1 00:00:01,540 --> 00:00:05,740 So guys, in this video, we'll be talking about the API hashing technique.
2 00:00:05,740 --> 00:00:14,170 So this technique is used to make static analysis, static malware analysis, a little bit difficult because
3 00:00:14,170 --> 00:00:21,040 a malware analyst can handle the static analysis, like opening it in the accelerator or running strings on that
4 00:00:21,370 --> 00:00:22,060 EXE,
5 00:00:23,540 --> 00:00:33,080 and find that this exe is using the MessageBox or any other function, so he can deduce whether the
6 00:00:33,080 --> 00:00:42,050 malware is connecting to the Internet or it is using any encryption functions to encrypt the
7 00:00:42,050 --> 00:00:42,860 contents of the disk.
8 00:00:42,890 --> 00:00:52,220 So these strings are very useful for the malware analysts to identify what the malware is doing.
9 00:00:52,220 --> 00:01:00,650 So in this API hashing technique, we are going to convert this API function into this string.
10 00:01:00,650 --> 00:01:02,840 So this is a simple MD5 algorithm.
11 00:01:02,840 --> 00:01:10,040 You can... I have used this hashing in Python to generate the hexadecimal hash.
12 00:01:10,130 --> 00:01:12,200 So this is the MessageBox here.
13 00:01:13,820 --> 00:01:15,710 And also
14 00:01:18,560 --> 00:01:25,370 we are also using this MD5 function; this function I have copied from StackOverflow.
15 00:01:25,370 --> 00:01:28,550 It's just taking the string and computing the hash.
16 00:01:28,970 --> 00:01:32,240 So this will be the result of this hash.
17 00:01:32,240 --> 00:01:33,200 So let's
18 00:01:35,470 --> 00:01:36,010 see.
19 00:01:36,220 --> 00:01:38,140 GetMD5 of
20 00:01:44,980 --> 00:01:46,280 MessageBox here.
21 00:01:48,550 --> 00:01:52,510 And let's go and print this one.
22 00:01:54,160 --> 00:01:55,690 We should get the same result.
23 00:01:58,310 --> 00:01:59,720 And we can see the same result.
24 00:01:59,720 --> 00:02:01,010 But in that case.
25 00:02:07,370 --> 00:02:11,930 Now, let's, uh, remove this and paste the hash here.
26 00:02:12,710 --> 00:02:14,420 You can remove this comment as well.
27 00:02:14,450 --> 00:02:23,120 Now, what we're going to do is we are going to load this DLL, that is user32.dll.
28 00:02:23,390 --> 00:02:25,340 You can also load any DLL.
29 00:02:25,790 --> 00:02:31,550 So after loading the DLL, we need to enumerate all of the exported functions of the DLL.
30 00:02:32,420 --> 00:02:39,110 So after enumerating each of these functions, so let's say the first one acquired as W excuse you, we
31 00:02:39,110 --> 00:02:49,100 need to get the MD5 hash for this function name and check that hash against this original hash; when it
32 00:02:49,100 --> 00:02:49,610 matches,
33 00:02:49,610 --> 00:02:59,360 so that means we need to use that function, and we can use GetProcAddress to get the address of
34 00:02:59,360 --> 00:03:00,200 this function.
35 00:03:00,290 --> 00:03:09,380 And in a similar way, we need to enumerate all of these exported functions and apply this MD5 hash function
36 00:03:09,380 --> 00:03:16,080 on that name to get the hash and check that hash with this, our function hash.
37 00:03:16,100 --> 00:03:19,280 If that matches, then that means we are going to use that function.
38 00:03:21,250 --> 00:03:21,700 So.
39 00:03:21,700 --> 00:03:28,900 Okay, so let's, uh, I have already created this function, GetFunctionFromHash.
40 00:03:28,900 --> 00:03:30,940 So GetFunctionFromHash.
41 00:03:30,940 --> 00:03:34,510 And the first one is, we need to pass the DLL name, user32.dll.
42 00:03:36,620 --> 00:03:38,330 And the second one is the hash.
43 00:03:39,200 --> 00:03:45,860 So it will load this user32.dll and it will enumerate all of the exported functions and hash
44 00:03:45,860 --> 00:03:51,050 those function names and see whether that hash matches this hash given in this parameter.
45 00:03:51,050 --> 00:03:54,680 And if it matches, then that is the right function we need to use in our code.
