well thanks for scrolling to the comments so anyway join my newsletter at jh.live/newsletter and check out jh.live/training to learn more cybersecurity stuff

Realising that entire ascii value-ish blob of nonsense was the actual malware, which was executed as string joins, has been a truly astonishing upload. I've never expected this'd be my morning

I came to see what this was. Was going to watch for 5mins... stayed till the end and wanted more 😄

This video is just an artistic description of how much John hates tangent functions

When he sad "Now we're getting to the real malware", that's when I started not understanding anything anymore

Probably the tangent stuff was intended to send a malicious person on a tangent. This was fascinating to watch.

"I'll secure my malware by obscurity". Nice

So in VB, you can have arrays that can indexed in anyway you choose, and this can be chosen per array. If you wanted, you could have an array that's valid indices were 5-10. The purpose of LBound and UBound is to determine what that range is for a given array. LBound(array) returns the lowest index while UBound(array) returns the highest index. This allows for a generic loop structure of For i = LBound(array) to UBound(array) stuff using array(i) Next

Thank god im not the only one what looks up these functions, reads the documentation, and the first words out of my mouth are "but wtf does that even mean"

Those random, doing nothing functions such as the excessive amount of sleeps and tangent functions are to evade from anti virus sw, that checks for hashes and heuristics. Those are added progressively with each version of the virus.

That switch to dark mode killed me 😂 Google was like "HACKER MODE ENABLED"

Just when I was saying "he is wasting his time, this code is just a troll joke" you made the @@@@@ magic and BOOM! you found the cake! ^_^ Thanks for sharing your skills John! Really appreciated

I really enjoy these kinds of videos; fast-paced unnedited breakdown of malware ur a legened

"Lol. Let's just copy paste some random function a couple hundred times. There. Obfuscated. I'm a genius." -some bad guy, probably

If i remember correctly, those tangets were called 'sandpiles', random piles of odd maths with completly randomized variables, was used to hide the first steps to decode stuff.

Just here to say you should definitely do more of these

I've seen these obfuscated vbscipts before, even deconstructed them a bit (but not to it's conclusion like you did ). Never thought I would see parsing a vbscript on KZbin, this was fun!

It may sound a bit weird, but I love seeing you struggle with some things. Thanks for recording the whole thing. What matters the most to me is to understand your thought pattern and how you resolve the problems you encounter.

why did I just watch all of this and enjoy all of it... I'm really realizing how little I know about computers now

As someone starting to work in the coding/IT field, it blows my mind that someone made something this thorough.

I just got into learning IT and im very interested in coding. As I search more about coding, youtube recommends me videos like this. So You really got my attention by that caption. You got me even more hyped up about this all and you just earned another follower!

This was a great work-through! I loved watching your process! As a soon-to-graduate CS student, this brought a lot of stuff into focus, especially on how to work through these kinds of problems!

"I swear I've done this before." - Famous last words

If the hacking action in hollywood movies are "real" like this, those movies would take hours before finish

this is so satisfying to watch I was like I'm going to go watch an episode of a serie and than change my mind like nah I'm just going to watch a short KZbin video and sleep but here I'm at the end of the video.

The way you un-obfuscated that code was inspiring.

Me: Uh wow that's a long video. Let's watch it for 10 minutes and save it later. 40 minutes later - *subscribes*

Him fighting the ragex is literally me, tears roll down my face everytime.

As soon as you stopped yourself to go back and explain the keyboard shortcut, I subscribed. Keep up the good work.

I love learning with you! It’s always interesting and I feel like I’m learning along side you rather than being taught.

That first tag said "HAAAAA" because it was mocking you. It realized that it actually managed to stop you from reading the file

This reminds me of a situation that happened at a client I was consulting at in the late 90s (it might have been ILoveYou, but I can't remember). An e-mail with an attached .vbs file was running rampant on user's machines. They finally stopped it, but they had no idea what it was doing. Since I had VB experience, I was asked to dive in and see if I could figure it out. The code was obfuscated in many ways similar to what Hammond runs into in this video, but I finally figured out what the code was doing....and it was pretty nasty.

