[00:00:00] Hello and welcome to the lesson on the exploration of the functions and APIs used in inline hooking.

[00:00:10] So again, download this project, number 14, the inline patching project, unzip it and put it in this main folder. Along with this file, you should also download another file, which contains some useful links as references that accompany this lesson.

[00:00:36] Inside this folder, you will find three files: the compile script, which will be used to compile the patcher, as well as the target and the patcher.

[00:00:48] Let's first open the target. It is the same file we used previously. All it does is print a message to the console to inform the user that the target for the patcher is starting, and it will then show three message boxes consecutively. After these messages, finally, it will show a console message, "target for hooking is exiting", at the end of the program.

[00:01:22] Now let us study the patcher itself. Open it in Notepad++. In here, you will find that the main starts here. This is the DllMain, and it has got the attach case. So once the DLL is attached to the target, it will call this new function called HookAndPatch. So HookAndPatch is over here.
[00:01:57] So over here, it accepts one parameter, the modified message box. In this case, we are trying to intercept the API call MessageBox and set our own modified MessageBox. So over here, you need to pass the address of the function called modified message box. Modified message box is the same function we used previously over here. So inside you see the same code. So once you've passed this modified message box address to the HookAndPatch function, it will call that function here. This is where it is being defined.

[00:02:49] So the first thing is you save the address, the original address, of the MessageBox API. So it is referring to this step here, where you save the original address of the target function.

[00:03:09] The second thing is it will copy the original instruction bytes to a safe, separate location in memory. So that is referring to this third step, save the bytes of the original function. And the purpose of these two steps, the purpose of doing these two things, is so that later on, if you want to, you can optionally revert back to the original function, so that you can continue running the function as it was originally intended to run. So that's why we're doing this, to save it.

[00:03:54] So in order to save the original instructions, we use a new API we have never seen before.
[00:04:03] It is called ReadProcessMemory. For ReadProcessMemory, you can refer to the MSDN. It accepts all of these parameters. The first parameter is to get the current process, because it is trying to modify the address space of the running process. And then the second parameter is the address where the original MessageBox API is found, referring to this. And then the third parameter is the buffer where you are going to store the instructions. And after that it uses the size, the size of the original instruction. So it says the instruction size is a constant, which is defined up here. It is a constant. So your instruction will be 14 bytes. And then the last parameter, that is a pointer to the size. So the last part is not important.

[00:05:23] So after you've copied this to the saved location, you have a copy of the original instructions.

[00:05:30] The next step is to prepare the patch. You are going to prepare the bytes that you're going to use to patch the function that is running in memory. So you prepare a string of characters 14 bytes long, because the instruction that we are going to use is 14 bytes long. So we use memcpy and copy the first bytes, FF and 25 in hex, which means the JMP instruction.
[00:06:02] So the JMP instruction is FF 25, followed by four null bytes. Null, null bytes that follow it. So this is the JMP instruction. And then after that, from the seventh, from the eighth byte until the 16th byte, we are going to copy the address of our modified message box, which here is referred to as the hooking function. So this function is what is being passed to this function over here, and that refers to our modified message box. So modified message box is going to replace the original function.

[00:06:44] So after you finish this instruction, we have a string of bytes ready to be used to replace the original instruction. And that is what you are doing in the next instruction, on this line here, by calling WriteProcessMemory.

[00:07:04] So WriteProcessMemory, you can refer to it over here; it accepts five parameters. The first parameter is again to get the current process ID. And then the second parameter is the address, the base address, where you are going to overwrite. And then the next one is the patch itself, which you created up here. So this is the new function, the new instruction which you are injecting here, that is going to jump to your hooking function.
[00:07:49] And so your function is actually consisting of the JMP instruction, followed by the address you are jumping to. So this is what you are injecting. This is what you're going to use here to patch this address, and then the size. And finally, how many bytes have been used.

[00:08:10] Finally, you print "MessageBox has been hooked" to the console, and also the modified message box address, as well as the original base address over here. So this is how it works.

[00:08:24] So once it has done the patching, you have accomplished this step, step four. So now the function is ready. Whenever the target calls this function, it will use your function, which you used to replace the original one. So it's going to run your function instead of the original MessageBox function.

[00:08:50] And then optionally, you can also put back all these bytes you copied here, up here, the original instruction. So you can do that by using these two instructions here. So inside your modified message box, you actually perform your modified function, and then after that you restore whatever was previously copied by using WriteProcessMemory.

[00:09:29] So WriteProcessMemory here is used to copy back the original bytes into the address of the MessageBox.
[00:09:39] Again, here this is used to show your message box. And here it calls it back again to reset your message box, your modified message box. Okay, so this is how you can use WriteProcessMemory to restore the original function.

[00:10:03] So that's all for the examination of the code, the use of the APIs and functions used in this inline patch method. So in the next lesson, you are going to do some practical walkthroughs for this lesson. Thank you for watching.