WEBVTT

1
00:01.550 --> 00:02.900
Hello and welcome back.

2
00:03.200 --> 00:06.410
Now I will introduce you to our next project.

3
00:06.800 --> 00:10.160
And this is the project we are going to do.

4
00:11.060 --> 00:13.670
So it is known as Patch Me.

5
00:13.880 --> 00:16.880
That means the objective is to patch the file.

6
00:18.050 --> 00:24.830
Now this is a program which will show many message boxes including recurring message boxes.

7
00:24.830 --> 00:30.800
So we have to identify where to patch those message boxes in order to prevent them from showing up.

8
00:31.910 --> 00:36.830
So as usual, go and download the version I provided for you.

9
00:37.730 --> 00:43.340
After you unzip it, you will find these two files, this file and this file.

10
00:43.670 --> 00:50.660
Immediately make a copy of it and put it here so that you have a backup in case something goes wrong.

11
00:51.500 --> 00:55.190
So in this lesson, we are going to analyze the behavior.

12
00:55.280 --> 00:59.360
So before we analyze the behavior, scan it with Detect It Easy

13
00:59.360 --> 01:04.460
first to determine whether it is 32-bit or 64-bit.

14
01:04.820 --> 01:08.930
I've already done that and determined that it is a 32-bit program.

15
01:09.260 --> 01:12.230
So let us run the program now and see its behavior.

16
01:12.380 --> 01:17.000
But before we run the program, I want you to fire up your Process Hacker.

17
01:17.000 --> 01:24.620
So for me, my Process Hacker is over here and I will now run the Process Hacker.

18
01:25.010 --> 01:26.750
Do the same thing for yourself.

19
01:30.030 --> 01:33.060
So run the Process Hacker now, and then

20
01:33.060 --> 01:36.000
run your Patch

21
01:36.000 --> 01:36.300
Me.

22
01:36.660 --> 01:39.660
So double-click on this to start it.

23
01:39.960 --> 01:42.300
And immediately you will see the first message box.

24
01:42.870 --> 01:49.860
And then open up a Notepad folder and copy down the message box that you see.

25
01:50.700 --> 01:51.330
Welcome

26
01:51.330 --> 01:55.020
to Nag Mania 2009 is the title.

27
01:56.040 --> 01:57.900
And then the string,

28
01:57.900 --> 02:02.430
the message is "We hope that you enjoy our software" over here.

29
02:02.910 --> 02:04.650
So that is the first message box.

30
02:05.010 --> 02:11.640
Then click OK and wait for a few seconds for the next one to show.

31
02:11.880 --> 02:19.290
Now it shows the second message box. "Nag Mania would like to introduce" is the title, and I copy it down here.

32
02:19.290 --> 02:21.150
So you do the same for yourself.

33
02:21.330 --> 02:24.060
And then the message: "Its third nag window.

34
02:24.060 --> 02:25.560
They just keep coming and coming."

35
02:25.560 --> 02:27.090
So put it here as well.

36
02:27.270 --> 02:29.670
So this is the second message box, although it's written here

37
02:29.670 --> 02:30.180
third nag.

38
02:30.180 --> 02:32.130
It's actually the second message box to show.

39
02:32.760 --> 02:38.100
And then now click OK and wait for another few seconds to see what happens.

40
02:39.380 --> 02:42.950
After a few seconds, you should be able to see the main window.

41
02:42.980 --> 02:44.450
This is the main window.

42
02:44.450 --> 02:49.070
There's a title there, so copy it down as well in your Notepad.

43
02:49.730 --> 02:51.500
Then the message itself:

44
02:51.500 --> 02:56.660
"If you manage to eliminate the nags before and after this window, congratulations, you did it."

45
02:56.660 --> 02:58.850
So just copy that down as well and put it here.

46
02:58.850 --> 03:03.050
So now we have copied down all the three message boxes: one, two, and three.

47
03:03.380 --> 03:07.310
And there will be another, the fourth message box, which is this message box here.

48
03:07.460 --> 03:11.720
So this message box will only show when you attach your debugger to it.

49
03:11.930 --> 03:13.520
So now you click OK.

50
03:14.210 --> 03:22.940
And then when you click OK, you will notice in here, if you scroll and look for the program name,

51
03:22.940 --> 03:24.650
you should be able to find it here as well.

52
03:26.760 --> 03:27.120
OK.

53
03:27.120 --> 03:29.370
In this case, it has exited.

54
03:30.270 --> 03:34.740
Sometimes it doesn't exit, so you need to close it using Process Hacker.

55
03:35.010 --> 03:39.450
So for example, when you are running it like this, it will show up here.

56
03:40.470 --> 03:40.980
See that?

57
03:40.980 --> 03:41.730
Patch Me.

