WEBVTT

00:00.540 --> 00:10.500
Okay, After jumping to s-E-X, we come to this location and here is where the part of the unpack code

00:10.500 --> 00:11.370
resides.

00:11.610 --> 00:15.750
So if you look down here at the bottom, there is another anomaly.

00:16.020 --> 00:19.920
Another anomaly where it pushes an address before return.

00:19.950 --> 00:22.310
Normally you should pop, not push.

00:22.320 --> 00:29.510
So this highly suspicious thing could mean that this probably is the another unpack code.

00:29.520 --> 00:35.010
So we can put a breakpoint here and F2 and run to it.

00:36.030 --> 00:44.970
And now if we follow this in the endgame, the content of this address, and you will see down here

00:44.970 --> 00:49.890
that this is a newly allocated memory from a previous call to Virtualalloc.

00:50.130 --> 00:52.080
So now it's going to push.

00:52.320 --> 00:53.610
It's going to move this to.

00:54.270 --> 00:59.190
So let's remove the breakpoint first F step over F8.

01:00.150 --> 01:05.810
So it's moved to edX and now the F8 is going to push this to the stack.

01:05.820 --> 01:11.220
And then now when it returns, it's going to return to this address instead of the normal return to

01:11.220 --> 01:12.900
the previous function.

01:13.050 --> 01:15.510
So let's press F8 to go there.

01:16.290 --> 01:20.750
So we are now inside the newly unpacked section of the memory.

01:20.760 --> 01:27.120
So let us now step through this and take a look at the various calls inside it, starting with this

01:27.120 --> 01:27.880
first one.

01:27.900 --> 01:32.260
So once you come here, you press f7 step into this and see what's inside.

01:32.280 --> 01:32.670
Okay.

01:32.670 --> 01:33.750
It doesn't do much.

01:33.750 --> 01:35.620
Just goes to the return here.

01:35.650 --> 01:43.810
So let's put the breakpoint over there and go straight to the return press F2 to remove breakpoint,

01:44.020 --> 01:45.430
step over to return.

01:45.850 --> 01:54.280
So we are now here, continue to F8 and it seems that it is going in a loop over and over again.

01:55.120 --> 02:05.740
So we can step our loop by putting a breakpoint over here, pushing the F2 and then run to it to step

02:05.740 --> 02:06.370
out of the loop.

02:07.780 --> 02:09.820
And then remove the breakpoint.

02:09.850 --> 02:14.590
Basically, we are trying to see what this unpacked code is trying to do.

02:14.620 --> 02:18.250
Most likely, it's unpacking an executable file into memory.

02:18.250 --> 02:20.680
And you want to dump that exe file.

02:21.280 --> 02:24.310
So let's analyze all the calls below this.

02:24.340 --> 02:29.660
See which part of it it actually impacts the into memory.

02:29.680 --> 02:34.450
So let's now step over F8 and let's go inside this F7.

02:36.010 --> 02:38.320
And you can see it is using stacked strings.

02:38.320 --> 02:42.450
So this is an abnormal way of using the stack instead of pushing.

02:42.460 --> 02:47.890
It is moving the various string directly into the stack using the move.

02:48.700 --> 02:55.660
So another common way of malware authors in order to obfuscate the code, what it's doing is actually

02:55.660 --> 03:01.200
pushing all this to the stack and using all this as a parameter for the call here.

03:01.210 --> 03:06.370
So this call is actually making use of all this thing which is indirectly pushed to the stack.

03:06.370 --> 03:14.260
And you can see that the library is trying to to run is actually load library kernel32.

03:15.010 --> 03:17.770
So this is the parameter for this call.

03:18.310 --> 03:21.850
So let's go straight away to the return.

03:21.880 --> 03:23.560
We know what it's trying to do here.

03:26.790 --> 03:30.630
Go straight to the return over here.

03:31.410 --> 03:32.730
Put a breakpoint here.

03:33.400 --> 03:34.140
F2.

03:35.160 --> 03:35.970
Run through it.

03:36.300 --> 03:45.480
Remove the breakpoint, press F2 again and then f8 to step to the return and then hit F8 again to return

03:46.230 --> 03:47.480
to the main function.

