1 00:00:00,300 --> 00:00:09,090 Welcome to this demonstration. This is the file which you have downloaded, and I've put mine on the
2 00:00:09,090 --> 00:00:09,600 desktop.
3 00:00:11,500 --> 00:00:19,390 And you need to scan this using Detect It Easy (DIE), in order to confirm that this is indeed a .NET
4 00:00:19,570 --> 00:00:20,390 application.
5 00:00:21,640 --> 00:00:27,530 So once you've confirmed that it is a .NET application, you can just run it now and see what it does.
6 00:00:28,150 --> 00:00:29,740 You can open the command prompt.
7 00:00:32,640 --> 00:00:43,560 And then head over to this location: copy the path, cd to it, click and paste, press enter, then dir
8 00:00:43,560 --> 00:00:49,520 to see the contents of the folder, and then to run this, just
9 00:00:49,860 --> 00:00:53,220 type the name of the exe.
10 00:00:54,150 --> 00:00:59,460 And you see, after a while, you get a pop-up message saying "try again".
11 00:01:00,360 --> 00:01:12,540 So the objective of this demonstration is to analyze the behavior and defeat any anti-analysis
12 00:01:12,550 --> 00:01:17,810 mechanism, defeat any obfuscation, and find the flag, which is an email address.
13 00:01:18,720 --> 00:01:24,990 So the first thing we run into is this kind of anti-analysis mechanism.
14 00:01:25,680 --> 00:01:28,140 So to understand this anti-analysis mechanism,
15 00:01:28,650 --> 00:01:33,010 we need to use dnSpy to decompile this.
16 00:01:34,410 --> 00:01:36,780 So this is a 64-bit program.
17 00:01:37,350 --> 00:01:42,870 So I'm going to open the 64-bit dnSpy, which is in this location.
18 00:01:47,420 --> 00:01:52,690 Now, you drag and drop it into dnSpy.
19 00:01:55,170 --> 00:02:03,800 The first thing we do is look for the entry point, so the easiest way is right-clicking on the assembly, and
20 00:02:03,840 --> 00:02:05,370 select Go to Entry Point.
21 00:02:06,920 --> 00:02:15,290 So this is the entry point, and if you analyze the main function, you will see that there is a verification
22 00:02:15,290 --> 00:02:19,130 at startup function which returns a boolean value.
23 00:02:19,790 --> 00:02:28,880 If the flag is true, then it executes this part and then opens a new form.
24 00:02:29,720 --> 00:02:37,580 But if this flag is false, then it will show the message "try again", which we just saw just now
25 00:02:37,590 --> 00:02:38,940 when we tried to run it.
26 00:02:39,620 --> 00:02:41,200 This is the one, "try again".
27 00:02:42,080 --> 00:02:44,590 So obviously we don't want the else branch to execute.
28 00:02:45,080 --> 00:02:46,570 We want the flag to be true.
29 00:02:47,210 --> 00:02:53,510 So in order to find out what makes the flag true, we need to enter this function.
30 00:02:53,520 --> 00:03:00,650 So we just click on that, and you can see the return value is bool for this function.
31 00:03:00,800 --> 00:03:11,680 In this method here, we see that whether or not it returns true depends on the check that
32 00:03:11,690 --> 00:03:12,560 is performed here.
33 00:03:14,280 --> 00:03:14,620 Check.
34 00:03:15,390 --> 00:03:26,660 So over here it is comparing string B with the check string, so if the check string is not equal to string B, then
35 00:03:26,670 --> 00:03:29,430 this is true, and it returns false.
36 00:03:30,390 --> 00:03:36,060 So what we want is for the check string to be equal to the B string.
37 00:03:36,780 --> 00:03:41,790 So in order to find out what is the value of the check string and the B string, we need to put a
38 00:03:41,790 --> 00:03:42,990 breakpoint in.
39 00:03:44,250 --> 00:03:48,000 So put a breakpoint by clicking here and click on Run.
40 00:03:49,620 --> 00:03:56,600 OK, the program has stopped at our breakpoint, and at the bottom panel, you can see the local variables.
41 00:03:57,080 --> 00:04:04,500 Presently the check string is showing null and the B string is also showing null.
42 00:04:04,940 --> 00:04:13,610 So let us step over the execution and see what happens to the check string, which actually now has
43 00:04:13,610 --> 00:04:15,440 got the value of a
44 00:04:16,480 --> 00:04:23,920 hexadecimal string, this value. We are about to execute line thirty-three.
