How Do Packers Work - Reverse Engineering "FUD" Aegis Crypter

  • Published 12 Nov 2024

Comments • 75

  • @adamantsteel634
    @adamantsteel634 3 years ago +4

    You are the best teacher on this stuff. Been searching for days and haven’t found any good explanations for just how this stuff actually works. Thank you.

  • @spooneymcawesome1281
    @spooneymcawesome1281 5 years ago +5

    Fantastic video! Checking the "I will not use this for bad guy stuff" box is very similar to what you get in the car tuning world. There are a lot of things for sale that are marked "For offroad use only" driving down the road :)

    • @OALABS
      @OALABS 5 years ago

      Lol! Yeh I think the packer developers were hoping this little check box would save them from prosecution by law enforcement for writing malware... the joke being that if you look at the "evasion" options and the sneaky auto-run that they added it's just malware by definition, regardless of what checkboxes they added 😂

  • @ransombleed5679
    @ransombleed5679 6 years ago +2

    Very nice example of a crypter. Thanks!

  • @chmod7559
    @chmod7559 6 years ago +11

    Thank you.
    How about VM protection like Dolphin from Themida and others? For example, protect a simple function and explain how it works?

  • @ISquishWorms
    @ISquishWorms 6 years ago +3

    Excited about the side project looking forward to finding out what it is.

    • @OALABS
      @OALABS 6 years ago

      Coming soon : )

  • @kylemarcus1152
    @kylemarcus1152 6 years ago +1

    Awesome! Thanks for making these videos, very helpful.

  • @elohimhasta6972
    @elohimhasta6972 6 years ago +1

    Glad to see you back :)

  • @mvrk3755
    @mvrk3755 6 years ago +3

    Amazing work man! I was just talking to a coworker about packers yesterday haha

  • @BinaryAdventure
    @BinaryAdventure 6 years ago +1

    Great video as usual... It was refreshing and nostalgic to watch... :) Ugh I can relate to the being busy thing. Ah well, at least we're young and hopefully have years left to put up more vids :)

    • @OALABS
      @OALABS 6 years ago

      Hey glad to hear from you! Miss your vids but I def understand being too busy to post : )

  • @andylockhart257
    @andylockhart257 6 years ago +1

    Awesome. Been waiting for a new upload 🤗. New glasses Sergei? Looking good!

    • @OALABS
      @OALABS 6 years ago +1

      Thanks! Yeh new glasses ... I'm getting old haha : )

    • @andylockhart257
      @andylockhart257 6 years ago +1

      Welcome to the club 🤓

  • @rachidaz4491
    @rachidaz4491 6 years ago +1

    Thank you for this useful tutorial.

  • @shans2408
    @shans2408 5 years ago

    At 12:48 we could use Total Commander to compare the two files.

  • @pedrofilipelopescorreia840
    @pedrofilipelopescorreia840 4 years ago +1

    Great video, my congratulations.

    • @nassim-312nassim6
      @nassim-312nassim6 3 years ago

      Do you use a trojan bro? Like njrat or rmcos?

  • @BitmasterXor
    @BitmasterXor 4 years ago +1

    I think your explanation on the EOF "End of File" part is incorrect. I could have misunderstood you, but the EOF option on crypters means that the crypter will extract the EOF data from the malware itself and append it to the end of the stub file, because some malware looks at the EOF data and pulls settings from it to run properly. If you crypted malware with EOF data and failed to append said EOF data to the end of the crypted stub, then when executing the stub the malware itself would be run in memory without the ability to read the EOF data and thus error out or simply fail to load at all.
    Nice video! Keep teaching people, we need more IT security researchers in the world.
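    As an added example, not part of this thread or of the video: the "EOF data" discussed above is the PE overlay, the bytes that sit after the last section's raw data. The small Python parser below walks the section table to find where the image ends and returns whatever follows, which is how an analyst can check whether a sample (or a crypted stub) carries an overlay; the sample PE and its overlay are constructed inline, not taken from any real file.

```python
import struct

def pe_overlay(data: bytes) -> bytes:
    """Return the bytes after the last section's raw data (the PE overlay / 'EOF data')."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + size_opt
    end_of_image = sec_table + 40 * num_sections  # fallback: end of the section headers
    for i in range(num_sections):
        hdr = sec_table + 40 * i
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        if size_raw:
            end_of_image = max(end_of_image, ptr_raw + size_raw)
    return data[end_of_image:]

# Constructed overlay payload (placeholder settings blob, not from any real sample).
OVERLAY = b"EOFDATA: constructed settings blob\n"

def build_sample(with_overlay: bool = True) -> bytes:
    """Build a minimal constructed PE: one .text section at 0x80, optionally with OVERLAY appended."""
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)   # 1 section, no optional header
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000,
                          0x10, 0x80, 0, 0, 0, 0, 0x60000020)      # raw data: 0x10 bytes at 0x80
    image = mz + b"PE\0\0" + coff + section
    assert len(image) == 0x80
    image += b"\x90" * 0x10                                        # the section's raw bytes
    return image + OVERLAY if with_overlay else image

if __name__ == "__main__":
    tail = pe_overlay(build_sample())
    print(f"overlay: {len(tail)} bytes -> {tail!r}")
```

    On a real file, a non-empty return value is what a crypter's "EOF" option would have produced, and its contents are worth diffing against the overlay of the unpacked payload.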

  • @EvilSapphireR
    @EvilSapphireR 4 years ago +2

    I must be missing something very basic here, but when you pressed run at 13:15, the EIP didn't increase, which would mean no instruction was executed, and yet something was written in the memory address VirtualAlloc returned? And this was repeated multiple times. Super useful video, but I would really appreciate it if you kindly explained what happened there. Thanks!

    • @OALABS
      @OALABS 4 years ago +2

      Hey, that's a good question! So when I pressed run, EIP was pointing to the address of the breakpoint I had set. The program executed and then stopped because the same breakpoint was hit again. Since it was the same breakpoint, it looked like EIP hadn't changed. No tricks : )

    • @EvilSapphireR
      @EvilSapphireR 4 years ago +2

      @@OALABS Thank you so much for the reply! I now understand that the VirtualAlloc function gets called 4 times before calling CreateInternalProcessW which is why you hit the ret line four times before hitting CreateProcessInternalW, giving the illusion that EIP isn't changing. Simple enough, should've noticed it on the first go, but actually downloading your sample from malshare and playing around with it made me understand what's happening. Slow but sure improvement I guess. I can't thank you enough for these videos though, I'm going through them all one by one and it's opening up the cryptic world of malwares to me! Keep 'em coming!

  • @Cyberconman
    @Cyberconman 6 years ago +2

    Great content!!

  • @evilcryification
    @evilcryification 6 years ago +1

    As usual, great video, keep up the good work! :) - Evilcry

  • @allenpowell1702
    @allenpowell1702 5 years ago +2

    Aegis Crypter and calc.exe download files are missing.

  • @rckrs-jf8lb
    @rckrs-jf8lb 3 years ago +1

    cool.

  • @SourceCodeDeleted
    @SourceCodeDeleted 5 years ago +1

    Will you be at BruCon this year? This is in Belgium yeah?

    • @OALABS
      @OALABS 5 years ago

      Yes! We will be at BruCON, one of our favourite conferences! www.brucon.org/2019/

    • @SourceCodeDeleted
      @SourceCodeDeleted 5 years ago +1

      @@OALABS October 11th, yeah? I might be able to come. Or just for the trainings, which are on the 7th I think.

  • @typedeaf
    @typedeaf 3 years ago

    I am confused on why this packer uses CreateProcessInternalW() and VirtualAlloc(). I thought CreateProcess* was used for process injection in combination with WriteProcessMemory() or MapViewOfSection(), and VirtualAlloc() was used in self-injection in combination with VirtualProtect(). Why would you create a new process AND allocate heap in the current process?

  • @gwnbw
    @gwnbw 5 years ago +1

    I see everyone using 32-bit VMs, but 32-bit Ghidra is deprecated, and I want to learn it instead of IDA Pro. Is it ok to use W10, 64-bit, for general RE, this stuff and crackmes?

    • @gwnbw
      @gwnbw 5 years ago

      Also because ppl are stuck to IDA because they know it and cba to switch. Also Ghidra is free, ain't nobody gonna pay 300 for IDA Pro, or risk getting infected instead by getting a cracked version.

    • @OALABS
      @OALABS 5 years ago +3

      Hey Bjorn, I think I may have answered this in a reply to another one of your comments, sorry if it's a double post. So our tutorials are simply demonstrations of how we analyze malware ourselves, day to day. We show the tools we use, and the VM setups that we like. But at the end of the day this is just our own preference, there are tons of other excellent setups and tools that we just don't use so we don't cover them here. Ghidra and Win10 VMs fall into this category. We don't use them so we don't put up tutorials for them on the channel. That being said I don't think there is anything wrong with using Win10 and Ghidra for RE/malware analysis. There are tons of great tutorials on these setups on TH-cam so it seems lots of people are indeed reversing with this setup.

    • @gwnbw
      @gwnbw 5 years ago +1

      @@OALABS Gotcha :)

  • @partialdata
    @partialdata 6 years ago +1

    Can you do a video explaining how Stubs work in detail?

    • @OALABS
      @OALABS 6 years ago +3

      Yes for sure. I wanted to cover that a bit more in detail in this video but it was getting too long and I was worried everyone would get bored. At some point in the future we will do a more in-depth video where we step through the functionality of this stub and explain what each part does... hopefully it won't be too boring : )

    • @partialdata
      @partialdata 6 years ago +1

      OALabs awesome thanks for getting back to me.

    • @user-ej7ss8ei2g
      @user-ej7ss8ei2g 6 years ago +1

      @@OALABS No, trust me, what you're doing is extremely important. The videos seem quite clear, which is hard to find for a lot of beginners.

  • @ShkolnikPrahramist
    @ShkolnikPrahramist 6 years ago +2

    Yay)!))! good video!!

  • @BlackHermit
    @BlackHermit 3 years ago

    Hi, thanks!

    • @nassim-312nassim6
      @nassim-312nassim6 3 years ago

      Do you use a trojan bro? Like njrat or rmcos?

  • @nassim-312nassim6
    @nassim-312nassim6 3 years ago

    Didn't find the app in the link, why? Does it work on server.exe? Can I get a clean result after scan???

  • @vergil9397
    @vergil9397 5 years ago

    Thanks for this video, I know I'm late but it still helps me gain knowledge.
    Can you do one about obfuscation? Thanks

  • @nassim-312nassim6
    @nassim-312nassim6 3 years ago

    Need help bro to download, if I can get a clean result.

  • @seif9923
    @seif9923 1 year ago

    How do I test the malware that I make (for research purposes, I swear)? I obviously can't upload it to VirusTotal, it will get detected, and I can't scan it with an AV, it will get reported to the AV company and then signatured, and I can't just scan it offline because the scan won't be as effective without the AV having access to the internet (cloud and stuff).

    • @OALABS
      @OALABS 1 year ago

      media.tenor.com/qEmU0G67ve4AAAAC/fbi-meme-fbi-open-up-memes.gif

  • @ムワ-d7n
    @ムワ-d7n 6 years ago +1

    Watch this from LiveOverflow :)

    • @OALABS
      @OALABS 6 years ago +1

      LiveOverflow is one of our favourite channels! : ))

    • @ムワ-d7n
      @ムワ-d7n 6 years ago +1

      Yeah, he suggested it on Twitter 😊

  • @HXMCPP
    @HXMCPP 6 years ago +3

    I don't know why, but when I do some reversing on stuff like infected shareware, I use only Sandboxie + IDA. Don't need a VM or anything, especially with my 4 GB of RAM. (Sorry for my English, it's not my native language.)

    • @sucrose
      @sucrose 6 years ago +1

      I don't trust Sandboxie. It feels unstable.

    • @BinaryAdventure
      @BinaryAdventure 6 years ago +5

      Sandboxie isn't good for serious analysis because there are low-level things that you cannot do in Sandboxie at all which you can do in a full VM... For example you cannot do kernel debugging or hooking system callbacks.

    • @o.t112
      @o.t112 6 years ago +1

      These guys are right, infection happens even to professionals. There are several sandbox escapes, not to mention VM escapes. A VM won't take up too many resources and is safer than getting infected and having things go poorly.

  • @pwndepot367
    @pwndepot367 6 years ago +1

    Trying to download the sample from MalShare and it says "sample missing, contact admin".

    • @OALABS
      @OALABS 6 years ago +1

      Unfortunately MalShare seems to be borked... we won't be relying on it in the future. For now we are trying to find the samples we uploaded there and upload them to other, more stable services. You can find this sample on CAPE here: cape.contextis.com/analysis/22343/

  • @Okrah
    @Okrah 4 years ago +2

    Very interesting video. I was wondering if this was really considered unpacking, because basically you're just dumping the memory region which contained the calc.exe program. However, that question got answered quite quickly while continuing the video.
    You did mention that it might be interesting to go through the actual unpacker (@16:20) and reverse it together. Did you do this in any of your other videos? EDIT (found the answer, not the same file but it explains something very similar in detail): th-cam.com/video/WlE8abc8V-4/w-d-xo.html

  • @sandeepbrd123
    @sandeepbrd123 6 years ago

    How can I bypass dx pack HWID protection?

  • @Gamer-xk8bk
    @Gamer-xk8bk 2 months ago

    Do you know how debuggers work internally, through code? Please let me know why.

    • @OALABS
      @OALABS 1 month ago

      🤔

    • @vdofficialchannel9841
      @vdofficialchannel9841 1 month ago

      @@OALABS I found it, you had a video.

  • @deoxal7947
    @deoxal7947 6 years ago

    Weird to see someone say "here, have some malware".

  • @sendlocation8476
    @sendlocation8476 1 year ago

    @OALABS
    Where did you get this Aegis Crypter and other crypters from? Can you recommend a reputable site?
    Thanks

  • @lorenzoguida2706
    @lorenzoguida2706 3 years ago +1

    This link is offline: Aegis Crypter

  • @bernasevinc5259
    @bernasevinc5259 3 years ago

    Download link?

  • @denharius5117
    @denharius5117 4 years ago

    Error 14000 (Account not activated)

  • @tedmosby9409
    @tedmosby9409 6 years ago

    Intro's bad ass. I have loads of old malware source somewhere in my room on an old HDD, dating back to about 2010-11 to 2014: ransomware, carbs, crypters, worms, loaders, tons of shitty IRC bots, on and on. I need to share this code so it never gets lost, but I need to crack this RAR file first, evil laugh ma haha hahaha harrrrrr. Edit to add: I would only dabble in C/C++ back in the day, no skidware to my knowledge, but I have come a long way since then.

  • @ILYA20
    @ILYA20 4 years ago +1

    Oh man,
    My brain really exploded.
    I want you to take a breath between videos and let our brains rest.
    You only recorded parts of what you were talking about.
    This makes the audience tired.

  • @kingofbattleonline
    @kingofbattleonline 2 years ago

    Hi, please help me. For many months I've wanted to write an unpacker for one game. I just can't manage to do it. Write to me.

  • @Ahmed_Mtr
    @Ahmed_Mtr 4 years ago

    This guy did a lot of video cutting and editing, which makes it more of a headache.