> 00:09:17,610
Press F8 and you see another string is pushed, so it is going to compare this string and this string. But keep

106
00:09:17,610 --> 00:09:25,170
on pressing F8, and now if you press F8 again it will store the result of the comparison in here,

107
00:09:25,420 --> 00:09:30,150
EAX. So press F8, and the result is one.

108
00:09:30,180 --> 00:09:32,250
So what is the meaning of one?

109
00:09:32,250 --> 00:09:39,840
So let's go and examine the MSDN on the return value of this function; you scroll down to see.

110
00:09:39,890 --> 00:09:44,020
The return value is described here for this function.

111
00:09:44,770 --> 00:09:50,840
And then here scroll down to the return value and look for the return value.

112
00:09:51,190 --> 00:09:58,300
So it returns one of the following values if successful: either this value, this value or this value.

113
00:09:58,570 --> 00:09:59,890
So these are constants.
114
00:10:00,310 --> 00:10:02,970
So it seems that it is returning one.

115
00:10:03,020 --> 00:10:06,940
One could be this, or this, or this.

116
00:10:07,140 --> 00:10:10,760
But I don't think it is this one, because this means equal.

117
00:10:11,040 --> 00:10:17,610
And if you recall it says, to maintain the C runtime convention of comparing strings, the value two can be subtracted

118
00:10:17,670 --> 00:10:20,030
from the non-zero return value.

119
00:10:20,130 --> 00:10:28,610
So if you subtract two you will get the same result as the standard C program.

120
00:10:28,670 --> 00:10:34,950
Now this is Microsoft CompareString. Microsoft CompareString does not return zero

121
00:10:35,020 --> 00:10:37,840
if the strings are equal; it returns two.

122
00:10:38,040 --> 00:10:38,750
How do I know that?

123
00:10:38,760 --> 00:10:44,580
Because you're supposed to deduct two from the non-zero return value.

124
00:10:44,580 --> 00:10:49,340
So if the strings are the same it will return two.

125
00:10:49,450 --> 00:10:50,860
So let's see.

126
00:10:51,740 --> 00:10:56,470
Now here it is returning one, therefore the strings are not the same.

127
00:10:56,520 --> 00:10:57,190
It is not the same.

128
00:10:57,210 --> 00:10:59,270
It is supposed to return two.

129
00:10:59,340 --> 00:11:03,910
So now if you go down here let's see what happens.

130
00:11:03,910 --> 00:11:10,580
You press F8 and you see it is going to add negative 2.

131
00:11:10,770 --> 00:11:15,660
It is going to add negative two to EAX. Adding negative two here

132
00:11:15,760 --> 00:11:19,120
is the same as minus two from it.

133
00:11:19,590 --> 00:11:21,270
So this FFFFFFFE,

134
00:11:21,300 --> 00:11:24,180
it means negative two.
135
00:11:24,210 --> 00:11:34,660
So this is consistent with the MSDN, which says the value two can be subtracted from a non-zero return

136
00:11:34,660 --> 00:11:35,020
value,

137
00:11:38,040 --> 00:11:46,320
so if the strings were equal, after you add negative two you should get zero. So you press F8, you will see

138
00:11:46,320 --> 00:11:54,570
that it will not be zero, it'll be negative, because negative two plus positive one will give you negative

139
00:11:54,570 --> 00:11:59,370
1, right. That is simply one minus two, negative one.

140
00:11:59,440 --> 00:12:09,550
So now you know that it is set over here; definitely this is to verify the serial key. All right, we can test

141
00:12:09,550 --> 00:12:15,570
our theory: we can run the program again and try to enter this serial key and come back here and see what

142
00:12:15,570 --> 00:12:25,290
happens. So this serial key is ABC-123456, so we can copy this by selecting

143
00:12:25,320 --> 00:12:34,150
the entry in the previous line, this constant string, and right-click, Copy, Line, and paste it in your

144
00:12:35,050 --> 00:12:35,500
notepad,

145
00:12:40,840 --> 00:12:44,220
and over here, this is it,

146
00:12:47,350 --> 00:12:57,090
and this one is the serial key. Run again.

147
00:12:57,220 --> 00:13:07,740
Okay, now we enter the serial key, key it in, and then you click Check over here.

148
00:13:07,930 --> 00:13:18,400
Now we are here, enter the call, and over here now you press F8. Here we see now it is pushing

149
00:13:18,400 --> 00:13:20,300
the string.

150
00:13:20,570 --> 00:13:27,540
This is the string that is to be compared, and it pushes another string.

151
00:13:27,590 --> 00:13:30,130
So now both strings are the same.

152
00:13:30,130 --> 00:13:37,780
And then keep on pressing F8, and after the call to CompareString you will find that EAX is two.
153
00:13:37,910 --> 00:13:45,170
So that confirms what the MSDN says, that if the strings are equal it will return two,

154
00:13:47,950 --> 00:13:48,650
right.

155
00:13:48,680 --> 00:13:55,680
So now we keep on pressing; it is going to minus two from two and that should give us zero.

156
00:13:55,990 --> 00:13:56,380
Right.

157
00:13:56,570 --> 00:14:01,930
So press F8, and now it has minus two from two and it gives us zero now.

158
00:14:02,030 --> 00:14:11,610
So now keep pressing F8. Remember that when you're adding, you take the source and the destination

159
00:14:11,640 --> 00:14:14,460
and store the result in the destination.

160
00:14:14,460 --> 00:14:22,290
So that is the reason why, when you take negative two and you add two to it, you get zero, and you store zero back in the

161
00:14:22,290 --> 00:14:23,610
destination.

162
00:14:23,820 --> 00:14:26,820
So now you press F8, continue to press it.

163
00:14:27,120 --> 00:14:27,790
Come back here.

164
00:14:28,340 --> 00:14:30,190
ESI, ESI is now zero.

165
00:14:30,390 --> 00:14:40,170
And that confirms our comment that we wrote earlier. Keep on pressing F8, and now ESI should be

166
00:14:40,170 --> 00:14:42,120
zero, and true enough, ESI,

167
00:14:42,150 --> 00:14:42,870
ESI,

168
00:14:42,930 --> 00:14:43,980
it is zero.

169
00:14:44,040 --> 00:14:49,440
And now if you keep pressing F8 it will jump to the good position.

170
00:14:49,440 --> 00:14:52,700
Now you can just click Run and you will see.

171
00:14:52,820 --> 00:14:53,270
Yeah.

172
00:14:53,300 --> 00:14:54,480
It shows the message:

173
00:14:54,480 --> 00:14:55,700
Correct.

174
00:14:56,130 --> 00:15:01,590
So this is how we do serial fishing to fish out the serial key.

175
00:15:01,590 --> 00:15:04,270
Now in this example, the,

176
00:15:04,280 --> 00:15:10,280
it so happened that when you're running, the serial key is easily being detected.

177
00:15:11,340 --> 00:15:13,190
So for example,
178
00:15:13,260 --> 00:15:19,530
and then I run it again, if I put in a wrong serial key,

179
00:15:25,670 --> 00:15:28,630
if I were to put in a wrong serial key, I say,

180
00:15:32,320 --> 00:15:39,010
and then come here, you notice that the serial key is ultimately detected and shown here.

181
00:15:39,010 --> 00:15:46,210
So in this example we are so lucky that we already can see this serial key being detected by x64dbg.

182
00:15:46,810 --> 00:15:51,590
Sometimes when you serial fish in software you might not get so lucky.

183
00:15:51,700 --> 00:15:55,190
The serial key may not be so easily detected over here.

184
00:15:55,270 --> 00:16:03,470
So that is why I went through the trouble to explain to you in great detail how to hunt down the serial key

185
00:16:03,880 --> 00:16:04,640
and the string.

186
00:16:05,060 --> 00:16:07,770
So that's all for this lesson.

187
00:16:07,780 --> 00:16:09,040
Thank you for watching.

188
00:16:09,040 --> 00:16:10,190
See you in the next one.