1
00:00:00,240 --> 00:00:04,600
Hello, everyone, welcome to a new video of our backdooring PE series.

2
00:00:05,820 --> 00:00:12,090
Last time we were able to backdoor our 7-Zip application by creating a new executable section

3
00:00:12,090 --> 00:00:14,070
and execute our shellcode from it.

4
00:00:15,240 --> 00:00:19,080
But this method is not very effective against most antivirus software.

5
00:00:20,040 --> 00:00:26,070
The reason why is an antivirus would detect that the entry point of the program was hijacked and also

6
00:00:26,070 --> 00:00:27,870
that a new section header was created.

7
00:00:29,640 --> 00:00:31,680
Let's make it harder for the antivirus.

8
00:00:31,680 --> 00:00:37,950
Instead of creating a new section header, we will find unused space inside the application and

9
00:00:37,950 --> 00:00:41,610
take advantage of it by inserting our shellcode there and executing it.

10
00:00:43,190 --> 00:00:49,500
We are also not hijacking the entry point of the program, but instead we will find a certain function

11
00:00:49,500 --> 00:00:51,460
of the program and hijack its flow.

12
00:00:53,190 --> 00:00:56,750
This time we are using the PuTTY application instead of 7-Zip.

13
00:00:58,530 --> 00:01:02,820
Let's first open PuTTY and try to connect to any server via SSH.

14
00:01:12,920 --> 00:01:16,670
Notice the string that appeared on the screen: "login as".

15
00:01:19,930 --> 00:01:21,320
This string is very useful.

16
00:01:21,430 --> 00:01:24,590
We can try and look it up in our x32dbg.

17
00:01:27,010 --> 00:01:27,790
Let's find it.

18
00:01:52,670 --> 00:01:57,560
After downloading, we can type "login as" in the search bar at the bottom.

19
00:02:01,940 --> 00:02:06,470
I've already tried the first memory address before, but it wasn't what I wanted.

20
00:02:07,370 --> 00:02:10,100
Let's set a breakpoint on the second memory address

21
00:02:12,860 --> 00:02:14,560
by pressing F2.
22
00:02:17,180 --> 00:02:20,490
Now let's continue our execution and connect to our IP address.

23
00:02:20,960 --> 00:02:23,450
I'm going to click continue two times.

24
00:02:33,000 --> 00:02:33,640
Very good.

25
00:02:33,660 --> 00:02:35,190
We hit our breakpoint.

26
00:02:36,810 --> 00:02:40,100
Also, the "login as" string did not appear yet.

27
00:02:40,770 --> 00:02:42,330
This is a very good indication,

28
00:02:46,470 --> 00:02:49,560
if you notice the instruction at our breakpoint.

29
00:02:52,210 --> 00:02:58,820
As we discussed before, the push instruction with a memory address is five hex bytes, and if we

30
00:02:58,840 --> 00:03:02,980
replace it with our jump instruction, then it should be the same size.

31
00:03:04,480 --> 00:03:08,800
That means we're not overwriting any other instructions after this one.

32
00:03:11,190 --> 00:03:14,770
Let's save the opcode of this instruction first in a text file.

33
00:03:36,460 --> 00:03:43,000
We also need to save the memory address of the very next instruction, this one, since we are returning

34
00:03:43,000 --> 00:03:44,500
back to it later.

35
00:04:04,070 --> 00:04:12,950
Now, we don't know where we are jumping to yet. We can find unused space in the program with a tool called

36
00:04:12,950 --> 00:04:16,730
CaveMiner, to find our code cave section.

37
00:04:19,870 --> 00:04:23,830
You can install this tool in Kali using pip install cave_miner.

38
00:04:32,670 --> 00:04:39,480
To use this tool, we can type cave_miner from the command line, followed by search, then the size

39
00:04:39,480 --> 00:04:47,160
of the unused space, and lastly the file. Here I'm using five hundred bytes as the minimum space that

40
00:04:47,160 --> 00:04:47,820
I'm looking for.

