1
00:00:00,460 --> 00:00:05,170
Hello and welcome to the lesson on reverse engineering IAT hooking.

2
00:00:06,220 --> 00:00:08,830
So let us now run the target again.

3
00:00:08,920 --> 00:00:09,760
IAT target.

4
00:00:13,560 --> 00:00:18,900
The first message box has popped up, there is a test show for the big three.

5
00:00:19,440 --> 00:00:24,330
So click on this easy for we were showing a big opening.

6
00:00:26,320 --> 00:00:31,390
And then attach to the first target, to the IAT target.

7
00:00:36,320 --> 00:00:40,220
And then click run over here next.

8
00:00:40,430 --> 00:00:42,770
We are going to go to the

9
00:00:44,180 --> 00:00:47,990
memory map and look for the

10
00:00:49,300 --> 00:00:52,390
text region of the memory, which is here.

11
00:00:54,030 --> 00:01:01,260
IAT target, double click on that and you will see the three message boxes in the text region.

12
00:01:02,970 --> 00:01:04,200
And this is the one.

13
00:01:06,340 --> 00:01:08,430
That is the second message box.

14
00:01:10,030 --> 00:01:10,360
All right.

15
00:01:11,560 --> 00:01:20,470
So according to our code, it is supposed to intercept and stop the second and third message box from

16
00:01:20,470 --> 00:01:20,860
showing.

17
00:01:22,540 --> 00:01:28,180
So let's see, let's see this function in the memory.

18
00:01:29,260 --> 00:01:31,240
Yeah, the table.

19
00:01:32,260 --> 00:01:41,290
So right click on this and then click on Follow in Dump and select constant IAT target message box.

20
00:01:41,920 --> 00:01:44,410
Click on this and you will find here.

21
00:01:45,070 --> 00:01:52,110
This is the address that contains the address of the function for MessageBoxA.

22
00:01:54,250 --> 00:01:56,620
And you can see the pattern of the here.

23
00:01:58,030 --> 00:02:11,090
Now we are going to attach our DLL, so click on the target and then Scylla, Miscellaneous and in.

24
00:02:11,550 --> 00:02:11,980
Yeah.

25
00:02:13,450 --> 00:02:19,380
Select DLL inject -- open, and watch what happens to this address here.

26
00:02:19,960 --> 00:02:22,240
Cali's v Chelsea nine.

27
00:02:23,660 --> 00:02:26,210
So you can open.

28
00:02:29,490 --> 00:02:32,280
And you see the address immediately changes to 10, 10 to three.

29
00:02:33,240 --> 00:02:40,410
That means you have successfully injected our own function into this address to replace the original

30
00:02:40,410 --> 00:02:40,620
one.

31
00:02:42,030 --> 00:02:48,660
So this is a low level look when we do reverse engineering for the IAT.

32
00:02:49,590 --> 00:02:55,020
OK, so now if you continue to run, OK?

33
00:02:56,310 --> 00:02:59,060
You see that the message box doesn't pop up.

34
00:02:59,340 --> 00:03:06,930
This is expected because we intercepted the second and third message box here.

35
00:03:08,460 --> 00:03:10,560
We do not allow the in a separate issue.

36
00:03:11,250 --> 00:03:18,570
If you wanted to, you could try this second experiment by uncommenting this and forwarding everything

37
00:03:18,570 --> 00:03:19,860
to the original message box.

38
00:03:20,130 --> 00:03:21,000
And it should pop up.

39
00:03:21,750 --> 00:03:33,840
And you can even continue the experiment by commenting this out and uncommenting these two to only target

40
00:03:33,840 --> 00:03:35,220
the second message box.

41
00:03:36,750 --> 00:03:40,770
So that's all for the reverse engineering of IAT hooking.

42
00:03:41,190 --> 00:03:42,420
Thank you for watching.