1 00:00:00,720 --> 00:00:01,410 Welcome back.
2 00:00:01,770 --> 00:00:08,910 In a previous lesson, I already showed you how to hide your function call names from the antivirus
3 00:00:09,240 --> 00:00:09,900 scanners.
4 00:00:10,740 --> 00:00:16,590 However, when we look at the strings in PEStudio, you can still see VirtualAlloc here.
5 00:00:17,040 --> 00:00:21,780 So now in this video, I'm going to show you how to hide the strings by escaping it.
6 00:00:22,410 --> 00:00:28,650 So one way to do it, a simple way to do it, is to replace your string with the encrypted string.
7 00:00:29,670 --> 00:00:35,880 And then when the program runs, it will decrypt to produce back the original VirtualAlloc string.
8 00:00:36,330 --> 00:00:40,260 And basically this function as the second parameter.
9 00:00:41,220 --> 00:00:43,440 So let's first close our PEStudio.
10 00:00:44,550 --> 00:00:48,990 Now, in order to do that, we need to create a new variable.
11 00:00:49,860 --> 00:00:51,360 So let's create a new variable.
12 00:00:52,920 --> 00:00:55,410 You can call it string VirtualAlloc.
13 00:00:59,240 --> 00:01:01,810 And in here, we uncomment this.
14 00:01:04,140 --> 00:01:09,900 So this is VirtualAlloc and this is what the string should look like after encryption.
15 00:01:10,850 --> 00:01:15,050 But for now, let's pretend we don't have it again.
16 00:01:15,620 --> 00:01:18,980 If you wanted to encrypt something, you need to decrypt it.
17 00:01:19,400 --> 00:01:22,610 So you need to provide the key to what you were saying could be.
18 00:01:23,300 --> 00:01:25,190 So in this case, we use a simple key.
19 00:01:25,370 --> 00:01:28,000 One, two, three, four, five, six, seven, eight, nine, ABC.
20 00:01:28,650 --> 00:01:35,060 Now, you should not use something which is suspicious, which would easily stand out via scan or
21 00:01:35,060 --> 00:01:36,470 any kind of string scan.
22 00:01:36,950 --> 00:01:40,040 So it is something which is harmless.
23 00:01:41,180 --> 00:01:43,850 For example, like a string of one, two, five like this.
24 00:01:44,820 --> 00:01:53,040 You can also use any of the strings which you see in the PEStudio string scan, so any of
25 00:01:53,040 --> 00:02:00,120 those species a day could be used as the encryption key, then baby withdraw any malware analyst who
26 00:02:00,120 --> 00:02:03,720 happens to be scanning for strings so far.
27 00:02:04,030 --> 00:02:05,490 So you're just going to keep it simple.
28 00:02:05,610 --> 00:02:08,970 We will use 123456 79 a, b, c.
29 00:02:10,080 --> 00:02:18,330 However, there is one warning: after encrypting your VirtualAlloc name, you should make sure that
30 00:02:18,330 --> 00:02:22,200 there are no null characters as a result of the encryption.
31 00:02:22,530 --> 00:02:28,410 If there are, you need to change your encryption key and encrypt again until there are no null characters
32 00:02:28,410 --> 00:02:28,830 in sight.
33 00:02:28,890 --> 00:02:30,060 OK, so let's get started.
34 00:02:30,540 --> 00:02:38,670 So now here you have already created your variable to replace the name of the VirtualAlloc string
35 00:02:39,180 --> 00:02:41,730 before encrypted string.
36 00:02:42,330 --> 00:02:44,740 You are going to use who action.
37 00:02:45,360 --> 00:02:46,590 So in here.
38 00:02:47,770 --> 00:02:56,020 We are going to paste our encrypted string here, which is actually the VirtualAlloc name in encrypted
39 00:02:56,020 --> 00:02:56,380 form.
40 00:02:57,130 --> 00:02:59,740 So because it is encrypted, we need to decrypt it.
41 00:03:00,220 --> 00:03:01,690 So I'm going to uncomment this.
42 00:03:02,380 --> 00:03:04,960 So here we are going to decrypt.
43 00:03:08,140 --> 00:03:11,440 And this is the function decrypt, which is up here.
44 00:03:12,520 --> 00:03:17,300 We have used this before when we did the actual encryption lessons.
45 00:03:17,740 --> 00:03:19,780 So it's exactly the same function.
46 00:03:20,590 --> 00:03:22,690 So we're just really reusing here.
47 00:03:23,350 --> 00:03:25,300 So how does this code work?
48 00:03:25,630 --> 00:03:28,750 So this could make this program runs.
49 00:03:29,380 --> 00:03:38,500 It will go to the main here, main function, and then it will decrypt this string.
50 00:03:39,040 --> 00:03:43,550 This encrypted VirtualAlloc string, which is actually encrypted even.
