1
00:00:00,670 --> 00:00:08,580
I come back in this video, I'm going to show you how to take this memory and Becky, using a Ostberg.

2
00:00:09,150 --> 00:00:17,730
Means we are going to reverse engineer and decrypt Batel and C to a separate dummy, not to a separate

3
00:00:17,730 --> 00:00:18,000
file.

4
00:00:18,780 --> 00:00:23,420
So now let us open this easy inside AKB.

5
00:00:23,700 --> 00:00:34,050
If you before we show options, preferences set to entry point, you need to open open your encrypted

6
00:00:35,040 --> 00:00:35,730
Palitha.

7
00:00:37,260 --> 00:00:42,810
And now we are going to set some breakpoints, hitting a breakpoint stack.

8
00:00:43,500 --> 00:00:52,440
And then down here, time breakpoint on which you haven't hit, enter an arbitrary point on what you

9
00:00:52,620 --> 00:00:53,160
protect.

10
00:00:54,930 --> 00:01:00,930
And he had to confirm them both day and then now go back to the CPU.

11
00:01:01,590 --> 00:01:02,670
And now you can run.

12
00:01:05,280 --> 00:01:07,410
So now he's going to call Machala.

13
00:01:08,310 --> 00:01:09,390
So that's temporary.

14
00:01:10,770 --> 00:01:13,740
And then he come to the call here by stepping away.

15
00:01:17,780 --> 00:01:20,450
Look at a second parameter, how the X.

16
00:01:21,140 --> 00:01:27,280
The second parameter to watch out to these empty allocated for your memory is the address is tossed.

17
00:01:27,950 --> 00:01:32,210
The value of the address where you allocate memory.

18
00:01:32,720 --> 00:01:35,660
So you need to follow in Gangwon in order to see.

19
00:01:36,590 --> 00:01:41,330
So you set it down one a rankling s and follow in then.

20
00:01:42,470 --> 00:01:46,640
So now he's going to store the memory address here.

21
00:01:46,910 --> 00:01:47,150
Right.

22
00:01:47,390 --> 00:01:47,630
OK.

23
00:01:48,740 --> 00:01:58,640
So now we step away and we see here is the address of the newly allocated memory, which is one C followed

24
00:01:58,640 --> 00:01:59,390
by four zero.

25
00:02:00,110 --> 00:02:09,380
So you can go to Dunolly to directly and go to the expression one C followed by four zero.

26
00:02:11,470 --> 00:02:11,870
OK.

27
00:02:14,420 --> 00:02:17,030
So this is a return memory value.

28
00:02:17,540 --> 00:02:23,840
So you would include the shortcut, the encrypted Exline cryptococcal and dummy here.

29
00:02:24,560 --> 00:02:27,110
So now let's run and see that happen.

30
00:02:30,330 --> 00:02:33,420
OK, so now there he is, waiting for us to present.

31
00:02:33,660 --> 00:02:42,030
So we enter and then come back here you see he has an Bazo into Canada.

32
00:02:42,360 --> 00:02:45,540
And you can see here the last string is not bad.

33
00:02:46,830 --> 00:02:55,710
At this point, you can dummy if you want to wait for it to run with, but you can also do that.

34
00:02:56,310 --> 00:02:57,660
So it's up to you.

35
00:02:58,320 --> 00:03:01,260
So let's say we go ahead and follow reciprocating.

36
00:03:02,070 --> 00:03:07,650
So we step up with a young to watch a day and come over here.

37
00:03:10,780 --> 00:03:12,680
And then now he's going to execute this.

38
00:03:13,190 --> 00:03:21,340
Look, Handies, again, parameter the security parameter to watch Apotex, is the region of memory that

39
00:03:21,340 --> 00:03:23,050
is going to change to the mission?

40
00:03:23,950 --> 00:03:34,840
So at a moment, you can follow this in least following them, this Havelin dunam victory, following

41
00:03:34,900 --> 00:03:36,810
them in the tree.

42
00:03:37,220 --> 00:03:44,070
And then from here, you can see he says him and he's done them to the same fire.

43
00:03:45,190 --> 00:03:47,970
So he is actually going to change.

44
00:03:48,460 --> 00:03:52,600
But we shouldn't be for this region in memory to make it executable.

45
00:03:53,440 --> 00:04:00,050
You can see it happening by falling here rightly following memory presently.

46
00:04:00,490 --> 00:04:03,040
You can see it is a and right there.

47
00:04:05,050 --> 00:04:07,000
But let's tamper with these things that happen.

48
00:04:07,840 --> 00:04:10,730
Step away now is changed to executable.

49
00:04:11,710 --> 00:04:15,910
So now for sure, he has finished with this time.

50
00:04:15,910 --> 00:04:17,020
He's going to execute it.

51
00:04:17,530 --> 00:04:19,550
And probably this is the best time to me.

52
00:04:20,170 --> 00:04:30,130
So now you can select all these decrypted, Schuckert, rightly go to binary safe through a file.

53
00:04:38,180 --> 00:04:39,170
You can see over here.

54
00:04:44,170 --> 00:04:48,680
Not that the gun clicks here.

55
00:04:50,590 --> 00:04:51,760
OK, so now we're done.

56
00:04:52,150 --> 00:04:53,440
We can stop this.

57
00:04:56,380 --> 00:05:01,330
We can use our hex editor by opening as editor.

58
00:05:06,750 --> 00:05:17,610
And you're going to compare the newly dumphy great and you say here first and then compare the 50 or,

59
00:05:17,610 --> 00:05:18,270
you know, chanco.

60
00:05:18,810 --> 00:05:24,360
So it could drag it here and now you compare it to anything else.

61
00:05:26,940 --> 00:05:32,190
So we successfully by the X Y encrypted Baylor.

62
00:05:32,950 --> 00:05:34,050
That's all for this video.

63
00:05:34,290 --> 00:05:35,610
Thank you for watching.