WEBVTT

00:00.380 --> 00:00.980
All right.

00:00.980 --> 00:07.490
So we have attempted to dump this now, in order to see whether we have correctly dumped it at the correct

00:07.490 --> 00:08.270
entry point.

00:08.300 --> 00:13.970
We can check it with a tool called PE info.

00:14.660 --> 00:20.000
So we go to the FLARE utilities here and look for PEstudio.

00:21.500 --> 00:23.600
So we open PEstudio.

00:24.530 --> 00:34.640
So we use PEstudio to open the dump file and see if PEstudio can successfully identify a signature.

00:35.210 --> 00:40.040
So we pull the dump file into PEstudio.

00:40.920 --> 00:43.690
And let it try to identify.

00:45.120 --> 00:50.910
And if you can see the signature here, it has correctly identified it as a file.

00:51.210 --> 00:56.370
Therefore, this indicates we have successfully dumped the file.

00:56.700 --> 00:58.170
So we can close this now.

00:58.890 --> 01:06.420
Now we can try to reconstruct the Delphi code using a tool under FLARE.

01:06.430 --> 01:15.180
Here we go to Delphi and you can open this tool, IDR, which stands for Interactive Delphi Reconstructor.

01:15.660 --> 01:22.500
Click on File, Load file, Autodetect version, then select the dump file and open it.

01:24.270 --> 01:28.250
So this tool will use its native knowledge base.

01:28.530 --> 01:28.920
Click on

01:28.950 --> 01:29.460
Yes.

01:29.820 --> 01:34.920
So this tool will try to analyze and reconstruct the Delphi code.

01:35.550 --> 01:37.350
So this might take some time.

01:37.350 --> 01:41.190
So this might take a long time because it's a big file.

01:41.490 --> 01:46.170
If you look at the file size, it's about, I think, 56MB.

01:46.170 --> 01:47.700
So I'm going to exit this.

01:48.690 --> 01:51.090
The file size is 58MB.

01:51.300 --> 01:59.160
And if you wanted to use IDA, it will also take some time to analyze because of the large file size.

01:59.340 --> 02:10.110
A faster way to analyze would be to open it in x32dbg, so we can run x32dbg and then open the dump

02:10.140 --> 02:10.500
file.

02:14.630 --> 02:18.200
So from here, we can start to look for strings.

02:18.380 --> 02:28.190
We can click on this button here, find strings, and it will go and scan the module for strings.

02:30.130 --> 02:37.790
If we want to find more strings, you can come here, right-click, and go to Search for,

02:38.580 --> 02:39.480
Current module.

02:39.630 --> 02:41.130
String References.

02:42.660 --> 02:45.120
And here it takes some time to scan.

02:46.960 --> 02:49.460
Yeah, it is going through the entire module.

02:49.550 --> 02:53.480
So I'll just pause the video and come back when it's done.

02:54.500 --> 03:02.540
Now that it has finished searching for strings, we can start to filter out http, for example, and

03:02.540 --> 03:07.340
we can see some http strings here.

03:10.670 --> 03:11.960
Quite a number of them.

03:18.150 --> 03:19.770
Some foreign language.

03:22.900 --> 03:25.090
And here we have msft, microsoft.com

03:25.090 --> 03:25.870
download.

03:35.640 --> 03:38.670
So these are the ways you can analyze.

03:38.670 --> 03:50.340
You can use x32dbg, you can use the Interactive Delphi Reconstructor, or you can open it with IDA.

03:50.340 --> 03:56.880
But if you use IDA, it might take some time to analyze because it's a big file.

04:00.290 --> 04:07.430
Click on New and select the exe file.

04:09.680 --> 04:09.910
Okay.

04:09.920 --> 04:10.670
Okay.

04:14.140 --> 04:14.560
Okay.

04:14.560 --> 04:18.130
So it is trying to do the analysis.

04:19.690 --> 04:23.020
Meanwhile, we can close x32dbg.

04:24.580 --> 04:27.610
Although you can proceed to analyze it further if you wanted.

04:31.370 --> 04:33.140
So I will not go ahead with this.

04:33.140 --> 04:40.940
But these are certainly some ways in which you can go ahead and analyze the code further.

04:41.210 --> 04:43.280
So our objective has been met.

04:43.310 --> 04:47.810
We have managed to unpack and dump the file.

04:48.290 --> 04:49.820
Thank you for watching.
