Sorry to hear that. The first 10 minutes of the video is a painful waste of time. 2:44 "I am running on Windows right now, so I don't think I can run a .vbs..." But right under: "Programs that can open VBE files". It runs on Windows. I was so sorry for Mr. Hammond.
Realising that entire ascii value-ish blob of nonsense was the actual malware, which was executed as string joins, has been a truly astonishing upload. I've never expected this'd be my morning
Haha my thoughts exactly. Malicious programmer: and let's send them on various tangents , then declare a bunch of functionas, redefine them and never call them.
Thank god im not the only one what looks up these functions, reads the documentation, and the first words out of my mouth are "but wtf does that even mean"
I'm having to relearn trigonometry related stuff, because I'm studying computer graphics. Man, i forgot how I hated this part of geometry at school. Gotta stay on top of it though
interesting way to throw off virus detection... var random_int = 344; var tangent_of_random_int = Tan(random_int); var cotangent_of_random_int = 1 / Tan(random_int); over and over...
All of that was nonsense though... the real script was just stored as a string of ascII characters separated by a "@@@@@" delimiter.. and then that string was executed.. Once again a vulnerability exists where a script allows execution of string data as code... Mainly an issue for interpreted languages.. But I guess compiled languages could have this too but the compiler would also need to be included with the runtime, right?
So in VB, you can have arrays that can indexed in anyway you choose, and this can be chosen per array. If you wanted, you could have an array that's valid indices were 5-10. The purpose of LBound and UBound is to determine what that range is for a given array. LBound(array) returns the lowest index while UBound(array) returns the highest index. This allows for a generic loop structure of For i = LBound(array) to UBound(array) stuff using array(i) Next
@@0xwhoami No, they where like "hey, lets give the programmer the flexibility of using whatever index they like, instead of creating an unnecessary problem of mapping the lower boundry to 0".
Those random, doing nothing functions such as the excessive amount of sleeps and tangent functions are to evade from anti virus sw, that checks for hashes and heuristics. Those are added progressively with each version of the virus.
That is really cool to learn. My thoughts were also to induce human error. Ex he’s deleting tangent function code and then accidentally deletes essential code but doesn’t realize it after deleting them so many times
Just when I was saying "he is wasting his time, this code is just a troll joke" you made the @@@@@ magic and BOOM! you found the cake! ^_^ Thanks for sharing your skills John! Really appreciated
I thought the guy was a fool who didn't know what he was doing and some how made a virus. But the blob_of_nonsense was decided and BAM I instantly gained +100 respect for who wrote the code. I don't know how common this trick is but it is smart anyway.
If i remember correctly, those tangets were called 'sandpiles', random piles of odd maths with completly randomized variables, was used to hide the first steps to decode stuff.
What lifeOverflow has taught me: if you see a long string, there must be some decoding going on. So ignore the junk code and go straight to the decoding loop. Then you can get the return value of that decoding loop (or just the value you end up with when the decoding is done) and go around with it. Removing all of those /Tan functions is time wasteful
Agreed, seems this is providing beginners a general approach to understanding and breaking down code. Indeed once you’ve done an exercise like this a few times, there’s no additional benefit and in fact is slower.
This reminds me of a situation that happened at a client I was consulting at in the late 90s (it might have been ILoveYou, but I can't remember). An e-mail with an attached .vbs file was running rampant on user's machines. They finally stopped it, but they had no idea what it was doing. Since I had VB experience, I was asked to dive in and see if I could figure it out. The code was obfuscated in many ways similar to what Hammond runs into in this video, but I finally figured out what the code was doing....and it was pretty nasty.
@@headblockheadIIRC, basically deleting images from every directory it could find on the user's machines, including mapped network folders....which included corporate product images....that weren't backed up either 😮.
Hearing him say "do I need that to be greedy?" and replacing * with + just hurts... Cant blame him for not comprehending regex. I followed a minor where I learned parsing (and with it regex) and it was *brutal*. Totally worth my time to learn though.
Theres even more insane stuff out there, look up the NSO Group iMessage GIF zero click vulnerability. These guys used the GIF preloader of iMessage to load a GIF that in turn loaded a PDF which in turn used a broken decompression algorithm that has a classic integer overflow, which in turn they used to program virtual logic gates into the RAM, which then was used to build NAND gates (which are the basic building blocks of modern processors) and then build a VIRTUAL SOC with it, that could search the RAM for keywords and relay the information back to their servers, without you noticing. EDIT: The GoogleProjectZero Blog has the most thorough analysis about it.