51 00:03:43,570 --> 00:03:44,200 All right.
52 00:03:44,440 --> 00:03:48,550 This string with the name of the actual virtual string.
53 00:03:49,420 --> 00:03:55,630 And this string will be used as the second parameter in GetProcAddress.
54 00:03:56,290 --> 00:03:58,000 So that's how GetProcAddress
55 00:03:58,000 --> 00:04:01,780 knows what function you are going to call.
56 00:04:03,130 --> 00:04:04,720 So and the rest is the same.
57 00:04:04,990 --> 00:04:11,260 So the only difference now is you are encrypting you are encrypting the name of the function that you
58 00:04:11,260 --> 00:04:11,800 are using.
59 00:04:12,070 --> 00:04:15,930 And inside here, when the program runs, it is decrypting it.
60 00:04:16,780 --> 00:04:20,200 So now how do we get the encrypted string?
61 00:04:20,680 --> 00:04:23,840 How do we take the string VirtualAlloc and encrypt it?
62 00:04:24,620 --> 00:04:27,580 We will use a Python script, which is here.
63 00:04:28,030 --> 00:04:30,850 This is the Python script which you have used before.
64 00:04:31,240 --> 00:04:37,060 When we were studying XOR encryption, and it's exactly the same script.
65 00:04:37,600 --> 00:04:40,000 The only difference is now encryption key.
66 00:04:40,420 --> 00:04:42,070 I put it up here.
67 00:04:42,640 --> 00:04:47,380 Now, this encryption key must also be the same as the decryption key.
68 00:04:47,980 --> 00:04:50,350 Then you are going to put in your main function.
69 00:04:50,680 --> 00:04:56,530 So if you make any changes here, you must also edit it here and vice versa.
70 00:04:57,790 --> 00:04:59,470 So now how do we include this?
71 00:04:59,950 --> 00:05:04,690 Now, remember that this script requires an input file.
72 00:05:05,200 --> 00:05:06,850 So you need to create a proof.
73 00:05:07,030 --> 00:05:08,980 Let's call let's create any Bufano.
74 00:05:09,460 --> 00:05:12,130 Let's call it new.
75 00:05:13,770 --> 00:05:16,710 Text document, and you will shivaya virtual
76 00:05:21,220 --> 00:05:22,120 dead inside.
77 00:05:22,830 --> 00:05:29,700 The idea is going to put one string which you add up, and then we are going to save this and use this
78 00:05:29,700 --> 00:05:32,430 as an input file for this Python script.
79 00:05:32,820 --> 00:05:40,370 So that Python script, we think this will open this file registry and then encrypt it.
80 00:05:41,130 --> 00:05:50,160 We have the key, this key over here and output the result of the encryption in the separate file Debka.
81 00:05:50,580 --> 00:05:54,660 So now let us save this and then close it.
82 00:05:54,960 --> 00:05:57,300 And now we are ready to call this.
83 00:05:58,410 --> 00:06:06,060 Python script using Python two point seven, as you'll recall, we need to provide a path to our Python
84 00:06:06,060 --> 00:06:08,640 two point seven, which we have done before.
85 00:06:10,100 --> 00:06:16,730 So for me, it is in this folder C folder, Python two seven Python.
86 00:06:18,020 --> 00:06:25,520 And then now provide the name of the Python script, which in this case it is called in GTV r.
87 00:06:27,950 --> 00:06:31,290 Now, Lightning Nim input file.
88 00:06:32,870 --> 00:06:34,790 The input file is called virtual.
89 00:06:35,400 --> 00:06:36,550 The steam.
90 00:06:39,450 --> 00:06:46,200 Now, before you redirect to an output file, you just hit enter first to see whether there are any null characters
91 00:06:46,200 --> 00:06:50,790 that is being generated yet is being created because of the encryption.
92 00:06:51,600 --> 00:06:57,840 So in this case, there is none sometimes because of the key that you are using.
93 00:06:58,200 --> 00:07:03,330 You may result in one on this character being or X or Y zero.
94 00:07:04,260 --> 00:07:11,310 So if you see any way zero emesis and null character, you have to change the key and try again until
95 00:07:11,310 --> 00:07:17,850 you get an encrypted array, which doesn't have any null character.
96 00:07:18,400 --> 00:07:20,940 Now, the reason you should not have a null character is because.
97 00:07:28,510 --> 00:07:31,450 So in this case, it is OK, there is no null character.
98 00:07:31,480 --> 00:07:33,220 So now we can repeat the command.
99 00:07:33,670 --> 00:07:43,420 By this time, three, redirect to an output file, which will allow dot axolotl Hitchen to nowadays
100 00:07:43,420 --> 00:07:45,780 a new file here called virtual SLR.