46 00:04:00,020 --> 00:04:06,080 So we got the DLL name and the original hash. Now let's go and get
47 00:04:09,120 --> 00:04:10,740 GetModuleHandle of
48 00:04:13,510 --> 00:04:14,790 DLL name.
49 00:04:21,740 --> 00:04:25,520 So we will get the DLL base address.
50 00:04:26,930 --> 00:04:30,140 So DLL base address means this starting one,
51 00:04:31,800 --> 00:04:34,440 starting at the MZ bytes.
52 00:04:35,980 --> 00:04:45,700 Okay, from here onwards, we need to parse each and every PE header, or you can directly go and
53 00:04:45,790 --> 00:04:47,590 skip to this offset.
54 00:04:47,590 --> 00:04:49,060 You can see the optional header.
55 00:04:50,350 --> 00:04:52,780 That export directory, offset 170.
56 00:04:52,960 --> 00:04:57,800 But it's good to parse this PE file.
57 00:04:58,750 --> 00:05:08,770 So let's parse this one: Marshal.PtrToStructure, and the DLL base,
58 00:05:11,100 --> 00:05:14,850 and typeof IMAGE_DOS_HEADER.
59 00:05:21,530 --> 00:05:23,090 So dosHeader.
60 00:05:31,010 --> 00:05:34,520 We can print dosHeader.e_magic.
61 00:05:49,460 --> 00:05:51,650 So let's run this and we can see.
62 00:05:51,650 --> 00:05:53,240 If you see MZ, we are good to go.
63 00:05:54,490 --> 00:05:55,990 Now let's remove this.
64 00:05:56,020 --> 00:05:58,630 Now we need to parse that signature.
65 00:06:02,300 --> 00:06:11,900 Signature is equal to... signature takes four bytes, and Marshal dot read.
66 00:06:13,880 --> 00:06:14,990 Then, Copy.
67 00:06:19,000 --> 00:06:25,480 From the source, that is DLL base plus
68 00:06:25,540 --> 00:06:28,200 dosHeader.e_lfanew.
69 00:06:28,210 --> 00:06:36,430 So this gives you the offset to the starting address of that NT header, that is the PE header.
70 00:06:36,430 --> 00:06:41,650 So starting index zero, and destination signature,
71 00:06:42,980 --> 00:06:44,450 and the length is four.
72 00:06:56,250 --> 00:06:57,180 This one.
73 00:06:59,290 --> 00:07:00,340 Signature.
74 00:07:08,780 --> 00:07:14,090 Now the signature byte array contains this signature.
75 00:07:14,240 --> 00:07:17,860 Now we need to create a header.
76 00:07:22,250 --> 00:07:25,910 ntHeader.Signature is equal to
77 00:07:26,030 --> 00:07:29,630 and this byte array, we need to convert this into an integer.
78 00:07:55,050 --> 00:07:55,380 Now.
79 00:07:55,380 --> 00:07:58,320 Next, we need to parse this file header: Marshal
80 00:07:59,430 --> 00:08:03,360 PtrToStructure, DLL base plus
81 00:08:04,460 --> 00:08:06,320 e_lfanew.
82 00:08:06,320 --> 00:08:12,770 e_lfanew plus four; four is the signature size, and then typeof
83 00:08:15,880 --> 00:08:17,050 IMAGE_FILE_HEADER.
84 00:08:25,420 --> 00:08:28,650 So we are storing this in
85 00:08:31,820 --> 00:08:32,560 fileHeader.
86 00:09:02,760 --> 00:09:10,410 And the next one we need to parse is the optional header, which is equal to Marshal.PtrToStructure,
87 00:09:11,040 --> 00:09:12,990 the base plus
88 00:09:14,910 --> 00:09:16,020 dosHeader dot
89 00:09:16,680 --> 00:09:23,250 e_lfanew, plus four for that signature, plus 20, that is the size of the file header, and typeof
90 00:09:24,140 --> 00:09:25,820 IMAGE_OPTIONAL_HEADER.
91 00:09:34,020 --> 00:09:35,340 So copy this.
92 00:09:36,540 --> 00:09:37,440 And to you.
93 00:09:37,920 --> 00:09:39,300 So we have copied.
94 00:09:39,480 --> 00:09:40,080 We have
95 00:09:42,910 --> 00:09:45,250 marshaled everything we need.
96 00:09:45,250 --> 00:09:51,060 So we need to go to this offset, export directory.
97 00:09:51,070 --> 00:09:56,610 So if you add the base address plus this address, you will land here.
