1
00:00:01,230 --> 00:00:03,420
Hello and welcome back.

2
00:00:03,420 --> 00:00:12,900
Today we show you the second way of solving this cracking meter teen which is to hide the debugger to

3
00:00:12,900 --> 00:00:16,810
unpack then bash these hero key.

4
00:00:16,860 --> 00:00:17,940
So let's get started.

5
00:00:20,940 --> 00:00:24,540
So we will open the cranky

6
00:00:27,580 --> 00:00:35,360
using 64 BBG they define it.

7
00:00:36,040 --> 00:00:42,880
Tell me one more time remind you that he is back and you can check by using the.

8
00:00:42,890 --> 00:00:43,720
Take it easy

9
00:00:48,330 --> 00:00:49,660
issues say display

10
00:00:52,420 --> 00:00:54,680
now we are going to unpack it.

11
00:00:57,010 --> 00:00:59,660
So let's opening in 64 for the BBG

12
00:01:04,900 --> 00:01:18,290
and then now the ad is addressing why the entry point and Avis amount to push the registers to this

13
00:01:18,290 --> 00:01:32,310
tank and the button one you're interested in is the memory address in EVP Sue press F eight and see

14
00:01:32,610 --> 00:01:33,240
what happens

15
00:01:36,170 --> 00:01:36,550
now.

16
00:01:36,570 --> 00:01:49,090
Notice all the registers having pushed in a stack and one of ACL a BP address in 19 8 0

17
00:01:54,340 --> 00:01:56,810
reaches over here.

18
00:01:56,910 --> 00:01:58,970
So this is a one way intersection.

19
00:01:59,250 --> 00:02:04,320
So we will go and look at a dumb and its location so rightly.

20
00:02:04,750 --> 00:02:15,460
And then follow in dumb and the following We are looking for this man the address of the stack.

21
00:02:15,480 --> 00:02:20,430
So now over here 19 f f f sees here.

22
00:02:20,500 --> 00:02:22,700
This is the EVP memory address.

23
00:02:22,940 --> 00:02:31,890
There has been push onto this day in reverse order because on the little engine system in the intel.

24
00:02:32,090 --> 00:02:37,730
So a 19 f f a 0 is your IP address.

25
00:02:37,730 --> 00:02:45,580
So now we'll put a hardware breakpoint on his memory address likely and then.

26
00:02:45,590 --> 00:02:51,170
Here select breakpoint Sally highway address and select view.

27
00:02:52,420 --> 00:03:01,700
And now you can run and see when the program assesses the hardware brick fine.

28
00:03:01,900 --> 00:03:12,670
So that is the time when the EVP is button that to the register so we run and you can see now it is

29
00:03:12,670 --> 00:03:13,450
faster.

30
00:03:13,570 --> 00:03:14,620
Have every point.

31
00:03:15,700 --> 00:03:25,600
So if you know score up here you will see that he has popped the EVP back so probably will pop everything

32
00:03:25,660 --> 00:03:38,150
from this tank that into the registers and then now you can press have a to step over and go to the

33
00:03:38,180 --> 00:03:40,200
jam.

34
00:03:40,250 --> 00:03:48,380
He has a loop here and we can come up with a loop by selecting the address after it and selecting DBA

35
00:03:48,980 --> 00:03:52,930
run until selection press run.

36
00:03:53,540 --> 00:04:00,590
So we end up here and then we are about to jump to the outside of here.

37
00:04:00,620 --> 00:04:02,680
Stop all the pecker.

38
00:04:02,810 --> 00:04:12,140
So now you press have been looking for the gem and we are out of the Pekka so now we press it again

39
00:04:12,960 --> 00:04:19,160
and a gem right over here so this is the origin entry point.

40
00:04:19,160 --> 00:04:22,410
The court has me unpack and we are about to go there.

41
00:04:23,300 --> 00:04:28,090
So now and then we put a new comment here.

42
00:04:28,180 --> 00:04:30,500
Visa or AP homogeneity by

43
00:04:34,700 --> 00:04:34,970
all right.

44
00:04:35,000 --> 00:04:45,270
So now we are ready to dump the memory of the extracted quote So we click on the plugin.

45
00:04:45,510 --> 00:04:46,860
Go to this killer plugin

46
00:04:50,070 --> 00:05:02,790
and over here click on the file silly down memory and then scroll down and look for the quote that has

47
00:05:02,790 --> 00:05:16,180
been back because this one over here and in in dumb the be slightly on be ending save it in the new

48
00:05:16,350 --> 00:05:19,170
location incriminating fact folder.

49
00:05:20,260 --> 00:05:23,160
And you can give it a name.

50
00:05:26,920 --> 00:05:30,580
And put it down here ascension please save

51
00:05:33,730 --> 00:05:36,180
and there's no need to save the men.

52
00:05:36,370 --> 00:05:38,310
Recently cancer.

53
00:05:38,900 --> 00:05:43,060
And now we need to fix the IED table.

