1 00:00:01,030 --> 00:00:06,160 Hello and welcome to this demo practical in this lab.
2 00:00:06,180 --> 00:00:14,940 We are going to disassemble a .NET application, a simple one, and then modify or patch it.
3 00:00:15,700 --> 00:00:23,140 So download this from the recent session, and I repeat, the password to unzip these files is cracking
4 00:00:23,140 --> 00:00:23,590 lessons.
5 00:00:23,770 --> 00:00:29,650 Then put the folder in this new folder on the desktop.
6 00:00:30,430 --> 00:00:32,730 I call it malware analysis.
7 00:00:33,460 --> 00:00:38,290 If you open the folder, you will see the .NET demo.
8 00:00:38,320 --> 00:00:47,940 And so let us first see what it does. So go to the bottom left corner and look for Developer Command
9 00:00:47,950 --> 00:00:54,900 Prompt, and then you will see Developer Command Prompt for Visual Studio 2019.
10 00:00:55,330 --> 00:01:06,760 Click it to open, and then copy the path from this window here, and then go to the command prompt
11 00:01:07,420 --> 00:01:09,700 and change directory: cd space.
12 00:01:10,180 --> 00:01:17,230 Right-click to paste the new directory path and hit enter. If you type dir now, you will see the
13 00:01:17,230 --> 00:01:17,880 content of it.
14 00:01:18,490 --> 00:01:21,970 So if you run this program, dotnet demo one.
15 00:01:24,450 --> 00:01:33,990 It will just display Hello, Demo, and that's all. So in order to use ildasm to disassemble this, type
16 00:01:33,990 --> 00:01:46,170 ildasm followed by the name of the executable and hit enter. It will then open it in the application
17 00:01:46,200 --> 00:01:48,450 called ildasm.
18 00:01:48,930 --> 00:01:53,490 And from here you will see there is a hierarchy of files and folders.
19 00:01:53,970 --> 00:01:55,500 You will see the manifest here.
20 00:01:55,740 --> 00:02:02,250 If you double click here, it will show you the manifest contents, the metadata it contains.
21 00:02:03,030 --> 00:02:10,830 And then here you see there is another folder called dotnet demo one, the name of the application itself.
22 00:02:11,220 --> 00:02:14,150 And this also expands here to explain it further.
23 00:02:15,090 --> 00:02:21,420 Now, the first thing I believe we want to do when we are analyzing the executable is to locate the
24 00:02:21,420 --> 00:02:22,200 entry point.
25 00:02:22,980 --> 00:02:27,830 The entry point is usually in a Program class, or here, Program.
26 00:02:28,260 --> 00:02:30,450 Sometimes you will see many folders here.
27 00:02:31,200 --> 00:02:38,070 Look for the one with the name Program, then double click on it, open it, and you will see
28 00:02:38,070 --> 00:02:39,090 the Main program here.
29 00:02:39,120 --> 00:02:40,340 So this is the entry point.
30 00:02:41,220 --> 00:02:46,020 So if we double click on this now, you will see that this is the disassembly.
31 00:02:47,220 --> 00:02:48,960 These are the instructions.
32 00:02:50,160 --> 00:02:58,950 And this is the Main function, the Main method. The first instruction is ldstr, so the first thing
33 00:02:58,950 --> 00:03:02,370 that it loads is Hello, Demo 1; it loads it onto the stack.
34 00:03:02,910 --> 00:03:06,950 And then in the next instruction you call the WriteLine function, correct,
35 00:03:07,040 --> 00:03:11,010 from this class System.Console to write the string.
36 00:03:11,220 --> 00:03:15,140 The parameter to this function is the string which you loaded up here.
37 00:03:15,780 --> 00:03:17,710 So that's how you get your output.
38 00:03:18,750 --> 00:03:23,000 Then you see the string Demo 1 being returned to the console.
39 00:03:24,060 --> 00:03:33,410 So now if you wanted to see the IL in a separate editor, you have to dump this first.
40 00:03:33,960 --> 00:03:42,930 So to dump, you just go to File here and click Dump, and then here, do not change the default settings,
41 00:03:44,250 --> 00:03:45,120 just click OK.
42 00:03:45,960 --> 00:03:49,350 And it will dump the contents of the exe
43 00:03:50,360 --> 00:03:53,490 to a location of your choice.
44 00:03:53,600 --> 00:04:01,030 We are going to choose the desktop here, the .NET framework, and in here give a name for it. Then
45 00:04:02,030 --> 00:04:04,110 notice the extension, .il.
46 00:04:04,190 --> 00:04:04,730 So click.
47 00:04:06,710 --> 00:04:14,690 So now what it does is it will disassemble the exe into IL and save it in a separate file called
48 00:04:14,690 --> 00:04:15,350 dump.il.
49 00:04:15,770 --> 00:04:16,640 So this is the one.
50 00:04:17,210 --> 00:04:23,540 Now, in order to see the content of this, you need to open it with a text editor, so I right-click on it
51 00:04:23,540 --> 00:04:25,300 now and I open it.
52 00:04:25,340 --> 00:04:30,500 I'm going to use Open With, Sublime Text.
53 00:04:33,270 --> 00:04:42,390 So it is opening in Sublime Text and you can see the IL language; so this is all in IL language, we're
54 00:04:42,720 --> 00:04:44,220 going to see IL language.
55 00:04:46,780 --> 00:04:48,400 And here's the entry point.
56 00:04:49,890 --> 00:04:56,520 And here is ldstr "Hello, Demo 1", and here is a call to a function, WriteLine, with the string
57 00:04:56,520 --> 00:04:58,000 as a parameter to the function.
58 00:04:58,620 --> 00:05:02,570 So if you wanted to patch this now, you can do it this way.
59 00:05:02,580 --> 00:05:06,510 Let's say I wanted to change the string, so I can just type in
60 00:05:06,540 --> 00:05:14,280 Hello, Demo 1 changed, and then I save this. See this dot here, meaning that I
61 00:05:14,380 --> 00:05:18,450 have edited it but haven't saved it yet so far.
62 00:05:18,450 --> 00:05:29,570 Save, and I save the file. So now you have to reassemble it back to the exe. So to reassemble to exe you
63 00:05:29,640 --> 00:05:31,190 use ilasm.
64 00:05:31,710 --> 00:05:35,940 So let me clear the screen first and type ilasm.
65 00:05:36,420 --> 00:05:37,920 This is a different program.
66 00:05:38,160 --> 00:05:43,070 The other one is ildasm, where the D means to disassemble.
67 00:05:43,410 --> 00:05:52,560 Now we are doing ilasm, so we just type the name of the tool, ilasm, followed by the IL file.
68 00:05:52,860 --> 00:06:00,510 So in this case, the IL file is dump.il. Hit enter and then you will see the operation completed successfully
69 00:06:00,810 --> 00:06:02,190 and you have a new file.
70 00:06:03,420 --> 00:06:06,800 So now let's run dump.exe and see what we get.
71 00:06:06,930 --> 00:06:07,440 I see.
72 00:06:09,840 --> 00:06:12,480 And here you see the string has been output.
73 00:06:12,480 --> 00:06:14,190 It has been modified.
74 00:06:14,310 --> 00:06:14,940 Hello, Demo
75 00:06:15,010 --> 00:06:16,340 1 changed.
76 00:06:16,350 --> 00:06:20,460 So this is the string that we modified using the text editor.
77 00:06:21,030 --> 00:06:22,560 So this is how you can use
78 00:06:22,890 --> 00:06:27,180 ildasm to disassemble an exe,
79 00:06:27,600 --> 00:06:35,820 dump it into IL, and then use a text editor, and then use ilasm to rebuild the edited file to
80 00:06:35,820 --> 00:06:36,630 create a new
81 00:06:36,640 --> 00:06:37,020 exe.
82 00:06:37,860 --> 00:06:40,670 So that's all for this video.
83 00:06:41,070 --> 00:06:42,270 Thank you for watching.
84 00:06:42,450 --> 00:06:43,650 I'll see you in the next one.
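The text-editing step of this walkthrough, as an added Python example that is not the video's own tooling: it locates the method carrying `.entrypoint` in an ildasm-style dump, lists that method's `ldstr` operands, and rewrites the first one with correct IL string escaping. The IL text is a constructed sample rather than the real dump.il, and the function names are mine.

```python
import re

# Constructed sample in the style of an ildasm dump (not the video's dump.il).
SAMPLE_IL = """\
.class private auto ansi beforefieldinit Program extends [mscorlib]System.Object
{
  .method private hidebysig static void Main(string[] args) cil managed
  {
    .entrypoint
    .maxstack 8
    IL_0000: ldstr      "Hello, Demo 1"
    IL_0005: call       void [mscorlib]System.Console::WriteLine(string)
    IL_000a: ret
  }
}
"""

# ldstr operand: a quoted literal that may contain backslash-escaped characters.
LDSTR_RE = re.compile(r'(ldstr\s+")((?:[^"\\]|\\.)*)(")')


def escape_il_string(text: str) -> str:
    """Escape a literal for an IL ldstr operand (backslash and double quote)."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def entrypoint_span(il_text: str) -> tuple:
    """Offsets of the innermost '{ ... }' block that holds the .entrypoint directive."""
    ep = il_text.index(".entrypoint")
    start = il_text.rindex("{", 0, ep)
    depth = 0
    for i in range(start, len(il_text)):
        if il_text[i] == "{":
            depth += 1
        elif il_text[i] == "}":
            depth -= 1
            if depth == 0:
                return start, i + 1
    raise ValueError("unbalanced braces after .entrypoint")


def entrypoint_strings(il_text: str) -> list:
    """ldstr operands of the entry method, as written in the IL (still escaped)."""
    s, e = entrypoint_span(il_text)
    return [m.group(2) for m in LDSTR_RE.finditer(il_text, s, e)]


def patch_first_ldstr(il_text: str, new_text: str) -> str:
    """Replace the first ldstr operand inside the entry method only; the rest of the dump is untouched."""
    s, e = entrypoint_span(il_text)
    m = LDSTR_RE.search(il_text, s, e)
    if m is None:
        raise ValueError("no ldstr in entry method")
    return il_text[: m.start()] + m.group(1) + escape_il_string(new_text) + m.group(3) + il_text[m.end() :]
```

Listing the entry method's strings before and after an edit is also a quick triage check when you are reviewing a binary that someone else has patched this way.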