1
00:00:01,100 --> 00:00:03,340
Hello and welcome back.

2
00:00:03,350 --> 00:00:13,420
As I mentioned in the earlier lesson on the introduction to x64dbg, there are two methods mostly

3
00:00:13,990 --> 00:00:21,630
used in x64dbg to bypass the anti-debugging feature.

4
00:00:22,000 --> 00:00:32,810
The first method is by patching, which is to set a breakpoint on the anti-debugging API, for example

5
00:00:32,880 --> 00:00:36,400
IsDebuggerPresent, and then patching it.

6
00:00:36,400 --> 00:00:44,680
So in this lesson we will show you how to use the first method to bypass the anti-debugging feature.

7
00:00:44,920 --> 00:00:46,990
So let's get started.

8
00:00:48,220 --> 00:01:00,980
Open your Chrome browser and look for MSDN IsDebuggerPresent, press Enter, and click on the first

9
00:01:00,980 --> 00:01:01,580
result.

10
00:01:01,610 --> 00:01:02,240
Then you see

11
00:01:05,860 --> 00:01:17,650
this is the API most commonly used in checking whether or not the software is attached to a debugger, and

12
00:01:17,650 --> 00:01:26,350
it has no parameters, but it returns a boolean value which can either be true or false.

13
00:01:26,530 --> 00:01:34,570
So if the software detects that a debugger has been attached, it will return true; else it will return

14
00:01:34,630 --> 00:01:35,170
false.

15
00:01:36,210 --> 00:01:38,810
So let us now open the program

16
00:01:38,890 --> 00:01:40,420
in the debugger,

17
00:01:43,400 --> 00:01:44,580
click on Run.

18
00:01:49,580 --> 00:01:55,300
And then now click on Run again to go to the entry point.

19
00:01:55,900 --> 00:02:02,210
And now over here there is a command line in which you can type commands.

20
00:02:02,940 --> 00:02:05,030
So the command to set a breakpoint

21
00:02:05,040 --> 00:02:19,170
can be used by typing bp followed by the name of the symbol, IsDebuggerPresent.

22
00:02:19,830 --> 00:02:21,060
So just type

23
00:02:21,060 --> 00:02:25,330
bp space IsDebuggerPresent.
24
00:02:25,470 --> 00:02:29,710
So this is the API that we are putting a breakpoint on.

25
00:02:29,880 --> 00:02:33,300
So this is a new method which we have not used before.

26
00:02:33,300 --> 00:02:41,120
Previously we did it by using the mouse and clicking on the breakpoint, but now we are typing using the

27
00:02:41,130 --> 00:02:42,610
command box.

28
00:02:42,720 --> 00:02:46,850
So after you have typed this breakpoint, bp IsDebuggerPresent,

29
00:02:46,860 --> 00:02:50,810
just press Enter and you will see "breakpoint at

30
00:02:50,820 --> 00:02:52,730
this address is set".

31
00:02:52,980 --> 00:03:00,220
So now if we run, click on Run, you will see here it hits the breakpoint.

32
00:03:01,020 --> 00:03:08,290
So it has already found the API here and stopped, and you can see now

33
00:03:08,440 --> 00:03:18,910
this is the API IsDebuggerPresent, so we are not in the user module, we are in the system module.

34
00:03:18,990 --> 00:03:27,570
So if you remember, in the earlier lessons I have taught you how to go back to the user module. Do you still

35
00:03:27,570 --> 00:03:30,530
remember? Yes.

36
00:03:30,950 --> 00:03:37,610
So to go back to the user module, you click on this button here, "Run to user code", so just click on it

37
00:03:37,610 --> 00:03:47,300
now and you will go back to the address in the user module just after the call to the API.

38
00:03:47,300 --> 00:03:56,790
So if you scroll up now, you see that a call to the API was made here, and it jumped to the system

39
00:03:56,910 --> 00:04:00,980
module address, and now it comes back to the user module.

40
00:04:01,610 --> 00:04:09,830
So now we have detected this is the place where the call to the API, IsDebuggerPresent, is being made.