41
00:04:53,970 --> 00:04:58,470
As you noticed, we found a few caves, two of them in the .data section.
42
00:05:01,190 --> 00:05:07,180
I've already tried to put my shellcode in the second cave, which is the largest, but it didn't work

43
00:05:07,180 --> 00:05:07,460
well.

44
00:05:08,320 --> 00:05:14,080
The reason why is sometimes the cave won't be completely empty and you might find many instructions

45
00:05:14,080 --> 00:05:16,760
replaced every time you open the program.

46
00:05:17,680 --> 00:05:21,430
With that said, I'm going to choose the first cave for my shellcode.

47
00:05:26,580 --> 00:05:29,550
Let's copy its memory address to a text file first.

48
00:05:42,420 --> 00:05:49,160
Now, before we do anything, let's make sure that the .data section is marked as executable using

49
00:05:49,170 --> 00:05:50,130
LordPE.

50
00:06:19,750 --> 00:06:23,950
I'm going to start the program again until I hit the breakpoint from before.

51
00:06:42,310 --> 00:06:46,270
Now, let's overwrite this push instruction and jump to our new cave.

52
00:07:02,340 --> 00:07:04,170
Now, click step into.

53
00:07:08,040 --> 00:07:14,720
Notice that not all instructions are preserved; some of them are overwritten by other instructions.

54
00:07:15,600 --> 00:07:20,730
This might cause us a problem later, since the program will still replace these instructions every

55
00:07:20,730 --> 00:07:21,640
time we open it.

56
00:07:24,000 --> 00:07:27,210
Let's choose a different memory address inside our cave.

57
00:07:32,320 --> 00:07:34,100
I'm going to copy its memory address.

58
00:07:47,640 --> 00:07:51,360
Now, I'm going to reopen my program and jump to this address instead.

59
00:08:25,970 --> 00:08:30,050
Let's add some NOP instructions and patch this file with a different name.

60
00:08:56,550 --> 00:08:58,530
We're going to work on the new binary.

61
00:09:05,050 --> 00:09:08,290
Now let's look for our jump instruction and set a breakpoint.

62
00:09:46,470 --> 00:09:47,040
Very good.
63
00:09:47,550 --> 00:09:52,530
Again, the same procedure as before: let's save the registers and the flags.

64
00:10:04,400 --> 00:10:09,440
Now, let's paste our shellcode. I'm going to save it in a text file first.

65
00:10:31,820 --> 00:10:34,290
Let's NOP our infinite loop instruction,

66
00:10:34,310 --> 00:10:38,570
same as before, and add 204 to our ESP.

67
00:10:54,580 --> 00:11:00,130
Let's paste the instruction we saved in the beginning and continue the flow of our program by jumping

68
00:11:00,130 --> 00:11:02,650
back to the address we saved in our text file.

69
00:11:15,650 --> 00:11:19,640
But before we do that, let's restore our registers and the flags first.

70
00:11:35,780 --> 00:11:40,880
Now, let's jump to the very first point we saved in our text file.

71
00:11:57,340 --> 00:11:59,710
Let's patch this file with a different name.

72
00:12:15,530 --> 00:12:18,110
Then open it in x32dbg.

73
00:12:39,080 --> 00:12:44,240
I'm going to set a breakpoint at the bottom of our shellcode and check if we get a reverse shell first.

74
00:13:12,370 --> 00:13:14,070
Let's continue the flow of the program.

75
00:13:16,830 --> 00:13:17,350
Very good.

76
00:13:17,520 --> 00:13:18,930
We got our shell.

77
00:13:32,450 --> 00:13:36,950
Let's exit the program from x32dbg and try to run it normally.

78
00:14:07,380 --> 00:14:07,870
Perfect.

79
00:14:08,310 --> 00:14:11,730
We were able to use the code cave for our shellcode and it worked.

80
00:14:12,240 --> 00:14:13,380
We got our shell.

81
00:14:15,000 --> 00:14:16,350
That was all for this video.

82
00:14:16,800 --> 00:14:18,810
Thanks for watching and see you in the next one.