Sergei, thanks again for another great video and for enriching our community.
@andylockhart257 6 years ago
Awesome video guys! Unpacking some banking malware then actual reversing of how it performs "Man-in-the-browser" would be great
@OALABS 6 years ago
That's a great idea! Might be a bit more of a challenging tutorial since there is some background that is needed but we might try a 3-part series or something like that : ) Thanks!
@Demonslay335 6 years ago
Ooo that's an awesome trick! Shame IDA Free doesn't support remote debugging, so you just have to be extra careful doing it locally (snapshots!). P.S. Thanks for the plug. :)
@OALABS 6 years ago
Yeah, IDA Free is pretty limited... but on the plus side you don't have to worry about malware stealing your license if you debug on the same VM that has it installed ; ) Also, we ❤️ all the work you do, no need to thank us : ))))
@Stokpos 6 years ago
Big up for the IDA debugger meme :)
@BGroothedde 5 years ago
Very useful information, thanks for sharing!
@rayray1999100 3 years ago
Great Video
@Kippykip 3 years ago
Holy hot damn, you're really good at this!
@alyagomaa5101 4 years ago
THANK YOU SO MUCH
@FreakinKatGaming 4 years ago
Love VirusTotal. And your video.
@1a4s4l7 6 years ago
Great vid btw!
@ashvinbhuttoo 6 years ago
Please please please show us how to unpack ENiGMA 5.X!
@ahmedezzat1243 6 years ago
I'm not sure how I'm supposed to feel after watching malware analysis and memes together
@OALABS 6 years ago
😆😆 you l̶a̶u̶g̶h̶ IDA you lose? 😆😆 If it's too annoying we will stop... just thought we would mix it up a bit : )
@h0pde 6 years ago
@@OALABS It was fitting, I think it's great!
@ahmedezzat1243 6 years ago
@@OALABS No it's awesome
@_nit 6 years ago
Hey guys, fantastic video as always! I had no idea you could use snapshots in IDA, that's brilliant stuff. However, I have one question: why did you use HxD to look at that section when PE Bear already gives you a hex dump at the top whenever you click on a particular section? :P
@OALABS 6 years ago
Hey, glad to see you are enjoying the tutorials! So I use HxD because we usually want to look at the space right before the section starts to see if it is also all null bytes (for more context), and unfortunately PE Bear only allows you to scroll down in the hex view and not up... this might be fixed soon : )
@breakingtwitting 4 days ago
What would be the strategy for dealing with hugely packed binaries? I've got a 500 MB binary and it takes forever to analyze.
@OALABS 1 day ago
Check if there is a giant overlay that can be stripped. Usually this is just a silly trick used by malware devs to prevent scanning of their binary.
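One way to do the overlay check suggested in that reply, as an added example that is not OALABS's code: a small Python script that parses the PE section table by hand (no third-party module) and reports how many bytes sit past the end of the last section's raw data. `build_sample` is a constructed toy PE32 image with a 700-byte appended overlay, used only so the script runs offline; the function names are this example's own.

```python
import struct

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is always 40 bytes

def overlay_offset(data: bytes) -> int:
    """File offset where the overlay begins: the highest PointerToRawData +
    SizeOfRawData of any section (or the end of the section table if that is
    larger). Equals len(data) when nothing is appended."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt  # section table follows the optional header
    end = table + SECTION_HEADER_SIZE * num_sections
    for i in range(num_sections):
        hdr = table + SECTION_HEADER_SIZE * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))  # clamp: a truncated section hides no overlay

def overlay_info(data: bytes) -> tuple[int, int]:
    """(start offset, overlay size in bytes); size 0 means nothing to strip."""
    start = overlay_offset(data)
    return start, len(data) - start

def strip_overlay(data: bytes) -> bytes:
    """Image with the appended overlay removed, for a lighter load into IDA."""
    return data[:overlay_offset(data)]

def build_sample() -> bytes:
    """Constructed toy PE32: one .text section (0x200 bytes at file offset
    0x200) followed by 700 bytes of appended junk. Headers are minimal."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)  # optional header magic: PE32
    sec = 0x58 + 0xE0  # first IMAGE_SECTION_HEADER
    hdr[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", hdr, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    return bytes(hdr) + b"\xCC" * 0x200 + b"OVERLAY" * 100
```

Before stripping a real sample, hash and keep the original: the overlay is sometimes the payload the stub decrypts at runtime rather than padding, and the ratio reported by `overlay_info` tells you which case you are likely looking at.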
@pinokio514 3 years ago
OALabs, someone here addressed you as Sergei. Are you one of ours? I mean from the CIS? Where and when did you move from? Maybe as a child, and that's why you speak so fluently?) You just can't tell from your voice, I didn't notice an accent. Usually it's noticeable. P.S. And here, at 21:48, shouldn't you also have specified the directory in the Input File? Maybe that's why IDA accessed the file on THIS virtual machine?
@OALABS 3 years ago
Hi, I'm Canadian. I forgot to set the correct directory in IDA. Also, I typed this with Google Translate)
@pinokio514 3 years ago
@@OALABS Hi. Hm... Is your name Sergei?
@OALABS 3 years ago
Yes. My name is Sergei.
@pinokio514 3 years ago
@@OALABS It's a very popular name in the ex-USSR. I can't think of any other country that has the name Sergey/Sergei. Spanish speakers have Sergio (Serhio). But Sergei... Maybe your great-grandfather/great-grandmother left Russia or Ukraine at some point... I was just curious, never mind =) P.S. I have some questions, maybe you know: 1) There's a library api-ms-win-core-winrt-l1-1-0.dll that has a call RoActivateInstance and so on. In kernel32 I see these functions as text. But they aren't in the imports or exports. Do you know where they are called from? 2) Which API (NTDLL or Kernel) calls the functions from the imports and exports? I know about GetProcAddress. But maybe there's something else?
@OALABS 3 years ago
1) I think those have to do with Windows Runtime Components docs.microsoft.com/en-us/windows/uwp/winrt-components/create-a-windows-runtime-component-in-cppwinrt. 2) I'm not too sure what you are asking? But if you load a library the exports will be mapped into your process so you don't need to do any additional work to identify the functions. Maybe I misunderstood the question?
@SaliyaRuchiranga 6 years ago
Can you do a video about unpacking custom or unknown packers?
@OALABS 6 years ago
Sure! We are always taking suggestions if you have some hashes of ones you think might be interesting. In most of our videos we are looking at unknown/custom packers.
@therock99pk 2 years ago
Yeah, it's very useful. I have the same issue with a piece of software; can you help me bypass its activation, please?
@lakshayarora3916 5 years ago
I saw you had FTK Imager on your desktop. Why don't you upload some Windows forensics analysis tutorials on your channel? That would be fun 😀
@OALABS 5 years ago
Sharp eyes : ) Now we mostly use FTK to quickly look at images that we sometimes receive, but in a past life both Sean and myself did a lot of forensics as incident responders. At the time FTK, EnCase, and later Volatility, were the boss tools. But over time, as EDR solutions became the norm, these tools sort of took a back seat, and we both moved to malware analysis full time. Present day, I'm not really sure what the best practices are for Windows forensics so I wouldn't really be comfortable giving out incorrect advice. I can ask around though and see if maybe we can get a guest who is working IR full time to do a tutorial. Thanks for the suggestion : )
@1a4s4l7 6 years ago
Have you got a Discord server?
@OALABS 6 years ago
No sorry. We were thinking of opening up something like that (maybe slack?) but we just haven't had a lot of time to think it through. We would need some mods since we get so many crazy game unpack requests I'm sure if we had a public group it would just get spammed 😂😂
@therock99pk 2 years ago
I want you to keep the video zoomed in; it's very hard to see on mobile.