Basic Static Analysis Part 6

Time: 9 hours 10 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Description

In this module, we'll discuss and enumerate the capabilities of IllusionBot that we've used during this course. We'll demonstrate how to find the command processing subroutines or the configuration processing subroutines. An important tip to remember is to document everything while reverse engineering and to test the software using dynamic analysis. You can read the following resources to learn more:

  • The IDA Pro Book: The Unofficial Guide by Chris Eagle

  • Professional Assembly Language by Richard Blum

  • Reversing: Secrets of Reverse Engineering by Eldad Eilam

  • Corkami

Video Transcription
00:03

Welcome to Cybrary. My name is Sean Pierce. I'm a subject matter expert for Introduction to Malware Analysis. Today we are going to be covering more static analysis, particularly Part 6, where we're going to enumerate the capabilities of the IllusionBot that we were looking at in the last few videos.

When we were doing this capability enumeration earlier, we were looking at only the dynamic analysis and saying, okay, well, we see it's modifying the registry and opening up the firewall rules, we know it has that capability. We know it's going to the IRC. We know it can take commands from there. We opened up the IllusionBot Builder. We saw some other capabilities there. But none of that actually means what it says it means.

I might sound a little silly, but I've dealt with plenty of malware, plenty of builders and controllers where there's unimplemented functionality either in the sample or in the builder or the controller, where it may say it can communicate over HTTP or it may say it can funnel traffic over DNS, but it can't actually. Maybe the malware author forgot to load it in, or he wanted to say it had that capability but it actually didn't, so he can sell it at a higher price. Whatever the deal is, you really can't trust what an interface says or what it might even look like it's doing. I've seen samples out there that'll try to communicate over HTTP or some other method and the controller can't actually understand it. It looks like it could do it, but you can't take the word for it, or you can't count on that actually being there.

As malware analysts, we think, well, we're not often going to get to the controller. We're not often going to get the source code or the builder, so that's a moot point. It's not, because we do have the sample. Earlier we were looking at what functions it was calling to guess at the functionality. But we can actually dig down into the code and see what the malware author has actually put in there. We can say, okay, definitely, for sure, it makes a POST request, but it doesn't do anything with the response it gets back. It just immediately moves on. We know it can't actually receive information from a GET request. We can say that for sure.

Having said that, it can be a little tricky sometimes, especially with the sophisticated actor, because assembly can be very tricky. It can be hard to read, and with a lot of junk code in there, because some malware authors will fill their malware with useless assembly that won't do anything, and it gets a little confusing to look at. They can hide some clever instructions strung together that will dynamically call something that doesn't look like code and do something you may not expect.

For instance, there was a piece of malware that would download a web page, do a standard HTTP GET request, and it would look for certain strings on the web page and go on its business. But a lot of malware analysts missed the fact that it would go and find an image later on that web page, I think in the Temporary Internet Files, and then it would decrypt a hidden configuration inside an image. They were using a form of steganography, which means that they hide an image, or that they hide information, as opposed to cryptography, which just scrambles the information. Inside this configuration, inside this image, there was more information that a lot of analysts were missing. It can be tricky unless you have a whole and complete understanding of the code, which you really can't all the time.

There's even more functionality that may be hidden in, say, a downloadable component. We will look at this malware and we will find that there is a download-and-execute command. If you go to your superior, or if your superior comes to you and says, "Hey, I know you analyzed this piece of malware. Can it do something like wipe the master boot record?" Having analyzed it, you can say no, it doesn't have that capability, and then turn around and a few days later your boss comes back and says, "Hey, that malware infected one of our machines and the master boot record got wiped." WTF. Well, in this executable, in this piece of malware, like most other pieces of malware, there's the ability to download and execute other files. While you can't say it doesn't have that capability, someone else can easily add more capability by downloading more malware.

Even if it's not, just download and execute the wiper, which you can easily download from all over the Internet. Several newer malware families out there that are more sophisticated, they're really malware platforms. I've even done proof-of-concept stuff where basically it's just a platform for going to a command and control server and downloading an encrypted module which has a persistence mechanism, or downloads another module after that which has a command and control server functionality mechanism, or downloads another component and that's an FTP server. If a malware analyst were to ever find my executable on disk, they would just find this platform. They would just find only a small amount of code which would just go out to an IP address and download some things and decrypt them. They would need my command and control server to be up in order to get those components.

