1
00:00:00,680 --> 00:00:03,490
Welcome to reverse engineering, best-looking.

2
00:00:04,070 --> 00:00:15,080
So now we are going to run our target and inject the DLL and then analyze it.

3
00:00:15,620 --> 00:00:19,880
Reverse engineering, we actually begin and see how it works internally.

4
00:00:20,420 --> 00:00:23,190
So let us first start our target for hooking.

5
00:00:24,560 --> 00:00:27,020
So this is what we see now.

6
00:00:27,020 --> 00:00:30,040
We are going to inject our DLL.

7
00:00:31,070 --> 00:00:35,870
So we use Process Hacker. Select the target for hooking.

8
00:00:36,830 --> 00:00:45,560
And then before we inject the DLL, let's first attach our x64dbg to it.

9
00:00:46,160 --> 00:00:49,280
So open your 64-bit version of x64dbg.

10
00:00:50,530 --> 00:00:54,980
And then attach by clicking File, Attach.

11
00:00:56,300 --> 00:00:58,300
Select your target for hooking.

12
00:00:59,750 --> 00:01:00,860
And then click on Run.

13
00:01:02,480 --> 00:01:09,920
Now, let's go to the Symbols tab. I previously put two breakpoints; let me remove those

14
00:01:09,920 --> 00:01:10,250
first.

15
00:01:11,390 --> 00:01:21,980
So let's go to the Symbols tab and look for the MessageBox API from user32.dll, so you can

16
00:01:21,980 --> 00:01:29,810
here start typing MessageBox and you will find it here; the first one is the one we want.

17
00:01:30,080 --> 00:01:34,190
So double-click on this and you will see this, the MessageBox API.

18
00:01:34,970 --> 00:01:36,560
Notice the instruction here.

19
00:01:37,220 --> 00:01:41,900
Now we are going to inject our DLL.

20
00:01:42,390 --> 00:01:42,910
Yeah.

21
00:01:42,950 --> 00:01:44,990
So let's go to Process Hacker.

22
00:01:45,590 --> 00:01:47,630
Right-click on target for hooking.

23
00:01:48,080 --> 00:01:51,230
Click on Miscellaneous and then Inject DLL.
24
00:01:51,680 --> 00:01:58,070
And select our DLL and then see what happens to our instruction in the debugger.

25
00:02:00,910 --> 00:02:08,560
You come back here now, right-click on this to refresh, so go through this, Analysis, and then Analyze, and

26
00:02:08,560 --> 00:02:10,600
you see the instructions have changed.

27
00:02:12,430 --> 00:02:15,130
So this is the patch, the memory patch.

28
00:02:15,610 --> 00:02:24,880
So this memory patch you can see is coming from your hooking code, which is down here, when you

29
00:02:25,630 --> 00:02:26,530
WriteProcessMemory.

30
00:02:27,880 --> 00:02:34,720
So what you're doing here is copy your patch over to the original address of the MessageBox.

31
00:02:35,590 --> 00:02:36,940
So the patch, actually.

32
00:02:37,940 --> 00:02:49,340
The patch bytes are FF 25, as you can see here; the first instruction is FF 25, and then followed by four

33
00:02:49,340 --> 00:02:54,200
nulls over here, one two three four, four bytes: one two three four.

34
00:02:55,160 --> 00:03:02,840
After that, you follow it with 8 bytes of the address, which is 30 11 32

35
00:03:02,840 --> 00:03:06,070
00 00 00 00 00.

36
00:03:06,230 --> 00:03:08,120
So these are 8 bytes of address.

37
00:03:08,870 --> 00:03:10,670
Just ignore the instructions here.

38
00:03:11,240 --> 00:03:16,270
This is the debugger's attempt to interpret this as mnemonics.

39
00:03:16,760 --> 00:03:22,340
So these are not actually instructions; this is the address of the modified function.

40
00:03:23,300 --> 00:03:23,630
OK.

41
00:03:23,660 --> 00:03:28,910
You can also analyze this correctly by following down the address.

