1
00:00:01,230 --> 00:00:03,420
Hello and welcome back.

2
00:00:03,420 --> 00:00:12,900
Today we show you the second way of solving this crackme, which is to hide the debugger,

3
00:00:12,900 --> 00:00:16,810
unpack, then patch the serial key.

4
00:00:16,860 --> 00:00:17,940
So let's get started.

5
00:00:20,940 --> 00:00:24,540
So we will open the crackme

6
00:00:27,580 --> 00:00:35,360
using x64dbg.

7
00:00:36,040 --> 00:00:42,880
Let me one more time remind you that it is packed, and you can check by using

8
00:00:42,890 --> 00:00:43,720
Detect It Easy,

9
00:00:48,330 --> 00:00:49,660
as you can see displayed.

10
00:00:52,420 --> 00:00:54,680
Now we are going to unpack it.

11
00:00:57,010 --> 00:00:59,660
So let's open it in x64dbg,

12
00:01:04,900 --> 00:01:18,290
and then now this address is the entry point, and it is about to push the registers to the

13
00:01:18,290 --> 00:01:32,310
stack, and the bottom one we are interested in is the memory address in ESP. So press F8 and see

14
00:01:32,610 --> 00:01:33,240
what happens

15
00:01:36,170 --> 00:01:36,550
now.

16
00:01:36,570 --> 00:01:49,090
Notice all the registers have been pushed onto the stack, and the value of ESP, address 19 8 0,

17
00:01:54,340 --> 00:01:56,810
reaches over here.

18
00:01:56,910 --> 00:01:58,970
So this is a one-way intersection.

19
00:01:59,250 --> 00:02:04,320
So we will go and look at the dump at this location, so right-click.

20
00:02:04,750 --> 00:02:15,460
And then Follow in Dump, and then we are looking for this one, the address of the stack.

21
00:02:15,480 --> 00:02:20,430
So now over here, 19FFF, see here.

22
00:02:20,500 --> 00:02:22,700
This is the ESP memory address.

23
00:02:22,940 --> 00:02:31,890
It has been pushed onto the stack in reverse order because of the little-endian system on Intel.

24
00:02:32,090 --> 00:02:37,730
So 19FFA0 is your ESP address.
25
00:02:37,730 --> 00:02:45,580
So now we'll put a hardware breakpoint on this memory address. Right-click and then

26
00:02:45,590 --> 00:02:51,170
here select Breakpoint, Hardware, Access and select Dword.

27
00:02:52,420 --> 00:03:01,700
And now you can run and see when the program accesses the hardware breakpoint.

28
00:03:01,900 --> 00:03:12,670
So that is the time when the ESP is popped back to the registers. So we run, and you can see now it has

29
00:03:12,670 --> 00:03:13,450
paused at the

30
00:03:13,570 --> 00:03:14,620
hardware breakpoint.

31
00:03:15,700 --> 00:03:25,600
So if you scroll up here you will see that it has popped the ESP back, so popad will pop everything

32
00:03:25,660 --> 00:03:38,150
from the stack back into the registers, and then now you can press F8 to step over and go to the

33
00:03:38,180 --> 00:03:40,200
jmp.

34
00:03:40,250 --> 00:03:48,380
It has a loop here, and we can come out of the loop by selecting the address after it and selecting

35
00:03:48,980 --> 00:03:52,930
Run until selection. Press run.

36
00:03:53,540 --> 00:04:00,590
So we end up here, and then we are about to jump to the outside of

37
00:04:00,620 --> 00:04:02,680
the stub of the packer.

38
00:04:02,810 --> 00:04:12,140
So now you press F8, we are looking for the jmp, and we are out of the packer. So now we press it again

39
00:04:12,960 --> 00:04:19,160
and we jump right over here, so this is the original entry point.

40
00:04:19,160 --> 00:04:22,410
The code has been unpacked and we are about to go there.

41
00:04:23,300 --> 00:04:28,090
So now we put a comment here:

42
00:04:28,180 --> 00:04:30,500
"This is OEP".

43
00:04:34,700 --> 00:04:34,970
All right.

44
00:04:35,000 --> 00:04:45,270
So now we are ready to dump the memory of the extracted code. So we click on the Plugins,
45
00:04:45,510 --> 00:04:46,860
go to the Scylla plugin,

46
00:04:50,070 --> 00:05:02,790
and over here click on File, Dump Memory, and then scroll down and look for the code that has

47
00:05:02,790 --> 00:05:16,180
been unpacked, which is this one over here, and then Dump it and save it in the new

48
00:05:16,350 --> 00:05:19,170
location, in the crackme folder.

49
00:05:20,260 --> 00:05:23,160
And you can give it a name.

50
00:05:26,920 --> 00:05:30,580
And put the extension down here, and save,

51
00:05:33,730 --> 00:05:36,180
and there's no need to save the main.

52
00:05:36,370 --> 00:05:38,310
Just click Cancel.

53
00:05:38,900 --> 00:05:43,060
And now we need to fix the IAT table.