With luck, a lot of this malware tends to be more targeted, and the command and control servers are quickly taken down. The malware author thinks that their operation was burned. This is not uncommon, especially with malware that has been infecting a particular company. If a malware author wants to just do POS infections, where point-of-sale systems are only going to be within a certain IP address range, and he restricts downloads of his malware or component tree to that, then as soon as he sees another IP address try to get those components, he thinks, well, they've put my malware in a sandbox. I'm bringing down the whole operation and moving to another command and control server, etc., etc. That actually does happen.

If you ever do any botnet tracking, where you get a piece of spam and you say, I wonder what this is, you pop it into a malware analysis machine. You'll notice that the command and control server is already dead, especially if you get the piece of spam a few days late, or even a few hours late sometimes, because the malware authors don't want to burn their command and control infrastructure.

We can use both static and dynamic analysis to enumerate capabilities, but you really shouldn't say this malware only has these capabilities. If you do, you should say, hey, it can download and execute things. It's a common function, and a high-sophistication actor could be using this lower-sophistication tool as an initial beachhead to then download and execute something else that's much more dangerous. It's much more capable. Determining intent is important, and the people behind this, but when you're doing your malware analysis, it's easy to say, look, this code definitely won't do this, or it definitely does do this.

Having said that, let's jump right in to where we last were, which was, we were decrypting the strings. I'm going to pause this VM right when it was decrypting the machine. I'm going to put it away and jump back to my IDA here. As I said in my previous slide, document everything. If I was being a good reverse engineer and I had all day to work on this and I wasn't just making a video, I would say this would be my next step, is to go through these and label them and properly document them.

One method to determine capabilities of a piece of malware is to follow each of these functions and see where they're called and classify all of the function calls. You could burn through each of these subroutine calls and you can say this is this, this is this, this is maybe this, I'll come back to this if I have time, etc., etc. But a better way to determine capability is by going to where the command processing happens, where the configuration processing happens. The malware author wants to control a machine with this piece of malware, or steal data, or whatever his goal is, that you usually will be able to determine after analyzing the malware. He or she will want to just be able to command this bot, usually.

I'm going to go over here to Open Subviews and then Strings, and I'm going to look for "help". I figure that this malware author has built in some help menu, and they will be controlling it from the IRC, so they can just give it some commands, and that hasn't turned up anything. I'm just going to look for, expand this, go back, Open the Subview to Strings. I'm going to go through. I'm going to say they don't have a help menu, or maybe it's encrypted or whatever, but I do know that it has some capabilities. It can open something called a DCC shell. It can download and execute something. That's probably a command that a malware author would want to remotely execute.

I'm going to double-click and jump to where the string is. I can see that it is referenced. By pressing X, I can see that the string is referenced at this location and only this location. It looks like in this subroutine, in this function, there's the option to download and execute something. Looks like KB is showing you a meter of how fast it's downloading and executing something. We could dig into that and see exactly what's going on. I'm going to say "download and execute subroutine". Say display. Download and execute is fine. I know this has to be called from somewhere, because this probably isn't the command processing subroutine or the configuration processing subroutine. I'm going to say it's probably called from that, or something it's calling that will call this eventually.

I'm going to climb on up this ladder and say, this is calling a few things. I can scroll over. It's another function I haven't resolved yet, but I could, in fact; looks like it's called a lot. I'm just going to go ahead and help myself and say, press "X" and say, want to just go ahead and figure this out. Was moved into by EAX. EAX was last modified by GetProcAddress, which, the parameter to get this GetProcAddress was wsprintf. Going back to that logic. wsprintf is pushed onto the stack where GetProcAddress was called and modified EAX. This is wsprintf. Jumping back. We don't know; this is a good way to document. Download and execute print. You see where this is called from and, bingo.