45 00:04:24,860 --> 00:04:30,660 So let's take a look and see what is the value of the B string after this line executes.
46 00:04:31,280 --> 00:04:33,900 And you can see the B string is this value.
47 00:04:33,950 --> 00:04:35,580 So obviously, they are not the same.
48 00:04:36,080 --> 00:04:38,830 That is why this flag is returning false.
49 00:04:39,740 --> 00:04:42,560 So how do we make both of them the same?
50 00:04:43,370 --> 00:04:51,470 So in order to make both of them the same, we have to ensure that one of these is changed to return
51 00:04:51,470 --> 00:04:53,460 a string which is similar to the other one.
52 00:04:54,350 --> 00:04:58,100 So if you can see from here, CheckOne.
53 00:04:59,470 --> 00:05:07,570 CheckOne is returning a string, so we have to make sure that this CheckOne function returns a string
54 00:05:07,990 --> 00:05:10,750 which is similar to string B.
55 00:05:11,990 --> 00:05:14,170 So the B string can be seen
56 00:05:15,720 --> 00:05:16,440 over here.
57 00:05:17,590 --> 00:05:21,880 Now, I copy B and then enter the CheckOne function by clicking on it.
58 00:05:23,890 --> 00:05:32,140 And then over here, you can see CheckOne is this function here. It is returning this value, seven zero
59 00:05:32,140 --> 00:05:32,380 eight.
60 00:05:33,430 --> 00:05:39,070 So you can see here, you can see this function
61 00:05:39,070 --> 00:05:42,700 CheckOne is returning the value in this.
62 00:05:43,900 --> 00:05:44,920 CheckOne, two.
63 00:05:44,990 --> 00:05:51,990 One is the key and the value is this, so we need to return the value we copied.
64 00:05:52,750 --> 00:05:57,400 And so we need to edit this and paste the hash that we copied here.
65 00:05:58,030 --> 00:05:59,440 So to do that, we can right-
66 00:05:59,440 --> 00:06:03,520 click here and then Edit Class (C#).
67 00:06:04,390 --> 00:06:08,320 And then from here we just look for the value that we wish to edit.
68 00:06:09,190 --> 00:06:10,100 Here is this one.
69 00:06:11,080 --> 00:06:13,120 So we select this string here
70 00:06:16,300 --> 00:06:17,900 and paste this.
71 00:06:19,060 --> 00:06:19,450 All right.
72 00:06:19,450 --> 00:06:20,920 So now you click on Compile.
73 00:06:23,380 --> 00:06:29,560 Right now, we click on the back button to go back to the previous one, so we have to dump this to create
74 00:06:29,560 --> 00:06:31,030 a new executable.
75 00:06:31,030 --> 00:06:36,850 So we click on it and then we are going to call it a different name, calling it
76 00:06:36,850 --> 00:06:39,220 dump number one, dump1,
77 00:06:42,640 --> 00:06:44,200 and click.
78 00:06:47,360 --> 00:06:56,300 So now if you go to our location in the folder, we see the new file, and if you run it, you
79 00:06:56,300 --> 00:06:57,140 run dump1.
80 00:07:01,040 --> 00:07:04,700 We don't get the anti-analysis message,
81 00:07:04,880 --> 00:07:05,630 "try again".
82 00:07:06,030 --> 00:07:09,670 Instead, we get a new, different kind of dialog.
83 00:07:10,800 --> 00:07:18,990 So if you click on this dialog now, it says [unclear] you have defeated the anti-analysis.
84 00:07:19,590 --> 00:07:27,240 So now we have to go and see how we can analyze this to find out what is the event handler for
85 00:07:27,240 --> 00:07:27,920 this button.
86 00:07:28,890 --> 00:07:31,830 So to do that, you open back
87 00:07:33,370 --> 00:07:34,210 dnSpy.
88 00:07:36,390 --> 00:07:37,010 And then
89 00:07:38,140 --> 00:07:44,140 remove the breakpoint, go back to our main entry point by pressing the button,
90 00:07:47,590 --> 00:07:54,430 and we notice that if the flag on this return is true, it should return
91 00:07:54,450 --> 00:08:01,540 true, because we've already evaded the anti-analysis.
92 00:08:01,900 --> 00:08:07,740 So it will return true and it will run this part and run this new class, the new form.
93 00:08:08,320 --> 00:08:10,510 So let's click on this new form and see what we get.
94 00:08:12,820 --> 00:08:18,060 So this new form here is the one that it's supposed to show us from here.
