WEBVTT

00:02.180 --> 00:04.130
Hello and welcome back.

00:04.160 --> 00:12.470
In the previous lesson, some of my students have mentioned that even after they have put the breakpoints

00:12.710 --> 00:25.310
over here and inside this decreased function over here, and run, the breakpoint does not hit because

00:25.310 --> 00:27.260
the program goes into a running state.

00:28.070 --> 00:30.440
So I will explain how to solve that.

00:30.710 --> 00:35.390
So let's press the backspace on your keyboard to go back to the previous code.

00:35.960 --> 00:38.030
So you have put a breakpoint here.

00:38.420 --> 00:48.230
And the problem happens because when the execution comes to here and performs a test, it fails because

00:48.230 --> 00:51.320
the file does not exist.

00:52.610 --> 00:56.120
And even though it does, for some reason it fails.

00:56.120 --> 00:58.850
So it will not enter the block of code.

00:59.150 --> 01:03.350
Instead, it will just skip the block of code and come up here.

01:03.890 --> 01:10.530
So what we want to do is to force it to enter the block of code so that it can come to the RSM

01:10.530 --> 01:18.780
decrypt here, and from the RSM decrypt, it will come here and perform this unpacking and the decryption

01:18.810 --> 01:21.660
of the resource key.

01:25.320 --> 01:26.700
That's what we want to do.

01:27.180 --> 01:35.910
So in order to do that we have to reverse this logic by removing the negation operator here.

01:36.420 --> 01:40.890
So in order to remove the negation operator we have to modify the code.

01:41.460 --> 01:42.900
So let's do that now.

01:43.350 --> 01:48.150
We'll select this, right click on this, Edit Instruction.

01:50.010 --> 01:55.740
And then automatically you will see that these three lines are selected because you already right clicked

01:55.770 --> 01:56.310
on it.

01:56.640 --> 02:01.350
So this is called IL instructions, intermediate language.

02:02.220 --> 02:08.940
It's a lower level language used in the C# and VB.NET frameworks.

02:09.600 --> 02:12.950
So it's like the assembly for .NET.

02:13.940 --> 02:20.270
So what you need to do to reverse the logic is to reverse the brtrue, to turn it to brfalse.

02:21.830 --> 02:24.950
And you can see here there's a call to File.Exists(string).

02:24.950 --> 02:27.380
And then after that there's brtrue.

02:27.380 --> 02:29.090
So we just have to change this.

02:29.090 --> 02:31.610
So we have to change this to brfalse.

02:32.030 --> 02:33.590
So left click on this.

02:33.590 --> 02:38.480
And then in here you see a list of possible opcodes.

02:38.690 --> 02:42.830
So just scroll up a bit and you can see there's brfalse.

02:42.830 --> 02:45.200
Select brfalse to replace it.

02:45.320 --> 02:46.700
Then click okay.

02:47.510 --> 02:51.680
And now you see the negation is gone.

02:51.680 --> 02:57.800
That means when the program comes here, it will enter this block of code and execute this line.

02:58.520 --> 03:03.980
We will now dump this new patched code.

03:04.010 --> 03:05.660
We will patch the code.

03:05.660 --> 03:09.710
So to patch it we right click on this assembly here,

03:09.740 --> 03:12.470
this module here, and select Remove.

03:13.640 --> 03:16.910
When you select Remove it will prompt you to save the file.

03:17.000 --> 03:17.340
Click Okay.

03:17.340 --> 03:18.000
Yes.

03:19.410 --> 03:24.720
So we save the file under a different name; we don't want to overwrite the original file.

03:24.750 --> 03:28.260
We click these three dots here and we give it a new name.

03:30.630 --> 03:31.740
Call it dash two.

03:33.150 --> 03:35.760
And then here select all files.

03:35.760 --> 03:38.910
And you can see your first original file is here.

03:38.910 --> 03:41.580
And then now we are going to rename it as dash two.

03:41.610 --> 03:43.110
This will be the patch file.

