need to learn about breakpoints myself someday
I hope I gave an understandable explanation of why I used a hardware breakpoint. Let me know if there was anything you didn't understand.
Basically, if you are decrypting some bytes that are going to be executed and you put a normal breakpoint on those bytes intending to be hit once the instruction pointer is there, it will end up decrypting incorrectly, since what a software breakpoint does is inject an int3 instruction behind the scenes. So you are actually temporarily changing the content of what's there. So when it goes to decrypt, it's going to try and decrypt the changed instruction and will decrypt to the wrong value.
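To make the point above concrete, here is an added example (not code from the video or its author) that models both sides in plain C: a toy in-place XOR decryptor standing in for the malware's decrypt loop, and a minimal debugger model in which a software breakpoint patches 0xCC (int3) over the target byte while a hardware breakpoint only records the address, the way DR0..DR3 do, and never writes to the debuggee's memory. The six-byte stub (`mov eax, 1 ; ret`) and the key 0x5A are constructed for the example; the one assumption about debugger behaviour is that removing a software breakpoint writes the saved original byte back, which is what x64dbg and friends do.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define INT3 0xCC   /* the one-byte opcode a software breakpoint writes over the target */

/* Constructed sample: once decrypted these bytes are `mov eax, 1 ; ret`. */
static const uint8_t PLAIN_STUB[] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
#define STUB_LEN (sizeof PLAIN_STUB)
static const uint8_t XOR_KEY = 0x5A;   /* assumed key for the toy decryptor */

typedef enum { BP_SOFTWARE, BP_HARDWARE } bp_kind;

/* Minimal model of the debugger side. A software breakpoint patches int3 into the
   debuggee and remembers the byte it replaced; a hardware breakpoint just records the
   address (as a debug register would) and leaves memory untouched. */
typedef struct {
    bp_kind  kind;
    uint8_t *addr;
    uint8_t  saved;   /* byte that was there when the breakpoint was set */
} breakpoint;

static breakpoint set_breakpoint(bp_kind kind, uint8_t *addr) {
    breakpoint bp = { kind, addr, *addr };
    if (kind == BP_SOFTWARE)
        *addr = INT3;
    return bp;
}

/* Assumption: on removal the debugger writes the saved byte back for a software bp.
   After the decryptor has run, that saved byte is the *encrypted* value, so the
   location ends up wrong either way. Hardware bps have nothing to restore. */
static void remove_breakpoint(const breakpoint *bp) {
    if (bp->kind == BP_SOFTWARE)
        *bp->addr = bp->saved;
}

/* The malware's decryptor: XORs each byte in place. It reads whatever is in memory
   at that moment, including a debugger's int3 patch, because this is a data read,
   not an instruction fetch, so the breakpoint never fires during the loop. */
static void xor_decrypt_in_place(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Fill `out` with the encrypted stub, as it sits in memory before decryption. */
static void load_encrypted_stub(uint8_t *out) {
    for (size_t i = 0; i < STUB_LEN; i++)
        out[i] = PLAIN_STUB[i] ^ XOR_KEY;
}

/* Set a breakpoint of the given kind on the first byte of the still-encrypted stub
   (where the analyst expects execution to land later), let the decryptor run, remove
   the breakpoint, and return how many bytes differ from the real stub. */
static size_t decrypt_under_breakpoint(bp_kind kind, uint8_t out[STUB_LEN]) {
    load_encrypted_stub(out);
    breakpoint bp = set_breakpoint(kind, &out[0]);
    xor_decrypt_in_place(out, STUB_LEN, XOR_KEY);
    remove_breakpoint(&bp);

    size_t wrong = 0;
    for (size_t i = 0; i < STUB_LEN; i++)
        if (out[i] != PLAIN_STUB[i])
            wrong++;
    return wrong;
}

/* Small wrappers so the outcome of each scenario is a single return value. */
static size_t wrong_bytes_with(bp_kind kind) {
    uint8_t tmp[STUB_LEN];
    return decrypt_under_breakpoint(kind, tmp);
}

static uint8_t first_byte_with(bp_kind kind) {
    uint8_t tmp[STUB_LEN];
    decrypt_under_breakpoint(kind, tmp);
    return tmp[0];
}

int main(void) {
    printf("software bp: first byte %02X (expected %02X), %zu wrong byte(s)\n",
           first_byte_with(BP_SOFTWARE), PLAIN_STUB[0], wrong_bytes_with(BP_SOFTWARE));
    printf("hardware bp: first byte %02X (expected %02X), %zu wrong byte(s)\n",
           first_byte_with(BP_HARDWARE), PLAIN_STUB[0], wrong_bytes_with(BP_HARDWARE));
    return 0;
}
```

With the software breakpoint the decryptor XORs 0xCC instead of the real encrypted byte, so the first opcode comes out as 0x96 rather than 0xB8, and removing the breakpoint afterwards only swaps in the stale encrypted byte 0xE2; the stub is broken either way. With the hardware breakpoint nothing in the buffer was touched, so it decrypts to `mov eax, 1 ; ret` exactly and the breakpoint still fires when execution reaches the byte. One practical trap: the debugger's memory dump usually hides its own int3 patches and shows you the original byte, so the buffer looks clean in the UI even though the debuggee reads 0xCC.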
Just came across this. I like the uncut raw type of videos with no music. I don't know much about reverse engineering but it looks hella interesting
this is such a great video, I kind of wish I understood the logic behind all the steps you take when debugging lmao, but I guess that comes with time. I'm very new to this
This guy needs to create a malware course and get big money from it
Haha that would be a dream
@RyanWeil-r1n make it true then, I'm ready to pay 🤓
God bless you and your work buddy! I learned a lot from your videos.
Watching you dance between IDA and x64/32 dbg was glorious. How would you recommend someone improve their skills and abilities within mal analysis/rev engineering? Do you have any good resources/samples/trainings you'd recommend?
Thanks for the kind words!
For me, it was starting off with more 'basic' samples without any sort of obfuscation other than normal packing as well as learning the methods the malware authors use to inject code (Process Hollowing, CreateRemoteThread Injection, etc) **and actually writing my own PoC in C so I get an understanding of what's happening as opposed to just learning about it without actually knowing it in-depth**. People are good at hearing about something and just repeating what they hear, but to actually write the thing yourself and understand each step helps a ton.
It's a bit more difficult to find simple packed samples nowadays than it used to be, I'll have to one day go find some good beginner ones and maybe make a video on them.
@RyanWeil-r1n That's actually some great advice, thank you sir! I would definitely be interested to watch something like that :)
If people want free Photoshop, they should just get GIMP. Free and open, works on Mac, Linux and Windows. Very powerful.
Awesome video dude! I learned a lot
Amazing video, good work! Hopefully YT will start taking action against these channels...
your channel reminds me of eric parker
I'd like to think I'm more technical than him :D
Last time I messed with debugging was on Windows XP with OllyDBG so it's been a while. I mainly learned how to get around file packers at the time and didn't learn a lot of basics of assembly that I probably should have but it was mainly for fun anyways. The x64 debugger you're using looks very similar to OllyDBG with a lot more features/fixes/updates I'm sure. The more complex obfuscation techniques used by viruses like this one I couldn't wrap my head around years ago due to lack of knowledge of assembly etc. Does Ghidra come in handy or does IDA do a good enough job that it's not necessary to use?
IDA is better than GHIDRA (in my opinion at least) and the debugger I am using is x64dbg which is the standard nowadays (and objectively WAY better than Ollydbg). I was remembering being a kid trying to use ollydbg on XP as well and having no clue what I was doing 😃.
Nice video! Dude🌹🤌
That's what I was thinking
Thank you!
@RyanWeil-r1n Ryan, how can I contact you, if it's possible?
What keyboard are you using?
G413 Carbon
Interesting but next time please sound +40dB
Promise I’ll find a solution to the microphone issue next video :)
@RyanWeil-r1n +15 dB gain on the whole vid should be good
@vilvd3934 Do the audio levels sound stable to you? I don't want to increase it entirely by +15 if there are peaks and valleys and have the audio peaks destroy your ears instead :D. I am going to look into borrowing a better microphone tonight