54
00:05:43,060 --> 00:05:48,790
If you were to run the damn now he wouldn't be able to run because he doesn't know where to find the

55
00:05:48,940 --> 00:05:51,170
details that he needs.

56
00:05:51,490 --> 00:05:55,060
So disclose if we are going to fix the IED by now.

57
00:05:55,690 --> 00:06:01,420
Go back to Skyler and over here on Heidi auto search

58
00:06:04,570 --> 00:06:07,440
and he has to say no.

59
00:06:08,130 --> 00:06:13,350
Hey you found the I.T. table to start any of the I.T. diva.

60
00:06:13,890 --> 00:06:21,770
OK and now key on these getting passed you get all the addresses for the details.

61
00:06:21,850 --> 00:06:23,910
We can be fixed and done so.

62
00:06:23,950 --> 00:06:36,010
Click on the system and said and done you open and you can see the status in part reboot success and

63
00:06:36,010 --> 00:06:38,120
he has created a new file dump.

64
00:06:38,140 --> 00:06:39,270
See why.

65
00:06:39,700 --> 00:06:48,470
So now we can test how damn I see Y to see if he runs does DoubleClick and it is running.

66
00:06:49,080 --> 00:07:01,930
Okay so now that you successfully unpacked it let's confirm that is really and pay so close my so far.

67
00:07:01,930 --> 00:07:04,790
And check this file with the I

68
00:07:09,420 --> 00:07:10,930
and you confirmed it.

69
00:07:11,070 --> 00:07:12,160
There is no pecker.

70
00:07:13,990 --> 00:07:15,710
So now we can go ahead and bash

71
00:07:19,280 --> 00:07:22,500
too close they were close tequila and close.

72
00:07:22,530 --> 00:07:32,020
Uh I for first and then you reopen How can you far open entity.

73
00:07:32,090 --> 00:07:34,560
I for the veggie run

74
00:07:38,100 --> 00:07:40,630
and now you can run again

75
00:07:46,570 --> 00:07:48,610
and oh here you can enter any

76
00:07:51,400 --> 00:07:57,590
Syria number and a here click on the boss and notice he his passed.

77
00:07:57,580 --> 00:08:07,900
Now you can inspect the coast and look for the user mail you can follow from

78
00:08:10,690 --> 00:08:13,960
an oh here we see the.

79
00:08:13,980 --> 00:08:16,390
Gee I like probably saw earlier.

80
00:08:17,300 --> 00:08:22,700
So now you can bash by assembling the jump.

81
00:08:23,230 --> 00:08:25,030
Here and here.

82
00:08:25,130 --> 00:08:26,810
OK.

83
00:08:27,050 --> 00:08:31,050
Closes and you can see of in Beijing.

84
00:08:32,900 --> 00:08:34,690
If you want to test you can test.

85
00:08:34,710 --> 00:08:36,220
So yes.

86
00:08:36,230 --> 00:08:36,710
Uh

87
00:08:39,700 --> 00:08:44,620
can run and then going closest Hinkley check.

88
00:08:46,070 --> 00:08:47,720
So our uh.

89
00:08:47,910 --> 00:08:50,560
Sure how we jam assembly works.

90
00:08:50,690 --> 00:08:54,460
Now we can actually go here.

91
00:08:54,470 --> 00:08:54,910
Fine.

92
00:08:56,460 --> 00:09:02,300
English batch file and this time you click is button bashing offer.

93
00:09:03,990 --> 00:09:06,500
And then selling and Union for a call.

94
00:09:06,510 --> 00:09:16,060
Damn I see why we've ne prefix how it is half expect safe.

95
00:09:17,080 --> 00:09:19,920
OK and.

96
00:09:20,800 --> 00:09:28,930
Now we can test our patience quickly and anything can check.

97
00:09:29,890 --> 00:09:32,200
So our patch works.

98
00:09:32,380 --> 00:09:45,000
So just as a quick summary what we did was firstly we open this uh page file and be very open.

99
00:09:45,370 --> 00:09:57,320
He also had to make sure that the scalar high plugin is uh set to basic so that you can hide the debugger

100
00:09:57,710 --> 00:09:59,770
from the program.

101
00:10:00,830 --> 00:10:10,040
And then we went through the unpacking process and we created then after that we opened a fixed income

102
00:10:10,390 --> 00:10:16,260
hierarchy table to produce to dump a c y file.

103
00:10:16,790 --> 00:10:24,860
Once you got the damage so far we confirmed the IP that is already successfully unpacked and then we

104
00:10:24,870 --> 00:10:32,680
reopening again with the ICC for the biggie and passionate file to produce this file.

105
00:10:33,770 --> 00:10:46,130
So this is how we can use a skill high to hide the debugger and produce a patch file so that's all for

106
00:10:46,150 --> 00:10:47,020
this lesson.

107
00:10:47,020 --> 00:10:48,550
Thank you for watching.

108
00:10:48,550 --> 00:10:49,480
See you in the next one.