1
00:00:00,060 --> 00:00:06,490
Well, everyone, last time we were able to use our code cave for our shellcode and we received

2
00:00:06,490 --> 00:00:13,840
the reverse shell. Today, we are going to make it even harder on any antivirus by encrypting our shellcode

3
00:00:13,860 --> 00:00:19,900
and decrypting it at runtime. In order for us to decrypt our shellcode,

4
00:00:19,920 --> 00:00:23,420
we need to use a second cave for the decryption mechanism.

5
00:00:26,870 --> 00:00:29,720
Let's copy the memory address of our second cave first.

6
00:00:41,640 --> 00:00:47,670
Now, let's open the last saved version that we worked on last time and jump to this cave instead.

7
00:01:13,290 --> 00:01:22,110
This is our shellcode from last time. I'm going to find this command. The reason why I'm doing this is

8
00:01:22,110 --> 00:01:28,530
because every time you patch a file and reopen it in x32 debugger, all your breakpoints

9
00:01:28,530 --> 00:01:29,250
are cleared.

10
00:01:31,380 --> 00:01:32,820
Let's set a breakpoint here.

11
00:01:45,170 --> 00:01:47,450
Let's replace this with our new cave.

12
00:01:59,840 --> 00:02:02,610
As you see, the cave is not completely empty.

13
00:02:03,410 --> 00:02:06,950
Let's scroll down and find another memory address to jump to.

14
00:02:34,910 --> 00:02:37,880
Let's reopen the program and use this address instead.

15
00:03:13,490 --> 00:03:21,050
OK, now we need to write our decryption procedure. We're going to use a simple XOR operation.

16
00:03:21,890 --> 00:03:27,290
If we XOR a value one time, it will result in a different value.

17
00:03:27,830 --> 00:03:34,520
But if we XOR it again against the encrypted value, it will give us back the decrypted, or the original,

18
00:03:34,520 --> 00:03:36,920
value that we encrypted.
19
00:03:38,340 --> 00:03:45,050
We're going to use the ESI register to store a pointer to the very beginning of our shellcode in

20
00:03:45,050 --> 00:03:45,800
the other cave.

21
00:03:46,730 --> 00:03:49,550
But let's save the value in ESI first.

22
00:03:51,710 --> 00:03:54,320
We're doing this by pushing ESI on the stack.

23
00:04:01,110 --> 00:04:04,200
Now, let's copy the shellcode pointer to ESI.

24
00:04:17,840 --> 00:04:26,390
Next, we XOR one byte at a time by referencing the pointer stored in ESI. I'm going to use the hex

25
00:04:26,390 --> 00:04:29,510
value A; you can use anything else you want.

26
00:04:46,140 --> 00:04:49,620
Let's increment ESI now to point at the next byte.

27
00:04:55,560 --> 00:05:00,150
Now, we need to compare whether ESI has reached the end of the shellcode or not.

28
00:05:00,810 --> 00:05:05,000
But first, let's go and get the address of the end of our shellcode.

29
00:05:06,060 --> 00:05:12,390
We can do that easily by following our breakpoint multiple times and then going to the end of the shellcode.

30
00:05:47,570 --> 00:05:51,440
Let's go back to our second cave now by following our breakpoint.

32
00:06:30,750 --> 00:06:38,400
We are going to repeat the XOR operation if the address of our pointer is less than or equal to the

33
00:06:38,400 --> 00:06:39,600
end of our shellcode.

34
00:06:59,680 --> 00:06:59,710
Or

35
00:07:02,550 --> 00:07:05,550
else let's pop back our ESI.

36
00:07:11,960 --> 00:07:16,970
Now, since we are done with the decryption, we can jump back to the beginning of our shellcode.

37
00:07:32,210 --> 00:07:37,730
But keep in mind, we are not decrypting our shellcode now, since it's already decrypted, right?

38
00:07:38,630 --> 00:07:43,790
But instead we are encrypting it, and then we will copy the encryption result into a text file.

39
00:07:46,160 --> 00:07:49,850
Let's set a breakpoint at the end of this encryption procedure first.
40
00:08:00,480 --> 00:08:04,350
Now, let's run the program until it hits our breakpoint.

41
00:08:10,750 --> 00:08:15,640
I'm going to step into one time to go to our encrypted code so we can copy it.

42
00:08:18,880 --> 00:08:22,960
See, all the instructions are completely different from before.

43
00:08:56,630 --> 00:08:59,090
Now let's patch this file with a different name.

44
00:09:50,800 --> 00:09:54,010
I'm going to follow this address to go to the shellcode.

45
00:10:12,470 --> 00:10:15,320
Let's copy the encrypted shellcode from before

46
00:10:21,910 --> 00:10:23,020
and paste it here.

47
00:10:34,610 --> 00:10:36,230
Let's patch it with a different name.

48
00:11:02,690 --> 00:11:08,840
Let's go to the end of our shellcode, set a breakpoint, and see if we get a shell after we apply the

49
00:11:08,840 --> 00:11:09,860
decryption mechanism.

50
00:11:56,220 --> 00:12:04,830
This is the encrypted code. We didn't run the decryption mechanism yet. Let's scroll all the way to the

51
00:12:04,830 --> 00:12:05,220
bottom.

52
00:12:17,250 --> 00:12:19,080
Now, let's run our shellcode.

53
00:12:21,970 --> 00:12:23,560
Nice, we got a shell here.

54
00:12:24,400 --> 00:12:26,470
We got a reverse shell in our netcat.

55
00:12:32,540 --> 00:12:34,420
And the program was running fine.

56
00:12:40,440 --> 00:12:43,240
Let's try it outside x32 debugger.

57
00:13:01,000 --> 00:13:04,210
We got a reverse shell, and also the program was running fine.

58
00:13:12,810 --> 00:13:15,540
This was the last video of our backdooring series.

59
00:13:15,930 --> 00:13:18,140
Thanks for watching and see you in another video.