03:43.530 --> 03:44.370
Click save.

03:45.150 --> 03:46.110
Click okay.

03:48.690 --> 03:48.990
All right.

03:48.990 --> 03:55.350
So now we reload the new file into dnSpy: File,

03:55.380 --> 03:56.250
Open.

03:58.020 --> 03:59.430
Select all files.

03:59.580 --> 04:01.620
Click on the patched file.

04:01.860 --> 04:08.370
Click Open and go back to the place where you put your breakpoint.

04:09.480 --> 04:12.930
So that was the patched file.

04:13.680 --> 04:14.760
This is a new file.

04:14.760 --> 04:16.560
So your breakpoint will have been lost.

04:16.560 --> 04:17.760
So no worries.

04:17.790 --> 04:19.920
Let's re-insert our breakpoints.

04:19.920 --> 04:21.660
Select this code here,

04:21.690 --> 04:26.030
this module here, Edit, Search Assemblies.

04:26.450 --> 04:29.180
And then search for read mail.

04:32.600 --> 04:36.170
And then search.

04:36.260 --> 04:36.830
Okay.

04:36.830 --> 04:38.270
This is the one you want.

04:38.300 --> 04:38.840
Read mail.

04:38.870 --> 04:41.330
That's where we were at.

04:41.360 --> 04:45.200
So just double click on that and you will come back to the same place.

04:45.230 --> 04:47.930
So let's reinsert our breakpoints.

04:49.100 --> 04:50.210
This one here.

04:50.390 --> 04:51.680
Click on this.

04:51.770 --> 04:55.370
RSM decrypt and put one more here.

04:56.270 --> 04:58.010
So now we are ready to run.

04:59.540 --> 05:03.140
So when it runs, click OK.

05:04.160 --> 05:05.210
Click yes.

05:06.860 --> 05:14.270
We hit our breakpoint here, and then let it run a second time.

05:17.210 --> 05:19.160
And now it hits our second breakpoint.

05:20.120 --> 05:24.050
So now we're going to step over until it comes to the last line.

05:25.790 --> 05:28.070
Step over, step over.

05:28.070 --> 05:36.600
Step over, step over, and by the time it reaches here, it will have decrypted the rest of the

05:36.600 --> 05:37.410
resources.

05:38.100 --> 05:39.150
Key resources.

05:39.180 --> 05:48.180
So to see the decrypted bytes, just look down under Locals here and then right click on array

05:48.210 --> 05:53.640
two and then select Show in Memory.

05:53.670 --> 05:54.720
Memory one.

05:55.410 --> 05:59.220
And you can see there's a header here, right?

05:59.730 --> 06:02.760
That means this is a PE executable file.

06:03.360 --> 06:05.310
So we want to dump that.

06:05.340 --> 06:15.840
We just right click here and then select Save Selection and call it dump.bin.

06:17.880 --> 06:21.300
So from here onwards it's the same as the previous lesson.

06:22.170 --> 06:23.370
So you have saved it.

06:23.370 --> 06:25.320
So you can close this now.

06:26.070 --> 06:31.380
You can stop this and then open this with pestudio.

06:33.000 --> 06:34.430
Use pestudio.

06:37.670 --> 06:41.360
And open your dump.bin and analyze it.

06:45.170 --> 06:50.450
And you can see here that this is an email password recovery program.

06:54.950 --> 07:01.550
And if you go down here to the version you can see it's, uh, by a company called NirSoft.

07:01.970 --> 07:06.710
So NirSoft is probably a company which makes email recovery programs.

07:07.730 --> 07:15.530
So from here, we can deduce that this malware developer did not write his own email

07:15.530 --> 07:16.610
recovery program.

07:16.610 --> 07:24.860
Instead, he took somebody's email recovery program and embedded it, encrypted it, and put it inside

07:24.890 --> 07:30.530
the malware as an embedded encrypted resource.

07:30.950 --> 07:33.470
So that's all for this video.

07:33.500 --> 07:35.180
Thank you for watching.