I mean, to be fair, John actually explains why they have so many of these tangent operations, which is to fool any external system trying to analyze the code or predict any specific behavior, they'll just think the code is doing random math stuff, while in practice the math stuff is completely useless, it's just used as a "mask"
@@LaughingShinoo I was referring to the constant declarations of the same functions with exactly the same variable names, content and operations below the actual code.
It may sound a bit weird, but I love seeing you struggle with some things. Thanks for recording the whole thing. What matters the most to me is to understand your thought pattern and how you resolve the problems you encounter.
Same. I have only done a minimal amount of programming, mostly JS+CSS but I loved watching John dismantle and assess the code. The way he explained his methodology helped me better understand what I was seeing, and as soon as I saw the clear human coding, I knew exactly what I was looking at! Thanks for posting the whole thing!
This was a great work-through! I loved watching your process! As a soon-to-graduate CS student, this brought a lot of stuff into focus, especially on how to work through these kinds of problems!
I'm only about 20 minutes in, but it's interesting to see this idea of a program obfuscating it's own code, then during it, possibly rebuilding it so that it can bypass virus detection. If that's what this thing is doing it's kind of brilliant if that's even possible. It seems like it has strings of characters that it's joining together, recursively. If, after all of that it used that newly made string for something devious, that's pretty interesting.
the main reason to obfuscate is to make it unreadable and hard to approach. even renaming all your variables and functions to random strings and base64 encoding everything will make quite a lot of people trying to read your code go "nah, this mess isn't worth my time"
I don't think anything would have done it. If you read the status line it says the regexp is running out of stack space trying to pattern match the enormous file.
I've seen these obfuscated vbscipts before, even deconstructed them a bit (but not to it's conclusion like you did ). Never thought I would see parsing a vbscript on UA-cam, this was fun!
this is so satisfying to watch I was like I'm going to go watch an episode of a serie and than change my mind like nah I'm just going to watch a short UA-cam video and sleep but here I'm at the end of the video.
I prefer to let the code decode itself and then just pulling out what you need from hooking API calls or memory, but manual deobfuscation can be fun every so often.
I just got into learning IT and im very interested in coding. As I search more about coding, youtube recommends me videos like this. So You really got my attention by that caption. You got me even more hyped up about this all and you just earned another follower!
Oh, Houdini! I remember having to deal with some variants of it before! It wasn't prevented by AVs back then. Luckily, they *did* block the extra downloads, so the infection wasn't too serious, but every USB drive ended with all files hidden and links to the VBE added, posing as the files. They did open your files after reinfecting your machine, so did not know anything was happening at all. The first couple times I had to deal with it I did manual cleanups of the systems and the drives, then more variants started coming in so I exploited the infection check and local update mechanism to make my own fake infection for our machines. The script thought it was running and that my version was newer than the ones it knew, so it did not replace it. EDIT: And most new "re-releases" of Houdini or Dunihi are pretty much the exact same script with a different hostname and a different packing added to mess with its signature.
I have a cursory understanding of programming. Not enough to write a program myself, but enough to sort of follow along. I'm 20 minutes in, and this is great. Why is this so interesting?!
At 29:56 you can see it's using windows new line which is 2 characters and (CR & LF) (Linux is only ), so in your regular expression you should have used . Also, in vb you can declare arrays from any index to any index, so you can make an array like "Dim my_array(10 to 20) As Integer". LBound will return the lower bound = 10, and UBound returns upper bound = 20
I reverse engineered a malicious PowerShell script I found somewhere in almost the exact same way. There even was a 2000+ lines blob of nonsense (divided string whose parts were being added to a variable one after the other) that was literally a malicious executable encoded in Base64 format. Who knew that YT would recommend me an actually useful video today? Pretty neat stuff! As a beginner programmer I'm really proud of myself for the process and thankful that I came across your video. Have a nice day, John.
Saw this as a random recommendation and midway through I already knew where it would go (eval + garbage code) but stayed for the whole thing. Thanks for making this.
Man I laughed so hard when you were trying to beautify the VB code. My company still maintains some VB6 code , its like a blast from the past. VB studio does not even allow wheel scrolling.
There is a little program you can download for free called "VBScroll.exe". If you run it before running vb6 you can use the mouse wheel to scroll the editor window.
I don't think anything would have done it. If you read the status line it says the regexp is running out of stack space trying to pattern match the enormous file.