101 00:07:46,060 --> 00:07:50,350 Let us open it, if not back, and then we can copy this.
102 00:07:50,650 --> 00:08:01,390 Now, notice, VirtualAlloc has the same number of characters as this number of Bisha v i r t u a l,
103 00:08:01,900 --> 00:08:05,170 a, l, l, o, c, VirtualAlloc.
104 00:08:05,440 --> 00:08:12,010 But this is, of course, the hex values encrypted in SLR.
105 00:08:13,060 --> 00:08:13,900 So let's see.
106 00:08:14,350 --> 00:08:15,610 Let us copy this now.
107 00:08:16,660 --> 00:08:22,030 Right click, copy this and then open your -- obfuscated copy.
108 00:08:22,510 --> 00:08:23,590 And frankly.
109 00:08:23,590 --> 00:08:24,910 And paste it here.
110 00:08:25,840 --> 00:08:28,210 This is your encrypted string.
111 00:08:28,930 --> 00:08:29,380 Voiture?
112 00:08:30,130 --> 00:08:30,790 Encrypted.
113 00:08:30,820 --> 00:08:31,360 Excellent.
114 00:08:32,230 --> 00:08:33,280 Now we save it.
115 00:08:33,580 --> 00:08:34,420 You remember the save.
116 00:08:36,040 --> 00:08:37,930 So now let's check one more time.
117 00:08:38,470 --> 00:08:44,990 I mean, this function runs you comes to this line 67 that you call decrypt.
118 00:08:45,190 --> 00:08:51,310 So we are passing the string, this string, this array, which is encrypted.
119 00:08:51,850 --> 00:08:52,900 And the length of it.
120 00:08:53,380 --> 00:09:00,190 So the length of it is automatically calculated on the fly string, which allows the encryption key,
121 00:09:00,250 --> 00:09:01,060 which is here.
122 00:09:01,450 --> 00:09:07,900 And we make sure that this encryption key is the same one that you use when you were encrypting it
123 00:09:07,960 --> 00:09:09,580 with Python script.
124 00:09:11,560 --> 00:09:18,790 And then the last parameter is the size of the encryption key, which is also calculated on the fly. After
125 00:09:18,790 --> 00:09:27,600 that, it will call GetProcAddress and pass this decrypted string into the GetProcAddress.
126 00:09:27,970 --> 00:09:29,770 So now we are ready to compile.
127 00:09:30,580 --> 00:09:32,320 So let's run the compile script.
128 00:09:35,120 --> 00:09:39,110 And now let us run the resulting CFR.
129 00:09:40,870 --> 00:09:43,270 He didn't gain any looks.
130 00:09:43,870 --> 00:09:55,120 Now we shall open PEStudio and then open our letters, followed by dragging it into PEStudio.
131 00:10:00,050 --> 00:10:02,000 PEStudio has finished analyzing.
132 00:10:02,240 --> 00:10:04,190 Now let's go and look at the imports.
133 00:10:05,720 --> 00:10:10,820 This group, according to groups and the memory, do you see any VirtualAlloc?
134 00:10:11,240 --> 00:10:12,230 No, it's good.
135 00:10:12,650 --> 00:10:18,200 Now let's go to the strings and then click on this to sort it in ascending order.
136 00:10:19,100 --> 00:10:25,520 And let's go down to V under V and see if we can find VirtualAlloc.
137 00:10:35,250 --> 00:10:41,040 You can see that we only have VirtualProtect, VirtualAlloc is off.
138 00:10:42,330 --> 00:10:43,110 It is hidden.
139 00:10:43,470 --> 00:10:49,140 So we have successfully obfuscated our VirtualAlloc function call.
140 00:10:50,070 --> 00:10:56,210 So now you know how to obfuscate your -- calls and hide your -- calls from antivirus.
141 00:10:57,000 --> 00:10:59,530 You can do the same for any other function.
142 00:10:59,550 --> 00:11:00,780 And you want to obfuscate.
143 00:11:01,050 --> 00:11:01,770 You want to hide.
144 00:11:01,980 --> 00:11:04,800 For example, you can hide VirtualProtect, you can hide
145 00:11:04,830 --> 00:11:05,730 CreateThread.
146 00:11:06,660 --> 00:11:07,950 You can hide a career track.
147 00:11:08,220 --> 00:11:09,480 You can hide and move memory.
148 00:11:10,090 --> 00:11:10,380 Yes.
149 00:11:10,380 --> 00:11:13,260 About a new function call that you want.
150 00:11:13,290 --> 00:11:14,160 You can hide.
151 00:11:14,400 --> 00:11:16,320 Using this technique of doing so.
152 00:11:16,890 --> 00:11:18,600 So that's all for this video.
153 00:11:18,840 --> 00:11:20,700 Thank you for watching.