1
00:00:00,900 --> 00:00:10,080
Hello and welcome to a new section. In this video, I'm going to show you how to reverse engineer encryption

2
00:00:10,530 --> 00:00:12,570
using it.

3
00:00:13,560 --> 00:00:18,530
So now we have here the malware which we created in a previous lesson.

4
00:00:19,170 --> 00:00:29,250
We are going to use x64dbg to reverse engineer this and decrypt the encrypted

5
00:00:29,250 --> 00:00:31,890
malware and dump it in another file.

6
00:00:33,000 --> 00:00:40,650
So go and download this project in the resource section, unzip it, and put it in the malware folder.

7
00:00:42,210 --> 00:00:48,780
So let's run our x64dbg, the 64-bit version, and then Options,

8
00:00:48,780 --> 00:00:50,700
Preferences. Make sure

9
00:00:50,910 --> 00:01:00,330
Entry Breakpoint is set and the others are all unchecked. Click on File and then Open your

10
00:01:02,840 --> 00:01:05,140
project folder.

11
00:01:05,550 --> 00:01:06,200
Yes.

12
00:01:07,040 --> 00:01:17,630
Click on the exe, open it, and now we are going to put a breakpoint on CryptDecrypt.

13
00:01:21,560 --> 00:01:32,220
CryptDecrypt is used by the malware to decrypt the shellcode before executing it.

14
00:01:32,580 --> 00:01:36,150
So that's why we put a breakpoint on this.

15
00:01:38,150 --> 00:01:46,310
So click on the Breakpoints tab, then come down to the bottom and type bp CryptDecrypt,

16
00:01:48,950 --> 00:01:51,680
hit Enter, and enable it.

17
00:01:53,980 --> 00:01:55,090
So now we just run.

18
00:01:58,330 --> 00:01:58,940
Before that,

19
00:01:58,960 --> 00:02:02,590
make sure you click Symbols and go to a think tank.

20
00:02:02,920 --> 00:02:05,980
Meanwhile, you can run to synchronize.

21
00:02:06,790 --> 00:02:12,640
So now it is synchronized and is waiting for you to press Enter to decrypt.

22
00:02:13,120 --> 00:02:19,910
So just hit Enter on your keyboard and it immediately hits our breakpoint at CryptDecrypt.

23
00:02:21,130 --> 00:02:28,090
And then we come down to the parameters for CryptDecrypt. CryptDecrypt has

24
00:02:28,180 --> 00:02:30,250
six parameters in total,

25
00:02:30,790 --> 00:02:33,430
as you can see from the MSDN documentation.

26
00:02:34,630 --> 00:02:42,670
So that's why we have to come down here and increase this by one so that we can see all of the six parameters

27
00:02:42,670 --> 00:02:42,940
here.

28
00:02:44,170 --> 00:02:46,180
Now, the ones that we are interested in

29
00:02:48,780 --> 00:02:58,800
are the fifth and sixth parameters. The fifth parameter is the address of the payload,

30
00:02:59,160 --> 00:03:07,530
which is encrypted, and then the sixth parameter is the address which holds the length

31
00:03:07,590 --> 00:03:08,220
of the payload.

32
00:03:08,850 --> 00:03:16,440
So we need to go to these two locations in memory and take a look at what is in there.

33
00:03:17,070 --> 00:03:26,310
So for the fifth parameter, you can actually scroll down to read the description. It is a pointer

34
00:03:26,310 --> 00:03:28,830
to a buffer that contains the data to be decrypted.

35
00:03:29,760 --> 00:03:34,470
After the decryption has been performed, the plaintext is placed back into the same buffer.

36
00:03:34,950 --> 00:03:44,310
This means it overwrites the encrypted data with the decrypted one after it has decrypted it, and then the sixth parameter

37
00:03:44,310 --> 00:03:50,520
is a pointer to a DWORD value that indicates the length of the pbData buffer.

38
00:03:50,940 --> 00:03:54,510
And this is the parameter that shows you the length of the payload.

39
00:03:55,500 --> 00:04:03,000
So let's go to the fifth parameter now to see the payload. Just right click on this, Follow in Dump, which

40
00:04:03,000 --> 00:04:04,710
is by default Dump 1.

41
00:04:05,340 --> 00:04:10,440
And this is the encrypted payload.

42
00:04:12,030 --> 00:04:17,790
And then to see the length, we need to go to the sixth parameter.

43
00:04:18,250 --> 00:04:27,000
But first, you select Dump 2 and then follow this in Dump 2: right click, Follow in Dump.

44
00:04:27,870 --> 00:04:33,300
And you can see in Dump 2 the value there is 120 in hex.

45
00:04:33,360 --> 00:04:38,460
Remember, this is little-endian convention, because this is an Intel process.

46
00:04:38,670 --> 00:04:40,200
So you have to read it reversed.

47
00:04:40,800 --> 00:04:45,230
So the length of the encrypted payload is 120 in hex.

48
00:04:46,290 --> 00:04:49,920
That means from here you can take this value,

49
00:04:50,430 --> 00:04:52,750
the offset 2F7C0.

50
00:04:52,960 --> 00:04:55,710
You want to go to this, you get the length

51
00:04:56,070 --> 00:04:56,650
of the encrypted payload.

52
00:04:57,330 --> 00:05:05,610
And that means you take this address, 2F7C0, plus this value,

53
00:05:05,820 --> 00:05:06,450
120.

