1
00:00:00,150 --> 00:00:03,890
So in this video, we will be parsing the exports from that array.

2
00:00:04,020 --> 00:00:08,280
If you generate a DLL using Metasploit, it won't have any exports.

3
00:00:08,280 --> 00:00:11,790
So it's kind of like an EXE, but a DLL.

4
00:00:12,750 --> 00:00:18,420
So that's why I have taken the MSVC runtime one to the other.

5
00:00:18,870 --> 00:00:22,130
So we'll be parsing all of these export functions.

6
00:00:22,140 --> 00:00:28,140
So if we go to the optional header, in the data directory we have, the starting one is the export directory.

7
00:00:28,350 --> 00:00:30,960
So it has the address and it has the size.

8
00:00:30,960 --> 00:00:35,690
So if I click on this address, I will go to this array.

9
00:00:37,260 --> 00:00:40,020
Now here we have these.

10
00:00:40,290 --> 00:00:43,860
You can parse these into this export descriptor.

11
00:00:43,860 --> 00:00:49,880
So the Characteristics is zero and you can parse these as well, TimeDateStamp.

12
00:00:50,010 --> 00:00:52,140
And the important one is the Name.

13
00:00:52,140 --> 00:00:52,470
So.

14
00:00:53,010 --> 00:01:02,220
So then we have the number of functions, number of names, address of functions, address

15
00:01:02,220 --> 00:01:03,770
of names and address of name ordinals.

16
00:01:03,780 --> 00:01:09,570
So this number of functions defines the total number of functions that the DLL is exporting.

17
00:01:09,810 --> 00:01:17,130
And the number of names is how many functions are being exported via name.

18
00:01:17,400 --> 00:01:24,600
So the function can also be exported by a name or without any, without having any name to it.

19
00:01:25,710 --> 00:01:32,490
But in our case you can see both are the same, and that means our functions are exported via names, and

20
00:01:32,490 --> 00:01:34,620
here we have address of functions.

21
00:01:34,620 --> 00:01:40,770
So if you go to this, we have an array of addresses where each belongs to the string.
22
00:01:41,460 --> 00:01:49,650
So the function address and address of names contain the array of addresses.

23
00:01:49,650 --> 00:01:55,150
And if you go to the address, you will find the strings, and address of name ordinals.

24
00:01:55,170 --> 00:01:59,610
So here we have index to this array.

25
00:01:59,790 --> 00:02:07,350
So what we're going to do is let's first go to that list of names, and you can see the first four bytes,

26
00:02:08,070 --> 00:02:12,300
d2507, so d2507 is this one.

27
00:02:12,480 --> 00:02:17,670
So if I click on this one, I will be redirected to this function name.

28
00:02:19,440 --> 00:02:22,470
And to find the address of this function.

29
00:02:22,470 --> 00:02:26,610
What you need to do is you need to look at the name ordinals.

30
00:02:27,090 --> 00:02:29,850
The first parallel to this.

31
00:02:30,810 --> 00:02:32,100
This is the first element.

32
00:02:32,100 --> 00:02:35,940
And you need to look at the first element in the address of name ordinals.

33
00:02:35,950 --> 00:02:36,950
That is zero.

34
00:02:36,960 --> 00:02:41,340
So go to the zero index of this address of functions.

35
00:02:42,660 --> 00:02:44,930
So the zero index of these functions.

36
00:02:44,940 --> 00:02:46,830
If I go to this, I will have this array.

37
00:02:46,830 --> 00:02:53,330
And if I go to the first element, that is these four bytes, 07e798.

38
00:02:53,370 --> 00:02:59,430
So 07e798, if I go, that will be the address.

39
00:03:01,940 --> 00:03:06,590
So here we can see it looks like a function.

40
00:03:06,830 --> 00:03:08,630
So this.

41
00:03:12,710 --> 00:03:16,340
Is the function address and.

42
00:03:20,260 --> 00:03:22,420
The similar way for the second element.

43
00:03:22,480 --> 00:03:26,710
The second element is the one, 3 to 5.

44
00:03:28,030 --> 00:03:29,860
rb2513.

45
00:03:29,860 --> 00:03:30,180
Sorry.

46
00:03:30,610 --> 00:03:32,170
So this is the.

47
00:03:34,420 --> 00:03:35,920
This is the second function.
48
00:03:35,920 --> 00:03:39,930
And if we go to the second element of this one, you will have this address.

49
00:03:39,930 --> 00:03:41,230
So the address.

50
00:03:44,010 --> 00:03:49,680
It's 14c, so 14c is the function address.

51
00:03:49,710 --> 00:03:52,020
So we are going to parse this information.

52
00:03:52,020 --> 00:03:58,370
So first let's go to the optional header and get this data directory.

53
00:03:58,380 --> 00:04:06,480
So we have already parsed all of these headers previously, so we can say.

54
00:04:09,760 --> 00:04:15,730
NtHeader dot OptionalHeader dot ExportTable dot VirtualAddress.

55
00:04:15,880 --> 00:04:23,890
So this gives you this one, your address, so we can say long export offset.

56
00:04:26,240 --> 00:04:27,460
So we have this offset.

57
00:04:27,470 --> 00:04:33,560
If you add it to the base address, you'll be taken to this one.

58
00:04:39,730 --> 00:04:47,770
So what we can do is we can marshal this one, Marshal dot PtrToStructure.

59
00:04:48,490 --> 00:04:51,250
And the first one is the pointer.

60
00:04:51,250 --> 00:04:52,870
We need to point this one.

61
00:05:01,140 --> 00:05:03,300
So base address.

62
00:05:04,300 --> 00:05:05,950
Dot ToInt64.

63
00:05:11,440 --> 00:05:14,430
Plus export offset.

64
00:05:14,440 --> 00:05:15,880
So that gives you.

65
00:05:17,240 --> 00:05:17,870
This one.

66
00:05:44,770 --> 00:05:46,960
So we have this one.

67
00:05:49,630 --> 00:05:53,080
But convert this to the pointer.

68
00:05:55,400 --> 00:05:57,680
And we need to marshal as.

69
00:06:00,620 --> 00:06:03,110
The export directory.

70
00:06:04,490 --> 00:06:06,080
Image export directory.

71
00:06:09,950 --> 00:06:11,430
Export is equals to.

72
00:06:11,450 --> 00:06:15,830
So we have the, we have some error here.

73
00:06:26,700 --> 00:06:27,000
Okay.

74
00:06:27,000 --> 00:06:28,680
We have the export.

75
00:06:28,690 --> 00:06:29,310
So.
76
00:06:32,460 --> 00:06:39,510
Also this export offset should not be zero, so this export offset will be zero in the case of EXEs,

77
00:06:40,260 --> 00:06:47,510
if export offset is not equal to zero, then only parse the image export directory.

78
00:06:53,480 --> 00:06:53,840
Now.

79
00:06:53,840 --> 00:06:56,330
The name is this one.

80
00:06:56,330 --> 00:06:57,140
So.

81
00:07:01,000 --> 00:07:02,500
What we can do is.

82
00:07:08,340 --> 00:07:09,660
This address.

83
00:07:11,370 --> 00:07:13,290
Plus export dot Name.

84
00:07:13,290 --> 00:07:20,580
So if you combine the base address plus this one, you get the address pointing at this starting, other

85
00:07:20,580 --> 00:07:31,380
thing, and then you can convert this into a string, Marshal dot PtrToStringAnsi.

86
00:07:38,230 --> 00:07:41,430
Now let's store this string data.

87
00:07:50,490 --> 00:07:52,930
Now I'm going to print that name.

88
00:08:04,990 --> 00:08:07,960
So we should get the DLL name.

89
00:08:08,230 --> 00:08:09,370
So let's run this.

90
00:08:12,130 --> 00:08:12,980
I'm sorry.

91
00:08:40,160 --> 00:08:44,050
Let's run this, and we can see the exported DLL name.

92
00:08:44,090 --> 00:08:48,830
Now we can go and parse these functions.

93
00:08:52,130 --> 00:08:57,470
So first, normally, print out the functions, function names.

94
00:08:59,150 --> 00:09:00,500
We can also print.

95
00:09:03,240 --> 00:09:05,220
The number of functions.

96
00:09:09,850 --> 00:09:13,710
Export dot NumberOfFunctions dot ToString.

97
00:09:24,420 --> 00:09:26,540
The number of names.

98
00:09:40,020 --> 00:09:42,780
So let's run this, and we can see some values on it.

99
00:09:43,020 --> 00:09:47,670
So in hexadecimal. Now let's go and print all of these names.

100
00:09:47,670 --> 00:09:53,790
So address of names, if you go to this, I will have an array of addresses, and I need to marshal these,

101
00:09:54,510 --> 00:09:56,400
the content at this address, to the screen.
102
00:09:58,230 --> 00:10:06,570
So export dot AddressOfNames.

103
00:10:07,500 --> 00:10:10,590
So if I add base address.

104
00:10:12,060 --> 00:10:15,090
So this one gives the exact address.

105
00:10:19,950 --> 00:10:29,760
Exact address at this first function, so I can loop over this number of functions: for int i equals to zero,

106
00:10:30,030 --> 00:10:31,950
less than export dot.

107
00:10:32,940 --> 00:10:34,590
NumberOfFunctions.

108
00:10:35,130 --> 00:10:35,430
i.

109
00:10:35,430 --> 00:10:35,730
Plus.

110
00:10:35,730 --> 00:10:36,240
Plus.

111
00:10:36,240 --> 00:10:37,020
So I'm.

112
00:10:42,110 --> 00:10:43,850
I'm going to report this.

113
00:10:46,820 --> 00:10:49,190
So this is a pointer.

114
00:10:49,190 --> 00:10:49,730
So.

115
00:11:00,800 --> 00:11:07,190
So Marshal dot PtrToStringAnsi, and specify this pointer.

116
00:11:13,010 --> 00:11:15,230
String function name.

117
00:11:17,240 --> 00:11:18,860
Now let's go and print this.

118
00:11:18,860 --> 00:11:20,480
So we are not incrementing.

119
00:11:20,480 --> 00:11:24,890
Now we are just printing out the function name.

120
00:11:25,190 --> 00:11:26,780
For now, let's run this.

121
00:11:35,680 --> 00:11:35,980
Okay.

122
00:11:35,980 --> 00:11:39,850
We need to read that four bytes or not at this, uh.

123
00:11:46,210 --> 00:11:49,630
So let's cut this one.

124
00:11:51,180 --> 00:11:53,910
We need to read the contents at this.

125
00:11:56,460 --> 00:12:01,440
So, Marshal dot ReadInt32.

126
00:12:08,720 --> 00:12:12,110
Now I am reading that address.

127
00:12:13,520 --> 00:12:14,630
Now I get the value.

128
00:12:14,630 --> 00:12:17,450
That is d2507.

129
00:12:18,610 --> 00:12:20,860
So that will be stored in.

130
00:12:23,820 --> 00:12:27,320
Int function offset.

131
00:12:33,500 --> 00:12:37,370
I can see a function offset if I want to run this.
132
00:13:10,450 --> 00:13:16,720
So I think I found that what we are doing: we are not adding the base address to this function offset.

133
00:13:18,190 --> 00:13:19,540
So sorry for that.

134
00:13:20,500 --> 00:13:23,470
Actually, we are reading only the function offset.

135
00:13:24,130 --> 00:13:27,310
I forgot to add this base address to this one.

136
00:13:28,180 --> 00:13:35,590
Now, if we run this, we can see the function name. Now I can loop through this export dot number

137
00:13:35,590 --> 00:13:36,610
of functions.

138
00:13:42,850 --> 00:13:48,520
Each time I'm looping, I need to add four bytes.

139
00:13:50,030 --> 00:13:54,860
Because I need to read all through these four bytes at a time.

140
00:13:54,860 --> 00:13:59,810
So how I can do is I can say, plus i.

141
00:14:01,620 --> 00:14:02,880
In the for loop.

142
00:14:02,920 --> 00:14:06,730
It starts with zero and ends with number of functions minus one.

143
00:14:06,750 --> 00:14:08,400
We can say into four.

144
00:14:08,430 --> 00:14:13,770
So at the first iteration, it takes zero, and second iteration four, eight, etc.

145
00:14:14,190 --> 00:14:15,480
So I won't run this.

146
00:14:22,920 --> 00:14:26,130
So it's, uh, condition based here.

147
00:14:43,660 --> 00:14:44,200
Okay.

148
00:14:44,200 --> 00:14:47,470
We should cut this and paste here.

149
00:14:47,710 --> 00:14:48,970
So sorry for this.

150
00:14:50,260 --> 00:14:51,290
Let's run this.

151
00:14:51,310 --> 00:14:53,680
And here we can see all of the functions.

152
00:14:54,070 --> 00:14:54,530
So why?

153
00:14:54,550 --> 00:14:56,620
Because we need to increment at this function

154
00:14:56,620 --> 00:14:56,970
offset.

155
00:14:56,980 --> 00:14:59,470
So we are moving the function offset by four.

156
00:15:01,500 --> 00:15:03,340
So I think we are good to go.

157
00:15:03,360 --> 00:15:09,540
The function now, what we're going to do is we are going to resolve these name addresses.
158
00:15:13,820 --> 00:15:22,880
So let's say int index ordinal is equal to Marshal dot ReadInt32.

159
00:15:26,680 --> 00:15:27,460
Pointer.

160
00:15:30,270 --> 00:15:32,970
And this address.

161
00:15:34,530 --> 00:15:37,260
Plus export dot.

162
00:15:39,300 --> 00:15:42,000
AddressOfNameOrdinals, so this should.

163
00:15:45,870 --> 00:15:50,640
Give you the offset to the first ordinal.

164
00:15:57,910 --> 00:16:02,380
We can also add i into two.

165
00:16:05,970 --> 00:16:14,700
So to get every index, so it is only two bytes: 00, 01, 02, 03, so on.

166
00:16:19,170 --> 00:16:20,310
So we have the index.

167
00:16:21,660 --> 00:16:26,250
Now we want to loop through these other functions.

168
00:16:30,410 --> 00:16:33,050
So similarly, you can copy out of this.

169
00:16:34,840 --> 00:16:35,950
And paste here.

170
00:16:35,980 --> 00:16:43,630
So instead of address of name ordinals, we can specify address of functions, and we want to loop over four

171
00:16:43,630 --> 00:16:44,590
bytes at a time.

172
00:16:48,240 --> 00:16:54,410
We are going to get int function address offset.

173
00:16:57,220 --> 00:16:59,420
Can call this as function name offset.

174
00:17:23,460 --> 00:17:35,280
So for this function there is an ordinal zero, and we need to go to this array at the zero index.

175
00:17:35,280 --> 00:17:36,460
That is the first element.

176
00:17:36,480 --> 00:17:38,490
So for this function.

177
00:17:42,130 --> 00:17:47,020
For this output of function, the index will be zero, and we need to

178
00:17:49,990 --> 00:17:53,140
use this as an index to this function.

179
00:17:54,700 --> 00:18:00,690
So what we can do is we can say, instead of i, index ordinal.

180
00:18:03,080 --> 00:18:08,270
So we are accessing the index ordinal element in this array.

181
00:18:09,770 --> 00:18:13,490
So we had a function address offset, so we can.

182
00:18:15,870 --> 00:18:17,160
Go and.
183
00:18:24,650 --> 00:18:31,430
We can go and print this function address as well, so we can say function name.

184
00:18:36,740 --> 00:18:38,870
And the index ordinal.

185
00:18:43,020 --> 00:18:44,400
And that address.

186
00:18:47,210 --> 00:18:47,780
Nobody.

187
00:18:53,060 --> 00:18:57,530
So the function name is the first and the index.

188
00:18:58,650 --> 00:19:00,870
Ordinal and the function.

189
00:19:01,800 --> 00:19:04,380
Address Sunset Canada crushing.

190
00:19:07,320 --> 00:19:09,180
So I think we are good to go now.

191
00:19:09,210 --> 00:19:11,310
So let's go and print this.

192
00:19:11,880 --> 00:19:12,810
We got an error.

193
00:19:43,350 --> 00:19:43,600
Okay.

194
00:19:43,680 --> 00:19:44,340
Sorry again.

195
00:19:44,340 --> 00:19:47,640
So this is also the array.

196
00:19:47,760 --> 00:19:50,820
So if you go to this one, you will have this.

197
00:19:54,220 --> 00:19:56,080
Any of these addresses.

198
00:19:59,840 --> 00:20:01,250
And you need to read again.

199
00:20:01,250 --> 00:20:01,820
So.

200
00:20:03,970 --> 00:20:06,460
Marshal dot ReadInt32.

201
00:20:11,720 --> 00:20:13,220
So we are going to read again.

202
00:20:13,220 --> 00:20:20,080
So the function address offset gives you, gives you it here.

203
00:20:20,090 --> 00:20:24,200
So here we need to read four bytes at a time.

204
00:20:26,030 --> 00:20:28,160
So we can say base address.

205
00:20:29,420 --> 00:20:32,060
Plus function address offset.

206
00:20:34,810 --> 00:20:39,430
Plus, now we can say index ordinal into four.

207
00:20:46,520 --> 00:20:48,350
Function address.

208
00:20:48,350 --> 00:20:50,600
So I think we are good to go.

209
00:20:54,780 --> 00:20:55,830
So let's run this.

210
00:21:02,200 --> 00:21:02,590
Well.

211
00:21:03,790 --> 00:21:04,840
I to.

212
00:21:31,690 --> 00:21:37,090
So now we can see we got the function name and the index ordinal and the address.

213
00:21:42,720 --> 00:21:46,680
I think we got somewhat wrong, I guess.
214
00:21:54,210 --> 00:21:56,610
We are adding it to the base address.

215
00:21:56,610 --> 00:21:58,980
So that's why we are getting more values.

216
00:22:23,230 --> 00:22:25,450
So let's comment on this one.

217
00:22:28,910 --> 00:22:30,200
Now let's run this.

218
00:22:31,430 --> 00:22:33,840
And now we can see we got this.

219
00:22:36,880 --> 00:22:37,300
Address.

220
00:22:37,300 --> 00:22:38,800
7e798.

221
00:22:41,240 --> 00:22:42,080
709.

222
00:22:42,170 --> 00:22:45,060
That is the function offset 143814.

223
00:22:45,080 --> 00:22:45,650
See here.

224
00:22:47,560 --> 00:22:48,750
And see four.

225
00:22:50,710 --> 00:22:53,100
So we got the same function also.

226
00:22:53,110 --> 00:22:56,230
So according to the index, we got some wrong.

227
00:22:57,620 --> 00:22:59,940
So let's fix that index ordinal there.

228
00:22:59,960 --> 00:23:02,750
So we are doing something wrong at this index ordinal.

229
00:23:02,780 --> 00:23:06,560
So if you go to the base address plus this offset, you will have this one.

230
00:23:11,320 --> 00:23:13,960
This address in this one.

231
00:23:16,420 --> 00:23:20,920
You don't need to do like this.

232
00:23:21,190 --> 00:23:27,220
We can ReadInt16, so we can directly read two bytes at this address.

233
00:23:27,670 --> 00:23:29,430
So if you run this or.

234
00:23:33,910 --> 00:23:38,170
We are printing only the one element, so we need to add i into two as well.

235
00:23:40,150 --> 00:23:44,800
So let's run this, and we can see now the index ordinals are correct.

236
00:23:52,370 --> 00:23:57,680
So zero, one, two, etc., so we can, instead of the i.

237
00:23:57,710 --> 00:23:59,920
We can do index ordinal.

238
00:24:03,370 --> 00:24:07,120
So it's printing the correct addresses for these functions.

239
00:24:08,730 --> 00:24:11,310
So we can see we got successfully parsed.

240
00:24:11,310 --> 00:24:15,610
The exported functions in a DLL.
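The walk the video performs by hand (export directory, then AddressOfNames, AddressOfNameOrdinals and AddressOfFunctions, with 2-byte ordinals and 4-byte RVAs) is written out below as an added Python example; it is not the video's C# code and not part of the transcript. It assumes a mapped image where an RVA is a direct offset into the buffer (the video adds RVAs to a base address for the same reason); parsing a file on disk would first need the section table to turn RVAs into file offsets. The image itself is constructed sample data, not a real DLL. Beyond the video's case, the example also handles a function exported by ordinal only and treats a function RVA that points back inside the export directory as a forwarder string, which is the PE convention but is not discussed in the video.

```python
"""Walk a PE export directory in a mapped image (RVA == buffer offset).

Constructed example: build_image() lays out a tiny fake image, not a real DLL.
"""
import struct

# IMAGE_EXPORT_DIRECTORY, 40 bytes, little-endian:
# Characteristics, TimeDateStamp, MajorVersion, MinorVersion, Name, Base,
# NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
# AddressOfNameOrdinals
EXPORT_DIRECTORY = struct.Struct("<IIHHIIIIIII")


def build_image():
    """Construct a fake image with the export directory at RVA 0x1000.

    Three functions are exported: "Alpha" and "Beta" by name, the third by
    ordinal only (constructed sample data)."""
    image = bytearray(0x3000)
    export_rva, export_size = 0x1000, 0x600
    funcs_rva, names_rva, ords_rva = 0x1100, 0x1200, 0x1300
    dll_name_rva, alpha_rva, beta_rva = 0x1400, 0x1500, 0x1510
    func_rvas = [0x2010, 0x2020, 0x2030]   # code RVAs, outside the export dir

    image[dll_name_rva:dll_name_rva + 9] = b"fake.dll\0"
    image[alpha_rva:alpha_rva + 6] = b"Alpha\0"
    image[beta_rva:beta_rva + 5] = b"Beta\0"
    struct.pack_into("<3I", image, funcs_rva, *func_rvas)
    # AddressOfNames holds 4-byte RVAs of name strings, kept sorted.
    struct.pack_into("<2I", image, names_rva, alpha_rva, beta_rva)
    # AddressOfNameOrdinals holds 2-byte indexes into AddressOfFunctions:
    # "Alpha" -> slot 1 (0x2020), "Beta" -> slot 0 (0x2010).
    struct.pack_into("<2H", image, ords_rva, 1, 0)
    EXPORT_DIRECTORY.pack_into(image, export_rva,
                               0, 0x5F0A1B2C, 0, 0, dll_name_rva, 1,
                               3, 2, funcs_rva, names_rva, ords_rva)
    return bytes(image), export_rva, export_size


def read_cstring(image, rva):
    """Read a NUL-terminated ASCII string at the given RVA."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def parse_exports(image, export_rva, export_size):
    """Return the DLL name, ordinal base, name -> (ordinal, target) for named
    exports, and ordinal -> target for functions exported by ordinal only.
    A target is a code RVA (int) or a forwarder string (str)."""
    if export_rva == 0:
        return None                       # no export directory (usual for an EXE)
    (_chars, _stamp, _major, _minor, name_rva, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = EXPORT_DIRECTORY.unpack_from(image, export_rva)

    funcs = [struct.unpack_from("<I", image, funcs_rva + 4 * i)[0]
             for i in range(n_funcs)]

    def target(idx):
        rva = funcs[idx]
        # An RVA inside the export directory is a "DLL.Func" forwarder, not code.
        if export_rva <= rva < export_rva + export_size:
            return read_cstring(image, rva)
        return rva

    named, used = {}, set()
    for i in range(n_names):              # NumberOfNames, not NumberOfFunctions
        name_ptr = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        idx = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]   # 2 bytes each
        used.add(idx)
        named[read_cstring(image, name_ptr)] = (base + idx, target(idx))
    # Slots never referenced from the name table are ordinal-only exports;
    # a zero RVA marks an unused slot in a gap of the ordinal range.
    ordinal_only = {base + idx: target(idx) for idx in range(n_funcs)
                    if idx not in used and funcs[idx] != 0}
    return {"dll": read_cstring(image, name_rva), "base": base,
            "named": named, "ordinal_only": ordinal_only}


def describe(t):
    return hex(t) if isinstance(t, int) else "forwarder " + t


if __name__ == "__main__":
    img, rva, size = build_image()
    result = parse_exports(img, rva, size)
    print(result["dll"], "ordinal base", result["base"])
    for name, (ordinal, t) in sorted(result["named"].items()):
        print(f"  {name:<8} ordinal {ordinal}  {describe(t)}")
    for ordinal, t in result["ordinal_only"].items():
        print(f"  (no name) ordinal {ordinal}  {describe(t)}")
```

The two mistakes the video runs into are the two places the loop body differs from a naive copy: the ordinal table is read in 2-byte steps (`2 * i`, ReadInt16 in the video's C#), and the ordinal is an index into AddressOfFunctions, so the function RVA is read at `funcs_rva + 4 * idx` rather than at `4 * i`. The name loop is bounded by NumberOfNames; the video gets away with NumberOfFunctions only because the two are equal for its DLL.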