Lazy String Decryption Tips With IDA PRO and Shade Ransomware Unpacked!

18,930 views

OALabs

1 day ago

Comments: 44
@yakovgoldberg7108 6 years ago
Sergei, thanks again for another great video and for enriching our community.
@andylockhart257 6 years ago
Awesome video guys! Unpacking some banking malware then actual reversing of how it performs "Man-in-the-browser" would be great
@OALABS 6 years ago
That's a great idea! Might be a bit more of a challenging tutorial since there is some background that is needed but we might try a 3-part series or something like that : ) Thanks!
@Demonslay335 6 years ago
Ooo that's an awesome trick! Shame IDA Free doesn't support remote debugging, so you just have to be extra careful doing it locally (snapshots!). P.S. Thanks for the plug. :)
@OALABS 6 years ago
Yeah, IDA Free is pretty limited... but on the plus side you don't have to worry about malware stealing your license if you debug on the same VM that has it installed ; ) Also, we ❤️ all the work you do, no need to thank us : ))))
@Stokpos 6 years ago
Big up for the ida debugger meme :)
@BGroothedde 5 years ago
Very useful information, thanks for sharing!
@rayray1999100 3 years ago
Great Video
@Kippykip 3 years ago
Holy hot damn, you're really good at this!
@alyagomaa5101 4 years ago
THANK YOU SO MUCH
@FreakinKatGaming 4 years ago
Love VirusTotal. And your video.
@1a4s4l7 6 years ago
Great vid btw!
@ashvinbhuttoo 6 years ago
Please please please show us how to unpack ENiGMA 5.X!
@ahmedezzat1243 6 years ago
I'm not sure how I'm supposed to feel after watching malware analysis and memes together
@OALABS 6 years ago
😆😆 you l̶a̶u̶g̶h̶ IDA you lose? 😆😆 If it's too annoying we will stop... just thought we would mix it up a bit : )
@h0pde 6 years ago
@@OALABS it was fitting, I think it's great!
@ahmedezzat1243 6 years ago
@@OALABS No it's awesome
@_nit 6 years ago
Hey guys, fantastic video as always! I had no idea you could use snapshots in IDA, that's brilliant stuff. However I have one question as to why you used HxD to look at that section when PE Bear already gives you a hex dump on the top whenever you click on a particular section :P
@OALABS 6 years ago
Hey glad to see you are enjoying the tutorials! So I use HxD because we usually want to look at the space right before the section starts to see if it is also all null bytes (for more context) and unfortunately PE Bear only allows you to scroll down in the hex view and not up .... this might be fixed soon : )
@breakingtwitting 4 days ago
What would be the strategy for dealing with hugely packed binaries? I got a 500 MB binary and it takes forever to analyze.
@OALABS 1 day ago
Check if there is a giant overlay that can be stripped. Usually this is just a silly trick used by malware devs to prevent scanning of their binary.
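One way to check for such an overlay and strip it, as an added example that is not from the video or this thread: it reads the section table with the standard library, measures what lies past the last raw section, and only drops that tail when it exceeds a size threshold. The minimal PE it builds for demonstration and the 1 MiB default threshold are assumptions.

```python
import struct

def _headers(data: bytes):
    """Locate the PE header; returns (optional_header_offset, num_sections, section_table_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24
    return opt, num_sections, opt + opt_size

def overlay_info(data: bytes):
    """Return (overlay_offset, overlay_size): the bytes past the end of the last raw section."""
    opt, num_sections, sect_table = _headers(data)
    end = sect_table + num_sections * 40            # at least the headers themselves are covered
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    end = min(end, len(data))                       # tolerate truncated files and lying headers
    return end, len(data) - end

def security_directory(data: bytes):
    """(file_offset, size) of the Authenticode blob; it lives in the overlay, so stripping discards it."""
    opt, _, _ = _headers(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (144 if magic == 0x20B else 128)     # data directory entry 4 for PE32+ vs PE32
    return struct.unpack_from("<II", data, dd)

def strip_overlay(data: bytes, min_size: int = 1 << 20) -> bytes:
    """Drop the overlay only when it is at least min_size bytes (assumed default: 1 MiB)."""
    off, size = overlay_info(data)
    return data[:off] if size >= min_size else data

def build_sample(overlay: bytes) -> bytes:
    """Constructed minimal PE32 (not a real binary): one 512-byte .text section, then the overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = b"\x0b\x01" + b"\0" * 222                                # PE32 magic, rest zeroed
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + file_hdr + opt + sect
    return hdr + b"\0" * (0x200 - len(hdr)) + b"\xc3" * 0x200 + overlay

if __name__ == "__main__":
    sample = build_sample(b"\0" * 3000)
    print(overlay_info(sample), len(strip_overlay(sample, min_size=1024)))
```

A large overlay is not always padding: if the sample fails or behaves differently after stripping, the loader was reading its payload from there, so analyze the original instead. A signed file also keeps its Authenticode blob in the overlay, so a stripped copy will no longer verify.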
@pinokio514 3 years ago
OALabs, someone here addressed you as Sergei - are you one of ours? I mean from the CIS? Where and when did you move from? Maybe as a child, and that's why you speak so fluently?) You just can't tell from the voice, I didn't notice an accent. Usually it's noticeable. P.S. And here - 21:48 - didn't you also need to specify the directory in Input File? Maybe that's why IDA went to the file on THIS virtual machine?
@OALABS 3 years ago
Hi, I'm Canadian. I forgot to set the correct directory in IDA. Also, I typed this with Google Translate)
@pinokio514 3 years ago
@@OALABS Hi. Hm.. Is your name Sergei?
@OALABS 3 years ago
Yes. My name is Sergei.
@pinokio514 3 years ago
@@OALABS That's a very popular name in the ex-USSR. I can't think of any other country that has the name Sergey/Sergei. Spanish speakers have Sergio (Serhio). But Sergei... Maybe your great-grandparents once left Russia or Ukraine... I was just curious, never mind =) P.S. I have some questions, maybe you know: 1) There is a library api-ms-win-core-winrt-l1-1-0.dll with a call RoActivateInstance and the like. In kernel32 I see these functions as text. But they are not in the imports or exports. Do you know where they are called from? 2) Which API (NTDLL or Kernel) calls the functions from the imports and exports? I know about GetProcAddress. But maybe there is something else?
@OALABS 3 years ago
1) I think those have to do with Windows Runtime Components docs.microsoft.com/en-us/windows/uwp/winrt-components/create-a-windows-runtime-component-in-cppwinrt. 2) I'm not too sure what you are asking? But if you load a library the exports will be mapped into your process so you don't need to do any additional work to identify the functions. Maybe I misunderstood the question?
@SaliyaRuchiranga 6 years ago
Can you do a video about unpacking custom or unknown packers?
@OALABS 6 years ago
Sure! We are always taking suggestions if you have some hashes of ones you think might be interesting. In most of our videos we are looking at unknown/custom packers.
@therock99pk 2 years ago
Yeah, it's very useful. I have the same issue with a piece of software; can you help me bypass an activation please?
@lakshayarora3916 5 years ago
I saw you had ftk imager on your desktop, why don't you upload some windows forensics analysis tutorial on your channel, that would be fun 😀
@OALABS 5 years ago
Sharp eyes : ) Now we mostly use FTK to quickly look at images that we sometimes receive, but in a past life both Sean and myself did a lot of forensics as incident responders. At the time FTK, EnCase, and later Volatility, were the boss tools. But over time, as EDR solutions became the norm, these tools sort of took a back seat, and we both moved to malware analysis full time. Present day, I'm not really sure what the best practices are for Windows forensics so I wouldn't really be comfortable giving out incorrect advice. I can ask around though and see if maybe we can get a guest who is working IR full time to do a tutorial. Thanks for the suggestion : )
@1a4s4l7 6 years ago
Have you got a Discord server?
@OALABS 6 years ago
No sorry. We were thinking of opening up something like that (maybe slack?) but we just haven't had a lot of time to think it through. We would need some mods since we get so many crazy game unpack requests I'm sure if we had a public group it would just get spammed 😂😂
@therock99pk 2 years ago
I want you to keep the video zoomed in; it's very hard to see on mobile.
@Bostek 6 years ago
Gimme some more! :)