1 00:00:00,750 --> 00:00:09,210 Hello and welcome to a new section. In this lesson, we are going to reverse engineer the malware base64-encoding.exe 2 00:00:09,210 --> 00:00:15,150 and unpack the base64-encoded shellcode. 3 00:00:16,560 --> 00:00:27,300 The objective is to unpack the shellcode from the base64 string, and also later on to 4 00:00:27,300 --> 00:00:33,540 get back to the original shellcode as it was before it was encoded into base64. 5 00:00:34,800 --> 00:00:35,910 So let's get started. 6 00:00:37,050 --> 00:00:45,570 As you recall, base64-encoding.exe is the malware we created in the previous lesson. It encoded the 7 00:00:46,530 --> 00:00:48,630 shellcode into base64. 8 00:00:49,650 --> 00:00:55,680 So just to remind you what this program does, we will copy this path here and then open 9 00:00:59,310 --> 00:01:10,410 a command prompt. It does not need to be an administrator prompt; a normal command prompt will do. Navigate to this folder here in 10 00:01:10,440 --> 00:01:12,060 order to run this program. 11 00:01:18,350 --> 00:01:24,530 So now we're here. You can see it prints the base address of the allocated memory. 12 00:01:25,220 --> 00:01:30,740 Then it waits for you to press enter before it copies the base64 string into that allocated memory. 13 00:01:31,610 --> 00:01:39,430 It prints it at the second prompt, and when you press enter again it 14 00:01:39,500 --> 00:01:41,880 will decode the shellcode 15 00:01:43,460 --> 00:01:44,610 in memory 16 00:01:45,020 --> 00:01:49,390 and then run the decoded shellcode. 17 00:01:50,330 --> 00:01:51,470 So this is what it does, 18 00:01:51,470 --> 00:01:52,760 just to refresh your memory. 19 00:01:53,450 --> 00:01:57,070 So now, to unpack this shellcode 20 00:01:57,470 --> 00:02:01,970 from the base64 string, we need to use x64dbg, 21 00:02:02,180 --> 00:02:03,770 the 64-bit version. 22 00:02:04,760 --> 00:02:07,490 So just fire up x64dbg.
23 00:02:11,440 --> 00:02:23,020 In Options, Preferences, make sure only Entry Breakpoint is checked, and then click File, Open and go to the folder 24 00:02:23,350 --> 00:02:24,640 where you have your project. 25 00:02:25,930 --> 00:02:36,420 So before you can do this, go down into this project folder, reversing-base64, select the exe and open it 26 00:02:36,430 --> 00:02:36,880 for debugging. 27 00:02:41,260 --> 00:02:42,190 So let's open it. 28 00:02:42,580 --> 00:02:42,830 Yeah. 29 00:02:42,850 --> 00:02:44,680 Now we are at the entry point, 30 00:02:47,500 --> 00:02:49,930 and then we are going to put several breakpoints. 31 00:02:51,340 --> 00:02:52,540 I've already done this. 32 00:02:53,170 --> 00:02:55,360 And these are the breakpoints which you need to put. 33 00:02:57,790 --> 00:02:59,920 So the first one is VirtualProtect. 34 00:03:00,010 --> 00:03:04,270 The second one is VirtualAlloc, and the third one is CryptStringToBinaryA. 35 00:03:05,260 --> 00:03:16,420 And to put these breakpoints, you just type bp followed by VirtualAlloc, hit enter, and then 36 00:03:18,510 --> 00:03:23,910 bp VirtualProtect, hit enter, and then bp Crypt 37 00:03:25,110 --> 00:03:25,740 String 38 00:03:27,590 --> 00:03:30,950 ToBinaryA, hit enter. 39 00:03:31,730 --> 00:03:36,410 So that's how you set the breakpoints; make sure all three of them are set. 40 00:03:37,640 --> 00:03:45,920 And now you run the program. When you run, it hits the first breakpoint, VirtualAlloc, and then you 41 00:03:45,920 --> 00:03:52,670 step out and come back to the call site of this call. 42 00:03:53,360 --> 00:03:57,240 Then you look at the parameters for the call here. 43 00:03:57,320 --> 00:04:07,420 And as you remember from the previous lesson, the second parameter, the 44 00:04:07,550 --> 00:04:15,590 local variable in memory, contains the address of the memory that VirtualAlloc has just allocated. 45 00:04:16,250 --> 00:04:17,830 So we need to follow this in the dump.
46 00:04:18,950 --> 00:04:21,720 So right-click and follow in dump. 47 00:04:23,780 --> 00:04:30,590 Now if you look at the dump, you will see that the value starts with C followed by four zeros. 48 00:04:32,900 --> 00:04:34,490 So you can actually go there now. 49 00:04:35,270 --> 00:04:40,640 I can jump there by entering the expression 50 00:04:42,590 --> 00:04:44,480 C followed by four zeros. 51 00:04:48,130 --> 00:04:52,360 So this is the region of allocated memory. 52 00:04:53,680 --> 00:04:56,260 And now we run again. 53 00:04:57,030 --> 00:04:59,080 Now it is waiting for us to press enter. 54 00:04:59,770 --> 00:05:06,110 So we press enter and it hits another breakpoint, CryptStringToBinaryA. 55 00:05:06,110 --> 00:05:08,480 Here in CryptStringToBinaryA 56 00:05:08,560 --> 00:05:10,510 it has all these parameters. 57 00:05:11,620 --> 00:05:17,380 The first parameter is a pointer to the string that contains the formatted string, 58 00:05:17,500 --> 00:05:18,190 the base64 string, as we called it. 59 00:05:19,510 --> 00:05:20,560 So you can look here, 60 00:05:20,890 --> 00:05:22,000 the first parameter. 61 00:05:24,540 --> 00:05:35,650 You see this location, so you can go there: right-click and follow it in the dump. 62 00:05:37,860 --> 00:05:42,120 And this is the base64-encoded shellcode. 63 00:05:43,710 --> 00:05:51,420 And then the second parameter, you see, is the number of characters of the formatted string to be decoded 64 00:05:51,430 --> 00:05:51,750 with it. 65 00:05:53,880 --> 00:05:56,400 So you can see it is 0x175. 66 00:05:57,630 --> 00:06:00,990 So 0x175: if you move your mouse over the dump, 67 00:06:02,310 --> 00:06:09,440 you can see the popup showing the offset, 0x175. 68 00:06:09,450 --> 00:06:11,400 So 0x175 should be here somewhere. 69 00:06:11,610 --> 00:06:12,990 0x170 is here. 70 00:06:13,860 --> 00:06:17,840 If you move across to here, it is 0x173.
71 00:06:18,720 --> 00:06:23,370 As you can see, the popup shows you 0x17-something. 72 00:06:24,690 --> 00:06:24,840 OK. 73 00:06:25,770 --> 00:06:27,600 So all of this you can highlight. 74 00:06:30,040 --> 00:06:41,680 Then right-click, Binary, Save To a File, and go to our project folder, 75 00:06:44,080 --> 00:06:46,360 the one for reversing-base64. 76 00:06:47,170 --> 00:06:48,340 I'm going to call it dump 77 00:06:49,840 --> 00:06:51,340 b64, 78 00:06:51,880 --> 00:06:55,290 to remind ourselves that this is the base64-encoded shellcode. 79 00:06:57,250 --> 00:07:01,570 Now we need to decode it, so we can open a new terminal. 80 00:07:03,160 --> 00:07:06,130 Go down to here, into the folder, 81 00:07:08,760 --> 00:07:09,750 copy that path, 82 00:07:11,790 --> 00:07:24,800 and once we are there, we use the certutil command to decode it with the -decode parameter, providing the 83 00:07:24,860 --> 00:07:25,440 input file 84 00:07:29,560 --> 00:07:37,990 and providing the output file name for the decoded shellcode. Now hit enter. 85 00:07:42,200 --> 00:07:49,580 And it says: CertUtil: -decode command completed successfully. You will see a new file here, the .bin file, which 86 00:07:49,580 --> 00:07:52,250 is the shellcode decoded from base64. 87 00:07:53,720 --> 00:07:55,040 So now you can compare it. 88 00:07:55,550 --> 00:07:58,220 You can go and look at it. 89 00:08:00,440 --> 00:08:03,230 You can use a hex editor to look at them. 90 00:08:04,910 --> 00:08:17,020 Open the hex editor, HxD, drag the .bin into here and you will see the bytes of the 91 00:08:17,030 --> 00:08:17,960 decoded shellcode. 92 00:08:19,430 --> 00:08:23,570 And you can compare this with the original shellcode, the original .bin. 93 00:08:26,720 --> 00:08:28,310 And looking at both of them, 94 00:08:29,150 --> 00:08:29,780 they are identical. 95 00:08:34,190 --> 00:08:41,450 So we have successfully unpacked the base64-encoded shellcode, mainly by using the 96 00:08:41,600 --> 00:08:43,550 certutil command to do it.
97 00:08:44,540 --> 00:08:54,230 Another way to unpack it is to read it straight from memory, because we know that it has allocated this 98 00:08:54,230 --> 00:08:58,190 region of memory with VirtualAlloc earlier. 99 00:08:59,300 --> 00:09:02,210 So we can continue now by running. 100 00:09:04,880 --> 00:09:06,950 And now it is waiting for input. 101 00:09:07,460 --> 00:09:14,870 And we see here it has taken the base64 string from the source, which is the encoded shellcode, 102 00:09:15,620 --> 00:09:19,700 and it has decoded it into this region in memory. 103 00:09:20,780 --> 00:09:22,370 And we have already located this region. 104 00:09:23,990 --> 00:09:27,440 So the shellcode is up to here. 105 00:09:31,050 --> 00:09:34,950 And then right-click, Binary, Save To a File. 106 00:09:38,570 --> 00:09:41,410 Save it in the same folder. 107 00:09:43,430 --> 00:09:51,050 And then you can call this dump from memory, .bin, 108 00:09:54,410 --> 00:10:00,350 and then now you can open it inside your hex editor 109 00:10:03,200 --> 00:10:06,970 and you see the same bytes here. 110 00:10:08,480 --> 00:10:15,040 So these are two ways of how to unpack base64-encoded shellcode. 111 00:10:16,280 --> 00:10:18,380 So that's all for this video. 112 00:10:19,070 --> 00:10:20,660 Thank you for watching.
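The decoding step that the video does with certutil -decode, and that the malware itself does with CryptStringToBinaryA, as an added Python example that is not part of the course or of base64-encoding.exe. Everything in it is constructed: the "shellcode" is a placeholder byte string, the dump is built around it inline, and the decoder mirrors what the video shows about the API call (a character count like the 0x175 second parameter) plus one practical caveat, a highlighted selection that misses the trailing "=" padding, which a strict decoder rejects.

```python
"""Unpack base64-encoded shellcode from a raw dump and verify it.

Added example, not code from the course. Stands in for the video's two
tools: certutil -decode on the saved dump, and the malware's own
CryptStringToBinaryA call. All input below is constructed, not a real sample.
"""
import base64
import re
from typing import List, Optional, Tuple


def find_base64_blobs(data: bytes, min_len: int = 32) -> List[bytes]:
    """Return every run of base64 alphabet characters of at least min_len,
    with up to two '=' padding characters, found in a raw dump such as the
    file x64dbg writes from Binary > Save To a File."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{" + str(min_len).encode() + rb",}={0,2}")
    return [m.group(0) for m in pattern.finditer(data)]


def decode_base64(blob: bytes, nchars: Optional[int] = None) -> bytes:
    """Decode the way the video describes CryptStringToBinaryA: use only the
    first nchars characters (its second parameter, 0x175 in the video), ignore
    CR/LF and spaces, and tolerate missing '=' padding (a selection cut short
    by one or two characters when highlighting the dump)."""
    if nchars is not None:
        blob = blob[:nchars]
    blob = re.sub(rb"[\r\n\t ]", b"", blob)
    blob += b"=" * (-len(blob) % 4)   # restore padding to a multiple of 4
    return base64.b64decode(blob, validate=True)


def unpack_dump(dump: bytes, original: bytes) -> Tuple[bytes, bool]:
    """Decode the longest base64 blob in dump and compare the result with the
    original shellcode bytes, the check the video does by eye in HxD."""
    blobs = find_base64_blobs(dump)
    if not blobs:
        raise ValueError("no base64 blob of sufficient length found in dump")
    decoded = decode_base64(max(blobs, key=len))
    return decoded, decoded == original


# Constructed placeholder "shellcode" (NOP sled, INT3, RET), not a real payload.
ORIGINAL_SHELLCODE = b"\x90" * 46 + b"\xcc\xc3"

# Constructed dump: the encoded string surrounded by other bytes, as it sits
# inside the allocated region. 48 bytes encode to 64 characters, no padding.
SAMPLE_DUMP = (
    b"\x00" * 8
    + base64.b64encode(ORIGINAL_SHELLCODE)
    + b"\x00" * 8
    + b"junk/text+here"      # short alphabet run that must not be picked up
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # python unpack_b64.py <dump file> <original shellcode .bin>
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            dump, original = f.read(), g.read()
    else:
        dump, original = SAMPLE_DUMP, ORIGINAL_SHELLCODE
    decoded, same = unpack_dump(dump, original)
    print(f"decoded {len(decoded)} bytes; matches original: {same}")
```

Run it with no arguments to exercise the constructed sample, or pass the file saved from x64dbg and the original shellcode .bin to get the byte-for-byte comparison instead of eyeballing two HxD windows. The min_len threshold keeps short alphabet-only words in the dump from being mistaken for the payload; raise it if the dump contains long ASCII strings.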