1 00:00:00,610 --> 00:00:01,090 Hello.
2 00:00:01,120 --> 00:00:02,500 Welcome to a new session.
3 00:00:03,130 --> 00:00:06,960 In this video lesson, we are going to reverse engineer shellcode.
4 00:00:08,230 --> 00:00:16,900 As we all know, before a shellcode can execute the program, it needs to save the registers
5 00:00:16,900 --> 00:00:17,470 and the flags.
6 00:00:18,310 --> 00:00:24,400 And then additionally, after the shellcode has finished, it needs to restore the flags and then the
7 00:00:24,400 --> 00:00:27,850 registers. Based on these two characteristics,
8 00:00:28,150 --> 00:00:36,030 we can search for the hex pattern 60 9C, which marks the start of the shellcode.
9 00:00:36,760 --> 00:00:40,270 And then we look for the corresponding hex pattern
10 00:00:40,570 --> 00:00:43,990 9D 61, which marks the end of the shellcode.
11 00:00:45,220 --> 00:00:49,990 So between these two, we can identify the shellcode itself.
12 00:00:50,740 --> 00:00:57,590 So 60 is pushad and 9C is pushfd, which refers to this region.
13 00:00:57,640 --> 00:01:01,690 The shellcode saves the registers and saves the flags.
14 00:01:02,440 --> 00:01:08,300 And in here, popfd is 9D and then popad is 61.
15 00:01:08,350 --> 00:01:16,210 So popfd is to restore the flags and popad is to restore the registers.
16 00:01:16,780 --> 00:01:18,100 So let's get started.
17 00:01:19,640 --> 00:01:26,420 So go and download this project, reversing shellcode, unzip it and put it in a folder.
18 00:01:27,490 --> 00:01:32,260 Then open x64dbg, 32-bit.
19 00:01:35,060 --> 00:01:40,670 Click on Options, Preferences, make sure that only Entry Breakpoint is checked.
20 00:01:42,590 --> 00:01:45,740 And then open the crackme.
21 00:01:54,430 --> 00:01:57,850 The crackme, which is in this folder which you have just unzipped.
22 00:02:01,740 --> 00:02:05,610 So now we can look for the pattern.
23 00:02:07,630 --> 00:02:09,610 The hex pattern 60 9C.
24 00:02:11,640 --> 00:02:14,520 So to do that, we just right click here.
25 00:02:15,680 --> 00:02:20,270 And then scroll down, Search for, Current Region,
26 00:02:21,540 --> 00:02:22,020 Pattern.
27 00:02:23,840 --> 00:02:39,170 So for the pattern here, you are going to type in 60 9C, 60 9C again, select Entire
28 00:02:39,200 --> 00:02:39,470 Block.
29 00:02:40,340 --> 00:02:41,090 Click OK.
30 00:02:43,050 --> 00:02:47,250 And the results will be shown in the References tab, and so on the hit
31 00:02:49,080 --> 00:02:50,880 it has found pushad.
32 00:02:51,630 --> 00:02:56,580 So right click on this address and select Follow in Disassembler.
33 00:02:57,610 --> 00:03:01,300 And it takes you right to the beginning of the shellcode.
34 00:03:03,300 --> 00:03:10,050 Over here, you could have also reached here by following the jump from the entry point, but sometimes
35 00:03:10,050 --> 00:03:12,570 the jump is not at the first line, the entry point.
36 00:03:13,140 --> 00:03:15,150 So this method is more reliable.
37 00:03:16,290 --> 00:03:21,540 So now we have found this; the start of the shellcode should be this one.
38 00:03:22,740 --> 00:03:32,970 Based on our understanding of the anatomy of the shellcode, the shellcode comes after pushad and
39 00:03:32,970 --> 00:03:33,900 pushfd.
40 00:03:34,950 --> 00:03:38,430 Now we need to identify where it ends.
41 00:03:38,550 --> 00:03:39,840 So we need to look for
42 00:03:40,800 --> 00:03:50,790 the popfd and popad. So for that, this is the one we are following, these two pushes here,
43 00:03:51,330 --> 00:03:57,600 pushad and pushfd, and now we need to look for these two to locate the end of
44 00:03:57,600 --> 00:03:58,110 the shellcode.
45 00:03:59,100 --> 00:04:06,780 So to do that, we can either repeat this search or, easier, just scroll down and look for
46 00:04:06,830 --> 00:04:11,730 9D 61 or popfd, popad.
47 00:04:13,110 --> 00:04:17,940 So you can just look in this column and you shouldn't have any difficulty finding it.
48 00:04:19,020 --> 00:04:22,080 Here you are, popfd and popad.
49 00:04:23,200 --> 00:04:25,120 And then you can see 9D 61 here.
50 00:04:25,540 --> 00:04:30,070 So this marks the end of the shellcode; the end of the shellcode is over here.
51 00:04:31,990 --> 00:04:32,560 Over here.
52 00:04:34,090 --> 00:04:37,330 So now we know that the shellcode starts from
53 00:04:39,700 --> 00:04:43,900 here, so we can follow this in the dump, Dump 1.
54 00:04:44,650 --> 00:04:46,030 So we just select this address.
55 00:04:46,060 --> 00:04:46,540 Right click.
56 00:04:47,530 --> 00:04:52,660 And then Follow in Dump, Selected Address, and there you go.
57 00:04:54,010 --> 00:04:55,900 So 60 9C
58 00:04:57,060 --> 00:05:00,980 is pushad, which you can see here, and 9C.
59 00:05:02,370 --> 00:05:05,190 And then the end of the shellcode is
60 00:05:08,460 --> 00:05:16,230 9D 61. 9D 61, this one, 9D 61.
61 00:05:18,500 --> 00:05:19,100 61.
62 00:05:23,210 --> 00:05:30,110 This is 9D 61, 9D 61 over here.
63 00:05:31,370 --> 00:05:35,510 So your shellcode is from here to here.
64 00:05:37,380 --> 00:05:43,790 So select it: 60 9C, which are pushad, pushfd,
65 00:05:45,270 --> 00:05:48,760 to 9D 61, popfd and popad.
66 00:05:49,540 --> 00:05:51,280 So you have selected it.
67 00:05:52,780 --> 00:06:01,930 You can dump it directly; you can also see the [unclear] here.
68 00:06:02,740 --> 00:06:04,410 So you can now dump it by right
69 00:06:04,510 --> 00:06:05,560 clicking the selection.
70 00:06:06,750 --> 00:06:10,530 Going to Binary and click Save To a File.
71 00:06:14,090 --> 00:06:18,200 Navigate to the folder that you want to save in.
72 00:06:23,250 --> 00:06:24,780 So we can give it a name.
73 00:06:25,980 --> 00:06:27,030 You can call it dump.
74 00:06:30,100 --> 00:06:34,060 dump.bin, then click on Save.
75 00:06:36,480 --> 00:06:37,560 Now you can close this.
76 00:06:41,670 --> 00:06:43,800 And go and see our dump.bin.
77 00:06:49,200 --> 00:06:49,780 There you go.
78 00:06:51,810 --> 00:06:54,360 For a better view, you can open it in HxD.
79 00:06:58,530 --> 00:07:02,140 And you can see the start of the shellcode and the end.
80 00:07:04,240 --> 00:07:10,060 So that's how you can reverse engineer shellcode and dump the shellcode.
81 00:07:10,630 --> 00:07:11,530 Thank you for watching.
82 00:07:11,830 --> 00:07:13,210 I'll see you in the next video.