95 00:08:18,580 --> 00:08:24,700 It shows this form, and there should be a button somewhere on this form.
96 00:08:25,450 --> 00:08:27,100 And you can see the send button.
97 00:08:27,100 --> 00:08:28,660 Here is the one.
98 00:08:31,190 --> 00:08:33,080 So when you click on the button,
99 00:08:34,590 --> 00:08:36,890 it's going to perform a check.
100 00:08:39,650 --> 00:08:50,240 And if it is authorized, it will show this "attempt" message, so we know that this is true because
101 00:08:50,240 --> 00:08:51,410 this message was shown.
102 00:08:55,130 --> 00:09:03,620 But what we want is to show the else, because the else will give you the flag, as you can see, return
103 00:09:03,620 --> 00:09:04,460 email address.
104 00:09:05,040 --> 00:09:07,020 So we want it to be false.
105 00:09:07,760 --> 00:09:10,220 We have to find out why this flag is false.
106 00:09:11,180 --> 00:09:14,540 So at the moment the flag is true.
107 00:09:14,770 --> 00:09:15,980 That's why this runs.
108 00:09:16,940 --> 00:09:22,480 So if you want to defeat this thing, the authentication must return true.
109 00:09:22,910 --> 00:09:28,490 So if it returns true, the NOT operation will negate it to become false.
110 00:09:29,340 --> 00:09:31,060 So that must be true.
111 00:09:31,610 --> 00:09:35,570 So in order to analyze what makes the authentication true,
112 00:09:35,990 --> 00:09:37,040 we can do this.
113 00:09:39,190 --> 00:09:48,250 And you can see the function isAuthorized here. isAuthorized here will get the IP address of this
114 00:09:48,250 --> 00:09:56,230 virtual machine, and you see it here, and then here it goes through the collected IP addresses and checks
115 00:09:56,230 --> 00:09:57,460 whether it is this string.
116 00:09:58,760 --> 00:10:07,610 So if it is this string, then true. So our objective now is to make the flag true. In order to make
117 00:10:07,610 --> 00:10:08,070 it true,
118 00:10:08,150 --> 00:10:12,940 we have to change this IP address to the actual IP address of our virtual machine.
119 00:10:13,790 --> 00:10:16,910 So to do that, we have to find out what is our IP address.
120 00:10:17,540 --> 00:10:23,090 So we click on the command prompt here to find our IP address.
121 00:10:23,090 --> 00:10:30,110 We type ipconfig and we see our IP address is 10.0.2.15.
122 00:10:30,710 --> 00:10:32,370 It will be different for your machine.
123 00:10:33,110 --> 00:10:37,250 So just follow along; for me it is 10.0.2.15.
124 00:10:37,820 --> 00:10:44,000 So I'm going to edit this by clicking; this time we use Edit IL Instructions.
125 00:10:44,320 --> 00:10:45,440 I'll only use the
126 00:10:49,510 --> 00:10:55,120 So over here, I look for the string, the ldstr over here, and I'm going to change this
127 00:10:55,120 --> 00:10:58,090 to my IP address, which is 10.0.2.15.
128 00:11:06,030 --> 00:11:12,150 10.0.2.15, and then I click on OK.
129 00:11:13,520 --> 00:11:21,770 Now, I have to dump this to a new file, and this time I'm going to call it dump2.
130 00:11:27,700 --> 00:11:32,160 And I click OK, and now I have another file.
131 00:11:36,590 --> 00:11:39,210 Let's clear the screen.
132 00:11:39,260 --> 00:11:46,280 Yeah, let me close this first one now. Having done that, it is time to run dump2.
133 00:11:51,200 --> 00:11:59,810 And authenticated, so we solved the challenge. This is the email that we are supposed to fish out
134 00:11:59,810 --> 00:12:01,580 of this binary.
135 00:12:02,390 --> 00:12:14,480 So this is how you can use dnSpy to defeat the obfuscation yourself by modifying the program behavior through the
136 00:12:14,480 --> 00:12:15,550 debugging process.
137 00:12:16,630 --> 00:12:19,630 And then get the information that we require.
138 00:12:20,500 --> 00:12:25,330 So if this was malware, this email would be your indicator of compromise.
139 00:12:25,720 --> 00:12:29,020 So hopefully this is useful for you.
140 00:12:29,590 --> 00:12:30,610 Thank you for watching.
141 00:12:30,820 --> 00:12:32,140 I'll see you in the next one.