3 hours 41 minutes
Hi, everyone, and welcome to numbering systems. In this session, we're going to learn about the relevant numbering systems as they relate to malware analysis and learn to convert between these systems simply and efficiently.
In previous sessions, we've stated that any type of data that resides on a computer is stored in binary format. This is a numbering system that uses zero and one, also called base two.
However, as we've been performing some analysis tasks already, we've been presented with data not in binary but in hex. So the questions we may ask are: well, why is data stored in this way? And how do we convert data into something meaningful during our analysis? Now, to answer the first question completely, we'd have to spend some time talking about the history of computer architecture and mathematics.
Now, those are outside the scope of this course, but in summary, we use binary because the circuits in a computer are made up of billions of transistors. A transistor is a tiny switch that's activated by the electronic signals that it receives, and the binary numbering system is best suited for these signals because the digits of binary, one and zero, reflect the on and off states of a transistor. Now, in computers, these one and zero states, or signals, are structured together to create larger and more complex sets of information; these are the building blocks of x32 and x64 architectures. Now, to best understand binary, we really should use an example. So in x32 architecture, a piece of data is grouped into 32 blocks.
Each block is called a bit. This is a unit which can only be one of two possible values: zero or one.
When you combine these 32 bits, you have a piece of data.
Now, with those concepts reviewed, all we have to say is that data is just a sequence of ones and zeros that have been combined to represent a piece of information. In x64 architectures, data is grouped into 64 blocks.
Now, to make it easier for humans to measure data, we've created a system that groups these blocks of data into collections. These are probably terms you've heard before, such as: four bits is a nibble, eight bits is one byte, 32 bits equals four bytes, and so on and so forth. However, as I have explained this to you, you're probably thinking: okay, well, one, that's a lot of bits. And two, how do we translate these bits into something that resembles the structure of the human language, English, something that we as humans understand?
Well, back when we were inventing these systems, what we found is that we needed a translation system. We needed a way to convert our English language and decimal numbering system into a way that computers could understand, as well as a way of making all the data that a system was storing for us, and that we were looking at, more reasonable for us as humans to comprehend.
Now, how we get the English language down to bits I'm going to save for later. But to make chunks of data more manageable, we use the hex numbering system.
Now, hex. That's a base 16 number system composed of 16 values. It's comprised of the digits zero through nine and the letters A to F, where A is equal to 10, B is 11, C is 12, D is 13, E is 14 and F is 15. But before I move on to converting these numbers, let me answer your second question. That was how we convert data into something meaningful for us humans to analyze.
Well, computers, remember, only understand numbers. So all the letters in the English language and all the characters we use on the web, etcetera, these need to be translated into numbers.
Now, we used a numbering system that was easy for us to use. We used decimal.
So to convert letters and characters, we came up with a standardized way to exchange letters and make them numbers. This is called an ASCII table. So basically, ASCII code is the decimal numeric representation of a character.
And so when we're analyzing malware, we want to be able to convert data into all of these number systems: decimal for humans, binary for computers, and hex, which allows us to comprehend binary easier.
Now, because we use the hex number system so often as we're analyzing malware, I'm gonna give you a few quick formulas that you can use to convert decimal numbers to binary and then convert them to hex. Now, unfortunately, we don't have enough time to go into more complex examples. But these formulas should be able to get you by and should be able to help you convert numbers pretty quickly.
So let's start with a decimal number of 15. To convert the decimal number 15, or any other number really, to binary, we simply divide by two.
Then, if the result of the division yields a remainder, we keep track of this by setting a binary bit to a value of one. Here we're tracking it in our remainder column.
If the result of the division has no remainder, we set a bit value to zero.
We then continue dividing by two by using the same formula.
However, as we continue dividing, we're using the quotient from our previous result as the dividend in our new formula.
As you can see here, seven is now the new dividend, and so we continue with this pattern of dividing the quotient until we arrive at a result that's below zero.
Once we are below zero, that's it. We're done. Then we just organize the bits that we've been tracking into a binary format. To organize the remainder bits into a binary number, I tend to organize them from right to left, meaning that the first bit in our list here is the last number we would write. So, in binary, 15 is equal to 1111. Now you may ask yourself: okay, well, why are we writing the binary number from right to left? We do this because if you write it in this manner, you'll better understand how we convert this binary number to hex.
So let's go ahead and do that now.
To convert our binary number to hex, we should keep in mind a couple of principles.
The first is that our binary number is just a piece of a larger 32-bit or 64-bit structure, and that we could break that structure down into smaller pieces. Now, in this instance, we're gonna break our 32-bit structure into four-bit chunks. The chunks are called nibbles.
Now, as you can see, this is what I've done here, right? I'm displaying decimal number 15 in binary form.
As you can see, dealing with these structures, 32-bit structures, is rather cumbersome.
Now, we wrote our binary number from left to right because we'll be converting our number from left to right. Now, this is just my personal preference. But maybe you choose to do it another way, or simply use a calculator to convert to binary. We'll start by assigning each position in the nibble a value.
The value will start at one, and it will increase exponentially by two.
Now, once we hit eight, we stop. We reset it and we start again at one.
We continue this assignment for each nibble until we reach the end on the left of our 32-bit structure.
So our nibble positions here are 1, 2, 4, 8, 1, 2, 4, 8, and so on and so forth. To find the hex number, we add up all the positions where there's a one in your binary number. In our case, every position in this nibble has a one.
So we add together one plus two plus four plus eight for a value of 15, which is equal to F in hex.
To illustrate this technique once again, let's take another example.
So in this instance, we've got a 32-bit data structure. However, to make it simple, we've taken the last three bytes and we've summarized them in hex. It's all zeros. If we look at the last three bytes, we've got six nibbles, all of which are zero. Okay, so let's only work with the first byte.
So here we've got a random binary number.
So to convert this to hex, we add up all the labeled positions of the nibbles.
Two plus eight is 10, which is equal to A. That's our first nibble.
And in our second nibble, we've got two plus eight, which is 10 again, and that is also equal to A. So when we add these values to our zeros, this gives us a hex number of 000000AA. Okay, so having a number and converting it from binary to hex is great, right?
But typically, as malware analysts, we're looking at the data in hex.
So how do we get our hex number into a decimal number rather quickly? Well, what I like to typically do is just reverse this process, right? If I already know my hex number, I can easily convert it to binary. And then I could take my binary number and convert it to decimal by using a similar process of assigning values to each bit position.
Now, the only difference is that when converting to decimal, instead of stopping at a value of eight and resetting, I continue increasing the values exponentially by two until I've assigned all the bits that have a value of one. Here, you can see that I've assigned my bit positions from 1 to 128.
So to convert to decimal, all I do is add the positions. If it has a value of one, I add them up. So 128 plus 32 plus eight plus two equals 170 in decimal.
All right, everyone. And now that we've got a good handle on converting numbers between bases, let's take a look at computer architecture.
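The three hand conversions walked through in the lecture (decimal to binary by repeated division, binary to hex by weighting each nibble 1-2-4-8, and hex back to decimal by letting the weights keep doubling), written out as a small Python script. This is an added example, not code from the lecture or the course; the function names and the ASCII helper at the end are my own, and the sample values (15, the 32-bit word 000000AA, the letter A) are the ones the lecture uses plus a constructed ASCII row.

```python
# Added example: the lecture's manual base conversions as checkable code.
from typing import List, Tuple

HEX_DIGITS = "0123456789ABCDEF"


def decimal_to_binary(n: int) -> str:
    """Decimal -> binary by repeated division by two.

    Each remainder becomes one bit. The first remainder produced is the
    rightmost bit, which is why the lecture writes the bits right to left.
    """
    if n < 0:
        raise ValueError("only non-negative integers are handled here")
    if n == 0:
        return "0"
    remainders: List[str] = []
    while n > 0:
        n, remainder = divmod(n, 2)  # the quotient becomes the next dividend
        remainders.append(str(remainder))
    return "".join(reversed(remainders))


def split_into_nibbles(bits: str) -> List[str]:
    """Left-pad to a whole number of nibbles, then cut into 4-bit chunks."""
    padded_len = ((len(bits) + 3) // 4) * 4
    bits = bits.zfill(padded_len)
    return [bits[i:i + 4] for i in range(0, len(bits), 4)]


def nibble_to_hex(nibble: str) -> str:
    """Weight the four positions 8, 4, 2, 1 (left to right) and add where the bit is 1."""
    value = sum(weight for weight, bit in zip((8, 4, 2, 1), nibble) if bit == "1")
    return HEX_DIGITS[value]


def binary_to_hex(bits: str) -> str:
    """One hex digit per nibble; the weights reset to 1 after every 8, as in the lecture."""
    return "".join(nibble_to_hex(n) for n in split_into_nibbles(bits))


def hex_to_binary(hex_str: str) -> str:
    """Reverse of binary_to_hex: each hex digit expands to exactly one nibble."""
    hex_str = hex_str.upper()
    if hex_str.startswith("0X"):
        hex_str = hex_str[2:]
    return "".join(format(HEX_DIGITS.index(c), "04b") for c in hex_str)


def binary_to_decimal(bits: str) -> int:
    """Weights keep doubling (1, 2, 4, 8, 16, ...) instead of resetting at 8."""
    total = 0
    weight = 1
    for bit in reversed(bits):  # rightmost bit carries weight 1
        if bit == "1":
            total += weight
        weight *= 2
    return total


def hex_to_decimal(hex_str: str) -> int:
    """Hex -> binary -> decimal, the route the lecture recommends."""
    return binary_to_decimal(hex_to_binary(hex_str))


def ascii_row(char: str) -> Tuple[str, int, str, str]:
    """One row of an ASCII table: character, decimal code, 8-bit binary, two hex digits."""
    code = ord(char)
    bits = decimal_to_binary(code).zfill(8)
    return char, code, bits, binary_to_hex(bits)


if __name__ == "__main__":
    # The lecture's first example: 15 -> 1111 -> F.
    print(decimal_to_binary(15), binary_to_hex(decimal_to_binary(15)))
    # The second example: a 32-bit word whose first byte is 10101010 and
    # whose remaining three bytes are zero (constructed to match the slide).
    word = "10101010" + "0" * 24
    print(binary_to_hex(word[:8].rjust(32, "0")))  # prints 000000AA
    print(hex_to_decimal("000000AA"))  # prints 170
    print(ascii_row("A"))  # constructed ASCII row for the letter A
```

The `binary_to_decimal` loop is the only place the two weighting schemes differ: `nibble_to_hex` restarts at 1 every four bits, while `binary_to_decimal` never restarts, which is exactly the distinction the lecture draws between the hex and decimal conversions.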
Advanced Malware Analysis: Redux
In this course, we introduce new techniques to help speed up analysis and transition students from malware analyst to reverse engineer. We skip the malware analysis lab set up and put participants hands on with malware analysis.