That would be fantastic! I'm trying to get into a security job, and knowing what malware looks like and how it works would be super super helpful, even if I don't use that knowledge in my interview or internship
I didn't think I could watch the entire video, but following your thought process was just super fascinating. Would be super interesting if you did a video about your workflow. Tools,Extensions and maybe some neat resources.
It's just crazy how many people stay here because they relate to what you're doing :D. I love your content and I'm actually amused by watching something close to what I do every day.
The premiere is perfect for this format of video. Feels live, but I think you as the creator can concentrate on chat + the hacking at the same time 👍🏻👨💻
Those tan functions and the weird functions at the end did just what they were supposed to; you spent twice as long messing around with those puzzles than it took to figure out the core code! :D
To quiet a few annoying trolls, in this video I mistakenly said "I can't run a VBScript file because I'm running Windows right now". If I were on Windows, I could certainly execute the VBScript. I should have said "I'm running Linux" because I am clearly using Linux for this showcase. (You can still partially run VBScript code with Wine on Linux, but your mileage may vary)
Someone pointing out you made a mistake without first reading each and every comment is not a "troll" my dude. Don't go diluting the meaning of the word by applying it to everything.
@@Asdayasman People tend to call everyone they disagree with, especially their political opponents, trolls nowadays. Just accuse whoever you don't like of being disingenuous and you have a _valid reason_ to not argue the point anymore.
Fascinating stuff - thank you. Makes me realise now why I switched my brain off to learning coding when I was young. Just crossing my fingers that my yearly purchase of Bitdefender can cope, or that I remember to back up my drive very often!
Yes, one of the key components of good obfuscation is "red herrings" which make reverse engineering much more time consuming. Obfuscation is not about hiding functionality (can still be disassembled with static analysis for example) but making it not worthwhile to determine how it does it, and thus identifying ahead of time if it is a threat/how to counteract it. "You" predominantly being heuristic AV software; AV software usually has a limited window of opportunity within which to give something a red flag or a green flag, otherwise it slows down performance and people leave it Norton 1 star reviews. If you can survive the gauntlet, you're through one of hopefully many secure doors in a multi-layered security solution, onto the next level.
This is what I strive to do in cybersecurity. I am fascinated by IT and security, even working in IT right now, but I also love software development. Once I finally finish my Comp Sci degree, I’m going to keep achieving certs and hopefully can end up in a position like John is in.
The author was basically calling either himself or his code evil. Look at the numbers under those symbols. 32~6 you don't go from 32 to 6 you step up by one so 33~6 or in other words three sixes 666 ha ha ha, or twice as evil given the two instances of 3. There is also a secondary joke here in that ~^ is a euphemism for dangling a carrot on a stick. Presumably for downloaded additional coding that makes the end user think everything's been fixed only to pop up again and again and again. It's actually kind of clever really.
Me, randomly finding this video and have been learning C# for the past four months, staring at the end of every line: "... Where is it? Does this world know no law and order?"
Having the video that inspired me to pursue cybersecurity on my recomended at news years is an incredible coincidence. Which i'll try to decode in the next hours, after a drunk sleep.
Lol. That’s a simple staged based malware sample. There are more complex and more nefarious kinds out in the wild. I think this would make a great series for you John.
Cool reverse engineering. We've had a variant of this come in as phishing, but code was obfuscated using macro_pack..we were able to extract IoCs using wildfire though..
Hey i have this malware on my pc, and everytime i reinstall windows it slowly fucks my PC up. What can i do? Thanks, ive been trying for weeks. What is wildfire? I’m not a programmer
This video is bit old but if you by any chance read this comment i have to let you know, this was amazing, i watched the whole thing twice, i love your personality. At first I tought the script was nothing but nonsense but somehow you got a readable output. Like i said it was really interesting and i hope you keep doing this kind of videos. And lastly, thank you for the amazing content
I came to see what this was. Was going to watch for 5mins... stayed till the end and wanted more 😄
lol! same
Same, I even drug my wife in about 15 mins in and had to restart. Lol
Same, i clicked midway and watched a few seconds, then ran it to the beginning and watched it all thoroughly! Good content, John!
Lol! same. I thought it was just a boring schinzel about a code.
Sorry to hear that. The first 10 minutes of the video is a painful waste of time.
2:44 "I am running on Windows right now, so I don't think I can run a .vbs..." But right under: "Programs that can open VBE files". It runs on Windows.
I was so sorry for Mr. Hammond.
Realising that entire ascii value-ish blob of nonsense was the actual malware, which was executed as string joins, has been a truly astonishing upload.
I've never expected this'd be my morning
That's very common with malware, most of everything else in this one was just to try not to be flagged by antivirus.
That's not astonishing at all.
That's how they escape getting detected by anti virus software. Becz the code is executed by another code all in the memory.
Probably the tangent stuff was intended to send a malicious person on a tangent. This was fascinating to watch.
Haha my thoughts exactly.
Malicious programmer: and let's send them on various tangents , then declare a bunch of functionas, redefine them and never call them.
i was expecting the eval function to reference those variables for calculation
Thank god im not the only one what looks up these functions, reads the documentation, and the first words out of my mouth are "but wtf does that even mean"
This video is just an artistic description of how much John hates tangent functions
I'm having to relearn trigonometry related stuff, because I'm studying computer graphics. Man, i forgot how I hated this part of geometry at school. Gotta stay on top of it though
I guess you could say this code kept going off on tangents...
interesting way to throw off virus detection... var random_int = 344; var tangent_of_random_int = Tan(random_int); var cotangent_of_random_int = 1 / Tan(random_int); over and over...
All of that was nonsense though... the real script was just stored as a string of ascII characters separated by a "@@@@@" delimiter.. and then that string was executed.. Once again a vulnerability exists where a script allows execution of string data as code... Mainly an issue for interpreted languages.. But I guess compiled languages could have this too but the compiler would also need to be included with the runtime, right?
@@tibettenballs4962 What is wrong with you?
So in VB, you can have arrays that can indexed in anyway you choose, and this can be chosen per array. If you wanted, you could have an array that's valid indices were 5-10. The purpose of LBound and UBound is to determine what that range is for a given array. LBound(array) returns the lowest index while UBound(array) returns the highest index. This allows for a generic loop structure of
For i = LBound(array) to UBound(array)
stuff using array(i)
Next
Thanks, I hate it
@@actualFix at least they don’t start at 1.. not necessarily that is....
So basically VB Dev were like, hey let's creat this problem call it a feature and supply the solution by creating two functions
@@0xwhoami No, they where like "hey, lets give the programmer the flexibility of using whatever index they like, instead of creating an unnecessary problem of mapping the lower boundry to 0".
@@sanguchito7381
how is that a problem in any other lang like rust, python, c or java....etc
When he sad "Now we're getting to the real malware", that's when I started not understanding anything anymore
when he sad 😔
@@AkariInsko LOL
😂😂
Lol this kid still won't fix it XD
Yeah I was having fun watching him decode it, until he was actually reading the malware, then I was like oof I have no idea what's going on haha
Those random, doing nothing functions such as the excessive amount of sleeps and tangent functions are to evade from anti virus sw, that checks for hashes and heuristics. Those are added progressively with each version of the virus.
That is really cool to learn. My thoughts were also to induce human error.
Ex he’s deleting tangent function code and then accidentally deletes essential code but doesn’t realize it after deleting them so many times
"I'll secure my malware by obscurity". Nice
New variation on "security by obscurity" - sending the reader off on tangents...
That switch to dark mode killed me 😂 Google was like "HACKER MODE ENABLED"
That's big brother algorithm
“To the dark side”
I was actually hyped when I saw that. I've been waiting for that for years.
Bennyhack_ on IG just made my day,
All my files back like magic.. Thanks
"They're trying to save my eyeballs."
No, friend. They are trying to save THEIR eyeballs.
Just when I was saying "he is wasting his time, this code is just a troll joke" you made the @@@@@ magic and BOOM! you found the cake! ^_^
Thanks for sharing your skills John! Really appreciated
As soon as i saw @@@@@ with numbers In between i knew that was were the virus was
@@nothingnothing1799 Yeah, blob of nonsense almost made John fool...
I thought the guy was a fool who didn't know what he was doing and some how made a virus. But the blob_of_nonsense was decided and BAM I instantly gained +100 respect for who wrote the code. I don't know how common this trick is but it is smart anyway.
If i remember correctly, those tangets were called 'sandpiles', random piles of odd maths with completly randomized variables, was used to hide the first steps to decode stuff.
why did I just watch all of this and enjoy all of it...
I'm really realizing how little I know about computers now
I really enjoy these kinds of videos; fast-paced unnedited breakdown of malware
ur a legened
If the hacking action in hollywood movies are "real" like this, those movies would take hours before finish
Imagine an episode of Mr Robot - 44 minutes of coding and 1 minute of action/plot.