03:47.490 --> 03:49.620
So we just came out from this call here.

03:50.550 --> 03:55.560
So this next function, let's instead of stepping into it, we can actually double click to see what's

03:55.560 --> 03:56.130
inside.

03:57.120 --> 04:01.400
And it looks like it's doing the same thing, the same trick using stack strings.

04:01.410 --> 04:09.510
And we know what the purpose of is just getting the library's addresses to run and we don't want not

04:09.510 --> 04:10.350
interested in this.

04:10.350 --> 04:15.090
So we press the minus key to step out of the call.

04:15.090 --> 04:16.230
We didn't actually go in.

04:16.230 --> 04:17.430
We just inspect it.

04:18.210 --> 04:22.980
So we skip through this call by pressing F8, step over it.

04:23.580 --> 04:26.190
So just press F8, keep going down.

04:32.260 --> 04:32.550
So.

04:35.650 --> 04:39.340
Without stepping into this call, we can double click to see what's inside.

04:39.610 --> 04:39.970
All right.

04:39.970 --> 04:40.800
It's the same trick.

04:40.810 --> 04:46.240
So we're now interested in this plus minus, continue to step over F8.

04:49.370 --> 04:51.920
And it is calling this a few times.

04:52.040 --> 04:54.230
See here, here and here, the same call.

04:54.230 --> 04:58.070
So we can just ignore them by stepping over them.

04:59.130 --> 05:01.590
Until we come to something different.

05:04.420 --> 05:04.780
Okay.

05:04.780 --> 05:06.040
We are not here again.

05:06.040 --> 05:06.900
We do the same trick.

05:06.910 --> 05:10.300
Instead of stepping into it, we double click to see what's inside.

05:11.220 --> 05:11.490
All right.

05:11.490 --> 05:14.310
Again, here, there are no calls here of any interest.

05:14.340 --> 05:21.690
We just click minus press on, minus on the keyboard to go back and press F8 to continue to step over

05:21.690 --> 05:22.020
it.

05:25.910 --> 05:27.980
And then for this one, we do the same trick.

05:28.550 --> 05:28.900
All right.

05:28.910 --> 05:29.750
We do this.

05:29.780 --> 05:30.860
Nothing much as well.

05:30.860 --> 05:38.870
So we minus two step out again and it looks like this is the last function call after this.

05:38.870 --> 05:39.680
So.

05:39.890 --> 05:41.240
So this is the last one here.

05:41.240 --> 05:43.160
Let's step over until we reach there.

05:43.730 --> 05:44.160
F8.

05:44.810 --> 05:46.280
Let's press F8.

05:48.150 --> 05:52.930
So being the last function call is important, so we need to step into it.

05:52.950 --> 05:58.680
So we just press this one step into or f7 the shortcut key to step into it.

05:58.890 --> 06:02.010
And here, interestingly enough, you will see down here.

06:03.450 --> 06:06.630
There is a push each year.

06:07.790 --> 06:09.890
And that's a idea here.

06:10.950 --> 06:12.900
And let's push 40 here.

06:14.800 --> 06:20.050
So this looks like probably the parameters for virtual ALLOC.

06:20.350 --> 06:26.110
And if you look at virtual ALLOC, this 40 is a meaningful constant.

06:26.230 --> 06:29.280
That's why it gives the impression that it's a virtual lock.

06:29.690 --> 06:32.230
Four parameters for virtual lock.

06:32.650 --> 06:34.300
The fourth one is protect.

06:34.600 --> 06:42.220
And if you go to the explanation for virtual protect and for the protect, here it is.

06:42.670 --> 06:46.030
And analyze and look up the memory protection constants.

06:51.490 --> 06:52.150
Scroll down.

06:52.150 --> 07:03.160
You will see 44 040 means to set the memory location as read, write and executable rw x.

07:03.730 --> 07:08.180
So that's why this 40 is such a give away.

07:08.200 --> 07:12.310
When you see push 40, that means most probably this is a virtual lock here.

07:12.970 --> 07:14.500
This is the fourth parameter.

07:15.730 --> 07:19.360
Four, three, two, one four parameters.

07:19.360 --> 07:20.830
So this should be a virtual lock.

