Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this module, we'll discuss and enumerate the capabilities of IllusionBot that we've used during this course. We'll demonstrate how to find commanding processing subroutines or the configuration processing subroutines. Important tip to remember is to document everything while reverse engineering and test the software using dynamic analysis. You can read the following resources to learn more:

  • The IDA Pro Book: The Unofficial Guide by Chris Eagle
  • Professional Assembly Language by Richard Blum
  • Reversing: Secrets of Reverse Engineering by Eldad Eilam
  • Corkami
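The description above says the fastest way to enumerate a bot's capabilities is to find the command-processing subroutine, where the received command is compared against each literal and a matching handler runs. As an added example (not code from the course, the instructor, or the IllusionBot sample), the Python script below walks a constructed, IDA-style text listing for that compare chain (push of a string literal, call to a string-compare routine, `test eax, eax`, `jnz` to the next comparison) and produces the command list with the handler each one calls, the same list the module builds by hand in Notepad. The listing, the routine names such as `sub_StringCompare` and `sub_KillProcess`, and the `loc_` labels are made up for the sample; nothing here needs IDA to run.

```python
"""Enumerate bot commands from a strcmp-style dispatch chain in a disassembly listing.

Pattern: a literal command string and the input buffer are passed to a
string-compare routine; `test eax, eax` checks the result (0 means equal);
`jnz` skips to the next comparison when they differ, otherwise the handler runs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample listing in IDA's text style (hypothetical; not the real bot).
SAMPLE_LISTING = """\
loc_401000:
    push    offset aKill         ; "kill"
    push    ebx                  ; input command
    call    sub_StringCompare
    test    eax, eax
    jnz     short loc_401020
    push    esi
    call    sub_KillProcess
    jmp     loc_401000
loc_401020:
    push    offset aFtpdStart    ; "ftpd.start"
    push    ebx
    call    sub_StringCompare
    test    eax, eax
    jnz     short loc_401040
    call    sub_StartFtpServer
    jmp     loc_401000
loc_401040:
    push    offset aDownloadExec ; "download.exec"
    push    ebx
    call    sub_StringCompare
    test    eax, eax
    jnz     short loc_401060
    call    sub_DownloadAndExecute
    jmp     loc_401000
loc_401060:
    push    offset aVersion      ; "version"
    push    ebx
    call    sub_StringCompare
    test    eax, eax
    jnz     short loc_401080
    push    offset aVersionFmt   ; "%s v%d.%d"
    call    ds:wsprintfA
loc_401080:
    jmp     loc_401000
"""

PUSH_STR = re.compile(r'^\s*push\s+offset\s+(\w+)\s*;\s*"((?:[^"\\]|\\.)*)"')
CALL = re.compile(r'^\s*call\s+(\S+)')
TEST_EAX = re.compile(r'^\s*test\s+eax\s*,\s*eax\b')
JNZ = re.compile(r'^\s*jn[ez]\s+(?:short\s+)?(\w+)')
JMP = re.compile(r'^\s*jmp\b')
LABEL = re.compile(r'^(\w+):')
DEFAULT_COMPARE_FNS = ("sub_StringCompare", "strcmp", "_strcmp", "lstrcmpA")


@dataclass
class Command:
    name: str                 # the literal command string
    at_label: str             # label of the basic block doing the comparison
    compare_fn: str           # routine that compared input against the literal
    next_label: str           # where control goes when the strings differ
    handlers: list = field(default_factory=list)  # calls made on a match


def find_commands(listing, compare_fns=DEFAULT_COMPARE_FNS, lookahead=6):
    """Return the Command objects found in an if/else-if compare chain."""
    lines, found, current_label, i = listing.splitlines(), [], None, 0
    while i < len(lines):
        lab = LABEL.match(lines[i])
        if lab:
            current_label = lab.group(1)
        m = PUSH_STR.match(lines[i])
        if not m:
            i += 1
            continue
        literal, compare_fn, tested, jnz_at, next_label = m.group(2), None, False, None, None
        for k in range(i + 1, min(i + 1 + lookahead, len(lines))):
            c = CALL.match(lines[k])
            if c and c.group(1) in compare_fns:
                compare_fn = c.group(1)
            elif compare_fn and TEST_EAX.match(lines[k]):
                tested = True
            elif compare_fn and tested and JNZ.match(lines[k]):
                jnz_at, next_label = k, JNZ.match(lines[k]).group(1)
                break
        if jnz_at is None:          # a pushed string that is not a command (e.g. a format string)
            i += 1
            continue
        cmd = Command(literal, current_label, compare_fn, next_label)
        k = jnz_at + 1              # handler body: calls until the next jmp or label
        while k < len(lines) and not JMP.match(lines[k]) and not LABEL.match(lines[k]):
            c = CALL.match(lines[k])
            if c:
                cmd.handlers.append(c.group(1))
            k += 1
        found.append(cmd)
        i = k
    return found


def is_else_if_chain(commands):
    """True when every miss branch lands on the block of the next comparison."""
    return all(a.next_label == b.at_label for a, b in zip(commands, commands[1:]))


def capability_report(commands):
    """One line per command, as the analyst would paste into a notes file."""
    return [f"{c.name!r} -> {', '.join(c.handlers) or '(no call)'}" for c in commands]


if __name__ == "__main__":
    cmds = find_commands(SAMPLE_LISTING)
    print("\n".join(capability_report(cmds)))
    print("else-if chain intact:", is_else_if_chain(cmds))
```

The report is only a starting point: as the module stresses, a named handler such as `sub_DownloadAndExecute` still has to be read (or exercised dynamically) before you claim the capability is really implemented.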

Video Transcription

00:04
Welcome to Cybrary. My name is Sean Pierce, and I'm the subject matter expert for Introduction to Malware Analysis. Today we're gonna be covering malware
00:12
static analysis, particularly part six, where we're gonna enumerate the capabilities of the IllusionBot that we were looking at in the last few videos.
00:23
So
00:24
when we were doing this
00:27
capability enumeration earlier, we were kind of looking at
00:32
only the dynamic analysis and saying, OK, well, we see it's modifying the registry and opening up firewall rules, so we know it has that capability. We know it's going to the IRC. We know it can take commands from there. We opened up the IllusionBot builder. We saw some other capabilities there, but none of that
00:51
actually means
00:53
what it says. It means
00:55
It might sound a little silly, but I've dealt with plenty of builders and controllers where there's unimplemented functionality, either in the sample or in the builder or the controller, where it may say it can communicate over HTTP, or may say it can, uh,
01:15
funnel traffic over DNS.
01:17
But it can't actually maybe, uh,
01:21
the malware author forgot to put it in, or he wanted to say it had that capability, but it actually didn't, so he could sell it at a higher price. Whatever the deal is, you really can't trust,
01:30
uh, what an interface says or what it might even look like it's doing. I've seen samples out there that will try to communicate over
01:41
http or some other method, and the controller can't actually understand it, so it looks like it could do it. But you can't take the word
01:51
for it or you can't
01:53
count on that. Uh, actually being there. And as our analysts, we think,
02:00
Well, we're not often going to
02:02
get the controller. We're not often going to get the source code or,
02:07
you know, the builder. So that's kind of a moot point. And it's not, because we do have the sample. And earlier we were looking at
02:16
what functions it was calling to guess at the functionality.
02:21
But we can actually dig down into the code and see
02:25
what the malware author has actually put in there.
02:29
And we can say OK, definitely for sure.
02:32
It makes a post request,
02:35
but,
02:36
uh, it doesn't do anything with the response it gets back. It just, I mean, it moves on, so we know it can't actually receive information from a GET request. We can say that for sure.
02:51
Having said that,
02:53
it can be a little tricky sometimes, especially with the sophisticated actor,
02:58
because
03:00
assembly
03:01
can be very tricky. It could be hard to read, and with a lot of junk code in there, because some malware authors will fill their malware with
03:12
useless assembly that won't do anything. And it gets a little confusing to look at.
03:16
Um,
03:17
they can hide some clever
03:21
Mmm,
03:22
some clever instructions strung together that will
03:25
dynamically call something that doesn't look like code and do something you may not expect.
03:34
For instance, there was a piece of malware that
03:36
would download, uh,
03:38
I'm
03:39
a webpage, do like a standard HTTP GET request. And it would look for certain strings on the web page and go on about its business. But a lot of malware analysts missed the fact that it would go and find an image later on that web page, I think, in the
03:58
the temporary Internet files,
04:00
and then it would
04:01
decrypt a hidden configuration
04:04
inside an image, and they're using a form of steganography, which means that they hide an image, or that they hide information,
04:13
as opposed to cryptography, which scrambles the information.
04:18
And inside this configuration, inside this image
04:24
there was more information that
04:26
a lot of analysts were missing.
04:28
So
04:29
it can be tricky unless you have, like, a whole and complete understanding of the code, which you really can't have all the time.
04:38
And
04:39
there's even more functionality that may be hidden
04:42
in, say, a downloadable component. So
04:46
we will look at this malware and we will find that there is a download and execute command.
04:54
So if you
04:55
go to your superior, or if your superior comes to you and says,
05:00
Hey, I know you analyzed this piece of, um, malware. Can it do something like
05:04
wipe the master boot record?
05:06
And having analyzed that, you can say, no, it doesn't have that capability, and then turn around.
05:14
You know, a few days later, your boss comes back and says, Hey, you know, that malware infected one of our machines and the master boot record got wiped.
05:21
TTF
05:23
Well,
05:25
you know, in this
05:26
executable, in this piece of malware, like most other pieces of malware, there's the ability to download and execute
05:32
other files. So you
05:35
well, you can't say, Okay, it doesn't have that capability. Someone else can easily
05:43
add more capability by downloading
05:46
more malware.
05:48
And even if it's not,
05:49
just download and execute this wiper, which you can easily download from all over the Internet.
05:56
Uh,
05:57
several newer
06:00
malware families out there that are more sophisticated,
06:03
they're really, uh, they're really malware platforms. So
06:09
and I've even
06:12
done proof of concept stuff where, basically, it's just
06:16
a platform for going to a command and control server and downloading an encrypted module, which
06:24
has a persistence mechanism, or downloads another module after that, which has a command and control
06:32
functionality mechanism, or downloads another component, and that's an FTP server functionality, or
06:39
an FTP server.
06:42
So if a malware analyst were to ever find my executable on disk,
06:46
they would just find this kind of platform. They would just find, like, only a small amount of code, which would just go out to an IP address and download some things and decrypt them. Um, and so they would need my command and control server to be up in order to get those components, and with a lot of
07:05
a lot of this malware
07:06
tends to be more targeted, and the command and control servers are quickly taken down if the malware author thinks that their operation was burned.
07:15
Um,
07:17
and this is not uncommon, especially with
07:21
malware that has been infecting
07:26
uh,
07:26
a particular company.
07:28
Like if a malware author wants to
07:31
just do POS infections, where point of sale systems are only gonna be within a certain IP or IP address range. And he restricts that too. Uh,
07:46
he restricts downloads of his malware or componentry
07:50
to that. And then as soon as he sees another IP address trying to get those components, he thinks, oh, well, they've put my malware in the sandbox. Uh, I'm bringing down the whole operation and moving to another command and control server and
08:07
et cetera, et cetera. And that actually does happen. And if you ever do any botnet tracking
08:13
where you get a piece of spam and you say, Oh, I wonder what this is, and you pop it into a malware analysis machine,
08:18
um,
08:20
you'll notice that the command and control server is already dead, especially if you get the piece of spam
08:26
a few days late or even a few hours late sometimes
08:31
because malware authors don't want to burn their command and control infrastructure.
08:35
so
08:37
we can use
08:39
well, static and dynamic analysis to enumerate capabilities. But you really shouldn't say
08:46
this malware only has these capabilities.
08:48
And if you do, you should say, Hey, it can download and execute things. It's a common function,
08:56
and
08:58
a high sophistication actor could be using
09:03
this lower sophistication tool as an initial beachhead
09:07
to
09:09
then download and execute something else that's much more
09:13
dangerous. It's much more capable. So determining,
09:20
you know, intent is important, and the people behind this. But, uh, when you're doing your malware analysis,
09:28
it's easy to say, Oh, look, this code
09:31
definitely won't do this, or it definitely does do this.
09:35
Having said that, let's jump right in
09:37
to where we were last,
09:43
which was we were decrypting these strings,
09:48
so I'm gonna pause this VM
09:50
right when it was decrypting the strings. I'm gonna put it away
09:54
and jump back to my IDA here.
09:58
So,
10:00
as I said in my previous slide,
10:03
uh, document everything and if I was being a good
10:07
reverse engineer and I had all day to work on this. And I wasn't just making a video. I would say
10:13
this would be My next step is to go through these and label them and properly document them.
10:18
And one method to determine capabilities of a piece of malware is to follow each of these
10:24
functions and, uh, see where they're called and classify
10:31
all of the function calls. And you could burn through each of these subroutine calls and you could say, OK, this is this. This is this. This is maybe this. I'll come back to this if I have time, etcetera, etcetera,
10:45
but
10:46
a better way to do that. A better way to determine capability
10:50
is by going to where the command processing happens, where the configuration processing happens. So the malware author wants to control a machine with this piece of malware
11:03
or steal data or whatever his goal is that you usually will be able to determine
11:09
after analyzing the malware.
11:11
And
11:13
he he or she
11:18
will want to just
11:18
be able to command this bot, usually.
11:24
So I'm gonna go over here,
11:28
to open subviews and then strings,
11:31
and I'm gonna look for
11:33
help. I figure that this malware author has built in some kind of help menu,
11:39
and they will be controlling it from the IRC so they could just give it some commands
11:45
and that hasn't turned up anything.
11:48
So I'm just gonna look for
11:52
except this
11:54
Go back, open subviews,
11:56
strings.
11:58
So I'm gonna go through. I'm gonna say, Okay, they don't have a help menu. Or maybe maybe it's encrypted or whatever. Um,
12:07
but I do know that it has some capabilities. Like they can open up something called a DCC shell. It can download and execute, download something, download and execute something.
12:20
Ah,
12:22
and that's probably a command that a malware author would want to remotely execute. So I'm gonna double click and jump to where the string is.
12:31
I can see that is referenced
12:35
by pressing X. I can see that the string is referenced at this location and only this location.
12:41
So it looks like, uh, in this subroutine, in this function,
12:46
there's the option to download and execute something.
12:48
Looks like KB is showing you a meter
12:52
of how fast it's downloading executing something.
12:56
And we could dig into that and see exactly what's going on.
13:01
I'm gonna say download
13:03
execute
13:09
subroutine.
13:11
Say display download execute.
13:13
So I know this has to be called from somewhere. That's probably
13:20
because this probably isn't
13:20
the command processing subroutine or the configuration processing subroutine, so I'm gonna say, Okay, it's probably called from that, or something is calling it that will call this eventually.
13:31
So I'm gonna climb on up this ladder and say, OK,
13:33
this, uh,
13:37
is calling a few things
13:39
I could scroll over.
13:41
It's another function I haven't resolved yet, but I could, in fact,
13:46
looks like it's called a lot. So I'm just gonna go ahead and help myself and say
13:50
press X and say, OK, it's one. I'll just go ahead and figure this out.
13:56
So it's moved into by EAX. EAX is last modified by GetProcAddress, which, the parameter to GetProcAddress was wsprintf,
14:07
going back to that logic, wsprintf was pushed onto the stack, where
14:11
GetProcAddress is called and
14:16
modified EAX. So this is
14:18
the wsprintf.
14:22
jumping back,
14:26
so
14:26
we don't know this is
14:30
another. This is a good way to document
14:31
download and execute
14:35
um,
14:39
print.
14:41
You see where this is called from and zoom out. So over in the lower left hand side,
14:48
we can see
14:50
that
14:50
there's a lot of code here. We can even hit our control key
14:56
and scroll wheel, and we can zoom out.
14:58
We can get a much larger picture of what's going on here
15:01
so we can see that there's a lot of stuff going on here. We can zoom in and see uh,
15:09
a lot of error messages about SOCKS proxies, FTP,
15:13
all this other stuff.
15:16
So that's cool. That's useful. And if we wanted to see,
15:18
you know, usage is, uh, flood, we can just click where this, uh,
15:24
code came from, where this control flow came from. We could just double click the arrow. It'll jump straight to where that line was leading, where that jump was coming from.
15:35
But I'm interested in the capabilities of this malware, if you'll remember, and I want to quickly be able to say, OK, it can do this, this, this, this. So I want to look at the commands that the malware author could give it,
15:50
or the botnet herder or the controller.
15:54
So if I look at
15:56
this, I take this kind of broad sort of view.
16:00
I can see that there's an interesting set of instructions
16:04
or an interesting control flow happening here,
16:10
where if it's not one thing, then it'll do another little thing,
16:14
and all these jumps will jump off into their own respective columns.
16:21
So I'm willing to bet that
16:23
each one of these little boxes is simply just testing it. And you can see here by hovering over it.
16:30
Uh,
16:30
each of these little columns is testing,
16:33
ah, to see if a certain string is, uh,
16:37
in a certain memory location, probably,
16:41
You know, it gets in, ah,
16:42
a string from the IRC
16:45
uh,
16:47
program. This is probably a while true,
16:51
You know, a while,
16:52
um,
16:53
not
16:55
kill yourself command
16:56
loop that's going on.
16:59
It is constantly checking to see which command it received on the command line.
17:06
And
17:07
I can quickly zoom in and see if that's the case.
17:10
You can see beep is like, okay, that might sound like a command. Jump over here and see ftp stop. That does sound like a command. Jump over here, uh, ftpd. That sounds like a command.
17:22
Stop all. That definitely sounds like a command.
17:25
And do another jump, socks5 stop. Yeah, this seems like the command tree.
17:30
So if if I were a betting man, I would say, OK, this is probably a switch statement,
17:37
But then again, I know IDA usually catches switch statements pretty easily. So
17:42
maybe it's just,
17:44
if
17:45
else if else if else kind of situation,
17:49
because it doesn't really matter. We have a list of functions here.
17:56
So, uh,
17:57
if I
18:00
were documenting everything
18:03
I would
18:03
keep, like a note pad open. I'm following these functions down to the end.
18:10
Okay, so I'm gonna hit escape and go back to where it was,
18:17
so I can see here: web admin, just above is IRC me, just above that is IRC admin, again
18:27
web admin. So that seems to be all for
18:32
the commands, at least right here.
18:34
So I'll open up Notepad.
18:40
And
18:41
and I just start copying and pasting.
18:52
So
18:55
another thing I would do is I'll see where this string is kept
18:57
and see if
19:00
all the other command strings are there, so I can easily just copy paste.
19:03
Looks like a lot of them are there,
19:04
but
19:07
I can't guarantee that they're gonna be in the proper order.
19:14
Siepmann
19:15
IGMP,
19:17
exploits.
19:18
That sounds interesting.
19:22
Config. That sounds interesting. In case we, uh,
19:26
got onto the IRC channel where the bot is hiding,
19:29
maybe we can reconfigure the bots.
19:30
Um,
19:33
I think technically, that would be illegal because you are still running
19:37
instructions on a machine which you have not been authorized
19:42
to run instructions on.
19:47
But some security researchers do it anyway. And some people, like from Microsoft,
19:52
go. And when they take down a botnet, they will, ah,
19:59
get law enforcement on their side and walk into a data center and say, Hey, uh,
20:04
this is used for criminal use. We're going to help shut down.
20:10
But, uh,
20:11
I am not one of those people. And so I do not suggest
20:15
even if you have good
20:17
intentions, I would not suggest,
20:19
uh, going on to a, uh,
20:23
IRC channel.
20:26
No, but
20:26
and trying to, like, take down the botnet.
20:30
Um,
20:30
and even if you
20:33
even if you have the best intentions in mind and
20:37
you're seeing bad stuff happen all the time
20:41
with this botnet,
20:41
there could be security researchers or law enforcement
20:45
also doing what you're doing.
20:48
But they're listening on the channel to see if they can
20:51
get to the author or the botnet herder or whatever else, because they will do that as well.
20:59
So
21:00
I can do this for a while. It looks like this is, uh
21:07
this bot supports a lot of commands.
21:11
And after
21:14
I'm done with this,
21:15
I, uh
21:17
I could
21:18
tell someone or do it myself
21:22
for
21:22
verification purposes, I could tell someone to run these commands and make sure they actually do what you would think they do. This ftp, ftpd,
21:34
uh, command
21:37
might start an FTP server, but it might only do it on Linux.
21:41
Um,
21:42
D is usually daemon, or demon.
21:47
So, uh,
21:48
maybe it runs better
21:51
on Linux. You might think, OK, what? It's a PE file, it's an EXE file.
21:57
What makes you think you would,
22:00
you know,
22:00
running an FTP server on Linux? And it's like,
22:03
Well,
22:03
um,
22:04
you can,
22:06
you know, with the source code, you can recompile a piece of malware like any other program, and maybe the author made it so that, uh, you could just easily recompile for Linux.
22:17
And, um,
22:19
that functionality doesn't exist on Windows, because it may just call the command line equivalent to start an FTP server,
22:27
which may not exist on your version of windows.
22:33
So, like I said, we can do this for a while,
22:36
and it would be a much better indicator of capabilities
22:42
than just looking at the functions and guessing.
22:48
And if we had help,
22:49
uh, we could pass these things over to someone and say, Hey,
22:53
while I'm doing this, fire up the
22:56
the bot, make a fake IRC channel, connect to it and just start running these commands and see what happens.
23:07
So
23:07
a lot of this stuff
23:10
is pretty common malware functionality,
23:14
and I might dig into it
23:15
a little bit
23:18
like, uh, this version function,
23:22
and I would say, Okay, so
23:25
this function gets called immediately after it,
23:27
uh, what happens there? Is there anything important? Does it just set some flags? Does it check to see if there's some information? Does it just return the version? And what happens
23:40
on its, uh,
23:41
jump not zero. If it doesn't take that
23:45
condition
23:47
looks like it just prints something. So it's like, OK, so probably
23:51
this condition probably will print the version number out to the string, out to the screen.
23:56
And if it takes this path, it tries to see if it's, um
24:02
if this variable
24:03
which I'm gonna just name right here, is, uh, input
24:07
command
24:18
Filter out the quotes later,
24:22
reconnect.
24:22
That's interesting.
24:26
Shut down. That's interesting.
24:30
So I can see it has
24:33
nowhere to go. I just named this
24:36
was split in key.
24:38
Shut down
24:41
command. Whether that shuts down the bot or if it shuts down the, uh,
24:48
computer, I don't know.
24:52
ICMP flood stop.
25:00
ICMP flood.
25:08
So I'm gonna
25:11
stop for now
25:15
and we can see where we are
25:18
on this graph.
25:23
We can see that we're probably right about there, so there's probably a number of other commands, or probably right about here. There's probably,
25:33
I don't know,
25:33
I want to say 10, 15 other commands that we could enumerate.
25:37
Um
25:38
but the important part is
25:41
yeah, so we got quite a ways to go. Important part is
25:47
that we can do it,
25:48
and furthermore, we can verify that the code actually exists to implement that functionality.
25:59
For that,
26:00
the implemented code is there to fulfill that capability.
26:06
And if you're looking at this, if you're reading this all day, it's a very detailed view, and it's easy to get lost and forget things. So IDA provides a pretty cool tool.
26:17
And let's take this column, for instance.
26:21
So it says kill
26:23
tests the input command against the string kill. And it'll call this function,
26:33
which looks very simple so we can dive into it for just a second.
26:37
And it seems to test something, two arguments that are passed into it in ECX and EDX.
26:45
And
26:47
it's probably testing for validity is probably testing to see to make sure they're not just empty strings
26:59
And it seems like it's called all over the place.
27:04
It's probably important that we get this out of the way, this analysis, out of the way.
27:10
So it takes in two strings,
27:12
which were ECX, EDX, the input command
27:17
and, uh,
27:19
a kill.
27:22
So I'm gonna call this string compare.
27:30
That doesn't party.
27:32
So if we look at string compare, if we Google that,
27:37
I'm willing to bet if we return zero, it's, uh,
27:41
the same string
27:42
or the strings have
27:45
the equivalent
27:48
characters until the first null byte.
27:52
I just happen to know that's true, because I've done this before.
27:56
Uh, and the output is put in EAX. So test instruction, test to see if EAX is zero
28:06
by saying test eax, eax, and jumps if it's not zero. So it continues on its path of checking
28:14
against other commands. If it is,
28:18
if it is not zero. So if it is zero, it is that command. So this logic makes a bit more sense here. And
28:26
the functionality I was telling you that IDA does, that's really cool. We know that this code
28:32
eventually
28:33
will have some kind of kill
28:37
functionality built into it,
28:40
and if we,
28:41
or process killing functionality built into it. We can see here that "unable to kill process with process ID", "process has been killed". We can see that there's a positive and a negative to this outcome.
28:56
And so we know what this code does, fairly sure. So
29:03
something cool that we can do to get it out of the way while we're still reversing these other things is we hold down control and we can select
29:11
these boxes here.
29:12
And we can right click and say group nodes.
29:15
We can say we can label it for kill process.
29:25
So here it's grouped all these, uh,
29:29
code blocks.
29:33
And let's include this here.
29:41
Same name, kill
29:45
process.
29:52
So that looks pretty clean.
29:53
And we can continue the same effort here. We can look at this command above it. Kill all
30:19
we can keep going down that path. And obviously we're not catching all the related blocks, because if you look down here, there's some error conditions. Like, uh, it's like, Oh, you didn't
30:33
pass in the parameter. So this is the usage for that thing, and oh, unable to do it, or oh, it worked. We could group these in as well.
30:45
And we can continue on this path until we have all of these
30:51
trees. These columns of command functionality.
30:56
But command functionality columns, I guess, uh,
31:00
accounted for. And if we find something that's out of the ordinary or something that doesn't make a whole lot of sense, we can investigate that further,
31:11
but we can effectively group things, and we don't have such a detailed view of
31:18
what every little instruction is doing. And that's really the rabbit hole that you'll get into when you're doing reverse engineering is,
31:26
uh, since you have such a detailed view and you can say, Oh
31:30
yeah, I can jump into this function, I can completely figure out what it's supposed to be doing, and it's really important because it's called by all these other things, and like, Oh, look, I can go and resolve it again and see exactly what's going on and,
31:45
yeah, that's great. But
31:47
for now, determining capability and capability only, uh,
31:52
capability will lead to risk to your organization, it'll lead to impact. And
31:59
maybe if you're good, it'll lead to attribution to intent, and it will lead to you being, you know, very valuable to your team.
32:13
Because
32:14
if you have an incident,
32:15
uh,
32:16
unless your IR guy is really clever,
32:19
the malware guy is the person that really understands what's going on behind the scenes.
32:25
And there is a trend
32:29
that a lot of bad guys
32:30
are trying to avoid malware. Because of this, they try to do what's called living off the land and only doing things that, uh,
32:39
that don't leave any forensic evidence. Like, you know,
32:44
they drop a piece of malware that does, uh, just launches a reverse command shell. So then they could execute commands without
32:52
anyone seeing that. Um, but,
32:54
you know, um, most, most hackers still use malware. It's a
33:01
known, in all of the breaches, you know,
33:05
97% of the time, I believe the Verizon breach report said malware was present. So
33:12
malware analysts definitely have, ah,
33:15
a job,
33:15
and they're definitely needed.
33:21
So
33:22
Oh,
33:22
we went over,
33:24
uh, finding the command processing subroutines and/or the configuration processing subroutines, because that's where you're gonna find a lot of, uh,
33:36
how you can enumerate a lot of the capabilities of a piece of malware.
33:40
Um,
33:43
while reversing, just document everything. Use good variable names, just as if you're writing software, because you almost are, you're taking it apart. You're discovering it,
33:57
um,
33:58
and to fully enumerate its capabilities, I would say test the software afterwards. As I mentioned, there are plenty of times where malware has had bugs or compatibility issues.
34:07
They simply just do not implement the functionality, even if they say they do. And special note, there's no undo in IDA. Oh, I'm sorry.
34:17
Before that,
34:19
um,
34:22
and keep in mind when you're enumerating functionality, malware can extend its own functionality by downloading and executing new code, or having some hidden feature in it that you might miss in all those function calls, all the hundreds or thousands of function calls. There could be just some instruction in there that
34:40
jumps into what appears to be data but is actually shellcode.
34:45
Um,
34:45
even strings, strings can be shellcode. They can be executable x86 machine code. I know a guy who published a Black Hat paper
34:55
over,
34:57
um,
34:58
generating, his program would write
35:00
English language shellcode so that a string that looked like a normal English string could be executed,
35:08
x86 shellcode. So
35:12
oh,
35:14
well, you
35:15
can enumerate functionality in malware a lot of times. Keep in mind that it can extend its functionality, and it's not a for sure thing.
35:25
And keep in mind there's no undo in IDA,
35:29
anyway.
35:30
You might be flabbergasted by that. But seriously, if I,
35:37
uh, were to
35:38
tell IDA to analyze something as data instead of code,
35:44
it would break a lot of things. In the newer versions of IDA, you can kind of do a snapshot of
35:51
your current IDA database, and that might save you from something catastrophic. But you might have to redo a lot of analysis. And I have messed up
36:00
my analysis pretty good. Sometimes I just had to start over, because it would have been too much of a pain, uh,
36:07
um,
36:08
to try to fix the damage I had done.
36:12
So as a recap, for in general static reverse engineering, I showed this
36:20
before, but I highly suggest the IDA Pro Book. That's the unofficial guide, because the developers of IDA, uh, are really good and brilliant and will respond to emails very quickly because,
36:35
you know, they only sell IDA. That's all they do. And, ah,
36:39
if you email them, they'll email you right back there. They're really nice and good. They never wrote a book about how to use it, and someone did. And it is actually a really good introduction to not just IDA but reverse engineering in general, because IDA is an extremely powerful tool,
36:57
and we've barely scratched the surface of what it's capable of. If you get the official, if you get the,
37:05
I want to say professional version, but it's actually the pay-for version, because IDA Pro is free by default. You can't save your analysis unless you use an older version. Like IDA five point something, you can actually save your analysis, your IDB file. In the newer version you can't unless you pay for it,
37:24
or in the newer version, you cannot save your analysis unless you pay for it. Um, that's, like,
37:30
$600, $700 or something. Uh,
37:34
do not
37:35
try to crack it or torrent it.
37:37
You will be put on a blacklist and they will never sell you software again.
37:42
Or I think anyone you work for either, uh, I don't remember the rules on that, but it's a big no-no. Don't do that.
37:49
Don't crack IDA,
37:51
and, uh, or download or use cracked copies,
37:54
because the IDB files are actually signed, slash
38:00
encrypted. I think so. Uh,
38:02
if you even make, if you get a cracked version of IDA, ah, and you save
38:09
your analysis, your disassembly
38:12
of a file, no one else with IDA can even open that, because that
38:16
cracked version will be blacklisted
38:20
and no other version of IDA can open it.
38:22
There are ways around it, but I wouldn't suggest it.
38:25
Um, another really good book for reverse engineering is Reversing: Secrets of Reverse Engineering. It's a bit old, but it's really good. I like it a lot,
38:37
and there's plenty of tutorials online out there for reverse engineering. A lot of
38:43
tutorials and, ah,
38:45
little things
38:46
are
38:47
mainly built around crackmes, which are
38:52
little programs written by reversing, reverse engineering enthusiasts
38:58
to kind of stump each other.
39:00
And those are pretty good. And I
39:01
also would suggest going to past CTF websites, capture the flag websites. Usually they're hacker competitions, Jeopardy style, where you choose a category and a level, and you go and try to solve the problem. There's usually reverse engineering challenges in there where
39:20
you're trying to get a program to do something, or find a vulnerability, or decrypt a string, or whatever the case is, and those can be excellent, excellent learning experiences.
39:31
Um,
39:32
Corkami, or Corkami,
39:35
his website, um,
39:37
is fantastic for explaining, like, PE headers, because he really takes them apart and goes through the binary.
39:43
And, uh,
39:45
if you really want to understand
39:46
how, uh,
39:49
the code is organized
39:51
when you're looking at it,
39:52
uh, I would definitely suggest that,
39:55
but honestly, it's not very necessary until you get into some of the more tricky stuff.
40:02
Um,
40:04
I would also suggest OpenSecurityTraining.info from MITRE. They have an intro to x86. They also dive into other
40:14
architectures like ARM and x64, which, if you get the pay-for version of IDA, will actually not just do x86, but it'll do tons of architectures, the main one, most popular one being x64
40:30
and ARM. Because a lot of reverse engineers don't just reverse engineer Windows executables. They also reverse engineer firmware
40:37
from, uh, routers, from
40:40
toys, from cell phones, switches, lots of
40:46
computers that most people don't think of as computers
40:50
And also, I'd just say, you know, it's good to read the Wikipedia entries for the x86 assembly language and the x86 calling conventions. They're very approachable. They're very easy to read and have lots of examples.
41:06
And if you really want to get into writing assembly, I love assembly language, I would suggest The Art of Assembly Language.
41:12
Um,
41:14
and other than that, that's plenty of information for you to get started. I hope you
41:21
watch the next video. Again, my name is Sean,
41:23
and, uh, catch you later.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor