I want your tutorials back and even advancer man, really appreciate!
So do I! Reverse Engineering is my heart-and-soul. But, alas, being a YouTuber is just a side hobby. I post when I can... like today. I just posted another video about Ghidra's new Emulator tool :)
@@stryker2k2 Thank you man, you are one of the guys who are contributing to keep igniting the lost lamp, love you
I just sat down and used your approach to tackle a problem with Ghidra that I wasn't able to get through before. I renamed every variable to something I understood and I was able to figure out the logic of the program. Thanks!!!!
Two years later... and I still love this comment!
I'm currently trying to get into reverse engineering, watched other tutorials but it often feels people rush through those crackmes without realizing the people watching these videos have no clue what all this is.
Watched both your videos on this now, still don't understand everything going on - but just wanted to say thank you since I think I might have an okayish point to start from now.
And I subscribed, of course.
Reverse Engineering is quite a complicated thing to jump into, RubberDog. I spent years doing Software Development before I moved into Reverse Engineering and most RE YouTubers expect you to have some Software Development experience before trying a CrackMe.
Hopefully I went more in-depth than the others... but, I can see how it could still be difficult to understand it all. Would a super in-depth video on every line of code found in CrackMe_0x01 be helpful? It would be looooong and boring... but could very well help newbies get a more solid understanding of the Reverse Engineering concept.
Your video series really helped me get the hang of using Ghidra. I would love to see more similar videos! Thank you for all the help!
Thanks, Vlad!
Your videos are really helpful! Reversing is turning out to be so interesting!
Understood everything except the reason behind heading over to the main function via mainCRTStartup in the exports dir.
Very good series, thank you. I hope you continue with more advanced subjects.
Thanks Friedrich! We'll be moving into more advanced subjects soon! The video I posted today (aka - late last night) demonstrates how to Reverse a piece of software that reaches back to a remote server. It's not ground-breaking but it is moving my channel along to more advanced topics.
I'm a bit too late :D, just got this video in my recommendations. You are explaining things very well, thank you for your excellent work! I have some sort of reverse engineering skills and I still enjoy your content. In the beginning of the video you explained how to get rid of the PDB and RTTI warnings in Ghidra. Yes, you can disable them, particularly if you know that you don't have the PDB of the executable, but I think the option related to RTTI should be left at the default. Why? Some of your new viewers who have an interest in learning reverse engineering could misunderstand you and disable it for every executable they try to reverse. Losing RTTI is really bad, because you lose valuable information related to classes and structures. For example, in IDA, after selecting the settings it will ask you: "Do you have a PDB?" You select yes or no, and if the executable has RTTI it will automatically find it and define it using the metadata. Thank you for your great content, I wish you all the best! Take care.
This is a great tutorial series. Could you do more ctf style reverse engineering challenges.
Thanks rlee! I would love to do an RE CTF challenge series!
Although, I haven't created any challenges myself... yet. Have you seen any RE CTF Challenges that you would like to see a series on?
@@stryker2k2 Thanks for the response. The ctfs that my team compete in, unfortunately, do not want their challenges to be reposted. Or that is my understanding. For the most part they are really similar to the type where one must find a stored password or key.
You explain things in a way that would really help our students to get competitive on those challenge types.
Very cool! I'll look into some public CTFs to find similar challenges and make videos on them 😊
@stryker2k2 PicoCTF is one of the most popular public CTFs around, so I would recommend going with some of their problems because many beginners would be familiar with those types of problems.
cool series, been spending some time looking at some commercial software and the existing cracks for old versions. You learn a lot analyzing existing cracks/keygens. I'm currently only doing static analysis and started with some runtime debugging with .... x64dbg, Ghidra didn't work I think, and realized it was a waste of time to step through what I don't know yet. After reviewing the 'historical cracks' and methods used to bypass the software, I hope I can successfully write my own for educational purposes. Currently I am de-obfuscating code, function by function, to get a good idea of what the code is doing in the code that has differences between its clean and its cracked/patched code.
That's amazing insight. I have also done something similar. I found an old malicious sample that Windows Defender detects easily and reversed it. Then, to understand it better, I recreated it from scratch using what I learned from dissecting it in x64dbg and Ghidra. It's amazing how much work the original malicious software author did.
@@stryker2k2 I ended up trying to track them (original creator of crack) down.... found a way to them via some warez site but don't really care to interface with them that much anymore. Right now I am focused on figuring out the 'right way' to do some java deobfuscation. I got so many tools and yet it seems like decompiling java bytecode and using an ancient ide like Eclipse is the best way... #BoomerCodeLife
Hugely time consuming shit right here.
This has helped a lot, thank you!
My pleasure!
For 0x07, I think the print_Incorrect() is meant to be patched with NOPs using something like OllyDbg.
There's no if-else condition within print_Incorrect(); it's simply going to be run after the while-loop.
I think you hit the nail on the head! I'll NOP it here soon to see what happens but it makes perfect sense.
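The patch this exchange talks about, written out as an added example (this is not code from the video, the crackme, or OllyDbg). It assumes the call to print_Incorrect() is a plain x86 `call rel32` (opcode E8, five bytes) and that you already have its file offset and the virtual address Ghidra shows for it; the image bytes in the usage below are constructed, not taken from crackme 0x07. The opcode is checked before anything is overwritten, so a wrong offset fails loudly instead of silently corrupting the binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86/x64 encodings involved. */
#define OP_CALL_REL32  0xE8
#define OP_NOP         0x90
#define CALL_REL32_LEN 5

/* Decode the destination of the "call rel32" at file offset `off`.
 * `insn_va` is the virtual address Ghidra shows for that instruction;
 * the displacement is relative to the *next* instruction, so the target
 * is insn_va + 5 + rel32. Returns 0 and stores the target, or -1 if the
 * bytes at `off` are not an E8 call (or run past the end of the image). */
int call_target(const uint8_t *image, size_t len, size_t off,
                uint64_t insn_va, uint64_t *target)
{
    if (off > len || len - off < CALL_REL32_LEN) return -1;
    if (image[off] != OP_CALL_REL32) return -1;
    const uint8_t *b = image + off + 1;
    /* rel32 is stored little-endian in the instruction stream; assemble
     * it explicitly so this works on any host, then sign-extend. */
    uint32_t u = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                 ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    int32_t rel;
    memcpy(&rel, &u, sizeof rel);
    *target = insn_va + CALL_REL32_LEN + (int64_t)rel;
    return 0;
}

/* Overwrite the call with five single-byte NOPs. Verifies the opcode
 * first so a mistake converting Ghidra's address to a file offset does
 * not clobber unrelated code. Returns 0 on success, -1 otherwise. */
int nop_call_at(uint8_t *image, size_t len, size_t off)
{
    if (off > len || len - off < CALL_REL32_LEN) return -1;
    if (image[off] != OP_CALL_REL32) return -1;
    memset(image + off, OP_NOP, CALL_REL32_LEN);
    return 0;
}

/* Apply the patch to a file in place: ./nopcall <binary> <hex file offset>
 * Only the five bytes at the offset are read and, if they are an E8 call,
 * rewritten; nothing else in the file is touched. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <binary> <hex file offset>\n", argv[0]);
        return 2;
    }
    long off = strtol(argv[2], NULL, 16);
    FILE *f = fopen(argv[1], "r+b");
    if (!f) { perror("fopen"); return 1; }
    uint8_t buf[CALL_REL32_LEN];
    if (fseek(f, off, SEEK_SET) != 0 || fread(buf, 1, sizeof buf, f) != sizeof buf) {
        fputs("read failed\n", stderr); fclose(f); return 1;
    }
    if (nop_call_at(buf, sizeof buf, 0) != 0) {
        fputs("no E8 call at that offset, not patching\n", stderr); fclose(f); return 1;
    }
    if (fseek(f, off, SEEK_SET) != 0 || fwrite(buf, 1, sizeof buf, f) != sizeof buf) {
        fputs("write failed\n", stderr); fclose(f); return 1;
    }
    fclose(f);
    puts("patched: call replaced with 5 x NOP");
    return 0;
}
```

Two caveats before using this on a real target: it only handles the 5-byte E8 form (an indirect `call [mem]` or `call reg` has a different length, and NOPing five bytes there would split an instruction), and removing a call keeps the stack balanced only if the callee did not clean up its own arguments; for a stdcall callee the pushes before the call would have to go as well. Use `call_target` to confirm the decoded destination is the print_Incorrect() address Ghidra shows before you write anything.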
Please Continue with reverse Engineering series
Will do!
I'm running ghidra on linux and using .bin instead of .exe. What is the equivalent of _mainCRTStartup in exports file? I cannot find which arguments are passed into main?
Good question! Lemme do some research and get back to you. Maybe that'll be my next video.
@@stryker2k2 Looking side by side it is just called main still under exports. I am running the linux binaries under a docker but stepping through with videos on the win32 binaries, same concepts, passing an env variable for like x07 is a little different, I did get pwd incorrect with 333331. Been a long time for me but want to maybe get in stock firmware RE (evil eye at my closed source 3d printer).
Wow, I'm doing the linux crackme files using Ghidra and for 0x06 I have no indication that it's an environment variable (even when changing parameter 3 aka Env to type char**). I thought it was a 3rd command line argument. Give it a shot and see if you find the same outcome :)
For the suggested challenge, would a buffer overflow work?
It has been over a year! But, yes... you are on the right track. Have you given it a shot? I am in the middle of making a "Buffer Overflow" series that demonstrates the solution to the challenge nearly perfectly.
Please, continue to part 3, please!!!
I just posted another one for you to follow along with! It's called "Reversing maldev.exe"
Thank you for your informative videos. They are very helpful.
I have one comment. When there is the sscanf function, you seem to consider the '%d' to be a cast to the value of the digit. So when there is a '1', you seem to consider it to convert to the value 1 (0x01). I believe that this is not what happens. It seems to me that the value would be whatever number represents the character '1'. In this case, if I have my numbers right, it would have the value of 49 (0x31).
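The sscanf behaviour discussed in the comment above can be checked directly rather than reasoned about. The following is an added example, not code from the video or from the crackme; it puts the two conversions side by side ("%d" versus "%c"), shows the `c - '0'` subtraction a decompiler prints as `c - 0x30`, and shows that "%d" started at some index consumes every following digit rather than a single one. The input strings are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* "%d" converts a run of decimal digits to their numeric value: the text
 * "1" becomes the integer 1. Returns 1 on success, 0 if no number could
 * be read (mirrors sscanf's own return value). */
int scan_as_int(const char *s, int *out)
{
    return sscanf(s, "%d", out) == 1;
}

/* "%c" stores one byte unchanged: the text "1" becomes 0x31 (49), the
 * ASCII code of the character, not the value 1. */
int scan_as_char(const char *s, int *out)
{
    char c;
    if (sscanf(s, "%c", &c) != 1) return 0;
    *out = (unsigned char)c;
    return 1;
}

/* Converting a single digit character by hand is the subtraction c - '0';
 * in a Ghidra listing it appears as `c - 0x30`. Non-digits give -1. */
int digit_value(int c)
{
    return (c >= '0' && c <= '9') ? c - '0' : -1;
}

/* "%d" is greedy: scanning from index i consumes every digit that follows,
 * not just one character. "333331" read from index 1 is 33331. */
int scan_int_at(const char *s, size_t i, int *out)
{
    if (i > strlen(s)) return 0;
    return sscanf(s + i, "%d", out) == 1;
}

int main(void)
{
    int v;
    if (scan_as_int("1", &v))  printf("%%d on \"1\"  -> %d\n", v);
    if (scan_as_char("1", &v)) printf("%%c on \"1\"  -> %d (0x%02x)\n", v, v);
    printf("digit_value('1') -> %d\n", digit_value('1'));
    if (scan_int_at("333331", 1, &v)) printf("%%d from index 1 of \"333331\" -> %d\n", v);
    return 0;
}
```

When reading a decompiled check routine, this is the distinction to keep straight: a `%d` call on a buffer produces the number the digits spell, a `%c` call (or a plain byte load) produces the character code, and a loop that wants one digit at a time must either use `%c` plus the subtraction or index a single character, because `%d` will not stop after one digit.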
Is there a way to have the rename of a variable pass the renaming to parameters in subsequent functions? Let's say I rename local_0 to myInput. Then I pass that variable into myFuntion(myInput), but when you step into that function the function signature still reads myFuntion(param1). I want the rename to pass along to function parameters so when you step into the function the parameter name is passed on also: myFuntion(myInput) {}. That way you save yourself the rename step, or if you go into that function from another location it's already named, giving you more idea as to what the parameter is.
AND, bonus for vice versa. If you're in a function and rename a parameter, anywhere that function is called, the variable passed in should be renamed to whatever you renamed the parameter. So when you look at xrefs you can see clearly what the variable is already.
19:35 What you're describing is an XNOR.
AND means they both have to be 1, so "being the same" is insufficient (0 AND 0 = 0, but 0 XNOR 0 = 1).
I'm sure you know that -- I'm just leaving this comment here for the benefit of any confused viewers
Excellent catch! Thank you for highlighting that and you're 100% right!
@@stryker2k2 I couldn't quickly figure out how to get to the "wtf"s, though. I'm wondering if it's some obvious trick or if it'll require some sort of arbitrary code execution vulnerability.
I hope you cover it in a follow up, because otherwise I'll have to either find it myself or go insane trying (so far I'm just watching these without installing Ghidra myself).
You just get 1 more subscriber!
I think the "wtf" code in 0x07, 0x08 are rabbit holes. The execution never gets there. It serves to lead you awry.
I think so too! My guess is that it was developer debugging code that was meant to be deleted once the program was completed. But... I still want to find a way in! Haha!
@@stryker2k2 you could of course change the code (for example NOP the exit call) but just typing in another password won't work I think
Did you find out a way to reach the "wtf" code? I can't see any way to reach there apart from 'nop'ing exit calls or some other parts.
That's the only thing I can think of. Just overflowing a buffer then putting the wtf address in there... but, that's cheating. I really think the developer of CrackMe just put it there for as a debug message.
@@stryker2k2 I have sent a message to the person who made these CrackMes. Let's wait for his response:-)
Maijin replied. Unfortunately, it was not Maijin that developed those CrackMes. But he told me the name of the original creator. Let me try our luck with him:-)
@@nirmalmanoj Ooooo, you have piqued my interest! Please let me know what they say!
@@nirmalmanoj Did you get anything?
What skills are required? Thank you for the video!
Howdy Neil! A strong knowledge of C-programming and/or Assembly would be nice!
If you aren't strong in either one of those... then you'll need the skills of patience and ability to Google :D
@@stryker2k2 indeed
How much knowledge of C is required to be a good Reverse Engineer? Any other languages you recommend studying? Thanks for this awesome series.
A junior level understanding of C is nice to have when beginning RE. That is probably the best language you could know to assist with RE. Having a good understanding of Object oriented programming would be good to have as well. The deeper understanding of Ghidra and C programming comes through practice and experience.
Assembly does not hurt as well.
@@macaulayakin2154 Well, C++ is C AND it's object oriented, so I'm learning C++ :)
You either need to fully understand C or Assembly. I am more comfortable with C/C++ myself, so I use the C-decompiler a lot!
If you are weak at C and/or Assembly... you can still Reverse Engineer well... if you know how to Google :D
Hi, great tutorial, I like it! So I subscribed, but for the little challenge, apart from cheating in asm and putting a jmp to print wtf?, I can't see a way, so I hope you will continue the series.
For now I think Kevin Afton is right! The program can't go there.
I'm a newbie with Ghidra and your series is great to learn it!
Thanks for all...
Howdy Claude! I'm glad you're enjoying the content! I just posted another one for you to follow along with!
I subscribed.
Awesome!
Can you get "wtf" using some fuzzing technique?
That is an excellent idea. I might try that! I have this feeling that "wtf" was original debugging code and was meant to be deleted... but, I sooo want to find a way to get there anyways!
@@stryker2k2 did you find out how to do it?
That's crazy, I would like to understand why the code 5656488412321564 works fine with crackme0x07 if you have set the env var, of course!
I guess it is 'cause of integer overflow: ua-cam.com/video/HXXCdVuGm70/v-deo.html
It also works with a number of 8s greater than 8
Maybe the code I wrote is the Windows 10 product key
Anything is possible
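The "integer overflow" guess in the exchange above is something you can test rather than assume. Below is an added example, not code from the video or from crackme0x07: it parses the two inputs mentioned in this thread (5656488412321564 and 333331) as whole numbers, reports whether each fits in a 32-bit int at all, and computes what the low 32 bits would be if such a value were stored in a 4-byte variable anyway. Whether that wrapped value satisfies the crackme's own check depends on logic this thread does not show, and note that the C standard leaves sscanf("%d") on out-of-range text undefined, so what the real CRT stores is implementation-specific; the wrap computed here is the well-defined two's-complement case.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { FITS_INT = 0, TOO_BIG_FOR_INT = 1, NOT_A_NUMBER = -1 };

/* Parse the whole string as a decimal integer and report whether it fits
 * in a 32-bit int. *full receives the value as a long long (clamped by
 * strtoll if it does not even fit in 64 bits, which also counts as too
 * big). Trailing garbage makes the whole input NOT_A_NUMBER. */
int classify_int_input(const char *s, long long *full)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (end == s || *end != '\0') return NOT_A_NUMBER;
    *full = v;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX) return TOO_BIG_FOR_INT;
    return FITS_INT;
}

/* The low 32 bits of the value reinterpreted as a signed int: what a
 * two's-complement wrap leaves in a 4-byte variable. Reduction to
 * uint32_t is defined modulo 2^32 and memcpy avoids the implementation-
 * defined signed conversion, so this is well-defined C. */
int32_t wrap_to_int32(long long v)
{
    uint32_t lo = (uint32_t)v;
    int32_t out;
    memcpy(&out, &lo, sizeof out);
    return out;
}

int main(void)
{
    /* Inputs taken from the discussion above. */
    const char *inputs[] = { "5656488412321564", "333331", "88888888" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long long full = 0;
        int r = classify_int_input(inputs[i], &full);
        if (r == NOT_A_NUMBER) {
            printf("%s: not a number\n", inputs[i]);
        } else if (r == TOO_BIG_FOR_INT) {
            printf("%s: does not fit in int; low 32 bits as int = %d\n",
                   inputs[i], (int)wrap_to_int32(full));
        } else {
            printf("%s: fits in int (%lld)\n", inputs[i], full);
        }
    }
    return 0;
}
```

Running this shows 5656488412321564 is far beyond INT_MAX (2147483647), so if the crackme stores the parsed value in an int the variable cannot hold the number you typed; the next step in verifying the overflow theory would be to watch the actual stored value in x64dbg right after the sscanf call.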
36:17 that wasn't FUN :(
It's the best kind of 'FUN'