So I'm gonna show you a little demo of the difference we can see in the code. So over on the left here we have the original bot binary, the Illusion bot that we downloaded from the GitHub page. I'm gonna copy it over on the right side, and over here I've downloaded this program called Cantor Dust, made by a researcher who works in the national labs, and he has talked at Black Hat, where he releases tools. Actually really, really good. But he said he'd release more than just this demo, and he never did. I don't know what his deal is, but it makes really pretty pictures and allows us to quickly see what's going on. So we can take our original binary, our bot, we can drag it over here, and we can say OK, so this thing,
you can view it in different coordinate systems. It definitely has some patterns, some lines in it that you can see. It definitely has some data, like right over here you can see the smaller cubes, and that, I'm guessing, those are the strings that we typically see. And over on the left, these two columns of green, and that's all fine and good. And it gives us some kind of clear idea of the type of data that's in there. It's basically showing us the bytes.
We have our original bot binary here. I'm gonna make a copy of it. I'm gonna pull up a command prompt. It's in this directory, and I'm going to download a program, UPX. Like I said, one of the oldest packers. I'm just downloading the one for Windows here. And I've put the program right here, and I'm going to pack the bot binary copy.
So it does its little banner, and then it says it edited this file. It compressed the size by 41%, so that's nearly half of the size it was before. Just rename this file too. Run Cantor Dust again. So this was our original, and this is our packed version. You can see there's really no... It's a lot of randomness. There is really nothing there that we can point to and say, oh, I can see that there's some structure in this file, that there tends to be a cluster of bytes that are very similar over here. You know, we can't really make much of it. It's because it's compressed. It's high entropy. I'll show this in the future.
But if we run strings on our original binary, there are plenty: the user agents, the obfuscated strings, the pass or encoded pass, you know, the function calls. And if we run the same strings command on the packed binary, we see that there are hardly any. There's a few functions that it needs to resolve the other functions dynamically. There's probably a reference to UPX in there somewhere. UPX!, UPX0, UPX1, UPX2, these are actually the names of the sections. Well, we'll take a look at that in a bit. Look at the hashes now, SHA-1, and they are indeed different. All it takes is one bit to be flipped to generate a new hash, or two, to derive a new hash.
Visual reverse engineering might take hold in the future. I don't see it happening just yet. The tools aren't quite there, but I definitely recommend this talk. Even if he didn't really release his tool that he said he was going to, it's still pretty inspiring to see what's possible with just visually inspecting
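As an added example, not from the talk and not code from Cantor Dust or UPX: the three checks the demo does (look at the byte distribution, run strings, compare hashes) as a small Python triage script a defender can run over any file. Both samples are constructed inside the script; the "packed" one is the plain sample deflated with zlib and prefixed with the UPX section names, which reproduces the properties the talk points at (high entropy, vanished strings, UPX names still visible) but is not real UPX output. The 7 bits/byte cut-off for "likely packed" is an assumed rule of thumb, and scanning raw bytes for the section names stands in for parsing the PE section table.

```python
"""Triage a 'plain' versus a 'packed' binary: byte entropy, printable strings,
UPX section-name markers and SHA-1. All sample data below is constructed."""
import hashlib
import math
import random
import re
import zlib
from collections import Counter

# --- Constructed samples (assumption: stand-ins for the real bot binary) -------
_rng = random.Random(7)
# 2000 bytes drawn from a 64-value non-printable alphabet: a crude stand-in for
# machine code, which is structured but does not compress away to nothing.
_FAKE_CODE = bytes(_rng.choices(range(0x80, 0xC0), k=2000))

PLAIN_SAMPLE = (
    _FAKE_CODE
    + b"\x00" * 512                                    # zero padding (the 'structure' a visualiser shows)
    + b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\x00"  # cleartext user agent
    + b"http://example.invalid/update\x00"             # cleartext URL (constructed)
    + b"GetProcAddress\x00LoadLibraryA\x00"            # imported API names
    + b"\x90" * 256                                    # NOP filler
)

# Stand-in for the UPX-packed copy: the same data deflated, with the UPX section
# names and the "UPX!" magic in front. NOT real UPX output; it only mimics the
# properties discussed (high entropy, lost strings, UPX names still readable).
PACKED_SAMPLE = b"UPX0\x00UPX1\x00UPX2\x00UPX!\x00" + zlib.compress(PLAIN_SAMPLE, 9)

UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1", b"UPX2")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (one value only) to 8.0 (uniform). Compressed or
    encrypted data sits near 8; ordinary code and strings sit well below."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, like the `strings` tool with its default length 4."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def upx_markers(data: bytes) -> list:
    """UPX names present in the raw bytes. A real check would read the PE section
    table; a byte scan is enough to show why the names leak through."""
    return [m.decode("ascii") for m in UPX_MARKERS if m in data]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def flip_one_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Copy of data with a single bit toggled, to show how little changes a hash."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def triage(data: bytes) -> dict:
    """Summarise the indicators worth checking before opening a debugger."""
    ent = shannon_entropy(data)
    return {
        "sha1": sha1_hex(data),
        "entropy": round(ent, 2),
        "likely_packed": ent > 7.0,  # assumption: 7 bits/byte as a coarse threshold
        "strings": len(extract_strings(data)),
        "upx_markers": upx_markers(data),
    }


if __name__ == "__main__":
    for name, blob in (("original", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, triage(blob))
```

Running the script prints a low entropy, a handful of meaningful strings and no UPX markers for the original, and an entropy near 8, no recognisable API names and all four UPX markers for the packed copy; `flip_one_bit` lets you confirm that changing a single bit anywhere yields a completely different SHA-1, which is why hash matching alone is a weak way to recognise a repacked sample.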