Video

@@LinuxIsBetter43 For the #US stream length? I believe it’s bytes - a string of <128 bytes results in 1 length byte, otherwise it gets 2. Let me know if you were referring to something else - thanks for watching and congrats on chugging right along!

@@jeFF0Falltrades You are correct. I just confused myself. Strings are measured in bytes, but in his comment there was binary in parenthesis, so it got in my head =)

@@jeFF0Falltrades I do have a question though. Later on you go to say that if 80 flag is set, then the actual length will be the following byte. What happens if the string is even longer than 255 bytes? Do we get another 80 flag and another length bit?

@@LinuxIsBetter43 No worries - I wouldn’t have been surprised in the least if I had misspoken because…well just keep watching my videos and you’ll see that it’s not uncommon 😂

@@jeFF0Falltrades No worries. BTW, RE my question above, AI says that it would be preceded by the 80 flag, and then the next 4 bytes are the length of the string (I asked about 300 byte of string for example), so it said there would be something like 80 2C 01 00 00. Idk maybe incorrect, here we see only 1 byte after 80, but maybe it's not writing them for optimisation purposes.

@@ellisfrancisfarros3935 So glad you’ve enjoyed it! I hope it’s eased your entry into the domain and I hope you continue to learn! Thanks for watching 🙏

Yeah I've racked my brain with this every time I see an AsyncRAT sample. I've looked at the source code itself, debugged, and run it by others, and still don't have a great explanation. Even the LLMs I've put the code through always say: "This line seems like a mistake" X-D You're right in that memoryStream will vary with the input, so some values are 64 bytes, others 128, and still others 736 bytes, for example. So array3 still gets allocated to different sizes depending on the length of input - not any hardcoded value - and that size is always a bit more than needed for the actual decrypted data. I'm of the mind that either: 1) They intentionally did this to leave a buffer at the end of array3 (though it doesn't make sense because at most array3.Length bytes will be read every time) 2) It's a mistake 3) I'm missing something crucial here haha

@@jeFF0Falltrades Sounds good. To me it looks like they were a bit lazy, so they took a relatively big buffer to prevent memory leaking=). I want to thank you for the great content as well!

@@LinuxIsBetter43 Yep, you are probably onto something 😂 And thanks so much for your kind words and engagement! So glad you enjoyed!

Thank you! So glad you enjoyed!

@@dewmi4403 So glad you enjoyed! RCT never dies

Tq jeff❣️

You are absolutely correct - thanks for reporting this! It was a validation typo. Good news is 1) It's fixed now and 2) This must mean you are among the first to get the crackme completed!

There it is! Congratulations and well done!!!

@@jeFF0Falltrades thank you! It was really fun solving the challenges!

@@lukefidalgo8154 Glad to hear it! I'm always nervous leading up to a release b/c I have a lot of fun making them and testing them out, and there's always the "Ah damn, is this going to be something that's just fun for *me*?" X-D So glad you enjoyed!

@@wittingsun7856 Great suggestion! I wanted to start with the basics, but I think a follow-up video with more advanced techniques is called for, too. I’ll add that to the list :-)

@@jeFF0Falltrades I'm happy to hear this, it definitely can't miss 😎

@@xiaonguyen6693 Great question! Some families might have “stoplists” of processes they might monitor for and stop working if they detect them running written into the malware program, as an anti-sandbox measure. But it’s very easy to bypass this as the analyst: In fact, there’s a blog post on Medium by Mohammed Dief that’s a good example of this where he just changes a few attributes of the procmon executable to bypass a video game (of all things) program that checks for procmon as an anti-debug measure. So what I would say is: If it looks like a piece of malware is not running fully or you’re not getting results you expect, either throw it in a debugger like we do with Royal ransomware here to find out more OR, more simply, just experiment with your monitoring tools to see if closing one of them changes the behavior of the malware. That’s the benefit of using a hands-on lab, vs. a fully automated one. Thanks and good thinking!

@@Jarvx Stahppppp 🥰 Seriously thanks for watching and being here 🙏

@@micha7863 Thanks so much and thanks for being here 🙏

Yeah I think we’ll be due for another game-based video soon as many people (myself included) have so much fun with those, and they are great for learning the basics while keeping things fun. Thanks for the suggestion!

@@CrusaderMen Thank *you*! I hope you enjoy this one too

@@0ri0nexe Man you made my day hahaha. I’m in the middle of finishing up editing Part 2 (which I can say DEFINITIVELY will be out tomorrow AM, Eastern Time), and I really needed this motivation. Thanks for being a great hype man and I am glad you find the tools useful! I’m so happy to finally share my lab setup as it’s been good to me all these years.

​@@jeFF0Falltrades Two videos in a row, what a time to be alive.

