1 00:00:01,170 --> 00:00:11,460 Hello and welcome. In this lecture, I'm going to analyze the wishing tree obfuscated function in PEStudio,
2 00:00:11,460 --> 00:00:17,400 so I drag the wishing tree to PEStudio.
3 00:00:18,630 --> 00:00:28,200 If you head over to the imports group now and scroll all the way down to Dynamic Link Library.
4 00:00:28,680 --> 00:00:32,090 You can still see that GetProcAddress here and GetModuleHandle
5 00:00:32,250 --> 00:00:37,500 are still visible; however, these two are not included by our program.
6 00:00:38,460 --> 00:00:44,910 It is loaded by the loader operating system for Windows, so it is quite safe.
7 00:00:45,730 --> 00:00:50,910 Now you can confirm that by opening x64dbg 64-bit.
8 00:00:55,960 --> 00:01:02,980 Make sure your option preferences, high schools and then open our tree.
9 00:01:07,300 --> 00:01:09,010 And then we will put a breakpoint.
10 00:01:10,840 --> 00:01:16,750 Go to kernel32 and look for GetProcAddress
11 00:01:23,680 --> 00:01:25,720 and put breakpoints on both of these.
12 00:01:30,180 --> 00:01:39,300 Check to make sure check to make sure that your for any set and then right now it's on GetProcAddress.
13 00:01:39,870 --> 00:01:49,230 But if you take a look at the X in the second parameter for get from, if it's not being called or used
14 00:01:49,230 --> 00:01:58,530 in by our movie, it is used by the operating system loader, which many loads you will use to GetProcAddress.
15 00:01:59,370 --> 00:02:00,900 So this is nothing suspicious.
16 00:02:00,900 --> 00:02:03,060 It'll run again.
17 00:02:03,630 --> 00:02:06,000 It from addresses hit again the same empty.
18 00:02:08,370 --> 00:02:14,760 No, it is capable address dress is using address as a lock.
19 00:02:15,360 --> 00:02:22,350 Again, it is not something that is used by our military, our members using VirtualAlloc and
20 00:02:22,350 --> 00:02:26,550 you will never you will never find what you are being used by a proper address.
21 00:02:26,820 --> 00:02:37,950 Because if you quiz Katie, using our own customized GetProcAddress building right now is ever have a set
22 00:02:37,950 --> 00:02:38,370 value.
23 00:02:42,190 --> 00:02:45,190 Same now is initialized critical sections.
24 00:02:47,680 --> 00:02:54,670 And again, at least a look at as good value.
25 00:02:57,460 --> 00:03:00,460 Set value, not strings
26 00:03:04,420 --> 00:03:07,500 for ABC, right?
27 00:03:08,520 --> 00:03:12,670 Sunken handle, Santa Close handle.
28 00:03:16,670 --> 00:03:19,730 And debugging stuff, because the program actually did.
29 00:03:20,210 --> 00:03:26,330 So you see that GetProcAddress was never used to call to look forward to a lock.
30 00:03:26,900 --> 00:03:35,090 So even though it shows up in here, but there is no connection whatsoever with our program, we'll
31 00:03:35,150 --> 00:03:35,600 know there.
32 00:03:36,140 --> 00:03:40,740 So there's a distinct appearing here is quite safe, it is not our program.
33 00:03:40,800 --> 00:03:44,990 She looks the GetProcAddress or GetModuleHandle.
34 00:03:46,040 --> 00:03:49,850 So that's all I wanted to point out to explain.
35 00:03:50,120 --> 00:03:57,470 Why is this issue showing here, even though we have already managed to create our own customized
36 00:03:57,810 --> 00:04:01,280 GetProcAddress and GetModuleHandle API functions?
37 00:04:01,670 --> 00:04:02,990 So that's all for this video.
38 00:04:03,260 --> 00:04:04,310 Thank you for watching.