We are going now to take a look at the shellcode we extracted in the previous video. Now, we are not going to take too detailed a look at this shellcode, but know that this is, in the same file, 64-bit and 32-bit shellcode, and this shellcode does the following when it is called with an argument, and that is the name of the Word document, the full name: it will extract an encoded EXE from that Word document right onto disk and execute it. So let's try to analyze this.

First of all, we have several empty lines here; again we will remove them. So let's go to the hex view, and here you can see 0D 0A 0D, so that's carriage return, new line, carriage return, and we will replace this. First we want to be in hex here, so we will replace this with carriage return, new line, like this. So now we have here our shellcode.

If we search for XOR, so text "XOR", we will find many XOR operations on registers, and here there is one on a register with a constant, the constant D. So here is actually the decoding loop for the EXE. If you look here, you have an egg hunt in the file for this value, and this is the value "POLA". If this is found, then we add C to the position, so that's 12 bytes, and then for every byte in that payload we add three to the byte and we do an XOR with D, and this is here the size of the payload.

So let's take a look at our executable here, sorry, the doc file. This is the doc file. We search for text "POLA"; it occurs only once. Here you have it, and from here we move 12 bytes, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, and here we have our payload that starts. Now we will copy that payload and decode it. So Select Range: this is where we want to start, on our position of the cursor, and then here the size, so that is what we read in the shellcode, 162AC hexadecimal, like this. OK, and this selects our complete payload. We will copy this into a new file, like this, and then we can do the binary operations on it, so adding three and XORing with D, and we can do that from Tools, Hex Operations, Add. Make sure you work on unsigned bytes, the value we want to add is 3 decimal, and also here make sure that it works on the entire file and that this is empty, like this. So now we have added three to every byte in the file, and the next step is to binary XOR this, on an unsigned byte, value D hexadecimal, like this. And what we obtain here now looks like base64, so we select this all, we copy it and we will decode it in a new file. So a new file, Edit, Paste from Base64, and it decoded without errors, and here you can see MZ, so this is an executable. If we run the template for executables, so the EXE template for PE files, we can indeed see that we are dealing with an executable here: MZ, here "This program cannot be run in DOS mode", here the PE header, and here you have the different sections.
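The decoding routine walked through above, reimplemented as an added Python example (this is not code from the video, from the shellcode, or from the analyzed sample): it does the egg hunt for "POLA", moves 0xC bytes from the marker (assumed here to be counted from the marker's first byte, as the video counts 12 bytes from where "POLA" is found), applies the add-3 then XOR-0xD transform to every byte as an unsigned byte, base64-decodes the result and checks for the MZ header. The document contents and the payload size are constructed for the example; in the real sample the size 0x162AC was read from the shellcode and would be passed in the same way.

```python
import base64

MARKER = b"POLA"   # egg-hunt value the shellcode searches the document for
SKIP = 0xC         # offset added to the marker position (assumed: from the marker's first byte)
ADD = 3            # the decoding loop adds 3 to every payload byte ...
XOR_KEY = 0x0D     # ... and then XORs it with 0xD


def decode_payload(doc: bytes, size: int) -> bytes:
    """Egg-hunt for MARKER, take `size` bytes starting SKIP bytes after it,
    undo the add/XOR transform and base64-decode.  `size` is the constant
    read from the shellcode (0x162AC in the analyzed sample)."""
    pos = doc.find(MARKER)
    if pos < 0:
        raise ValueError("marker not found in document")
    start = pos + SKIP
    encoded = doc[start:start + size]
    if len(encoded) != size:
        raise ValueError("payload runs past the end of the document")
    # Same order as the shellcode loop: add 3 (unsigned byte), then XOR 0xD
    b64 = bytes((((b + ADD) & 0xFF) ^ XOR_KEY) for b in encoded)
    return base64.b64decode(b64, validate=True)


def is_pe(data: bytes) -> bool:
    """The check the video does by eye: DOS header magic 'MZ'."""
    return data[:2] == b"MZ"


def encode_payload(exe: bytes) -> bytes:
    """Inverse of the shellcode transform; only used to build the constructed sample."""
    b64 = base64.b64encode(exe)
    return bytes((((b ^ XOR_KEY) - ADD) & 0xFF) for b in b64)


def build_sample_doc():
    """Constructed stand-in for the Word document: some filler, the marker,
    padding so the payload begins 0xC bytes after the marker, then the payload."""
    fake_exe = b"MZ" + bytes(range(2, 64))      # constructed, not a real PE file
    encoded = encode_payload(fake_exe)
    doc = (b"\xd0\xcf\x11\xe0 constructed OLE-like filler "
           + MARKER
           + b"\x00" * (SKIP - len(MARKER))
           + encoded
           + b" trailing junk")
    return doc, len(encoded)


if __name__ == "__main__":
    sample_doc, payload_size = build_sample_doc()
    extracted = decode_payload(sample_doc, payload_size)
    print("MZ header found:", is_pe(extracted), "payload length:", len(extracted))
```

On a real document you would pass the file's bytes and the size constant taken from the shellcode; the `validate=True` argument makes a wrong offset or size fail loudly at the base64 step instead of silently producing garbage.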