Will you be making more Malware Analysis videos?

It's just crazy how many people stay here because they relate to what you're doing :D. I love your content and I'm actually amused by watching something close to what I do every day.

Watching this video brought me back to my days of studying for the OSCP. I enjoyed this a lot more than I thought I would.

What lifeOverflow has taught me: if you see a long string, there must be some decoding going on. So ignore the junk code and go straight to the decoding loop. Then you can get the return value of that decoding loop (or just the value you end up with when the decoding is done) and go around with it. Removing all of those /Tan functions is time wasteful

I saw this right before going to bed at 11PM, stayed up watching pretty much the whole video, thank you xD

Interesting how the code was hidden behind some random garbage. Even the tangent functions make some sense now

It got real juicy after second stage. I loved this video way more than I thought I would. Keep up the good work man!

Those tan functions and the weird functions at the end did just what they were supposed to; you spent twice as long messing around with those puzzles than it took to figure out the core code! :D

I have a cursory understanding of programming. Not enough to write a program myself, but enough to sort of follow along. I'm 20 minutes in, and this is great. Why is this so interesting?!

At 29:56 you can see it's using windows new line which is 2 characters and (CR & LF) (Linux is only ), so in your regular expression you should have used . Also, in vb you can declare arrays from any index to any index, so you can make an array like "Dim my_array(10 to 20) As Integer". LBound will return the lower bound = 10, and UBound returns upper bound = 20

I found it very cool that you were figuring it out as you recorded the video and showed all the troubleshooting though processes.

I love how @25:00 he is the embodiment of "if you have a problem you are trying to solve with a regex you now have 2 problems"

I reverse engineered a malicious PowerShell script I found somewhere in almost the exact same way. There even was a 2000+ lines blob of nonsense (divided string whose parts were being added to a variable one after the other) that was literally a malicious executable encoded in Base64 format. Who knew that YT would recommend me an actually useful video today? Pretty neat stuff! As a beginner programmer I'm really proud of myself for the process and thankful that I came across your video. Have a nice day, John.

I'm only about 20 minutes in, but it's interesting to see this idea of a program obfuscating it's own code, then during it, possibly rebuilding it so that it can bypass virus detection. If that's what this thing is doing it's kind of brilliant if that's even possible. It seems like it has strings of characters that it's joining together, recursively. If, after all of that it used that newly made string for something devious, that's pretty interesting.

This video is bit old but if you by any chance read this comment i have to let you know, this was amazing, i watched the whole thing twice, i love your personality. At first I tought the script was nothing but nonsense but somehow you got a readable output. Like i said it was really interesting and i hope you keep doing this kind of videos. And lastly, thank you for the amazing content

You're like if Seth Rogen was a computer guy instead of an actor

I'm addicted to these videos. I learned more here than many other places. Keep it up bro!

The premiere is perfect for this format of video. Feels live, but I think you as the creator can concentrate on chat + the hacking at the same time 👍🏻👨‍💻

Saw this as a random recommendation and midway through I already knew where it would go (eval + garbage code) but stayed for the whole thing. Thanks for making this.

I just love how he stares into the void for a bit before he starts talking

I did not expect to watch as much of this as I did! Great video!

Oh, Houdini! I remember having to deal with some variants of it before! It wasn't prevented by AVs back then. Luckily, they *did* block the extra downloads, so the infection wasn't too serious, but every USB drive ended with all files hidden and links to the VBE added, posing as the files. They did open your files after reinfecting your machine, so did not know anything was happening at all. The first couple times I had to deal with it I did manual cleanups of the systems and the drives, then more variants started coming in so I exploited the infection check and local update mechanism to make my own fake infection for our machines. The script thought it was running and that my version was newer than the ones it knew, so it did not replace it. EDIT: And most new "re-releases" of Houdini or Dunihi are pretty much the exact same script with a different hostname and a different packing added to mess with its signature.