@@Auriflamme I love writing tools to make more tools just to watch them all do the work.
Wolverine could do it. “NEED MORE TIME!!!!”
Oh shit
Definitely 😅
What lifeOverflow has taught me: if you see a long string, there must be some decoding going on. So ignore the junk code and go straight to the decoding loop. Then you can get the return value of that decoding loop (or just the value you end up with when the decoding is done) and go around with it. Removing all of those /Tan functions is time wasteful
Agreed, seems this is providing beginners a general approach to understanding and breaking down code. Indeed once you’ve done an exercise like this a few times, there’s no additional benefit and in fact is slower.
@@EliotLu ⁷
This reminds me of a situation that happened at a client I was consulting at in the late 90s (it might have been ILoveYou, but I can't remember). An e-mail with an attached .vbs file was running rampant on user's machines. They finally stopped it, but they had no idea what it was doing. Since I had VB experience, I was asked to dive in and see if I could figure it out. The code was obfuscated in many ways similar to what Hammond runs into in this video, but I finally figured out what the code was doing....and it was pretty nasty.
What was it doing?
@@headblockheadIIRC, basically deleting images from every directory it could find on the user's machines, including mapped network folders....which included corporate product images....that weren't backed up either 😮.
@@JasonBock Did people in the 90s already think about backing up stuff?
@@JasonBock Wow. That’s horrible!
Oh I remember that virus
"I swear I've done this before."
- Famous last words
every programmer ever when the computer is angry at them
Him fighting the ragex is literally me, tears roll down my face everytime.
regex = "rage x", am I right? :D
Hearing him say "do I need that to be greedy?" and replacing * with + just hurts...
Cant blame him for not comprehending regex. I followed a minor where I learned parsing (and with it regex) and it was *brutal*.
Totally worth my time to learn though.
@@NostraDavid2 The worst offender is that different programs and languages uses regex differently so you must learn it all over again every time.
That first tag said "HAAAAA" because it was mocking you. It realized that it actually managed to stop you from reading the file
As someone starting to work in the coding/IT field, it blows my mind that someone made something this thorough.
Theres even more insane stuff out there, look up the NSO Group iMessage GIF zero click vulnerability. These guys used the GIF preloader of iMessage to load a GIF that in turn loaded a PDF which in turn used a broken decompression algorithm that has a classic integer overflow, which in turn they used to program virtual logic gates into the RAM, which then was used to build NAND gates (which are the basic building blocks of modern processors) and then build a VIRTUAL SOC with it, that could search the RAM for keywords and relay the information back to their servers, without you noticing.
EDIT: The GoogleProjectZero Blog has the most thorough analysis about it.
Just here to say you should definitely do more of these
"Lol. Let's just copy paste some random function a couple hundred times. There. Obfuscated. I'm a genius."
-some bad guy, probably
HAHAHAAHHA accurate
I mean, to be fair, John actually explains why they have so many of these tangent operations, which is to fool any external system trying to analyze the code or predict any specific behavior, they'll just think the code is doing random math stuff, while in practice the math stuff is completely useless, it's just used as a "mask"
@@LaughingShinoo I was referring to the constant declarations of the same functions with exactly the same variable names, content and operations below the actual code.
Not copy pasted, they clearly had some form of generator for this
Or he used alrread known by antyviruses script and did that to change its pattern and avoid detection.
Me: Uh wow that's a long video. Let's watch it for 10 minutes and save it later.
40 minutes later -
*subscribes*
It may sound a bit weird, but I love seeing you struggle with some things. Thanks for recording the whole thing. What matters the most to me is to understand your thought pattern and how you resolve the problems you encounter.
Same. I have only done a minimal amount of programming, mostly JS+CSS but I loved watching John dismantle and assess the code. The way he explained his methodology helped me better understand what I was seeing, and as soon as I saw the clear human coding, I knew exactly what I was looking at! Thanks for posting the whole thing!
In education terms, we call what he's doing a "think-aloud protocol." It makes one's thinking audible, which is very handy.
The way you un-obfuscated that code was inspiring.
This was a great work-through! I loved watching your process! As a soon-to-graduate CS student, this brought a lot of stuff into focus, especially on how to work through these kinds of problems!
