1
00:00:01,410 --> 00:00:03,850
Welcome back, so we continue from where we left off.

2
00:00:04,590 --> 00:00:08,430
So in order to decrypt the string, we can put a breakpoint here.

3
00:00:09,780 --> 00:00:12,960
So first we remove all existing breakpoints.

4
00:00:15,790 --> 00:00:17,980
Yes, and then we put our new breakpoint here.

5
00:00:19,950 --> 00:00:26,280
And then we are going to stop here and step into it, so let's run now, make sure the parameter argument

6
00:00:26,280 --> 00:00:27,650
is set here, OK?

7
00:00:29,290 --> 00:00:38,630
Yes, and so you stop here and step into this and see the return type for this decrypt function. Step

8
00:00:38,680 --> 00:00:39,130
into it.

9
00:00:41,780 --> 00:00:48,230
And so we are here now in this function, we scroll down to the return, which is the result here,

10
00:00:48,230 --> 00:00:52,080
with a breakpoint, and run to this very point.

11
00:00:53,330 --> 00:01:01,650
Now you can analyze the result and see just what it is trying to decrypt.

12
00:01:02,570 --> 00:01:04,640
So this is the decrypted string.

13
00:01:05,680 --> 00:01:10,640
Copy value and paste it here, and I paste it over here.

14
00:01:11,770 --> 00:01:21,940
So these are the file extensions he is looking for. So we already know that, we can stop the debugger and

15
00:01:21,940 --> 00:01:28,090
hit the Backspace key to go back to our main. Backspace again.

16
00:01:29,230 --> 00:01:29,580
All right.

17
00:01:29,680 --> 00:01:29,980
All right.

18
00:01:29,990 --> 00:01:31,050
So this is where we stop.

19
00:01:31,660 --> 00:01:38,150
So he has decrypted all the extensions that he is going to search for.

20
00:01:38,170 --> 00:01:39,430
He's looking for all these files.

21
00:01:40,450 --> 00:01:46,810
And if he's successful, decrypted all those files, he's going to check for each one of these files

22
00:01:47,260 --> 00:01:48,560
whether it is locked.

23
00:01:49,990 --> 00:01:52,360
You can go inside this function and study the code.

24
00:01:53,410 --> 00:02:01,270
So this is one of the ways in which he checks whether the file is locked. So we can Backspace. You can see he defines

25
00:02:01,270 --> 00:02:01,870
this as null.

26
00:02:03,130 --> 00:02:08,210
Then he will go inside and check for this particular part.

27
00:02:09,280 --> 00:02:15,670
That means he's going to filter from this here, he is going to filter certain files further.

28
00:02:16,480 --> 00:02:18,320
So what is he going to filter?

29
00:02:19,380 --> 00:02:21,490
We click on this to find out.

30
00:02:22,690 --> 00:02:23,070
All right.

31
00:02:23,080 --> 00:02:30,280
So now it is going to decrypt this byte array for this string.

32
00:02:30,550 --> 00:02:33,460
Click on this, and the string is over here.

33
00:02:33,670 --> 00:02:39,940
You can see, so the same way we are going to put a breakpoint here and find out what string it is trying

34
00:02:39,940 --> 00:02:40,400
to decrypt.

35
00:02:40,990 --> 00:02:42,580
So this is not an obfuscation.

36
00:02:43,750 --> 00:02:44,860
This is a big one.

37
00:02:46,240 --> 00:02:47,230
So let's try it now.

38
00:02:49,660 --> 00:02:51,910
OK, yes.

39
00:02:55,960 --> 00:02:57,040
Remove this breakpoint.

40
00:03:00,130 --> 00:03:03,910
All right, so now we are here and we are going to step into this.

41
00:03:06,780 --> 00:03:13,590
All right, so this is the decrypt function. You go down to the bottom, put a breakpoint here like

42
00:03:13,590 --> 00:03:14,310
we did earlier.

43
00:03:15,610 --> 00:03:24,400
And run to the breakpoint, and now go to the result at the bottom and see. So you can see it has decrypted

44
00:03:24,410 --> 00:03:27,870
the string. Copy value is right click.

45
00:03:29,320 --> 00:03:36,470
Copy value and paste here, so it is looking for database files.

46
00:03:38,580 --> 00:03:45,770
So now we know, we can stop this and go back, Backspace on the keyboard.

47
00:03:47,140 --> 00:03:54,190
Keep hitting Backspace, keep hitting Backspace until we come back to our main. One more time.

48
00:03:55,830 --> 00:04:03,780
And here, so now we know that this part of the program is filtering out the database files.

49
00:04:05,650 --> 00:04:09,800
Same thing here, so he successfully decrypted the database file extensions.

50
00:04:11,120 --> 00:04:16,910
This would be true and then he would split into separate names.

51
00:04:18,720 --> 00:04:23,730
And then here he tries to kill some programs.

52
00:04:25,560 --> 00:04:27,890
So this too, you can go inside here.

53
00:04:29,860 --> 00:04:37,150
So it is going through the list of all the programs and he's trying to kill some programs, as you can

54
00:04:37,150 --> 00:04:38,150
see.

55
00:04:40,230 --> 00:04:42,100
OK, so guess what he's doing here?

56
00:04:43,510 --> 00:04:46,980
Now, what he is trying to do is over here, you can see.

57
00:04:48,000 --> 00:04:55,300
Now, over here, if this is false, there is no database for you, so go inside and do something else.

58
00:04:56,610 --> 00:04:57,870
And what is this thing here?

59
00:05:00,120 --> 00:05:05,190
This part here seems to be the encryption routine.

60
00:05:06,070 --> 00:05:06,510
All right.

61
00:05:06,510 --> 00:05:08,510
So he's going to encrypt files.

62
00:05:09,690 --> 00:05:10,290
Here.

63
00:05:13,110 --> 00:05:19,760
And then here, same thing, probably he deletes the files. From the name of this, it is

64
00:05:20,340 --> 00:05:29,760
probably a deletion function. So this is how you perform malware analysis using dnSpy as a

65
00:05:29,910 --> 00:05:34,570
static analysis tool as well as a dynamic analysis tool, two in one.

66
00:05:35,520 --> 00:05:40,170
So I will leave the rest of the analysis to you.

67
00:05:40,200 --> 00:05:41,940
The basic principle is like this.

68
00:05:42,360 --> 00:05:49,800
Every time you come to an obfuscated string, you can see, instead of trying to manually decrypt the string,

69
00:05:50,560 --> 00:05:56,950
we use the debugger and use the breakpoints and let it deobfuscate the string for us.

70
00:05:57,600 --> 00:06:02,360
So this is the technique for reverse engineering

71
00:06:02,950 --> 00:06:04,770
malware. Thank you for watching.