98 00:10:02,360 --> 00:10:07,280 And we can convert this to IMAGE_EXPORT_DIRECTORY.
99 00:10:08,730 --> 00:10:11,010 DLL base plus
100 00:10:12,960 --> 00:10:19,290 and PE header OptionalHeader.ExportTable.VirtualAddress.
101 00:10:20,010 --> 00:10:22,170 And this typeof
102 00:10:23,950 --> 00:10:25,090 IMAGE_EXPORT_DIRECTORY.
103 00:10:30,220 --> 00:10:30,940 Copy.
104 00:10:33,560 --> 00:10:34,990 We can say export.
105 00:10:51,060 --> 00:10:52,230 So we are good to go.
106 00:10:52,260 --> 00:10:59,820 Now we have the export and we can print the number of sections.
107 00:11:00,810 --> 00:11:03,840 Export dot... not number of sections,
108 00:11:03,900 --> 00:11:07,020 NumberOfFunctions, and export
109 00:11:07,230 --> 00:11:08,520 NumberOfNames.
110 00:11:16,250 --> 00:11:17,420 Okay, so.
111 00:11:19,830 --> 00:11:26,350 Now, before we are going to enumerate these names, we need to get the pointers for these; one is the
112 00:11:26,590 --> 00:11:27,430 functions.
113 00:11:27,450 --> 00:11:34,470 This is called EAT, export address table, and this is the ENT, export name table, and this is the EOT, export
114 00:11:34,470 --> 00:11:35,230 ordinal table.
115 00:11:35,250 --> 00:11:38,010 So let's get these pointers.
116 00:11:44,390 --> 00:11:46,680 DLL base plus export
117 00:11:49,100 --> 00:11:52,070 dot AddressOfFunctions.
118 00:11:53,030 --> 00:11:56,410 And so this is an IntPtr.
119 00:11:56,570 --> 00:11:57,170 So.
120 00:11:59,420 --> 00:12:04,730 Let's call this EAT pointer, export address table.
121 00:12:10,300 --> 00:12:17,680 So copy this and paste it two times, and change this to ENT pointer and this one to EOT pointer.
122 00:12:18,160 --> 00:12:23,530 And also change this to AddressOfNames
123 00:12:28,790 --> 00:12:29,450 and AddressOfName
124 00:12:30,470 --> 00:12:31,490 Ordinals.
125 00:12:33,670 --> 00:12:39,120 So now we have three pointers pointing to this area, and this area, and this area.
126 00:12:39,130 --> 00:12:44,020 So let's go and enumerate these names.
127 00:12:47,900 --> 00:12:50,570 For int i is equal to zero,
128 00:12:50,590 --> 00:12:53,780 i less than export dot NumberOfNames.
129 00:12:53,780 --> 00:12:56,870 So i, export NumberOfNames.
130 00:13:05,910 --> 00:13:14,840 So if you go to this AddressOfNames, you can see, if you read four bytes, 9 2 C 5 7.
131 00:13:14,850 --> 00:13:21,070 So if you go to this 9 2 C 5 7, that is the first function.
132 00:13:22,970 --> 00:13:28,130 So Marshal.PtrToStringAnsi,
133 00:13:29,630 --> 00:13:33,410 and EAT pointer
134 00:13:36,910 --> 00:13:37,960 plus
135 00:13:39,150 --> 00:13:40,200 i into four?
136 00:13:42,310 --> 00:13:43,210 Or we can
137 00:13:46,940 --> 00:13:48,830 let's read the first function.
138 00:13:48,830 --> 00:13:52,340 So this is the function name.
139 00:13:54,360 --> 00:13:59,160 And at last, we are going to increment this ENT pointer by four.
140 00:14:00,700 --> 00:14:02,980 And we can print the function name.
141 00:14:10,000 --> 00:14:10,570 Sorry.
142 00:14:11,050 --> 00:14:13,450 DLL base plus ENT pointer.
143 00:14:44,570 --> 00:14:47,180 So let's change this to an offset.
144 00:15:22,330 --> 00:15:23,200 Oh, sorry.
145 00:15:23,500 --> 00:15:25,480 We need to read those bytes.
146 00:15:25,480 --> 00:15:25,930 So.
147 00:15:28,080 --> 00:15:29,280 Forgot that step.
148 00:15:30,840 --> 00:15:32,670 Marshal dot read
149 00:15:34,470 --> 00:15:35,610 Int32
150 00:15:36,660 --> 00:15:37,560 of EAT.
