WEBVTT

1
00:01.400 --> 00:02.840
Hello and welcome back.

2
00:02.990 --> 00:07.520
The first thing we are going to do is to defeat the anti-debug.

3
00:07.730 --> 00:12.830
So we run this now, reload the program.

4
00:12.830 --> 00:14.870
I've already done this before, so I just reload.

5
00:15.860 --> 00:22.160
So now we are going to kill the debugger, the anti-debug, by clicking Debug.

6
00:22.550 --> 00:26.780
Go to Advanced and under here, click Hide Debugger.

7
00:28.190 --> 00:33.140
So once you hide debugger, it doesn't know that it is attached to the debugger.

8
00:33.140 --> 00:36.920
So if you run it now, you see the first nag.

9
00:37.880 --> 00:38.750
Wait for a while.

10
00:40.220 --> 00:42.470
It should show the second message box, which is here.

11
00:43.370 --> 00:48.440
Click OK, then it should show the main window.

12
00:48.440 --> 00:50.360
In a while, you should see the main window.

13
00:50.360 --> 00:54.740
There you go, the main window, and when you click OK, it quits the program.

14
00:54.980 --> 00:58.010
So this is how we can easily defeat the anti-debug.

15
00:58.730 --> 01:01.130
So now we are going to kill the first nag.

16
01:01.130 --> 01:03.230
So the first nag is this one.

17
01:03.230 --> 01:04.520
We want to kill this nag.

18
01:05.030 --> 01:06.680
So let's reload again.

19
01:06.680 --> 01:12.380
Remember to click on Advanced and hide the debugger.

20
01:13.580 --> 01:18.770
And then now we want to search for all the strings in this program.

21
01:18.770 --> 01:24.050
So you right-click here and click Search For, Current Module, String References.

22
01:24.530 --> 01:26.630
And there you have a list of all the strings.

23
01:26.630 --> 01:28.400
And we are looking for this string.

24
01:29.060 --> 01:32.540
"And we hope that you will enjoy our software" is here.

25
01:32.540 --> 01:35.030
So we click on that and we find it there.

26
01:35.570 --> 01:39.950
So let us now scroll up to the start of this function, which is here.

27
01:40.460 --> 01:45.620
And you see I already put a comment there to indicate this is probably the main function.

28
01:45.860 --> 01:50.990
So I'll right-click and enable a breakpoint there, toggle the breakpoint and run.

29
01:52.430 --> 01:54.920
Now I will come here, right-click and graph it.

30
01:55.940 --> 02:00.950
And then I will turn on the tracing to both.

31
02:00.950 --> 02:06.140
And then I click on Step Over until the first nag window shows.

32
02:09.510 --> 02:14.940
So just click Step Over and wait for the first nag to show.

33
02:28.020 --> 02:29.790
So Step Over.

34
02:31.930 --> 02:34.480
And after this call, see what happens.

35
02:35.380 --> 02:36.790
The first nag shows.

36
02:37.810 --> 02:39.700
So I put a comment there:

37
02:39.700 --> 02:40.720
"Show first nag."

38
02:40.870 --> 02:42.580
So let's click OK now.

39
02:42.730 --> 02:44.980
And now it continues to the next line.

40
02:47.600 --> 02:52.640
So now we know that this is the first nag. We can defeat it by NOPing

41
02:53.150 --> 02:53.840
one,

42
02:53.840 --> 02:54.140
two,

43
02:54.140 --> 02:54.440
three,

44
02:54.440 --> 02:54.680
four,

45
02:54.710 --> 02:55.700
these four lines.

46
02:56.480 --> 02:57.500
NOP these four lines.

47
02:57.500 --> 02:59.960
So right-click, go back to disassembler.

48
03:01.610 --> 03:03.410
We are going to NOP these four lines.

49
03:03.650 --> 03:09.530
The first two lines are the pushes for the parameters for this call.

50
03:09.530 --> 03:11.090
So we need to NOP them.

51
03:11.930 --> 03:15.260
And then the call itself.

52
03:15.260 --> 03:19.940
And then the last line here, "add -, eight", is to clean the stack.

53
03:20.420 --> 03:22.010
So we need to NOP it as well.

54
03:22.010 --> 03:29.420
So remember, when we have a call to a function, if the called function doesn't clean the stack,

55
03:29.510 --> 03:32.210
then it will clean it after the call.

56
03:32.210 --> 03:34.220
Sometimes you see it, sometimes you don't.