I'm only about 20 minutes in, but it's interesting to see this idea of a program obfuscating it's own code, then during it, possibly rebuilding it so that it can bypass virus detection. If that's what this thing is doing it's kind of brilliant if that's even possible. It seems like it has strings of characters that it's joining together, recursively. If, after all of that it used that newly made string for something devious, that's pretty interesting.
Yes, it's a clever idea, however that idea is (one year) older than the first computer virus (1948 vs 1949)
Interesting how the code was hidden behind some random garbage.
Even the tangent functions make some sense now
@TruCrime interesting !
the main reason to obfuscate is to make it unreadable and hard to approach. even renaming all your variables and functions to random strings and base64 encoding everything will make quite a lot of people trying to read your code go "nah, this mess isn't worth my time"
As soon as you stopped yourself to go back and explain the keyboard shortcut, I subscribed. Keep up the good work.
I almost died of pain in the RegEx part.
Function .+[\s\S]*End Function
Would do it
i kept yelling "use square brackets!" at the screen
I don't think anything would have done it. If you read the status line it says the regexp is running out of stack space trying to pattern match the enormous file.
yeah, but this regex will not select each function separately like that ^Function.+(
.*?)+End Function$
@@dieregierung9388 ok now I can't even read it with my eyes anymore
In regards to the stack one, possesive quantifiers could've fixed it: So, "^Function(?:.*
)*+End Function$"
I've seen these obfuscated vbscipts before, even deconstructed them a bit (but not to it's conclusion like you did ). Never thought I would see parsing a vbscript on UA-cam, this was fun!
Houdini, he's the creator of H-worm an Arabic developer specifically from Algeria
Or en.wikipedia.org/wiki/Harry_Houdini - an escape artist !
yes i know the real houdini but we are talking about the hacker behind this worm his nickname is houdini
www.dev-point.com/vb/threads/411850/
The website is registered in Paris, France
@@AhmetMurati sounds about right for france lmao
this is so satisfying to watch I was like I'm going to go watch an episode of a serie and than change my mind like nah I'm just going to watch a short UA-cam video and sleep but here I'm at the end of the video.
I prefer to let the code decode itself and then just pulling out what you need from hooking API calls or memory, but manual deobfuscation can be fun every so often.
@@deidara_8598 same xd that's a lot faster
@@deidara_8598 As root ;-)
@@deidara_8598 That is definitely one way to get the payload. :)
Tools like any.run are really useful to analyse network/system calls without decoding the payload!
This works if you know what you're doing and have the dedicated infrastructure for it.
I just got into learning IT and im very interested in coding. As I search more about coding, youtube recommends me videos like this. So You really got my attention by that caption. You got me even more hyped up about this all and you just earned another follower!
Oh, Houdini! I remember having to deal with some variants of it before! It wasn't prevented by AVs back then. Luckily, they *did* block the extra downloads, so the infection wasn't too serious, but every USB drive ended with all files hidden and links to the VBE added, posing as the files. They did open your files after reinfecting your machine, so did not know anything was happening at all. The first couple times I had to deal with it I did manual cleanups of the systems and the drives, then more variants started coming in so I exploited the infection check and local update mechanism to make my own fake infection for our machines. The script thought it was running and that my version was newer than the ones it knew, so it did not replace it.
EDIT: And most new "re-releases" of Houdini or Dunihi are pretty much the exact same script with a different hostname and a different packing added to mess with its signature.
I have a cursory understanding of programming. Not enough to write a program myself, but enough to sort of follow along. I'm 20 minutes in, and this is great. Why is this so interesting?!
I love how @25:00 he is the embodiment of "if you have a problem you are trying to solve with a regex you now have 2 problems"
I like that you explain How to Think instead of just giving us the answer
At 29:56 you can see it's using windows new line which is 2 characters
and
(CR & LF) (Linux is only
), so in your regular expression you should have used
. Also, in vb you can declare arrays from any index to any index, so you can make an array like "Dim my_array(10 to 20) As Integer". LBound will return the lower bound = 10, and UBound returns upper bound = 20
Always use
?
and you're never wrong.
I was in physical pain watching him struggle lol
Watching this video brought me back to my days of studying for the OSCP. I enjoyed this a lot more than I thought I would.
You're like if Seth Rogen was a computer guy instead of an actor
So he scams his workers and spergs out on twitter on a regular basis saying hateful comments about whites?
I can see that
@@DMalenfant1 can you be a troll somewhere else?!
@@DemonDante1000 I am pointing out a fact. Don't be such a sensitive tnuc.