42
00:03:28,910 --> 00:03:36,230
And you can see down here the instruction jmp, FF 25, so you can go back and come back here

43
00:03:37,760 --> 00:03:40,990
after you have the FF 25 and the four null bytes.
44
00:03:41,670 --> 00:03:48,740
Then you have your address, the address of your modified MessageBox, so you can see here it is the

45
00:03:48,740 --> 00:03:56,990
same as this one: modified MessageBox is at 321130, 321130.

46
00:03:57,530 --> 00:03:58,940
So this is 8 bytes here.

47
00:04:00,150 --> 00:04:03,300
One, two, three, four, five, six, seven, eight bytes.

48
00:04:04,330 --> 00:04:06,460
This one is six bytes, the jmp instruction.

49
00:04:07,150 --> 00:04:12,370
This is 8 bytes, the hooking address for our modified MessageBox.

50
00:04:13,300 --> 00:04:16,580
So this whole line here is 14 bytes.

51
00:04:16,990 --> 00:04:22,060
From here to here is actually what we created using a memcpy.

52
00:04:22,870 --> 00:04:26,800
We have copied two bytes here and then followed by four null bytes.

53
00:04:27,170 --> 00:04:28,330
Then it's six bytes.

54
00:04:28,360 --> 00:04:28,630
Yes.

55
00:04:28,630 --> 00:04:30,390
Well, we put plus six as offset.

56
00:04:31,360 --> 00:04:35,020
So byte six here takes you to the 8 bytes.

57
00:04:35,680 --> 00:04:42,720
So for the remaining 8 bytes we put in the address of the hooking function, which we receive, recall,

58
00:04:42,730 --> 00:04:45,730
who in batch silver we call who invest.

59
00:04:45,760 --> 00:04:50,230
Remember we passed the modified MessageBox address, which is this one.

60
00:04:50,830 --> 00:04:53,440
So that is what this is pointing to.

61
00:04:54,640 --> 00:04:54,970
All right.

62
00:04:55,360 --> 00:04:57,520
So now you can put a breakpoint here.

63
00:04:59,380 --> 00:05:01,600
Toggle breakpoint and then run.

64
00:05:02,650 --> 00:05:06,550
So now we come back here and you click OK here; it hits our breakpoint.

65
00:05:07,870 --> 00:05:11,540
And now it is going to jump to our modified MessageBox.

66
00:05:11,560 --> 00:05:14,380
So let's follow it by clicking

67
00:05:14,680 --> 00:05:15,430
Step over.
68
00:05:16,630 --> 00:05:22,420
So now it jumps to our modified MessageBox, so we are inside our modified MessageBox function

69
00:05:22,420 --> 00:05:22,810
over here.

70
00:05:23,710 --> 00:05:32,230
So if you run, run, run... you can put a breakpoint here; actually that will make it easier.

71
00:05:32,680 --> 00:05:36,340
So now it hits our breakpoint again, right?

72
00:05:36,340 --> 00:05:44,560
It's inside the modified MessageBox and then that's going to show a message here.

73
00:05:45,070 --> 00:05:46,030
So let's step over.

74
00:05:49,130 --> 00:05:54,290
And come back here, you see a new message has been shown; a message box popped up on screen.

75
00:05:54,740 --> 00:05:59,810
And that is because in our modified MessageBox function, we are printing this line.

76
00:06:00,360 --> 00:06:07,550
And that's why you're seeing this, and it is coming from this code and the parameters just now.

77
00:06:09,750 --> 00:06:11,430
Here, second message was:

78
00:06:13,020 --> 00:06:14,850
Modified MessageBox, this is a parameter.

79
00:06:15,900 --> 00:06:16,260
All right.

80
00:06:16,380 --> 00:06:21,690
So now if we run again, we hit our MessageBox

81
00:06:22,810 --> 00:06:31,630
breakpoint the second time; it means it's going to call our injected code a second time, a second time

82
00:06:32,350 --> 00:06:36,490
because it is going to try to show the message box.