41
00:04:09,890 --> 00:04:22,410
If you recall, every API returns a value in the EAX register. The return value is a bool: if the current process

42
00:04:22,440 --> 00:04:25,980
is running in the context of a debugger, then the return result
43
00:04:26,060 --> 00:04:30,140
is non-zero. So over here,

44
00:04:33,300 --> 00:04:43,520
if you look at this, it returns the result in EAX, and if EAX is non-zero, that means it has detected a

45
00:04:43,520 --> 00:04:53,540
debugger. If you press F8 now to go here, and you see, if you press F8 now and you come to this

46
00:04:53,540 --> 00:04:56,530
line, you will find it will not jump.

47
00:04:56,870 --> 00:05:04,860
So if it doesn't jump, it will go to this message, and then it will die.

48
00:05:05,050 --> 00:05:06,250
So you can see here

49
00:05:09,150 --> 00:05:15,310
the zero flag is not set because EAX is not zero.

50
00:05:15,330 --> 00:05:16,390
So it will not jump.

51
00:05:16,920 --> 00:05:24,860
So if you press F8 now, it will enter and set up the message,

52
00:05:25,140 --> 00:05:28,880
the bad message, then it will call this here.

53
00:05:29,040 --> 00:05:33,670
It will show "debugger detected". So now if you click

54
00:05:38,750 --> 00:05:46,910
and then press F9 to run, it will be terminated and debugging stops.

55
00:05:47,530 --> 00:05:57,620
Okay, so now let's restart the program again and try the patch. Let's run, and now it has hit our

56
00:05:57,620 --> 00:06:06,400
breakpoint. Click on "Run to user code" and scroll up.

57
00:06:06,400 --> 00:06:12,850
And now, where do you think we should patch? Because here

58
00:06:12,940 --> 00:06:14,500
the result is in EAX,

59
00:06:18,040 --> 00:06:30,530
so actually, only here, the jump will not be taken. If you press F8, every time you saw that the jump

60
00:06:31,410 --> 00:06:32,270
is not taken.

61
00:06:32,280 --> 00:06:35,250
So we want the jump to be taken.

62
00:06:35,250 --> 00:06:42,410
So how do we do this? We make a jump here to this address.

63
00:06:43,080 --> 00:06:45,040
So take note of this address.

64
00:06:45,390 --> 00:06:48,750
This address is 4389.
65
00:06:48,780 --> 00:06:55,880
So we want to jump here so that it will not show the message and it will not call this function.

66
00:06:56,070 --> 00:07:08,220
So assemble here by double-clicking and modifying this to jmp, and check that the size is

67
00:07:08,220 --> 00:07:09,850
the same or less.

68
00:07:09,850 --> 00:07:13,500
So it takes an instruction of the same size or less.

69
00:07:13,510 --> 00:07:15,080
OK.

70
00:07:15,830 --> 00:07:18,820
So now it will jump.

71
00:07:18,860 --> 00:07:33,410
So now let's press Enter here. It jumped. Now if we press Run, you see it has successfully bypassed the anti-

72
00:07:33,410 --> 00:07:42,230
debugging feature. So now let's patch this and save it.

73
00:07:42,630 --> 00:07:57,730
So go to File, Patch file, and then here click on Patch file and give it a name with a new suffix,

74
00:07:58,960 --> 00:08:08,570
patched. Click Save, then close.

75
00:08:08,610 --> 00:08:13,940
So now you can close this one

76
00:08:18,110 --> 00:08:20,210
and open the patched file with the debugger,

77
00:08:25,030 --> 00:08:38,930
click on Run, and Run again, and you will see it has bypassed the anti-debugging feature. So this

78
00:08:38,930 --> 00:08:42,740
is how we perform the first method

79
00:08:43,290 --> 00:08:48,390
of bypassing anti-debugging by using patching.

80
00:08:48,450 --> 00:08:50,280
So thanks for watching.

81
00:08:50,280 --> 00:08:54,600
In the next lesson I will show you how to use plugins to do the same thing.

82
00:08:54,600 --> 00:08:55,250
See you then.

83
00:08:55,350 --> 00:08:55,800
Bye bye.