Well I'm glad I wasn't the only one to immediately think this!
I reverse engineered a malicious PowerShell script I found somewhere in almost the exact same way. There even was a 2000+ lines blob of nonsense (divided string whose parts were being added to a variable one after the other) that was literally a malicious executable encoded in Base64 format. Who knew that YT would recommend me an actually useful video today? Pretty neat stuff! As a beginner programmer I'm really proud of myself for the process and thankful that I came across your video. Have a nice day, John.
I love learning with you! It’s always interesting and I feel like I’m learning along side you rather than being taught.
I found it very cool that you were figuring it out as you recorded the video and showed all the troubleshooting though processes.
The last man using sublime text
Saw this as a random recommendation and midway through I already knew where it would go (eval + garbage code) but stayed for the whole thing. Thanks for making this.
Man I laughed so hard when you were trying to beautify the VB code. My company still maintains some VB6 code , its like a blast from the past. VB studio does not even allow wheel scrolling.
There is a little program you can download for free called "VBScroll.exe". If you run it before running vb6 you can use the mouse wheel to scroll the editor window.
@@Saboteur709 Yeah, I know. I just wanted to point out how terrible an experience the "old" VB languages and IDEs are.(Vb.net is ok)
i think i remember having to that issue trying to scroll in vb6
Please John. Be doing more of this religiously. You inspire programmers, cybersecurity enthusiasts in ways you can not understand. Keep up!
The regex for getting the line to work would've been [\s.]* ([] For characters to recognize, \s for any space character, . For any other char)
I don't think anything would have done it. If you read the status line it says the regexp is running out of stack space trying to pattern match the enormous file.
But . already includes whitespaces? After his initial
(which was fine) he just needed a "(.+
)+End Function"
Oh wait. Does
count as whitespace?
@@NostraDavid2
does count as whitespace. `.` usually doesn't include
unless you set the flag for it
@@ericvandertoorn6178 right. Thanks!
Honestly, this is impressive both ways...Both that someone was smart enough to hide code in such a way, and that people are smart enough to find it.
Will you be making more Malware Analysis videos?
It would be awesome! I like it
That would be fantastic! I'm trying to get into a security job, and knowing what malware looks like and how it works would be super super helpful, even if I don't use that knowledge in my interview or internship
This is my favourite john Hammond video so far ;) Dude you definitely need to do more of this stuff 👍
I agree, this teaches a lot about how mental people can get.
More please :)
I saw this right before going to bed at 11PM, stayed up watching pretty much the whole video, thank you xD
Doing UA-cam algorithm 'things' and expanding it.
Straight up hero. Finds a random script then cleans it up and updates to publish
I just love how he stares into the void for a bit before he starts talking
I didn't think I could watch the entire video, but following your thought process was just super fascinating.
Would be super interesting if you did a video about your workflow.
Tools,Extensions and maybe some neat resources.
It's just crazy how many people stay here because they relate to what you're doing :D. I love your content and I'm actually amused by watching something close to what I do every day.
The best content about hacking. I'm Brazilian, but I learned English just by watching your videos.
That is impressive.🙌
The premiere is perfect for this format of video. Feels live, but I think you as the creator can concentrate on chat + the hacking at the same time 👍🏻👨💻
I may steal this for my let's hacks instead of editing them for 8 hours 🤣
So satisfying when you 'broke open' the real code and could see it all in plain sight. Like Neo learning to see the matrix
Those tan functions and the weird functions at the end did just what they were supposed to; you spent twice as long messing around with those puzzles than it took to figure out the core code! :D
very good walk-through, please do more video like this. Very informative
To quiet a few annoying trolls, in this video I mistakenly said "I can't run a VBScript file because I'm running Windows right now". If I were on Windows, I could certainly execute the VBScript. I should have said "I'm running Linux" because I am clearly using Linux for this showcase. (You can still partially run VBScript code with Wine on Linux, but your mileage may vary)
trolls be clueless lollll
Someone pointing out you made a mistake without first reading each and every comment is not a "troll" my dude. Don't go diluting the meaning of the word by applying it to everything.
does that mean you dislike trolls? realy? why? are they not cute?
@@Asdayasman People tend to call everyone they disagree with, especially their political opponents, trolls nowadays. Just accuse whoever you don't like of being disingenuous and you have a _valid reason_ to not argue the point anymore.
im so annoyed you havent google that regexpression yet
Fascinating stuff - thank you. Makes me realise now why I switched my brain off to learning coding when I was young. Just crossing my fingers that my yearly purchase of Bitdefender can cope, or that I remember to back up my drive very often!