151 00:15:40,330 --> 00:15:41,830 Now this is the offset.
152 00:15:41,830 --> 00:15:42,580 So.
153 00:15:43,500 --> 00:15:46,880 You need an offset, let's say nameOffset.
154 00:15:51,340 --> 00:15:53,860 Now PtrToStringAnsi,
155 00:15:55,030 --> 00:15:57,870 and DLL base plus nameOffset.
156 00:16:01,650 --> 00:16:03,720 Our string function.
157 00:16:05,100 --> 00:16:10,920 Now we should get all the function names, and we can see we got all the function names.
158 00:16:11,760 --> 00:16:18,060 Now we are going to apply that MD5 function to get the
159 00:16:18,060 --> 00:16:19,740 MD5 hash for this function name.
160 00:16:23,810 --> 00:16:30,590 So if GetMD5 of function name dot ToLower
161 00:16:33,750 --> 00:16:36,290 is equal to the hash,
162 00:16:40,320 --> 00:16:41,100 what did you not hear?
163 00:16:44,480 --> 00:16:48,410 then we are going to print out this function.
164 00:16:52,130 --> 00:16:56,210 So function found for the
165 00:16:57,710 --> 00:16:58,640 hash.
166 00:17:02,140 --> 00:17:05,200 So the first one is the original hash,
167 00:17:06,490 --> 00:17:07,600 and this function.
168 00:17:07,750 --> 00:17:11,200 So let's run this.
169 00:17:12,350 --> 00:17:13,790 And we should get MessageBox.
170 00:17:13,790 --> 00:17:16,940 So here we can see function found for the hash, MessageBox.
171 00:17:18,200 --> 00:17:22,070 Now we can simply say GetProcAddress,
172 00:17:24,040 --> 00:17:28,270 DLL base, comma, function name.
173 00:17:31,450 --> 00:17:33,760 We can actually return this one directly.
174 00:17:36,060 --> 00:17:37,620 So we are
175 00:17:40,590 --> 00:17:43,530 getting the address of this function and returning here.
176 00:17:43,530 --> 00:17:47,340 So this will be saved in this func variable.
177 00:17:47,880 --> 00:17:54,030 Now, I have already declared the delegate that is an exact match of the signature,
178 00:17:54,030 --> 00:17:55,810 an exact match of the MessageBox.
179 00:17:57,830 --> 00:18:03,580 Now we need to get the delegate: Marshal.GetDelegateForFunctionPointer.
180 00:18:03,920 --> 00:18:10,490 So here we need to pass the function, that is func, which we have got from this function, and the typeof
181 00:18:10,490 --> 00:18:12,050 Message.
182 00:18:12,970 --> 00:18:14,740 So Message is the name of the delegate
183 00:18:14,740 --> 00:18:19,990 I have declared, and I can say message equals Message.
184 00:18:21,620 --> 00:18:25,550 Now we can call this one, and IntPtr.Zero,
185 00:18:27,530 --> 00:18:28,190 "Testing
186 00:18:28,190 --> 00:18:29,150 one, two, three",
187 00:18:31,970 --> 00:18:34,160 uh, "Hashed API",
188 00:18:37,010 --> 00:18:38,810 for a normal message box.
189 00:18:39,230 --> 00:18:50,090 So let's do this, and we can run this one, and we can see we got... we executed the MessageBox here without
190 00:18:50,090 --> 00:18:52,070 actually calling the MessageBox here.
191 00:18:52,820 --> 00:18:58,310 So with this hash, we have found the actual function.
192 00:18:59,000 --> 00:19:01,790 You can also use directly the
193 00:19:02,730 --> 00:19:05,010 index of this one.
194 00:19:05,010 --> 00:19:12,210 So if you found it at this index, you can go to this one at the name ordinals address and read two bytes from
195 00:19:12,210 --> 00:19:12,600 there,
196 00:19:12,600 --> 00:19:16,500 and at that index of this AddressOfFunctions, you will find that address.
197 00:19:16,620 --> 00:19:19,230 So you can do that as well.
198 00:19:20,030 --> 00:19:21,800 But just for demonstration purposes,
199 00:19:21,800 --> 00:19:23,990 I have shown that GetProcAddress.
200 00:19:25,000 --> 00:19:29,800 So this works for any other function you can hash.
201 00:19:31,610 --> 00:19:38,450 So you can just change this, the DLL and the hash, and you can get that function address.