54
00:05:43,060 --> 00:05:48,790
If you were to run the dump now, it wouldn't be able to run because it doesn't know where to find the

55
00:05:48,940 --> 00:05:51,170
DLLs that it needs.

56
00:05:51,490 --> 00:05:55,060
So this is why we are going to fix the IAT now.

57
00:05:55,690 --> 00:06:01,420
Go back to Scylla and over here click on IAT Autosearch,

58
00:06:04,570 --> 00:06:07,440
and when it asks, say No.

59
00:06:08,130 --> 00:06:13,350
It has found the IAT table, the start and the end of the IAT.

60
00:06:13,890 --> 00:06:21,770
OK, and now click on Get Imports. You get all the addresses for the DLLs.

61
00:06:21,850 --> 00:06:23,910
They can be fixed into the dump. So

62
00:06:23,950 --> 00:06:36,010
click on Fix Dump, select the dump and Open, and you can see the status: import rebuild success, and

63
00:06:36,010 --> 00:06:38,120
it has created a new file, dump

64
00:06:38,140 --> 00:06:39,270
_SCY.

65
00:06:39,700 --> 00:06:48,470
So now we can test our dump_SCY to see if it runs. Just double-click, and it is running.

66
00:06:49,080 --> 00:07:01,930
Okay, so now that we have successfully unpacked it, let's confirm that it is really unpacked. So close my dump_SCY file
67
00:07:01,930 --> 00:07:04,790
and check this file with DIE,

68
00:07:09,420 --> 00:07:10,930
and it is confirmed.

69
00:07:11,070 --> 00:07:12,160
There is no packer.

70
00:07:13,990 --> 00:07:15,710
So now we can go ahead and patch.

71
00:07:19,280 --> 00:07:22,500
So close, close Scylla and close

72
00:07:22,530 --> 00:07:32,020
x64dbg first, and then reopen our unpacked file, open it in

73
00:07:32,090 --> 00:07:34,560
x64dbg, run,

74
00:07:38,100 --> 00:07:40,630
and now you can run again,

75
00:07:46,570 --> 00:07:48,610
and over here you can enter any

76
00:07:51,400 --> 00:07:57,590
serial number and then click on the button, and notice it has paused.

77
00:07:57,580 --> 00:08:07,900
Now you can inspect the call stack and look for the user module. You can Follow from

78
00:08:10,690 --> 00:08:13,960
and over here we see the

79
00:08:13,980 --> 00:08:16,390
JE, like we probably saw earlier.

80
00:08:17,300 --> 00:08:22,700
So now you can patch by assembling the jump

81
00:08:23,230 --> 00:08:25,030
here and here.

82
00:08:25,130 --> 00:08:26,810
OK.

83
00:08:27,050 --> 00:08:31,050
Close this and you can see it has been patched.

84
00:08:32,900 --> 00:08:34,690
If you want to test, you can test.

85
00:08:34,710 --> 00:08:36,220
So yes,

86
00:08:36,230 --> 00:08:36,710
uh,

87
00:08:39,700 --> 00:08:44,620
run and then click Check.

88
00:08:46,070 --> 00:08:47,720
So our, uh,

89
00:08:47,910 --> 00:08:50,560
that shows how our jmp assembly works.

90
00:08:50,690 --> 00:08:54,460
Now we can actually go here,

91
00:08:54,470 --> 00:08:54,910
File,

92
00:08:56,460 --> 00:09:02,300
Patch file, and this time you click this button, Patch File,

93
00:09:03,990 --> 00:09:06,500
and then save and give it a name:

94
00:09:06,510 --> 00:09:16,060
dump_SCY with the prefix patched, .exe, and save.

95
00:09:17,080 --> 00:09:19,920
OK, and

96
00:09:20,800 --> 00:09:28,930
now we can test our patch quickly: enter anything and click Check.
97
00:09:29,890 --> 00:09:32,200
So our patch works.

98
00:09:32,380 --> 00:09:45,000
So just as a quick summary, what we did was, firstly, we opened this, uh, packed file in the debugger.

99
00:09:45,370 --> 00:09:57,320
We also had to make sure that the ScyllaHide plugin is, uh, set to Basic so that you can hide the debugger

100
00:09:57,710 --> 00:09:59,770
from the program.

101
00:10:00,830 --> 00:10:10,040
And then we went through the unpacking process and we created the dump, and after that we fixed the

102
00:10:10,390 --> 00:10:16,260
import address table to produce the dump_SCY file.

103
00:10:16,790 --> 00:10:24,860
Once we got the dump_SCY file, we confirmed with DIE that it is already successfully unpacked, and then we

104
00:10:24,870 --> 00:10:32,680
reopened it again with x64dbg and patched the file to produce this file.

105
00:10:33,770 --> 00:10:46,130
So this is how we can use ScyllaHide to hide the debugger and produce a patched file. So that's all for

106
00:10:46,150 --> 00:10:47,020
this lesson.

107
00:10:47,020 --> 00:10:48,550
Thank you for watching.

108
00:10:48,550 --> 00:10:49,480
See you in the next one.