1
00:00:00,090 --> 00:00:02,190
Hello and welcome to a new section.

2
00:00:02,880 --> 00:00:06,960
We are now going to do reversing of function obfuscation.

3
00:00:07,500 --> 00:00:12,240
So please go and download this project and unzip it.

4
00:00:12,240 --> 00:00:20,400
And then, on your desktop, inside it, you will find function-obfuscated.exe, which we created in

5
00:00:20,400 --> 00:00:21,390
the previous lesson.

6
00:00:22,110 --> 00:00:31,680
So this function-obfuscated.exe hides which function is called, so that if you were to open this with

7
00:00:31,770 --> 00:00:36,120
these tools, you will not see VirtualAlloc,

8
00:00:37,200 --> 00:00:41,430
or the string VirtualAlloc. So we can try now.

9
00:00:41,480 --> 00:00:42,780
Open PE Studio.

10
00:00:43,790 --> 00:00:47,840
And then drag the .exe file in, as we used to do.

11
00:00:48,950 --> 00:00:52,160
If we click on imports and click on group,

12
00:00:53,500 --> 00:00:57,070
and memory, you will not see any VirtualAlloc.

13
00:00:58,950 --> 00:01:05,940
Same thing if you go to strings and sort ascending by clicking on this tab, and scroll all the way down

14
00:01:05,940 --> 00:01:06,810
to V.

15
00:01:12,850 --> 00:01:19,530
You will also not see any VirtualAlloc, because we have hidden, obfuscated, the VirtualAlloc string.

16
00:01:20,050 --> 00:01:28,540
And we also used the GetProcAddress API to dynamically load the VirtualAlloc function during runtime.

17
00:01:31,090 --> 00:01:39,610
However, we can still use a reverse engineering technique to see what API is being dynamically loaded

18
00:01:39,880 --> 00:01:40,750
during runtime.

19
00:01:41,410 --> 00:01:46,180
So to do that, we use the x64dbg debugger, the 64-bit version.

20
00:01:46,600 --> 00:01:48,090
So let's click on this to open.

21
00:01:51,420 --> 00:02:00,930
Then go to Options, Preferences, make sure that only Entry Point is checked, then open the function-

22
00:02:00,940 --> 00:02:01,590
obfuscated

23
00:02:01,830 --> 00:02:02,140
.exe

24
00:02:02,300 --> 00:02:02,640
file.

25
00:02:05,430 --> 00:02:13,280
And now we can put a breakpoint on GetProcAddress. That is because from the previous lesson, I've seen

26
00:02:13,290 --> 00:02:19,310
that GetProcAddress is used to dynamically load VirtualAlloc.

27
00:02:19,320 --> 00:02:22,260
This is the MSDN reference in case you have forgotten.

28
00:02:23,550 --> 00:02:29,760
And these are the notes that accompany the previous lesson, which I shall also put in the current session.

29
00:02:30,780 --> 00:02:31,560
So VirtualAlloc

30
00:02:33,420 --> 00:02:43,670
has been loaded here, and in here we see the APIs that are used: GetModuleHandle to get a handle

31
00:02:43,700 --> 00:02:46,170
to kernel32, and then

32
00:02:47,190 --> 00:02:52,530
it is going to use the contents of VirtualAlloc and GetProcAddress to extract VirtualAlloc from

33
00:02:52,530 --> 00:02:56,670
the module, to gain entry to the API.

34
00:02:57,420 --> 00:02:58,310
And then here you run it.

35
00:02:58,950 --> 00:03:04,410
So that's why we're putting a breakpoint on GetProcAddress.

36
00:03:04,770 --> 00:03:08,880
So come down to the bottom here and type bp

37
00:03:09,540 --> 00:03:18,810
GetProcAddress in there, and then go to your breakpoints and confirm that you have gotten this breakpoint

38
00:03:18,810 --> 00:03:19,170
set.

39
00:03:20,220 --> 00:03:24,840
So now you can run, and you hit GetProcAddress.

40
00:03:25,470 --> 00:03:28,680
And then from here you see the parameters to GetProcAddress.

41
00:03:29,340 --> 00:03:33,570
GetProcAddress has got two parameters, hModule and lpProcName.

42
00:03:34,140 --> 00:03:38,640
So we are interested in the second argument, which is the proc name.

43
00:03:38,940 --> 00:03:42,960
From there, we can know what API it is trying to load dynamically.

44
00:03:43,800 --> 00:03:49,800
So from this you can see the API it is loading is InitializeCriticalSection.

45
00:03:51,310 --> 00:03:52,090
Click run again.

46
00:03:53,030 --> 00:03:57,340
It hits GetProcAddress again; this time it is trying to load another API.

47
00:03:58,760 --> 00:03:59,450
Run again.

48
00:04:01,560 --> 00:04:04,140
[inaudible], run again.

49
00:04:04,740 --> 00:04:08,040
InitializeCriticalSection, run again.

50
00:04:08,640 --> 00:04:14,670
FlsAlloc, run again. FlsGetValue, run again.

51
00:04:15,120 --> 00:04:17,730
FlsSetValue, run again.

52
00:04:18,630 --> 00:04:19,440
[inaudible].

53
00:04:20,420 --> 00:04:21,050
Run again.

54
00:04:22,360 --> 00:04:25,800
[inaudible], run again, and VirtualAlloc.

55
00:04:27,830 --> 00:04:35,630
So this is a simple way to find out all the functions or APIs that that particular malware is trying to

56
00:04:35,630 --> 00:04:43,310
load dynamically. Just putting a breakpoint on GetProcAddress is all we need to do to see them.

57
00:04:43,940 --> 00:04:45,380
So that's all for this video.

58
00:04:45,620 --> 00:04:47,000
Thank you for watching.