58
03:43.330 --> 03:47.710
So this is the program that is showing up that is in the memory now.

59
03:48.160 --> 03:49.210
You click OK.

60
03:49.210 --> 03:50.230
It is still there.

61
03:53.230 --> 03:53.470
OK?

62
03:53.470 --> 03:54.130
OK.

63
03:54.130 --> 03:54.940
It is still there.

64
04:00.740 --> 04:02.930
Then you click OK.

65
04:03.800 --> 04:05.540
Sometimes it doesn't go away, OK.

66
04:05.540 --> 04:06.560
But this time it goes away.

67
04:06.560 --> 04:11.990
So in those situations where it doesn't go away, where it refuses to quit,

68
04:11.990 --> 04:15.170
you can use Process Hacker to monitor and kill it.

69
04:15.170 --> 04:17.180
So let's say you want to kill it.

70
04:17.870 --> 04:20.270
Let's say this is running now and it won't go away.

71
04:20.270 --> 04:23.660
After you've clicked all the OK buttons, it still refused to quit.

72
04:23.660 --> 04:29.180
You can come over to your Process Hacker, scroll and look for the name of the process.

73
04:29.180 --> 04:30.980
Patch Me to Revamped.

74
04:31.310 --> 04:37.070
Right-click on this and then click Terminate Tree.

75
04:37.610 --> 04:39.890
And then click on the Terminate button.

76
04:40.070 --> 04:42.620
And it should be gone.

77
04:42.620 --> 04:47.930
So this is how you use Process Hacker to terminate the program, OK.

78
04:47.930 --> 04:54.110
So if you were to run this with x64dbg...

79
04:56.610 --> 04:58.260
So I've already done it before.

80
04:58.260 --> 04:59.640
So I'm just going to refresh.

81
05:00.030 --> 05:02.340
I'm going to remove all my breakpoints,

82
05:02.340 --> 05:04.080
disable all my breakpoints.

83
05:05.640 --> 05:06.000
OK.

84
05:06.000 --> 05:10.440
If I run it now, it will show you here as well. I click OK.

85
05:12.030 --> 05:13.380
Wait for a few seconds.

86
05:14.550 --> 05:15.870
Then it shows the second message box.

87
05:16.440 --> 05:17.430
Click OK.

88
05:17.970 --> 05:21.120
And after a few seconds, it will show the main window.

89
05:21.840 --> 05:23.220
Just wait for it to show.

90
05:23.220 --> 05:24.360
And this is the main window.

91
05:24.390 --> 05:25.140
Click OK.

92
05:26.070 --> 05:26.940
And there is,

93
05:26.940 --> 05:27.660
you see this?

94
05:27.660 --> 05:34.860
This is the other message box, which will only show up if it is attached to a debugger.

95
05:35.550 --> 05:35.880
You see that?

96
05:35.880 --> 05:38.610
So this is the message box which won't go away.

97
05:38.760 --> 05:41.220
So you click this message box here.

98
05:41.220 --> 05:44.190
Make sure you also record it down here.

99
05:44.880 --> 05:50.820
This is the one which will only show up if you are attached to a debugger.

100
05:51.480 --> 05:55.860
So if you click OK now, wait for a few seconds.

101
05:57.410 --> 05:58.820
It keeps on showing.

102
05:59.270 --> 05:59.660
You see that?

103
05:59.660 --> 06:00.410
It's the same message box.

104
06:00.410 --> 06:04.700
It keeps on showing because it detected that you are attached to a debugger.

105
06:05.720 --> 06:06.860
So click OK.

106
06:06.860 --> 06:08.780
Still won't go away.

107
06:10.040 --> 06:10.640
Click OK.

108
06:10.640 --> 06:11.960
It still won't go away.

109
06:12.800 --> 06:13.670
It keeps on coming.

110
06:13.670 --> 06:16.790
The same nag: "Removal Attempt Alert."

111
06:16.790 --> 06:21.080
So in such a case, this is how you can kill it.

112
06:21.080 --> 06:24.050
You can either kill it by closing this button here.

113
06:24.710 --> 06:27.230
You can go to this button here and you will kill it.

114
06:27.260 --> 06:30.260
The other way to kill it is, of course, to use Process Hacker.

115
06:31.010 --> 06:33.980
All right, so this is how we can kill it.

116
06:34.460 --> 06:37.370
In this lesson, we already looked at the behavior.

117
06:37.370 --> 06:40.160
We have studied the behavior and we made some notes.

118
06:40.160 --> 06:46.880
So make sure you also make the notes like this so that you will know what to expect when you are doing

119
06:46.880 --> 06:50.150
your patching or doing your tracing.

120
06:50.600 --> 06:52.520
So that's all for this video.

121
06:52.520 --> 06:53.960
Thank you for watching.