WEBVTT

00:00.440 --> 00:01.310
Welcome back.

00:01.340 --> 00:10.910
In the previous video, we used x64dbg to put some breakpoints, these four breakpoints, and we kept stepping

00:10.910 --> 00:19.160
over and following VirtualAlloc in Dump 1, 2 and 3, and then we ran and hit

00:19.160 --> 00:19.700
VirtualProtect.

00:19.700 --> 00:21.110
That's where we stopped.

00:21.110 --> 00:26.450
So now we will continue from VirtualProtect and we will step over VirtualProtect.

00:28.840 --> 00:39.220
Jump, jump and push all the parameters to the stack until we come to the call for VirtualProtect.

00:39.580 --> 00:41.750
Now we examine the parameters.

00:41.770 --> 00:50.830
The second parameter, and we notice that it is changing the permission for the Zloader for this

00:50.830 --> 00:51.730
region of memory.

00:51.880 --> 00:55.330
648 followed by three zeros.

00:55.660 --> 00:58.240
So we can follow this in Dump 4.

00:59.750 --> 01:01.550
Right click and follow.

01:02.800 --> 01:04.330
DWORD in Dump.

01:05.620 --> 01:09.520
And now over here we can right click and follow in Memory Map.

01:11.260 --> 01:18.760
And we see that this is the region of memory where the DLL is being loaded at this point in time.

01:18.760 --> 01:24.640
It may have finished unpacking and that's why VirtualAlloc has completed.

01:24.760 --> 01:27.070
We have hit VirtualAlloc three times.

01:28.420 --> 01:31.540
So now we will go to user code.

01:31.720 --> 01:33.580
We will step over until this return here.

01:35.550 --> 01:39.600
So this return here, if we step over this, we will go back to user code.

01:40.170 --> 01:43.230
So step over and we are back here.

01:43.980 --> 01:48.840
And if you scroll up, this was the call where the unpacking was probably done.

01:49.200 --> 01:56.580
So now we are here, and next it is going to jump to the unpacked code.

01:56.820 --> 02:01.760
Normally in malware there will be a jump to EAX or a jump to some register.

02:01.800 --> 02:06.150
In this case here, there will not be any jump to a register.

02:06.240 --> 02:09.300
Instead, it will use an anomaly in the epilogue.

02:10.410 --> 02:20.670
We will look for some kind of address where it will jump to, and that address would be the pointer

02:20.670 --> 02:22.530
to the unpack code.

02:23.550 --> 02:26.130
So now we will continue to step over.

02:28.190 --> 02:34.730
So basically when you are exploring this, you have to follow this in dump for each one of these.

02:34.730 --> 02:37.310
And that might take some time.

02:37.310 --> 02:38.990
So let me save you some time.

02:39.080 --> 02:42.650
And I've already done this and I found that this is the one.

02:42.950 --> 02:46.880
So if you are not sure, do it for every one of these.

02:47.360 --> 02:53.060
So now we are going to right click on this one and follow in Dump 4.

02:53.330 --> 03:02.990
So we follow in current dump the value at +6617, and you can see there is an MZ header there.

03:03.740 --> 03:05.660
So now we can dump this.

03:06.440 --> 03:14.390
We select the first of the hex here and then we want to scroll down and select the end of this region of

03:14.390 --> 03:14.960
memory.

03:16.070 --> 03:20.780
So click on this first and then scroll all the way to the bottom to find the end.

03:22.660 --> 03:24.250
So the end is somewhere here.

03:24.250 --> 03:27.460
If you scroll to the bottom, there is nothing there at the bottom.

03:28.060 --> 03:33.910
So let's move up a little bit, click on here to move up a little bit,

03:37.060 --> 03:40.600
and drag this, make sure there's nothing at the bottom.

03:41.410 --> 03:44.680
We try to make the file that we want to dump as small as possible.

03:46.720 --> 03:48.250
Okay, so we are here.

03:51.010 --> 03:56.920
Try to get the smallest possible region.

03:57.310 --> 03:58.150
Then we want to dump.

04:00.580 --> 04:03.940
Okay, so here, I think.

04:06.130 --> 04:07.070
Go down a little bit more.

04:07.090 --> 04:08.710
Give it some extra blank.

04:29.420 --> 04:29.740
Okay.

04:29.750 --> 04:31.190
This seems to be a nice number.

04:31.190 --> 04:32.970
99999999.

04:33.020 --> 04:35.810
So we can press and hold down shift.

04:36.450 --> 04:38.450
Remember to press and hold down shift.

04:39.380 --> 04:42.170
And then while holding down the shift key, click on this.

04:42.320 --> 04:49.070
So now you've selected the entire region of memory from the header right to the bottom end of the file

04:49.070 --> 04:51.380
and some added some extra padding.

04:51.770 --> 04:57.650
Now we can right click on this and then we can click on binary and save to a file.

05:00.670 --> 05:05.560
So we go to the desktop and save it in the Zloader folder.

05:07.500 --> 05:13.800
We will call it Zloader_dump.bin.

05:14.040 --> 05:15.150
Click on Save.

05:17.350 --> 05:22.360
Now we minimize x64dbg and go and check out our Zloader.

05:22.690 --> 05:25.990
It's approximately 185 kB.

05:26.980 --> 05:29.290
So we have now done this.

05:29.500 --> 05:32.920
So we will continue with the analysis in the next video.

05:32.950 --> 05:34.270
Thank you for watching.