57
03:34.460 --> 03:38.960
If you don't see this, that means the call itself has cleaned the stack.

58
03:39.260 --> 03:42.170
But if the call did not clean the stack, then you see it out here.

59
03:42.170 --> 03:44.210
So that's why we need to NOP it as well.

60
03:44.780 --> 03:50.870
So we select all these four, right-click, Binary, Fill with NOPs, click OK.

61
03:51.560 --> 03:53.690
So you have now NOPed those.

62
03:53.690 --> 03:56.390
Now we can patch it. Click File, Patch File.

63
03:57.110 --> 03:59.390
See, everything is black in color.

64
03:59.390 --> 04:02.000
If you see any blue in here, then you have problems.

65
04:02.000 --> 04:03.530
But all is black.

66
04:03.530 --> 04:10.640
So click on Patch File and give it a name with dash one at the back to indicate the first patch.

67
04:12.270 --> 04:14.370
Dash one and click Save.

68
04:16.560 --> 04:22.530
OK, so now we can close this and test our patch one to see whether we have killed the first nag.

69
04:22.890 --> 04:28.140
Now remember, the first nag is this string here and this title here.

70
04:28.320 --> 04:30.030
So let's run it and see.

71
04:31.080 --> 04:32.700
Make sure you run Process Hacker.

72
04:34.170 --> 04:34.470
All right.

73
04:34.470 --> 04:35.700
So I'm running Process Hacker.

74
04:35.700 --> 04:37.260
And I'm seeing it's running now.

75
04:37.260 --> 04:40.500
And now my first nag has disappeared.

76
04:40.530 --> 04:41.880
It goes to the second nag.

77
04:42.180 --> 04:43.800
See that? There is no more first nag.

78
04:44.490 --> 04:44.820
All right.

79
04:44.820 --> 04:46.410
So that means we have killed the first nag.

80
04:46.440 --> 04:47.910
Now we got the second nag.

81
04:48.570 --> 04:49.500
Click OK.

82
04:49.890 --> 04:53.220
And it should be showing the main window in a short while.

83
04:53.910 --> 04:54.780
Anytime now.

84
04:54.780 --> 04:56.130
It should show the main window.

85
04:56.130 --> 04:56.580
There you go.

86
04:56.610 --> 04:57.450
The main window.

87
04:58.020 --> 05:01.860
Then when you click OK to the main window, it shows you the third nag.

88
05:02.850 --> 05:06.630
But this third nag won't go away because you have already patched the file.

89
05:06.630 --> 05:10.800
So it detected the patch, and that's why it keeps popping up this third nag.

90
05:10.800 --> 05:13.080
If you click OK, it keeps coming back again.

91
05:14.220 --> 05:14.610
Just wait.

92
05:14.610 --> 05:14.820
Wait.

93
05:14.850 --> 05:15.360
There you go.

94
05:15.360 --> 05:19.920
It comes back again, and you can see that it keeps showing up in the process.

95
05:19.920 --> 05:20.460
In memory.

96
05:20.460 --> 05:21.240
It doesn't go away.

97
05:21.240 --> 05:22.320
It doesn't end.

98
05:22.350 --> 05:23.310
It doesn't exit.

99
05:24.180 --> 05:24.720
It's still there.

100
05:24.720 --> 05:28.560
So the only way to kill it is to right-click here and Terminate Tree.

101
05:28.560 --> 05:30.690
That's why you need Process Hacker.

102
05:32.250 --> 05:32.850
OK.

103
05:32.850 --> 05:36.990
So now our next target is to kill the second nag,

104
05:36.990 --> 05:37.830
this one.

105
05:38.070 --> 05:45.300
So in order to do that, we have to remove this file and rename this file to become this file.

106
05:45.300 --> 05:52.650
The reason is that we want to preserve the database for x64dbg so that we can reuse all the breakpoints

107
05:52.650 --> 05:54.150
and comments that we have set.

108
05:54.870 --> 05:59.040
So in order to rename the file, we are just going to make a copy of this first.

109
05:59.130 --> 06:07.380
We delete this first, and then we make a copy of this and rename this back to the original name.

110
06:12.730 --> 06:13.270
That's it.

111
06:13.270 --> 06:21.070
So now we are ready to go to the next lesson where we will patch the second nag, which is this nag.

112
06:21.070 --> 06:22.630
So which is this nag.

113
06:22.630 --> 06:24.160
So I'll see you in the next lesson.

114
06:24.160 --> 06:25.330
Thank you for watching.