Over in the lower left-hand side, we can see that there's a lot of code here. We can hit our Control key and scroll wheel and we can zoom out. We can get a much larger picture of what's going on here. We can see that there's a lot of stuff going on here. We can zoom in and see a lot of error messages about SOCKS, proxies, FTP, all this other stuff. That's cool. That's useful. If we wanted to see usage HTTP flood, we can just click where this code came from, where this control flow came from. We can just double-click the arrow. It'll jump straight to where that line was leading, that jump was coming from.

But I'm interested in the capabilities of this malware, if you'll remember. I want to quickly be able to say, it can do this. I want to look at the commands that a malware author could give it, or the botnet herder or the controller. If I look at this, I take this broad view, I can see that there's an interesting set of instructions or an interesting control flow happening here, where if it's not one thing, then it'll do another little thing. All these jumps will jump off into their own respective columns. I'm willing to bet that each one of these little boxes is simply just testing it. You can see here by hovering over it. Each of these little columns is testing to see if a certain string is in a certain memory location. Probably it gets in a string from the IRC program. This is probably a while true or while not kill yourself command loop that is going on. It is constantly checking to see which command it received on the command line. I can quickly zoom in and see if that's the case.

We can say, beep, it's like, that might sound like a command. Jump over here and say FTP stop. That does sound like a command. Jump over here, ftpd sounds like a command. Stop all, that definitely sounds like a command, and do another jump, socks5 stopped. This seems like this command tree. If I were a betting man, I would say this is probably a switch statement. But then again, IDA usually catches switch statements pretty easily. Maybe it's just an if-else situation. It doesn't really matter.

We have a list of functions here. If I were documenting everything, I would keep a Notepad open. I'm following these functions down to the end. I can hit "Escape" and jump back to where I was. I can see here web admin, just above it is IRC admin, and just above that is IRC admin again. That seems to be all for the commands, at least right here. I would open up Notepad and I'd just start copying and pasting. Another thing I would do, I would see where the string is kept and see if all the other command strings were there, so it means we just copy-paste. It looks like a lot of them were there, but I can't guarantee you that they're going to be in the proper order. See that?

IGMP exploit. That sounds interesting. Config, that sounds interesting, in case we got onto the IRC channel where this bot is hiding. Maybe we can reconfigure the bots. I think technically that would be illegal, because you are still running instructions on a machine which you have not been authorized to run instructions on. But some security researchers do it anyway. Some people, like from Microsoft, go and, when they take down a botnet, they will get law enforcement on their side and walk into a data center and say, "Hey, this is used for criminal use. We are going to help shut it down." But I'm not one of those people. Even if you have good intentions, I would not suggest going onto an IRC channel bot and trying to take down the botnet. Even if you have the best intentions in mind and you're seeing bad stuff happen all the time with this botnet, there could be security researchers or law enforcement also doing what you're doing. But they're listening on the channel to see if they can get to the author or the botnet herder or whatever else, because they will do that as well.

I can do this for a while. It looks like this bot supports a lot of commands. After I'm done with this, I could tell someone, or do it myself for verification purposes. I could tell someone to run these commands and make sure they actually do what you would think they do. This ftpd command might start an FTP server, but it might only do it on Linux. D is usually daemon. Maybe it runs better on Linux. You might think, "Well, it's a PE file, an EXE file. What makes you think you would run an FTP server on Linux?" It's like, well, with the source code, you can recompile a piece of malware like any other program. The author made it so that you can just easily recompile for Linux, and that functionality doesn't exist on Windows because it may just call the command-line equivalent to start an FTP server, which may not exist on newer versions of Windows.

Like I said, we can do this for a while, and it would be a much better indicator of capabilities than just looking at the functions and guessing. If we had help, we could pass these things over to someone and say, "Hey, while I'm doing this, fire up the bot, make a fake IRC channel, connect to it, and just start running these commands and see what happens." A lot of the stuff is pretty common malware functionality.

