How To Defeat Anti-VM and Anti-Debug Packers With IDA Pro

  • Published 4 Dec 2024

COMMENTS • 142

  • @ahndeux 3 years ago +13

    19:08: Believe it or not, there is a lot of value in stepping through and showing us, because it lets us know your thinking process in decoding all those different sections and why you think they should be labeled in a certain way. That type of process is critical to understanding how to look at the code and make sense out of it. I'm glad that you are great at explaining what you are doing throughout the process. The ability to get into your mindset and the thinking process is very important.
    It's almost like solving a complex, difficult Sudoku problem that once you figure out a key the rest unlocks itself. Getting to that key moment is the magic. Some of these complex Sudoku problems can take hours to solve and only a few key areas block the entire process. The crazy part is the answer was always in front of you.

    • @tcc1234 3 years ago

      Yeah. You should've included that and then put in a timestamp in case somebody wanted to skip that part.

    • @ahndeux 3 years ago

      @@tcc1234 You did a great job. I learned a lot from watching what you were doing. Three weeks ago I never programmed in C and now I'm trying to figure out IDA... LOL. It was a shock to have to learn some basic assembly and C to understand how to reverse engineer. Your videos were very helpful.

    • @tcc1234 3 years ago

      @@ahndeux When I said "should've included that" I meant you should've included that. XDDDDD
      "You" meaning OALabs xDD

  • @georgekatakouzinos 7 years ago +58

    Awesome. Can't believe I requested this a week ago and it's done already. You guys rock. Excellent video, easy to follow and understand and fills in some gaps I was struggling with. Keep up the excellent work.

    • @EnduranceT 7 years ago +4

      Pretty sure I requested it too. Thanks for also requesting it, :P I'm super happy to find other ppl out there who care about learning this stuff and even happier that Sergei and Sean are willing to take the time to explain it. OALabs, some day, I'm going to have to send you a giant meaningful thank-you, perhaps at a conference ;)

  • @marcelgraf5520 2 years ago +6

    I cannot fathom how much this video helped me. The documentation, live example etc.
    Thank you so much.

  • @SourceCodeDeleted 5 years ago +8

    Really well done! I am surprised to see in such details, things that I had to suffer through early in my career.

  • @EnduranceT 7 years ago +2

    I love this because not only do I learn from these videos, but they also show that the reality is, RE does take a lot of time and WORK and there aren't a ton of shortcuts except for stepping around problems like you did at the end of the vid with the memory dump. But I love that you took the time to explain the actual analysis of the anti-debug because most ppl just bring the subject up but don't actually show wtf they mean with anti-debug. Thank you VERY MUCH! Also I loved the old school part. Keep rockin you guys are awesome!

    • @klarnorbert 6 years ago

      Yep, really nice video, I'm more of a visual guy, so these videos help a lot. Keep up the good work!

    • @aykfc 6 years ago

      Who thinks reverse engineering is easy and takes little work?

  • @rahuldorai6628 4 years ago +1

    Very good for anyone just starting

  • @ricardonacif5426 4 years ago +2

    Seriously, this is gold. Congratz!

  • @Kaplan0644 5 years ago +2

    Awesome, very informative and fun to watch at the same time. I always welcome the extra reading material for studying/reading, definitely will get a copy of those 2 pdfs. Thanks for your efforts..

  • @casualgamer1791 2 years ago +1

    Great Video!
    Some question regarding 36:20. So You took a snapshot of the VM? When exactly? When that first break-point triggered? Is this an IDA feature/plugin? Maybe You have a video explaining Your setup?
    Edit: nvm it is explained in the IDA Pro Malware analysis tips video at 40:00

  • @СергейКузнецов-в8ю7ш 5 years ago +3

    Great video, guys!
    I was also surprised that they compared process names directly instead of comparing MD5 hashes of the strings or something, so it would be hard to guess which name actually triggered processExit.

    • @OALABS 5 years ago +1

      Thank you : ) Yes this is a pretty straightforward sample to analyze, some other more complex malware like Dridex use hashes instead of strings as you suggested, it really makes RE a lot slower. There is a nice blog on this by our friend r3mrum r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control/

  • @belialblack3182 6 years ago +1

    Great video again! Thanks for the time and effort invested!!! :) I do not agree with one thing though... You're saying that going through code and labeling functions is boring, but showing us such things is pretty useful to reverse stuff. :)

  • @DEF3NDME 1 year ago +1

    5 years ago, but still valuable.

  • @f_x9771 6 years ago +3

    Wow!! I'm truly just a newbie, barely finished reading the Ida Pro Book 2nd Edition & this video has truly helped me clear up some gaps! Great video!! Definitely recommending this to others who are learning! You guys are doing an amazing job, keep it up :)

    • @OALABS 6 years ago +1

      Thank you very much : ))

  • @Pernat1y 6 years ago +2

    Awesome tutorial. Thank you.

  • @breadbaconcheese 6 years ago +1

    If only I could like this 1000x, solid info again. Awesome.

  • @andreiscutariu1035 5 years ago +1

    this was freaking awesome, thank you!

  • @santossantos2928 2 years ago

    Hey man, thanks again for the amazing video! Could you make a video on how to unpack enigma 5xxx or later ? There isn't much or any information at all available on that. Keep up with the good work!

  • @Jajajajjajakakakakkakakakakak 6 years ago +5

    You mention that the `get_str_len` function for the 64 byte string is a silly mistake [20:41] because it doesn't test for the file extension, but isn't this correct because it's a JB instruction not a JNZ? So if the file was greater than or equal to 64 bytes the unpacking process would exit? Thanks for the videos!

    • @OALABS 6 years ago +1

      Yeh! Totally a mistake on my part lol! Nice catch!

    • @drgowen 5 years ago

      Watched this twice trying to figure out what I was missing :) was just about to comment too

  • @KaliLearner 1 month ago

    Immensely helpful, Thank you.

  • @user-pg9te8ug1j 3 years ago

    Great content - thanks a lot for this contribution!

  • @katanakal 5 years ago +1

    Very informative thanks

  • @zahidadeel25 6 years ago +1

    That's really helpful dear. Thanks a lot.

  • @luizvaz 3 years ago

    This helped me a lot!
    Some protected apps refuse to work under Terminal Services.

  • @ganeshkumargopinathan6375 7 years ago +1

    Awesome video... your videos are always more informative and detailed... thanks for that!!! Can you do a video on how malware uses exception handlers to find a debugger?

    • @OALABS 7 years ago

      Absolutely! That's a great idea. I'll try to find a sample that uses that trick so we can demonstrate it in a video.

    • @ganeshkumargopinathan6375 7 years ago

      Thank you so much!!! Waiting for it!!!

  • @johnseed9260 7 years ago +3

    I find it interesting that you place the breakpoint at the first instruction of the WinAPI functions because I've learned that protection mechanisms can simply scan (usually) the first byte for 0xCC before it is called. Is this method common enough such that it should always be taken into account? Is it safer to place the breakpoint a bit further below? Hardware breakpoints are limited so this isn't an optimal solution. Using a PAGE_GUARD memory breakpoint might also not be an efficient solution?

    • @OALABS 7 years ago +1

      That's a great point! There are lots of ways malware can avoid inline API hooks, and API breakpoints. The two most common methods that I have seen are:
      1) the technique you mentioned where the breakpoint is scanned for, or a hash of the first few bytes is used to ensure they haven't been modified, and
      2) where the first few bytes of the API code are replicated in the malware and the malware calls into the middle of the API code. Also worth mentioning is the real tricky stuff that just calls the kernel interrupt directly.
      However, that being said, when it comes to debugging my approach is always to use a VM with a snapshot, and try the easiest thing first : )
      This is only my experience, but probably 80%+ of packers I have seen don't use any API checking so I rarely have to do anything special. My experience could be non-representative though since I usually use a hooking engine with no debugger to unpack stuff. So maybe I have missed some of these tricks. But this is a great point to keep in mind when troubleshooting! Also, I should mention, this technique is a bit more common in malware payloads but generally you would see this and know to work around it once the sample was unpacked.
      Thanks for the excellent comment!

    • @johnseed9260 7 years ago +1

      Thanks for the reply! This is the first I've heard of hooking engines. Do you have any resources on what it is and how they work?

    • @OALABS 7 years ago

      Ah that's probably just me making up words : )
      I tend to call any inline API hook framework a "hooking engine", but I'm not sure how widely used that term is. For example, the monitor dll for cuckoo github.com/cuckoosandbox/monitor.

    • @johnseed9260 7 years ago +1

      Oh, okay. I was kinda expecting something like that anyway, hah. Thanks for the link, I'll look further into it myself.

  • @ISquishWorms 6 years ago +1

    Really enjoying your videos.
    I was trying to obtain the sample from Hybrid Analysis so that I could follow along but they require vetting which involves submitting research / blog links etc but I do not have any of those as I am new to malware analysis. I only do Reverse Engineering to satisfy my own inquisitiveness during my own time and have never blogged or uploaded any of my own material in support of this.

    • @OALABS 6 years ago +1

      We have recently moved away from sharing samples on Hybrid Analysis for this reason, we now use Malshare. You will need to create a free account on Malshare to download samples but they don't require any extra vetting or any intrusive information. Once you have an account you can download the packed sample here: malshare.com/sample.php?action=detail&hash=16eb2d73377fbc5dd00c93fcd604bfd5 and the unpacked sample here: malshare.com/sample.php?action=detail&hash=037b874a119a7cd0e00a3c971dd3298a
      I should also note that we got the original sample from Brad's awesome Malware Traffic Analysis blog. He always includes links to the samples at the end of his posts so you can download the packed sample there too www.malware-traffic-analysis.net/2017/11/16/index.html
      Thanks for the support : )

    • @ISquishWorms 6 years ago +1

      Could not have asked for a more helpful reply.
      Thank you for the detailed and informative videos, enjoying the content.

  • @melissali1571 1 year ago +1

    :D omg, I remember all the oldschool OllyDbg techniques! OllyDbg scripts like morphine (I still have all the old plugin source code for Olly in my old hard drive drawer lmao!)... I remember ImpREC with the Simpson icon... It was so much fun back in the day!
    Did they ever release OllyDbg 64 lmao? I know with IDA who needs OllyDbg but... Ohhhhh, I just had goosebumps from back in the day making MMORPG private servers from scratch like Dekaron and stuff.

  • @lausanfoster776 6 years ago +1

    Thanks for the vid!!! Very informative and I learned a few things. Thanks!!!

  • @poroponchito 4 years ago +1

    hey, thanks. Kind of new in this world and this information is valuable. Thanks for real

    • @strugglingforlifesodouble7046 4 years ago

      j u s t b a s e 64 d e c o d e this: IzhjMzRiYTAzNSBJIGhhdmUgYSBwcm9ibGVtIHVucGFja2luZyB0aGlzIHByb2dyYW0uIElmIHlvdSBjYW4gdW5wYWNrIHRoaXMgaSBjYW4gZ2l2ZSB5b3UgNTAgZG9sbGFycyEgSGVyZSB0aGUgcHJvZ3JhbTogaHR0cDovL3d3dy5tZWRpYWZpcmUuY29tL2ZpbGUvMjlzZm9uNXJuMWljdHkzL3RhcmdldC43ei9maWxlICM4YzM0YmEwMzU=

  • @michalturlik7309 2 years ago +1

    Hi, thanks for the great work! Is there any chance to have a guide for ida pro and scylla hide plugin? Thanks!

    • @OALABS 2 years ago +1

      No, I pretty much just use x64dbg now, this tutorial was from a very long time ago. We have a Patreon post on setting up ScyllaHide for x64dbg though www.patreon.com/posts/installing-to-57091901

  • @christoffertoftpersson895 5 years ago +1

    Great, trying to catch up on all these how-to videos. I've a question though, how come the sample ran when you renamed it to "auto.exe" ? Was that part of it being packed by autoit, or a fluke, or did you see it somewhere in the assembly? I don't understand why the sample ran once you renamed it (apart from not matching the strings it specifically looks for)

    • @OALABS 5 years ago +2

      So originally the binary had the word "sample" in its name that is why it wasn't running. I just changed the name to remove "sample", I could have chosen any name there is nothing special about "auto". I just chose it since I was thinking of autoit but it makes no difference to the unpacking : )

  • @breakingtwitting 28 days ago +1

    So the easiest starting option is to just hook the process exit method and then keep hunting for the places where it's called?

    • @OALABS 25 days ago

      It depends, but this is the approach if you are really stuck. This video was made long before time travel debugging or any of the other nice modern tools that really help in these situations.

    • @breakingtwitting 25 days ago

      @@OALABS Thanks for the reply. I jumped into RE of a natively compiled 20MB VB6 application (commercial app :D). It's a really fun challenge because if I do manual debugging IDA often gets stuck in a loop. I've basically spent probably 50 hours already on trying to figure things out.

  • @АлександрКиселев-ъ5ю8ф

    Thank you! You are beautiful man and excellent teacher! Hi from Russia 😊

  • @銅化金-l4e 2 years ago +1

    Hi, I have a question at "13:10".
    What does DDD mean?

    • @OALABS 2 years ago

      The "d" hot key changes the data type under the cursor. In this case pressing "d" three times converts the data type into a DWORD which IDA then recognizes as a pointer to another memory address.

  • @AlexSiviero 3 years ago

    Well this is awkward. I recently analyzed a 2021 Loki sample via memory analysis. After watching your video I spent hours trying to apply this to the new sample. All APIs were there: QueryInformationProcess, CreateToolhelp32Snapshot... Yet the process always exited without ever stopping on toolhelp32. After hours, I eventually debugged enough to understand that it was ignoring any anti-vm/debug checks, injecting the unpacked sample into MSBuild.exe and exiting after it was done. I guess they just abandoned the checks you showed on newer samples 😅

  • @איתימגדל 4 years ago +1

    great vid - thanks :)
    how did you convert dw to dd?

    • @OALABS 4 years ago +1

      Select the value and press the "d" key. This will change the data type for the immediate.

  • @nachisundaram9737 6 years ago +1

    Hi. Your videos are awesome. One quick question: how do you identify garbage in the code and ignore it?

    • @OALABS 6 years ago +1

      Thanks! Glad you are enjoying the tutorials : )
      Identifying garbage is more of an art than a science unfortunately. After a while you can start to spot patterns of stuff that looks out of place but when you are just starting out a trick you can use is to follow the execution path for a bit and see if there is code that repeats itself. So for example, if you see a bunch of APIs being called but the returned data is never used, or if you see some jump statements that you follow only to be redirected back to near where you started. I know that's not a great answer... it's definitely not an easy task... maybe some of our viewers have better suggestions?

  • @niranjanjayanand2876 6 years ago +1

    Thank you so much for this video. One question: once a malicious thread is injected into a legitimate process, how can we clean it? Thanks

    • @OALABS 6 years ago +2

      Hey glad you are enjoying the tutorial. So the reason we focus on injection is more as a way to quickly unpack the malware not as a way to "clean" the infected process. Since it is only the process that the malware is injected into, and not the actual PE on disk, as soon as the process is terminated the injected code will cease to run and the next time the process is started it will be clean (until something else is injected into it). So to "clean" it you just need to kill the process and restart it. But this won't clean the malware off the system, injection into processes is just the symptom of the malware not the root cause.

  • @shreyaswaghmode5870 11 months ago +1

    7:33 Sir, what do you mean by hooking engine? Can anybody please explain?

    • @OALABS 11 months ago

      a framework that allows you to place hooks on API calls to monitor and intercept them... minhook is a good example github.com/TsudaKageyu/minhook

  • @中国青年 4 years ago

    Can I ask you a question? What's a thread? And do several threads all run (or execute) code at the same time?

  • @Ahmed_Mtr 5 years ago +1

    What is the difference between a dynamically resolved API and an imported API? Import, is it when you include the header that has the API? I do not know how dynamic resolving works. Is it related to DLL files?

    • @OALABS 5 years ago

      Dynamically resolved just refers to resolving the imports at runtime in the actual code rather than using the PE import table (which relies on the Windows loader to resolve the APIs). There is a pretty good explanation in this blog blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/
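Worked example for the reply above and for the earlier reply noting that Dridex-style samples hash process and API names instead of comparing plain strings: when a name is stored only as a hash constant, the analyst recovers it by recomputing candidate hashes over a word list. This is an added illustration, not code from the video or from OALABS; the ROR13 and djb2 routines, the case-folding variants and the word list are assumptions, since the page does not say which algorithm the hashed samples use.

```python
"""Brute-force resolver for hashed API / process names.

Anti-analysis code often stores a hash of a name (an export such as
"CreateToolhelp32Snapshot", or a process name such as "wireshark.exe")
instead of the plain string, so the disassembly shows only a constant.
Resolving it means recomputing candidate hashes over a word list and
looking for a match. The two hash routines below (ROR13 and djb2) are
common choices and are an assumption here; the sample in the video
compares plain strings, so this models the hashed variants the
discussion mentions, not that sample.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def hash_ror13(name: str) -> int:
    """Classic ROR-13 export-name hash: h = ror(h, 13) + c for each byte."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def hash_djb2(name: str) -> int:
    """djb2: h = h * 33 + c, starting from 5381, truncated to 32 bits."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & MASK32
    return h


ALGORITHMS: Dict[str, Callable[[str], int]] = {
    "ror13": hash_ror13,
    "djb2": hash_djb2,
}


def name_variants(name: str) -> List[str]:
    """Raw, lower- and upper-cased forms: process names in particular are
    usually compared case-insensitively, so a hasher may fold case first."""
    return list(dict.fromkeys([name, name.lower(), name.upper()]))


def build_table(candidates: Iterable[str]) -> Dict[int, Tuple[str, str]]:
    """Precompute hash -> (algorithm, name) over every candidate variant."""
    table: Dict[int, Tuple[str, str]] = {}
    for name in candidates:
        for variant in name_variants(name):
            for alg, fn in ALGORITHMS.items():
                table.setdefault(fn(variant), (alg, variant))
    return table


def resolve(value: int,
            table: Dict[int, Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Return (algorithm, name) for a constant found in the binary, or None
    when no candidate matches (the word list then needs extending)."""
    return table.get(value & MASK32)


# Constructed word list: a few APIs and tool names of the kind the video's
# sample checks for. A real run would use the export lists of the DLLs the
# sample loads plus a list of analysis-tool process names.
CANDIDATES = [
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
    "NtQueryInformationProcess", "IsDebuggerPresent", "ExitProcess",
    "wireshark.exe", "procmon.exe", "ollydbg.exe", "idaq.exe",
]


def resolve_all(values: Iterable[int],
                candidates: Iterable[str] = CANDIDATES
                ) -> Dict[int, Optional[Tuple[str, str]]]:
    """Resolve a batch of constants against one precomputed table."""
    table = build_table(candidates)
    return {v: resolve(v, table) for v in values}


if __name__ == "__main__":
    # Constructed "constants pulled from a disassembly": two that resolve and
    # one that does not, to show the miss case an analyst has to expect.
    found = [hash_ror13("Process32Next"), hash_djb2("wireshark.exe"), 0xDEADBEEF]
    for v, hit in resolve_all(found).items():
        print(f"0x{v:08X} -> {hit if hit else 'unresolved (extend the word list)'}")
```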

  • @Cygnus0lor 5 years ago +1

    Haha LordPE! OALabs you're awesome :)

    • @OALABS 5 years ago

      😎😂

  • @Dead4Light 7 years ago

    Walter at it again. Thanks!

  • @danusminimus9557 7 years ago +1

    Can you make a video about catching the malware? Honey pot usage or network analysis

    • @OALABS 7 years ago

      I'm not quite sure if you mean how do you collect samples or if you mean how do you detect if you are infected with malware?
      If you are looking for malware samples to practice your analysis we grab a lot of our samples from this excellent blog: www.malware-traffic-analysis.net/. Karsten also had a great video about collecting free samples which might be of interest to you: ua-cam.com/video/SCJVW1E8dFA/v-deo.html
      If you are interested in determining if you are infected with malware this is more in the realm of incident response or enterprise security and it's not really our focus with this channel. That being said I can highly recommend the memory forensics content from volatility-labs.blogspot.ca/. Also if you interested in doing detection at scale you can checkout the following projects:
      thehive-project.org/
      github.com/tomchop/malcom
      malpedia.caad.fkie.fraunhofer.de/
      We also have a few free workshops that provide an overview of the incident response process linked from our website: www.openanalysis.net/#training
      I hope that is enough to get started. We may make some videos about how to use the output from the malware analysis process to detect malware. Or how to integrate IOCs into your incident response process. But I don't think we will focus specifically on implementing the controls.

  • @sandrolibero9207 6 years ago

    Very interesting video!!
    But since (we presume) there are no checksum checks, wouldn't a "code beautify" with IDAPython to convert the "db 0E4h" dirty stuff into 0x90 (nop) and then start the autoanalysis once again be useful to get a faster read of the functions?
    Thanks for sharing!

  • @prashantkadam6578 5 years ago

    Awesome. thank you "THANOS"

  • @maroofi 7 years ago

    Super cool awesome tutorial.

  • @DZBLKS 6 years ago +1

    LordPE doesn't work for Win 10 (1709 64bit).
    It could not dump any process and also did not see any ImageBase.

    • @tiopeperino9501 6 years ago +1

      Serhii Dziublyk you can use Scylla Import Reconstructor, available at devhub.io/repos/x64dbg-Scylla

    • @OALABS 6 years ago +3

      Haha yeh it's an old tool and showing its age but it still has a place in our hearts 💕 Moving forward I think it will mostly be replaced with Scylla as Tio Peperino points out. However, I strongly recommend using Windows 7 SP1 x86 for x86 malware (or even XP if you can still get it). It greatly simplifies the environment and makes debugging etc. more straightforward. It also has the side benefit that all the fun old tools still work. We are planning to do some basic lab setup videos at some point and I will cover this.

    • @tiopeperino9501 6 years ago

      OALabs will be waiting for those vids dawg 👍

  • @AndyRoidEU 1 year ago +1

    I suppose I am doomed. I cannot even figure out how to open the threads / modules window.
    08:50.

    • @OALABS 1 year ago

      Yeh you are f-ed, give up now, go to chef school.

  • @guitarstel 6 years ago +1

    Hello sir. Great video. Can you show the same process using a malware that was written in .NET? I have been trying to learn using one, but it is also obfuscated with a custom obfuscator (ConfuserEx custom), so I can't proceed. Thank you

    • @OALABS 6 years ago

      Thank you! I think the two best .NET analysis and deobfuscation videos have been done by Karsten over on the MalwareAnalysisForHedgehogs channel:
      ua-cam.com/video/0DV1bhnnOyM/v-deo.html
      ua-cam.com/video/1RNcZpBLZHs/v-deo.html

  • @jordanjevan1076 3 years ago

    Bro I want to ask, are virtual protect and anti-VM similar?

  • @ducphanduy534 7 years ago +2

    Can this be done with IDA Free 5.0?

    • @EnduranceT 7 years ago +1

      You should be able to use IDA Free with most of that as long as the binary is a 32 bit one. He didn't use the decompiler or any special plugins to do that.

    • @OALABS 7 years ago

      Yes you can replicate the process using the IDA 5.0 freeware version. The main difference is that IDA 5.0 doesn't have a remote debugger only a local one so you will have to install IDA on the same VM that you are doing the debugging on. This isn't an issue though since it's a free version of IDA you don't need to worry about the license being stolen : )

  • @Jadovran 3 years ago +2

    Track from intro pls

    • @OALABS 3 years ago

      ua-cam.com/video/Ln-cBFanW9I/v-deo.html ;)

    • @Jadovran 3 years ago +1

      @@OALABS thx bro

  • @nicoladellino8124 6 years ago +1

    Nice video

  • @Jouss3ph 1 month ago

    Thanks for your helpful video!
    Is there a way to fake the CPU temperature? I'm analyzing malware that detects a VM by the CPU temperature.

    • @OALABS 1 month ago

      Probably, depends on how they are checking. If it's just an API call you can hook the call and fake the response.

    • @Jouss3ph 1 month ago +1

      @@OALABS Could you please guide me or provide a tutorial or something? It's just an API call

    • @OALABS 1 month ago +1

      It's just a hook, there are hundreds of tutorials on this already? MinHook is one of the simpler frameworks github.com/TsudaKageyu/minhook. I'm not gonna be pasting code into YouTube comments but if you join the discord and share the sample you are working on someone can prob help you

  • @adithyanaresh 6 years ago +1

    Can you please make a video for IDA Pro with suggested plugins as well and how to connect to various debuggers. It would be helpful for beginners.

    • @OALABS 6 years ago

      We covered some of these topics in an earlier video ua-cam.com/video/qCQRKLaz2nQ/v-deo.html
      You can expand the description of that video to see a list of the different topics we covered. As for plugins I think IDA is pretty complete without anything extra until you begin doing more advanced reversing. For more advanced users I would recommend the hex-rays decompiler (which is expensive) and BinDiff. Maybe we will make a video on some more advanced analysis techniques in the future. Thanks for the suggestion : )

  • @eduardmart1237 4 years ago

    Is there a way to install ScyllaHide for IDA Pro?
    I can't get it working...
    It works fine in OllyDbg, but IDA Pro is so much better...
    or maybe something similar

  • @Mezzosd 5 years ago +2

    How to crack ida pro?

  • @Ma_X64 4 years ago

    I see TApplication. It's definitely Borland.)

  • @mucomplex9115 4 years ago

    Hi, is there any alternative link where I can download the sample? Thanks

    • @mucomplex9115 4 years ago

      2nd question: most anti-debug detects IDA and OllyDbg. If we use a remote debugger, is it still detected?

  • @lougvar 3 years ago +1

    hours of debugging and one minute for dumping xD

  • @xXGamerGrantXx 6 years ago +1

    Does this work on a DLL? Cuz I'm a noobie

    • @OALABS 6 years ago +2

      Haha we are all noobs in our own way... to answer your question, yes these techniques will work for any type of PE. If you want an example of how to debug a DLL with IDA you can check out our tutorial here ua-cam.com/video/qCQRKLaz2nQ/v-deo.htmlm32s

  • @maorvmail 6 years ago +1

    Why not hook all these functions? Isn't it easier?

    • @OALABS 6 years ago

      Yes in a lot of cases it would be much faster to either try to kill these checks by hardening the environment and hiding our debugger or attempting to kill the checks with some API hooks. We made this video to show how these checks actually work, and how you can identify them individually as an exercise to learn more about these techniques. Our friend Lasha Khasaia (@_qaz_qaz) has actually created an amazing project that detects these checks via hooks! You can check it out here github.com/secrary/makin

  • @ApexArtistX 5 years ago +1

    Can I request specific tutorial ..

    • @OALABS 5 years ago

      Yes for sure! Let us know what you would like to see, just keep in mind it has to be malware analysis related : )

    • @ApexArtistX 5 years ago

      @@OALABS oh I was thinking to crack game cheats

    • @OALABS 5 years ago

      We get asked that a lot : ) We are only really interested in analyzing malware though.

  • @tangraelectricpower8754 1 year ago

    👏👏👏

  • @КоламбияПикчерз-с6т 2 months ago

    Hi. How do you get around virtual machine protection in 2024?

  • @Ma_X64 4 years ago

    But ProcessExplorer allows you to create dumps.

  • @1hitkissfloor976 1 year ago

    can i beat vm detection of gameguard anti cheat with this tutorial?

    • @OALABS 1 year ago

      yes

    • @1hitkissfloor976 1 year ago

      @@OALABS can u plz tell me which minute should i start watch from for bypass the gameguard vm detection?

    • @OALABS 1 year ago

      yes

  • @tcc1234 3 years ago +1

    30:12 "Avast AV check"
    Who even uses Avast
    Edit: nvm, 2017 video. The malware sample is probably even older.

  • @anuragkashyap8026 3 years ago +1

    What is your primary OS ?

    • @OALABS 3 years ago +1

      macOS with two Windows VMs : )

    • @anuragkashyap8026 3 years ago

      @@OALABS Waiting for your video on WarZone 🙂

    • @OALABS 3 years ago +2

      It's in the works!

  • @KreshnaDwipayana 3 years ago

    Fravia, is he still alive? I couldn't solve the puzzle but now I see it

  • @glsoft 4 years ago

    Hello! Good job! I would be interested in cracking a type of PDF editor protection. I am not interested in the program but only in its protection scheme. Can you help me? Thanks a lot!

  • @sscryptomasters4505 5 years ago

    Sir, please make the latest tutorials on cracking

    • @OALABS 5 years ago +1

      Sorry we only do malware analysis, no cracking.

    • @sscryptomasters4505 5 years ago

      @@OALABS ok sir thank you

  • @aparnapal9942 2 years ago

    I'm following this, but I could not get how you came to the call get_str_len. I converted it to code, but I could not get call get_str_len, please help

  • @Scalpel69SGandmore 6 years ago +1

    I've blocked as many of these debugger checks as I can find, but it still detects the debugger, very frustrating. I am a complete newbie so following your tutorials has definitely made life a lot easier

    • @OALABS 5 years ago +2

      Yeh sometimes it can be very tricky. You could try out this neat tool from @_qaz_qaz if you get really stuck. It will basically profile the malware and identify most potential anti-dbg checks github.com/secrary/makin