83
00:06:37,270 --> 00:06:43,120
So now if we jump by stepping over, we jump again to our modified version.

84
00:06:44,200 --> 00:06:51,460
And if you hit here, right, you have a call here, which is going to show our message again.

85
00:06:52,680 --> 00:06:55,320
This message is going to show this again.

86
00:06:55,950 --> 00:06:57,900
And you can see the parameter here is where.

87
00:07:00,140 --> 00:07:06,560
Well, if I step over, a message is supposed to pop up on screen, so we step over; it's going to show this

88
00:07:06,560 --> 00:07:07,010
message.
89
00:07:09,400 --> 00:07:13,050
And then you see in the console, true enough, it's there.

90
00:07:14,020 --> 00:07:15,550
OK, so you can run all the way.

91
00:07:17,400 --> 00:07:20,580
We can also do some additional experiments from over here.

92
00:07:21,480 --> 00:07:24,600
One: if you want to restore the original bytes.

93
00:07:25,080 --> 00:07:27,360
So we just have to uncomment this line.

94
00:07:28,390 --> 00:07:37,410
Once you restore the bytes, we can now call the original MessageBox by using the function pointer

95
00:07:37,410 --> 00:07:39,690
there, which we saw earlier over here.

96
00:07:40,500 --> 00:07:45,510
So this is a function pointer containing the address of the original MessageBox, so you can actually

97
00:07:45,510 --> 00:07:50,970
call it here after you restore the bytes that we copied from here.

98
00:07:52,970 --> 00:07:58,610
Oh, here we actually copy some of the original bytes to this location in a buffer.

99
00:07:59,030 --> 00:08:03,110
So now we can restore it by writing them back.

100
00:08:03,400 --> 00:08:05,870
Eight bytes, to here and here.

101
00:08:05,900 --> 00:08:10,460
We can then call the original function, going to the original MessageBox.

102
00:08:10,910 --> 00:08:13,190
So let's compile this and see what happens.

103
00:08:14,340 --> 00:08:18,720
So this compiled; we can run it. First...

104
00:08:24,130 --> 00:08:24,580
All right.

105
00:08:24,760 --> 00:08:34,870
So now we can run it; we run our target first and then we inject our DLL.

106
00:08:35,140 --> 00:08:39,160
Right-click on this, Miscellaneous, Inject our DLL.

107
00:08:40,780 --> 00:08:41,170
All right.

108
00:08:41,380 --> 00:08:43,270
So now the DLL has been injected.

109
00:08:44,530 --> 00:08:45,790
Maybe, maybe.

110
00:08:45,790 --> 00:08:48,850
Click on this.

111
00:08:50,020 --> 00:08:50,610
OK.

112
00:08:51,400 --> 00:08:53,690
It's going to show our message box.

113
00:08:53,710 --> 00:08:54,160
Why?
114
00:08:54,610 --> 00:09:03,730
Because this restored the original instructions by copying back the bytes, which we copied here

115
00:09:03,760 --> 00:09:10,030
earlier; we saw here now we are copying back to the original address, and then we are calling the

116
00:09:10,030 --> 00:09:15,070
original function pointer, the original function pointer of the MessageBox.

117
00:09:16,030 --> 00:09:17,230
That's why you're seeing this.

118
00:09:17,830 --> 00:09:19,840
After that, you can hook it back.

119
00:09:19,840 --> 00:09:24,880
If you want to, in this case showing it, it takes a message.

120
00:09:24,880 --> 00:09:25,510
You click OK.

121
00:09:26,290 --> 00:09:37,150
So this is how we can restore what we have copied, and it allows us to call the original function.

122
00:09:38,530 --> 00:09:43,150
And then if you want to re-hook, you just have to comment this line and re-hook it.

123
00:09:44,290 --> 00:09:48,700
OK, so that's all for the reverse engineering of inline patching.

124
00:09:49,240 --> 00:09:51,370
Thank you for watching.