I might dig into it a little bit, like this version function. I would say, so this function gets called immediately after it. What happens there? Is there anything important? Does it just set some flags? Does it check to see if there's some information? Does it just return the version? What happens on its not-zero loop, if it doesn't take that condition? It looks like it just prints something. It's like, this condition probably will print the version number out to the screen. If it takes this path, it tries to see if this variable, which I'm going to just name right here as input command. Say nick, I'll filter out the quotes later, reconnect. That's interesting. Shutdown. That's interesting. I can see it has nowhere to go. I'll just name this with the N key, shutdown command. Whether that shuts down the bot or if it shuts down the computer, I don't know.

Icmpfloodstop, icmpflood. I'm going to stop for now and we can see where we are on this graph. We can see that we're probably right about there, or probably right about here. I'm going to say 10, 15 other commands that we could enumerate. We've got quite a ways to go. The important part is that we can do it. Furthermore, we can verify that the code actually exists to implement that functionality, or the implemented code is there to fulfill that capability. If you're looking at this, if you're reading this all day, it's a very detailed view and it's easy to get lost and forget things.

IDA provides a pretty cool tool. Let's take this column, for instance. It says kill. Test the input command against the string kill, and it'll call this function, which looks very simple. We can dive into it for just a second. It seems to test something, two arguments that are passed into it, which is in ECX and EDX. It's probably testing for validity. It's probably testing to make sure they're not just empty strings. If we do X, it seems like it's called all over the place. It's probably important that we get this analysis out of the way. It takes in two strings, which were EAX, the input command, and "kill". I'm going to call this string compare. It does a pop, do you see that? If we look at string compare, if we google that, I'm willing to bet if we return zero, it's the same string, or the strings have the equivalent characters until the first null byte. I just happen to know that's true because I've done this before, and the output is put into EAX. Test instruction: test to see if EAX is zero by saying EAX pop. It jumps if it's not zero. It continues on its path of checking against other commands if it is not zero. If it is zero, it is that command, so this logic makes a bit more sense here.

The functionality that I was telling you that IDA does that's really cool is, we know that this code eventually will have a process-killing functionality built into it. We can see here that I'm able to kill the process with the process ID. Process has been killed. We can see that there's a positive and a negative to this outcome, so we know what this code does. Fairly sure.

Something cool that we can do, to get it out of the way while we're still reversing these other things, is we hold down Control and we can select these boxes here. We can right-click and say Group Nodes. We can label it "kill process". All these are code blocks. Let's include this here. Same name, kill process. That looks pretty clean. We can continue the same effort here. We can look at this command above it, kill all. We can keep going down that path. Obviously, we're not catching all the related blocks, because if you'll look down here, there's some error conditions like, "Oh, you didn't pass in the parameter." This is the usage for that thing, and "Oh, unable to do it," or "Oh, it worked." We could group these in as well. We can continue on this path until we have all of these trees, these command functionality columns, accounted for. If we find something that's out of the ordinary or something that doesn't make a lot of sense, we can investigate that further. But we can effectively group things, and we don't have such a detailed view of what every little instruction is doing.

That's really the rabbit hole that you'll get into when you're doing reverse engineering, since you have such a detailed view and you can say, "Oh, yeah, I can jump into this function. I can completely figure out what it's supposed to be doing, and it's really important because it's called by all these other things. Oh look, I can go and resolve it again and see exactly what's going on." It's great, but for now, determining capability. Capability will lead to risk to your organization, it will lead to impact, and maybe, if you're good, it'll lead to attribution, to intent, and it will lead to you being very valuable to your team. Because if you have an incident, unless your IR guy is really clever, the malware guy is the person that really understands what's going on behind the scenes.

There is a trend that a lot of bad guys are trying to avoid malware because of this. They try to do what's called living off the land and only doing things that don't leave any forensic evidence, like they drop a piece of malware that just launches a reverse command shell. Then they can execute commands without anyone seeing that. But most hackers still use malware, and in all of the breaches, 97 percent of the time, I believe the Verizon breach report said, malware was present. Malware analysts definitely have a job and they are definitely needed.

We went over finding the command processing subroutines and/or the configuration processing subroutines, because that's where you're going to find a lot of how you can enumerate a lot of the capabilities of a piece of malware. While reversing, I would suggest documenting everything. Use good variable names, just like as if you're writing software, because you're taking it apart, you're discovering it. To fully enumerate capabilities, I would say test the software afterwards. As I mentioned, there are plenty of times where malware has had bugs or compatibility issues, or they simply just do not implement the functionality as they say they do.