Its refreshing watching a professional break down a malware code into understandable code ; Great content man

The last man using sublime text

Randomly popped in my recommendations and I enjoyed every second of it! great job :) subscribed

I almost died of pain in the RegEx part. Function .+[\s\S]*End Function Would do it

dude that was a really fun adventure, honestly when i saw the length of the video i thought that i will stop watching after 5 min or so but 41 minutes gone without noticing. gj on the video mate

Houdini, he's the creator of H-worm an Arabic developer specifically from Algeria

I had nearly no hope for this to be an interesting video but I was bored senseless. Yet you delivered! Well done, I subscribed for more.

this was somehow even funnier than every meme channel combined

I like that you explain How to Think instead of just giving us the answer

I prefer to let the code decode itself and then just pulling out what you need from hooking API calls or memory, but manual deobfuscation can be fun every so often.

Loved the video man. Also a lot of the comments were really helpfull on getting a better understanding of what was going on with the first huge piece of code!!!

"Hashtag, at sign, tilde, karat, *haaaa*" why is this so funny

This was fun to watch and I enjoyed seeing your process of "un-obfuscating" the code

Man I laughed so hard when you were trying to beautify the VB code. My company still maintains some VB6 code , its like a blast from the past. VB studio does not even allow wheel scrolling.

I always enjoy seeing your thought process in malware analysis. Good stuff!

Could the tangent lines be written to literally send you on a tangent as sort of a play on words

I didn't think I could watch the entire video, but following your thought process was just super fascinating. Would be super interesting if you did a video about your workflow. Tools,Extensions and maybe some neat resources.

Learned a lot from this video. Please do more of these videos!

Hey John! I'm currently in school for CyberSecurity. Your videos are always interesting and I enjoy watching them in the background while helping myself code. Thanks for the content man :)

comment: "nice vid" purpose: "algorithm"

Fascinating stuff - thank you. Makes me realise now why I switched my brain off to learning coding when I was young. Just crossing my fingers that my yearly purchase of Bitdefender can cope, or that I remember to back up my drive very often!

That was interesting! Thank you, I had a lot of fun

I love that you sound so professional and you also are

This is surprisingly fun for me

I didn't think I was going to stay for the whole video Ended up staying for the whole channel

The regex for getting the line to work would've been [\s.]* ([] For characters to recognize, \s for any space character, . For any other char)

Lol 5:00 "Yup and that spits up and dies". Good video!

I love how he describes his interaction with this vbs script as if he and it danced together.

I genuinely enjoyed this video!! Tbh this video got me motivated to learn more programming so that I can analyze malware. Can't wait to see more !!

9:09 It's always satisfying to find some actually humanly readable source code stuff 😅

Only 10min into the video and i already like it. I enjoy how you explain everything step by step!

More malware analysis please!!!

The best content about hacking. I'm Brazilian, but I learned English just by watching your videos.

this is more interesting than a suspense thriller movie

Straight up hero. Finds a random script then cleans it up and updates to publish

Doing KZbin algorithm 'things' and expanding it.

Fascinating video, have never seen how malware is written and hidden and I've learnt a ton of stuff so thank you, easy Subscribe. Also, your phrase 'I know ive done this before', I feel you there

"More tangent functions, DIE" AHAHA

25:13 I can't say how happy am I to see another folk struggling to write regex. I mean you're probably way better at it than I am but I'm glad.

Google: "You are now using Dark Theme" No shit, Captain Obvious!

Please John. Be doing more of this religiously. You inspire programmers, cybersecurity enthusiasts in ways you can not understand. Keep up!

Me, randomly finding this video and have been learning C# for the past four months, staring at the end of every line: "... Where is it? Does this world know no law and order?"

yeah more of these, this video I really enjoyed and it was suspenseful, funny. Great workflow how you rename the functions to map a picture

microsoft: You must save your eyes, you have ads to look at.

Honestly, this is impressive both ways...Both that someone was smart enough to hide code in such a way, and that people are smart enough to find it.

Looks to me like stage one was just a lot of "weight" to try and hide the actual program's signature.