54
00:05:08,080 --> 00:05:09,800
We will do it later after we decrypt.

55
00:05:10,730 --> 00:05:15,710
So now we're here in the CryptDecrypt API.

56
00:05:15,980 --> 00:05:17,450
So let us execute this.

57
00:05:17,660 --> 00:05:21,770
We have these parameters. Click on this Run to user code.

58
00:05:21,950 --> 00:05:27,680
So when you click Run to user code, it will execute all of this and go back to the user code.

59
00:05:27,860 --> 00:05:32,840
And then you see the decrypted payload overwriting this address.

60
00:05:33,500 --> 00:05:37,460
Now, before we do that, you can click on this and Follow in Memory Map.

61
00:05:38,900 --> 00:05:44,890
And notice that the encrypted payload is on the stack.

62
00:05:45,290 --> 00:05:47,870
Known as EFC, it is on the stack.

63
00:05:48,110 --> 00:05:50,240
So EFC is in hexadecimal.

64
00:05:50,750 --> 00:05:54,740
If you want to see the value in decimal,

65
00:05:55,040 --> 00:06:04,100
you can convert it by using a calculator: enter EFC and it will convert it to 2A12.

66
00:06:04,880 --> 00:06:06,730
So if we want to, we can go to the trace.

67
00:06:06,740 --> 00:06:08,630
You can check 2A12.

68
00:06:08,630 --> 00:06:12,370
This is the stack containing the data.

69
00:06:13,670 --> 00:06:19,960
So now we know that this payload was created in a function that allocated it on the stack.

70
00:06:20,720 --> 00:06:23,210
It is not in the data section or the heap.

71
00:06:23,810 --> 00:06:26,120
Have you seen the stack?

72
00:06:27,050 --> 00:06:35,300
OK, so now you can execute this by going to user code, and notice it has overwritten this,

73
00:06:35,300 --> 00:06:41,590
the address which was previously encrypted and now is decrypted and overwritten.

74
00:06:43,580 --> 00:06:50,340
And then the length we saw previously was 120.

75
00:06:50,360 --> 00:06:56,360
So you can use this value, 120 in hex, and add it to this offset,

76
00:06:56,360 --> 00:07:01,040
and you know how much of this is the decrypted payload.

77
00:07:01,520 --> 00:07:10,070
So we take 2F7C0, put it into the calculator,

78
00:07:14,090 --> 00:07:19,190
and then we add the hex value 120.

79
00:07:20,690 --> 00:07:23,540
We get 2F8E0.

80
00:07:23,960 --> 00:07:29,180
So we scroll down to 2F8E0, which is here.

81
00:07:31,590 --> 00:07:32,220
Which is here.

82
00:07:32,760 --> 00:07:37,140
But because our offset starts at zero, we have to minus one.

83
00:07:37,560 --> 00:07:38,220
Come to here.

84
00:07:39,600 --> 00:07:42,020
So all of this is our decrypted payload.

85
00:07:43,530 --> 00:07:43,830
Yes.

86
00:07:43,830 --> 00:07:46,980
You can see the last string is notepad.exe.

87
00:07:49,840 --> 00:07:52,160
The shellcode is supposed to run notepad.

88
00:07:52,930 --> 00:07:53,950
So that confirms it.

89
00:07:54,220 --> 00:07:55,540
So now we can dump this.

90
00:07:57,120 --> 00:08:05,820
Select all of this, right click, Binary, and then Save To a File, and then you can save

91
00:08:05,850 --> 00:08:16,580
this in the malware folder. Go to the project folder, and you can call this AES decrypted,

92
00:08:20,610 --> 00:08:24,780
AES-decrypted.bin, or any other name you prefer.

93
00:08:26,280 --> 00:08:28,140
So let's save it now.

94
00:08:30,210 --> 00:08:31,500
And then you come to this stage.

95
00:08:32,970 --> 00:08:38,580
Now we want to check to see whether it is the same content as the original shellcode.

96
00:08:39,390 --> 00:08:43,140
So now we can open both in a hex editor.

97
00:08:43,470 --> 00:08:47,730
So let's go to the hex editor.

98
00:08:48,240 --> 00:08:48,720
Open it up.

99
00:08:50,490 --> 00:08:55,770
And we have the decrypted binary in here.

100
00:08:55,950 --> 00:09:04,170
And we also have the notepad shellcode before it was encrypted in here.

101
00:09:04,980 --> 00:09:05,980
And now you compare.

102
00:09:05,980 --> 00:09:08,850
We see both are identical, exactly the same.

103
00:09:09,900 --> 00:09:10,510
I said that.

104
00:09:10,510 --> 00:09:13,570
And this one has quite a strong knock.

105
00:09:13,600 --> 00:09:13,790
Right.

106
00:09:13,790 --> 00:09:14,340
I turn it back.

107
00:09:14,880 --> 00:09:15,540
So.

108
00:09:17,500 --> 00:09:24,850
This confirms that we have properly decrypted it.

109
00:09:25,060 --> 00:09:29,290
So these kind of things, you have probably nicotine gum or chocolate.

110
00:09:30,070 --> 00:09:32,260
So that's all for this video.

111
00:09:32,290 --> 00:09:33,520
Thank you for watching.

112
00:09:34,010 --> 00:09:37,030
I will see you in the next video.