Keep in mind, when you're enumerating functionality, malware can extend its own functionality by downloading, executing new code, or having some hidden feature in it that you might miss. All those function calls, all hundreds or thousands of function calls. There could be just some instructions in there that jump into what appears to be data but is actually shellcode. Even strings. Strings can be shellcode; they can be executable x86 machine code. I know a guy who published a Black Hat paper over generating, his program would write English-language shellcode, so that a string that looks like a normal English string could be executable x86 shellcode. While you can enumerate functionality in malware a lot of times, keep in mind that it can extend its functionality and it's not a for-sure thing.

Keep in mind, there's no undo in IDA. You might be flabbergasted by that. But seriously, if I were to tell IDA to analyze something as data instead of code, it would break a lot of things. In the newer versions of IDA, you can do a snapshot of your current IDA database. That might save you from something catastrophic, but you might have to redo a lot of analysis. I have messed up my analysis pretty good sometimes. I just had to start over because it would have been too much of a pain to try to fix the damage I had done.

As a recap, in general, static reverse engineering, I showed this before, but I highly suggest the IDA Pro Book. That's the unofficial version, because the developers of IDA, they're good and brilliant and they'll respond to email very quickly, because they're the only, IDA, that's all they do. If you email, they email right back, and they're really nice and good. They never wrote a book about how to use it. Someone did, and it's actually a really good introduction to not just IDA but reverse engineering in general, because IDA is an extremely powerful tool and we've barely scratched the surface of what it's capable of.

If you get the, I want to say professional version, but it's actually the paid-for version, because IDA Pro is free by default, you can't save your analysis unless you use an older version, IDA 5 point something; you can actually save your analysis, your IDB file. In the newer version, you cannot save your analysis unless you pay for it. That's like $6,700 or something. Do not try to crack it or torrent it. You will be put on a blacklist and they will never sell you software again. Or I think when you work for IDA, I don't remember the rules on that, but it's a big no. Don't do that. Don't crack IDA, or download, or use cracked copies, because the IDB files are actually signed/encrypted, I think. If you get a version, a cracked version of IDA, and you save your analysis, your disassembly of a file, no one else with IDA can even open that, because that cracked version will be blacklisted and no other version of IDA can open it. There are ways around it, but I wouldn't suggest it.

Another really good book for reverse engineering is Reversing: Secrets of Reverse Engineering. It is a bit old, but it's really good. I like it a lot. There's plenty of tutorials online out there for reverse engineering; a lot of tutorials and little things are mainly built around the crackmes, which are little programs written by reverse engineering enthusiasts to stump each other. Those are pretty good, and I also would suggest going to past CTF websites, Capture the Flag websites. Usually they're hacker competitions, jeopardy style, where they choose a category and a level and they go and try to solve the problem. There's usually reverse engineering challenges in there, where you're trying to get a program to do something, or find a vulnerability, or decrypt a string, or whatever the case is. Those can be excellent learning experiences.

Corkami, this website is fantastic for explaining PE headers. It really takes it apart and goes through the binary. If you really want to understand how the code is organized when you're looking at it, I would definitely suggest that. But honestly, it's not very necessary until you get into some of the more tricky stuff.

I would also suggest opensecuritytraining.info from MITRE. They have an intro to x86. They also dive into other architectures like ARM and x64, which, if you get the paid-for version of IDA, will actually not just do x86 but they'll do tons of architectures, the most popular ones being x64 and ARM, because a lot of reverse engineers don't just reverse engineer Windows executables. They reverse engineer firmware from routers, from toys, from cell phones, switches, lots of computers that most people don't think of as computers.

Also, just to say, it's good to read the Wikipedia entries for the x86 assembly language and the x86 calling conventions. They're very approachable, they're very easy to read, and have lots of examples. If you really want to get into writing assembly language, I would suggest The Art of Assembly Language. Other than that, that's plenty of information for you to get started. Hope you watch the next video. Again, my name is Sean, and I'll catch you later.