Could the tangent lines be written to literally send you on a tangent as sort of a play on words
Yes, one of the key components of good obfuscation is "red herrings" which make reverse engineering much more time consuming. Obfuscation is not about hiding functionality (can still be disassembled with static analysis for example) but making it not worthwhile to determine how it does it, and thus identifying ahead of time if it is a threat/how to counteract it. "You" predominantly being heuristic AV software; AV software usually has a limited window of opportunity within which to give something a red flag or a green flag, otherwise it slows down performance and people leave it Norton 1 star reviews. If you can survive the gauntlet, you're through one of hopefully many secure doors in a multi-layered security solution, onto the next level.
Gosh I love this youtuber's enthusiasm and speaking skills
9:09 It's always satisfying to find some actually humanly readable source code stuff 😅
This is what I strive to do in cybersecurity. I am fascinated by IT and security, even working in IT right now, but I also love software development. Once I finally finish my Comp Sci degree, I’m going to keep achieving certs and hopefully can end up in a position like John is in.
comment: "nice vid"
purpose: "algorithm"
Finally Learn few NewTechniques how to short code ,Please do More this types of videos,Thank you..
This is surprisingly fun for me
I didn't think I was going to stay for the whole video
Ended up staying for the whole channel
I love how he describes his interaction with this vbs script as if he and it danced together.
I liked the way the author changed the source code text to ASCII numbers. Nice puzzle.
this is more interesting than a suspense thriller movie
I'm actually really impressed that I was able to watch and understand most of what was going on.
More malware analysis please!!!
Its refreshing watching a professional break down a malware code into understandable code ; Great content man
"Hashtag, at sign, tilde, karat, *haaaa*"
why is this so funny
The author was basically calling either himself or his code evil. Look at the numbers under those symbols. 32~6 you don't go from 32 to 6 you step up by one so 33~6 or in other words three sixes 666 ha ha ha, or twice as evil given the two instances of 3. There is also a secondary joke here in that ~^ is a euphemism for dangling a carrot on a stick. Presumably for downloaded additional coding that makes the end user think everything's been fixed only to pop up again and again and again. It's actually kind of clever really.
I don’t know how do I get here but I really enjoyed the process behind the reverse engineering a malware. Great video! Cheers
this was somehow even funnier than every meme channel combined
I love that Firfeox recognized your venture into the darkness that is VBScript.
That was interesting! Thank you, I had a lot of fun
Good job following the logic. Find and replace is your friend. I like how they obfuscated the code.
Learned a lot from this video. Please do more of these videos!
yeah more of these, this video I really enjoyed and it was suspenseful, funny. Great workflow how you rename the functions to map a picture
Me, randomly finding this video and have been learning C# for the past four months, staring at the end of every line:
"... Where is it? Does this world know no law and order?"
;
This was fun to watch and I enjoyed seeing your process of "un-obfuscating" the code
Google: "You are now using Dark Theme"
No shit, Captain Obvious!
Having the video that inspired me to pursue cybersecurity on my recomended at news years is an incredible coincidence. Which i'll try to decode in the next hours, after a drunk sleep.
25:19 was my every regex experience ever.
It got real juicy after second stage. I loved this video way more than I thought I would. Keep up the good work man!
Lol. That’s a simple staged based malware sample. There are more complex and more nefarious kinds out in the wild. I think this would make a great series for you John.
Where was this sample found ?
Fuking brilliant. Order of ops is where I'm SO slow and you have a serious polish. Fun to watch.
100% no bs I wrote that comment at 29ish min. So befor the payoff.
Looks to me like stage one was just a lot of "weight" to try and hide the actual program's signature.
Omfg this is like the gamer and/or techie version of solving sudoku puzzles and I love it!
Cool reverse engineering. We've had a variant of this come in as phishing, but code was obfuscated using macro_pack..we were able to extract IoCs using wildfire though..
Hey i have this malware on my pc, and everytime i reinstall windows it slowly fucks my PC up. What can i do? Thanks, ive been trying for weeks. What is wildfire? I’m not a programmer
This video is bit old but if you by any chance read this comment i have to let you know, this was amazing, i watched the whole thing twice, i love your personality. At first I tought the script was nothing but nonsense but somehow you got a readable output. Like i said it was really interesting and i hope you keep doing this kind of videos. And lastly, thank you for the amazing content