07:21.100 --> 07:28.060
And we know that virtual lock is always called during unpacking in order to set the permission for the

07:28.060 --> 07:35.380
memory region to make it executable after the malware has unpacked code into those memory regions.

07:35.860 --> 07:39.790
And we can confirm that now by stepping until we reach that line.

07:39.790 --> 07:44.830
So let's continue to press F8 until we reach this call to.

07:50.220 --> 07:53.400
And you can see it is along just as suspected.

07:53.520 --> 07:56.460
And the fourth parameter, one, two, three, four.

07:57.300 --> 08:03.780
Fourth parameter is to set that memory region as a read, write and execute.

08:03.900 --> 08:10.560
If you refer back to the documentation for virtual Alloc, the return value of a virtual ALLOC is the

08:10.560 --> 08:13.560
base address of the allocated region of pages.

08:15.750 --> 08:16.020
Right?

08:16.050 --> 08:17.760
So that is what virtual alloc returns.

08:17.910 --> 08:22.510
So all functions return the result in X.

08:22.530 --> 08:29.250
So let's step over this and we should see the return address here, the address of the new allocated

08:29.250 --> 08:30.540
memory region.

08:30.540 --> 08:41.100
So let's step over it by pressing F8 and this is your newly allocated region so we can go there right

08:41.100 --> 08:42.630
click and follow in.

08:42.630 --> 08:42.900
Done.

08:43.860 --> 08:46.770
And here it is about to unpack something there.

08:48.720 --> 08:54.870
So we can just step, continue to step and I have just continue to, after this call to Virtualalloc,

08:54.910 --> 08:56.860
I continue to step, step, step, step.

08:56.860 --> 09:05.350
And then after this call here, it has copied out the magic byte M, Z and a P header as well.

09:06.700 --> 09:07.350
Over here.

09:07.350 --> 09:09.820
It is also the the sentence.

09:09.820 --> 09:17.890
This program cannot be run in Dos mode, so it seems like it is copying out the an exe file into the

09:17.890 --> 09:20.170
newly allocated region of memory.

09:20.170 --> 09:24.820
So let's continue to step over and allow it to finish copying.

09:24.820 --> 09:29.410
You can see it is copying out the text section, keep on stepping over.

09:30.310 --> 09:36.400
So all this is merely copying out bytes into this allocated region of memory.

09:36.400 --> 09:38.650
So let's continue to step over.

09:41.510 --> 09:45.210
Continue to step f8 and let it do its thing.

09:45.230 --> 09:48.290
Now it's now it's copying out the data section.

09:53.800 --> 09:54.880
Let's continue this step.

09:55.540 --> 09:56.770
This might take a while.

10:00.050 --> 10:03.590
And here is copying out the data section to memory.

10:07.680 --> 10:08.540
Okay, let's press.

10:08.550 --> 10:12.680
I'm just pressing F8 to let it do its thing to copy.

10:12.810 --> 10:14.180
Now the reload session.

10:14.490 --> 10:14.970
Copy it up.

10:19.570 --> 10:23.470
And you can go on like this until you finish copying out everything.

10:28.690 --> 10:30.190
And if you see a return.

10:34.190 --> 10:41.510
Once you see a return, that means he has finished copying out everything, unpacking to memory.

10:45.130 --> 10:46.000
And there you go.

10:48.570 --> 10:54.990
So by the time he finishes this call, you will have copied everything out to memory.

10:58.880 --> 11:01.820
So let us now step over this f eight.

11:04.670 --> 11:04.970
Okay.

11:04.970 --> 11:06.680
We will just finish unpacking.

11:06.710 --> 11:07.640
Let's continue.

11:07.670 --> 11:09.710
We can see the thing has been unpacked here.

11:09.980 --> 11:12.650
Let's continue to see what happens next.

11:18.740 --> 11:19.880
And let's return.

11:23.380 --> 11:23.680
Okay.

11:23.680 --> 11:29.380
I think it finished unpacking is more probably now we can dump this if you wanted to.

11:29.680 --> 11:32.440
So that's all for this video.

11:32.470 --> 11:34.000
I will see you in the next lesson.

11:34.000 --> 11:35.140
Thank you for watching.