[00:00:00] Hello, and welcome back to a new lesson. You are going to do the practical walkthrough of advanced function obfuscation by implementing our own custom Win32 API function. And we are going to do the third one here, but at the same time, we are going to revisit all the earlier methods: the first one, then the second one, string obfuscation. And then we are going to do the advanced one here. So let's get started.

[00:00:27] So download this project, called 04 advanced function obfuscation, unzip it and put it in this directory. OK, let me open it, and you will find three folders. And there's also an encryption script, which we used in the first course in order to create the encrypted string name for VirtualAlloc.

[00:00:48] So in version one, here you have two files. And if you open this now in Notepad, you will see that it is the original program, which is not obfuscated in any way. You have a plain VirtualAlloc call. So let's try to build this now and see what happens. Then we'd try to look for it, I mean, in PE Studio. So let's copy this path now. Open your x64 Native Tools command prompt and cd to the directory, and then call the compile version one batch script, and then now we can run it.

[00:01:38] And as you can see, when you run the EXE, it opens up as usual. OK, now let's try to look at it using PE Studio and see whether we can detect the VirtualAlloc. We are only taking VirtualAlloc as an example; you could do it for any of the functions. So let's drop this into PE Studio for it to analyze. It has completed its analysis. Now take a look at the imports, and if you go down to the memory group, you can see VirtualAlloc. And then here, if you go to strings, and you click on this to sort ascending, and you scroll all the way down, you will find VirtualAlloc there as well; VirtualAlloc here is a string as well.

[00:02:43] And so that's why we want to hide this string, VirtualAlloc, as well as hide VirtualAlloc here as well. So to do that, we come up with version two. So let's open version two. And in this version two, we use dynamic API loading. Here you use GetProcAddress, and then GetModuleHandle. And then we obfuscate the VirtualAlloc string with XOR encryption, and then put it here as the encrypted string for VirtualAlloc. And then over here you have the decryption key as well. And during the runtime, you call the XOR decrypt function in order to decrypt the encrypted string and overwrite it back to its original string. And it passes through here as the second parameter to GetProcAddress, and GetProcAddress will dynamically look for this VirtualAlloc during runtime and return here, and then we call it here.

[00:03:40] So let's build it now. We change directory first to version two, and then call the compile version two batch script. All right, so it's compiled, and now we run it. Let's run the EXE and take a look. So it looks OK. Now let's analyze this with PE Studio. So close this one in PE Studio and open the version two, which is this one, and analyze the imports and the strings.

[00:04:33] Now that it has finished analyzing, click on imports and go to the memory group, and you will find VirtualAlloc is gone. It has been obfuscated. Go to strings and scroll down to the V section. Click on sort ascending first and then scroll to the V section. And you find that VirtualAlloc is also gone. So we have managed to obfuscate it using encryption. Now let's take a look at version three.

[00:05:09] So if you open version three, you find some additional folders here. You have the MyAPI.h here for the header file. This contains the function prototypes, and then the MyAPI.cpp contains the function definitions for our two customized functions, which I already explained to you in a high-level view. If you understood the high-level explanation which I gave to you in the previous lesson, that should be good enough to get you going. So now what is important is how do we use this user-defined GetProcAddress and user-defined GetModuleHandle.

[00:05:59] So let's take a look at version three over here. So if you open version three, you will find now that we are using our own custom GetProcAddress and GetModuleHandle. Now you can see you are using the customized GetProcAddress that you have defined here, and also the customized GetModuleHandle defined here, which is defined in MyAPI.cpp. So here, as you can see, the difference now is these two functions are customized.

[00:06:36] OK, so let's try to build it now and change directory to version three. Let's clear the screen and call the compile batch script. All right, it's built. So now let's try to run this, and it looks OK. So now let's try to examine this again, so open this in PE Studio. And examine version three; let it analyze.

[00:07:17] Click on the imports and then you go down to memory; VirtualAlloc is also not there. And if you go to strings and you click on value, click on this to sort ascending and scroll down to V; VirtualAlloc is also not there. OK, so this is how to obfuscate your function calls as well, by creating your own GetProcAddress and GetModuleHandle. So that's all for this video. Thank you for watching.