1
00:00:00,870 --> 00:00:07,740
Welcome. In the previous lesson, we looked at the encrypted payload and also put it in.

2
00:00:08,010 --> 00:00:10,380
Yes, it's inside here and it's built.

3
00:00:11,070 --> 00:00:16,290
So in this lesson, we are going to run it in x64dbg.

4
00:00:17,490 --> 00:00:24,930
So we just take the name of the file and x64dbg here, put it in your memory.

5
00:00:25,950 --> 00:00:30,090
So now we open x64dbg, the 64-bit version.

6
00:00:32,860 --> 00:00:41,060
As usual, open Options, Preferences and make sure only the entry breakpoint is enabled.

7
00:00:41,080 --> 00:00:50,650
Now open and attach to the running process, go to Symbols, select the exe, double-click and run

8
00:00:50,650 --> 00:00:51,550
to synchronize.

9
00:00:54,680 --> 00:01:00,890
So now here, let's go and examine this location, the address.

10
00:01:03,230 --> 00:01:14,690
So we copy this and come down to here, Dump 1, right-click and go to Expression, click and paste

11
00:01:15,560 --> 00:01:16,520
and click OK.

12
00:01:17,990 --> 00:01:20,450
So this is the encrypted payload.

13
00:01:22,550 --> 00:01:25,730
You can examine it in memory to see where it's located.

14
00:01:26,210 --> 00:01:27,800
Right-click, Follow in Memory Map.

15
00:01:30,410 --> 00:01:35,390
You see here in the stack, 644 ceasefire's in hexadecimal.

16
00:01:36,080 --> 00:01:42,260
So you can compare it to the address following here.

17
00:01:42,980 --> 00:01:46,880
So the location is address 1604.

18
00:01:47,660 --> 00:01:49,970
We go to x64dbg, 1604.

19
00:01:51,050 --> 00:01:57,200
So this is on the stack, because here the payload is declared inside the function.

20
00:01:58,820 --> 00:02:01,250
Every function is carried out on the stack.

21
00:02:01,580 --> 00:02:04,400
That is why we also find this payload on the stack.

22
00:02:07,710 --> 00:02:10,830
Let's examine the output here again.

23
00:02:11,040 --> 00:02:13,560
So now it's waiting for you to hit enter.

24
00:02:14,040 --> 00:02:17,010
Let's go and take a look at the allocated memory region.

25
00:02:17,790 --> 00:02:29,240
So let's copy this and go to the allocated new region in Dump 2, right-click and then go to Expression.

26
00:02:30,510 --> 00:02:34,230
And then here, right-click, paste and enter.

27
00:02:34,960 --> 00:02:40,170
OK, so this at the moment is empty and it's waiting for us to unpack it here.

28
00:02:41,070 --> 00:02:42,510
So now if you enter.

29
00:02:45,570 --> 00:02:47,050
Come back here.

30
00:02:47,700 --> 00:02:51,210
It has decrypted and populated this memory.

31
00:02:51,990 --> 00:02:59,730
So on this region in memory, right-click and Follow in Memory Map; the address is here and it is private.

32
00:03:00,750 --> 00:03:03,510
And it is also executable and readable.

33
00:03:05,070 --> 00:03:06,330
So now it's ready to run.

34
00:03:09,310 --> 00:03:16,080
So it has already done it by now and decrypted it as well, so it's ready to run.

35
00:03:16,980 --> 00:03:19,200
So it's waiting for us to press enter.

36
00:03:20,010 --> 00:03:21,060
So we press enter.

37
00:03:23,160 --> 00:03:28,170
And now our shellcode launches and then the program exits.

38
00:03:29,100 --> 00:03:31,350
So this is the analysis in x64dbg.

39
00:03:32,430 --> 00:03:40,230
In the next video, I will show you how to reverse engineer this malware in a string and decrypt and

40
00:03:40,230 --> 00:03:41,430
extract the payload.

41
00:03:41,790 --> 00:03:42,750
Thank you for watching.