@@0ri0nexe 🤣

YES!!! I'm so happy for you because that book is a treat. And you'll find my set up is very akin to the one in the book, so I hope this complements it well :-). Also, if you're interested, No Starch Press just this month came out with another book called "Evasive Malware" that I call out in this video. I haven't read through all of it yet, but what I have read has been really good! Thanks for watching and I hope you enjoy both this and PMA!

The alien book is top tier :)

Thanks so much on both accounts, and thanks for being here!

@@micha7863 thanks for attesting to the unattended installation stuff as well - as you’ll see (if you haven’t already) it DOES cause issues for me as well 🥴

@@jeFF0Falltradesoh ok, i was commenting while watching, thanks again!

I figured haha. Didn't mean to spoil it for you, but yeah, had quite a few "live" troubleshooting instances with VirtualBox/Windows

@@b213videoz Nej det vill du inte 😉😂 There are much better Swedish teachers, I’ll just stick to my machine languages thanks 😆 Thanks for watching as always!

Thanks again for this (and I mean sincerely - I appreciate candid feedback and I get scared when I only hear praise or general feedback) and your other comments. I'll also add these clarifications to the pinned comment in hopes that will help others who may have been confused by these segments: 25:08: Apologies for not calling it out; You're right in that it's important for beginners to understand the "why", and I think I was focused on switching to demo'ing it in the debugger and glossed over the extra instruction: This kind of "duplicative instruction" can happen due to compiler optimizations - Different compilers can hold themselves to different "guarantees" and rules around how they compile code, and I think in this instance, we humans can see that the extra instruction is not needed, but the compiler decided for some reason to include it. Why? It's very difficult to say without knowing a LOT about how the compiler is written to work. It could be accounting for optimizations in speed, or scheduling of instructions, or because it uses some standard pattern of instructions for this type of loop, and applies those rules regardless. 25:45: Apologies again as I was not as focused on the decompilation view vs the disassembly view in this segment. To answer your questions: The 0x34 is added to ESP because that happens to be where this array was placed on the stack by the compiler: 0x34 == 52 in decimal, which divided by 4 bytes is 13, so you can think of it as there are 13 other 4-byte segments between ESP and the array, which are other values on the stack. But put more plainly, the array starts at 0x34 past ESP, so we must add 0x34 PLUS our index*4 bytes (because every int is 4 bytes) to access each element of the array. Now (2) and (3) of your question are interesting: The additional "+ 3" of the decompilation you see there does not appear in other decompilers I used, and it's likely just a case of the decompiler "hallucinating" - meaning that it tried to decompile this segment, but realized the way it decompiled the address to the array was out of alignment, and so it compensated by just tacking on a "+ 3" to make the math work. Sounds silly, but this is why decompilers are not perfect. To see this practically, you can check the values in the debugger: The decompiler says that auStack_4f should be at EBP-0x4f But in the debugger, if EBP is at address 0x9FFB98, EBP-0x4f would be at 0x9FFB49, which is right after the first byte of a DWORD, so the decompiler adds 3 more bytes to align the array to the start of the next DWORD (4-byte) address. In reality, the array starts at EBP-0x44 in the debugger. That value makes more sense because according to our disassembly and decompiler math: auStack_4f + 3 should equal ESP+0x34 auStack_4f+3 should actually be auStack_44 because when we make that change, the math works: ESP == EBP-0x78 auStack_44 == ESP+0x34 == EBP-0x44== EBP-0x78+34 == EBP-0x44 == EBP-0x44 So why did the decompiler misinterpret the disassembly? Again, could be a number of reasons based on the decompiler logic/optimizations. I know that was a long answer to a short question, but please let me know if that helps, and I will add this to the correction pinned comment as well - Thank you again for calling out some great clarifying points!

Thanks for providing this and the other comments (I'll post replies to those on their own threads so others can see) - It's really nice to have someone actually take the time to call out confusing or erroneous stuff, because I can get in tunnel vision when filming, or biased by experience, so I appreciate you calling these out. 50:09 - Yeah you're right, that's misleading as written/said. I based a lot of this portion off of 3 older x86 references, so I wonder if I read something wrong or just messed it up myself, but regardless, you're correct about other flags being impacted, and I'm going to go back and change the chart (and I'll post a correction in the pinned comment) and simplify this to: CMP is identical to SUB, but it only sets status flags (several of them, as you mentioned), as opposed to storing a result, or something to that effect. 1:00:28: Yeah I should not have said "the stack grows up" here, as that goes against how most people will learn about stack and heap - In the case of the graphic I'm using, the stack does technically grow "up", but you're right that it's confusing and only applicable in this diagram. The reason I oriented the graphic like this - which is the inverse of what most texts about stack and heap do - is I wanted it to look visually identical to how we would view it in the debugger, and I think I will keep it that way. But I will also add another clarification in the pinned comment on this. I am planning on pushing some changes to the repo this week at some point, so I'll make a note to update the diagram with the changes above. Thanks and I'll go reply to your other comments here shortly!

Working on it, I promise! Got derailed over some dayjob and personal matters but I’m grinding to get this next one done! Thanks so much for the kind words!

I think it may still be helpful in that it may help you work on an agnostic “workflow” for reverse engineering, e.g. how to use tools to home in on patterns. PowerPC assembly has some different syntax, but will be fairly similar to looking at x86 or really any assembly language. But, that said, I know it’s also a time investment with the course - maybe you can bounce around a few chapters, and see if they help you in your goals? I’d recommend looking at some PowerPC disassembly first so you can compare and see how much this x86 content will help you in analyzing it. Best of luck regardless!

@@jeFF0Falltrades Wow, thank you so much for the quik response. I have already some knowledge of powerpc assembly. I looked into the start of your video where you talked about the language processing system. I don't know for sure but it looks a lot like the assembly/disassembly of powerpc asm. The linking proces seems the same because powerpc asm also works with object files and elf files but I don't know if that means that the disassembly is the same for both x86 and powerpc asm. Is it the same?

@@KoenPol123 No problem! And no they are not the same - PowerPC assembly has some differences in the language (things like the number and name of registers, and just general instructions), but the toolchain for building EXEs and ELFs using a PowerPC compiler is very, very similar to using gcc or other C compilers. So, the higher-level you are, the more similar they will seem, but at the lower levels of assembly and machine code, PowerPC and x86 start getting very different :-)

@@jeFF0Falltrades Oh sorry, I meant that the disassembly proces of powerpc and x86 seems the same if I look at the start of the video. I have luckily enough knowledge to know that all assembly languages are very different.

@@KoenPol123 Ah! Yes, you are correct on all accounts then - the disassembly process is fairly similar, which is why I hope this series might still be useful to you :-)

Congratulations! Not only is finishing the series itself an accomplishment, but that understanding throughout the crackme is incredible. You should be proud and I hope you continue to practice and - most of all - have fun with it!

❤️

You are so kind! I hope you continue to enjoy and I appreciate you being here!

That’s awesome! If you document that work anywhere, please send it to me! Thank you for watching!

As they say: “Everything is open source if you are patient enough to learn assembly” 😂

@jeFF0Falltrades indeed. 🤣 Had to do x86 assembly once. Wouldn't recommend it.

You are too kind, this comment made my day! I’m just happy to have as many that are in this community today :-) Getting prepped to record another video this month! Hope you enjoy that one as well. Thanks so much for watching.

What the heck?! Thank you for telling me because I thought I had it enabled! Should be working now - not that I ever expect it, but I also have a BMAC link on the channel. Thank you so much for watching and so glad to hear you enjoyed! We actually have another one of these coming up this month, focused on malware analysis, with another challenge!

@@jeFF0Falltrades Done. I ended up using buy me a coffee instead since I saw that the cut for that is 5% whereas youtube's is 30%. Thanks again!

@@Gaspa79 You didn’t have to do that but not only do I appreciate the donation, but the extra step of looking at the cut percentage is truly kind. Thank you so much and I hope you continue to enjoy the content!

Another one coming up next month! Slightly different topic but very excited to get the next one going 😁 So, so happy to hear you enjoyed!

@@jeFF0Falltrades I have only nearly finished the first episode but I am stoked that there are more coming. Thank you so much for these videos!

@@christianlijs1346 So happy to hear this!!! I’m working on a second master0Fnone course now and comments like this motivate me so much. Thanks for watching and I hope you enjoy the rest!

@@jeFF0Falltrades I had a feeling it would motivate you or at the very least make you happy, but just know that's exactly how I feel when I come across a video like this! Thank you, and I might just let you know how the other videos go for me.

@@christianlijs1346 Thank you so much!

👁️👄👁️

Yeah I think I get what you’re saying - we didn’t do that as much in this video/script, but if you check out my RollerCoaster Tycoon videos, those scripts do exactly that - take patches and apply them to a copy of the original EXE while leaving the original intact. This one just happened to be more focused on the DLL injection. Thanks for the feedback and for watching!

Thank you so much! ❤️

Thank you!🙏

Take frequent breaks and drink water, haha. Thank you so much - that is such high praise.

Bring it in 🤗

Thank you so much on all accounts! Hope you enjoyed

Thank you 🙏

Thanks for releasing these. Helping me skill up from Software Engineer to Reverse Engineer :).

@@wilfridtaylor I hope you find them helpful man! Good luck in your journey!

Depends on the environment, but more often on analyst workstations than enterprise users.

VBS or powershell would work better in general windows enterprise. since it comes with all windows, and can even utilize dotnet :)

@@dots5641 was thinking either c++ or .net, python seems a stretch, but it always depends on target

first

🥇

🥈