1
00:00:00,780 --> 00:00:01,230
Hello.

2
00:00:01,530 --> 00:00:07,710
In this video, we are going to use x64dbg to study the hook at a low level.

3
00:00:08,640 --> 00:00:11,160
So let's use x64dbg to reverse engineer.

4
00:00:12,080 --> 00:00:16,140
So, OK, let's close this previous one.

5
00:00:17,250 --> 00:00:19,500
And we're going to rerun the target again.

6
00:00:21,910 --> 00:00:22,270
All right.

7
00:00:22,420 --> 00:00:29,890
So now it's running; attach x64dbg to it. This is before we version to it.

8
00:00:32,960 --> 00:00:36,620
And then over here, my option preferences are as follows.

9
00:00:37,940 --> 00:00:45,420
So I just click on File, click on Attach and then select the target for -- attached to.

10
00:00:47,560 --> 00:00:48,640
And then click right.

11
00:00:51,530 --> 00:01:00,710
And then here, in Symbols, you are going to look at the MessageBox API, so the MessageBox API

12
00:01:00,710 --> 00:01:01,970
comes from user32.dll.

13
00:01:02,660 --> 00:01:04,130
And here you can search for it.

14
00:01:05,720 --> 00:01:09,410
Type "message box" and the first one is the one we want.

15
00:01:09,950 --> 00:01:13,580
So double click on it and I put a breakpoint here.

16
00:01:13,610 --> 00:01:18,050
You can put a breakpoint by right-clicking and selecting Breakpoint, Toggle.

17
00:01:19,500 --> 00:01:22,260
Or you can use the shortcut key, which is F2.

18
00:01:22,770 --> 00:01:25,430
So now I've got a breakpoint on the MessageBox here.

19
00:01:25,470 --> 00:01:27,090
Take a look at the instruction.

20
00:01:27,090 --> 00:01:29,910
It's some respiratory and so on.

21
00:01:31,080 --> 00:01:31,410
All right.

22
00:01:31,590 --> 00:01:36,390
So now let us inject our DLL and see what happens to this instruction.

23
00:01:37,260 --> 00:01:41,220
So to inject, we're going to use Process Hacker again.

24
00:01:42,430 --> 00:01:49,990
So we have our Process Hacker here, select your target for who could replicate and click on Miscellaneous

25
00:01:49,990 --> 00:01:51,030
and Inject.

26
00:01:51,040 --> 00:01:51,460
Yeah.

27
00:01:52,600 --> 00:01:57,160
And so like Yahoo, could you open, so it is already injected?

28
00:01:57,670 --> 00:02:06,190
So now let's reanalyze this region so the code is shown correctly, and over here, go to Analysis.

29
00:02:06,880 --> 00:02:07,900
Analyze module.

30
00:02:08,980 --> 00:02:12,360
And now you can see the instruction has changed to a jmp.

31
00:02:13,320 --> 00:02:21,030
That means Detours has inserted the hook and caused it to jump in one city, jump to the trampoline.

32
00:02:21,630 --> 00:02:23,780
It has replaced the original code with the jmp.

33
00:02:25,350 --> 00:02:35,120
And if you come back to our original point diagram, you can see here the target function has been replaced

34
00:02:35,130 --> 00:02:35,700
with a jmp.

35
00:02:36,720 --> 00:02:38,970
That's why you are seeing this jmp here.

36
00:02:40,110 --> 00:02:47,010
And then whatever was previously there has been copied to the trampoline, which is another memory.

37
00:02:47,940 --> 00:02:49,590
So this is handy too as well.

38
00:02:49:920 --> 00:02:51,330
And if you continue now.

39
00:02:53,040 --> 00:02:54,540
The press presenter.

40
00:02:57,880 --> 00:03:04,160
You can put a breakpoint here if you have not done so previously, OK?

41
00:03:04,740 --> 00:03:06,090
And so here's a breakpoint.

42
00:03:06,840 --> 00:03:08,430
And now let's step over.

43
00:03:08,760 --> 00:03:10,110
It jumps to your trampoline.

44
00:03:11,210 --> 00:03:11,930
Chance again.

45
00:03:12,950 --> 00:03:14,600
And this is your example in.

46
00:03:16,500 --> 00:03:16,830
Right.

47
00:03:18,370 --> 00:03:21,730
So now let's click on this one from two years ago.

48
00:03:23,540 --> 00:03:24,440
Just click on.

49
00:03:28,010 --> 00:03:29,420
Click on Execute till return.

50
00:03:33,090 --> 00:03:34,540
Again, this is.

51
00:03:35,670 --> 00:03:38,940
I mean, unmodified, so now you are inside

52
00:03:38,970 --> 00:03:40,290
your original code.

53
00:03:42,950 --> 00:03:53,240
All right, so this is how the whole thing works at a low level, using x64dbg to do the reverse engineering.

54
00:03:53,590 --> 00:03:55,340
Good, thank you for watching.