00:03
>> Typically, I have a slide for notes for the paranoid. Well, there are more advanced packers out there. I've seen some that have multiple layers, where it will unfold one layer and then that layer will just in turn unfold another layer, and then that will in turn unfold another layer. There are some built-in defenses, like anti-analysis code or anti-debugging code, to make sure a debugger isn't being used to take it apart. Between here and there, and between the layers, there's lots and lots of junk code: just meaningless instructions or meaningless function calls, stuff to distract you, annoy you.

If you look at a packer for a while, you typically are able to eye the junk code. You can figure it out. That might sound strange, but honestly the person who wrote the packer isn't going to go to a huge amount of effort to deter you when it might be an hour for you to overcome. I remember one packer; it did a weird jump-call-move combination, where it would move a value from EAX to ECX and then, a few instructions later, move ECX back into EAX. It was pretty easy to pick out where it was saving these registers and where it was restoring them. It was pretty easy to see that the function calls another packer was using didn't even check the return values of those function calls. It was easy to see which function calls it actually was paying attention to and the other ones that were just throwaway values.

A lot of packers have custom encryption. When you get into more reverse engineering, you'll see that there are crypto APIs in the operating system that some packers will call; some packers will implement their own crypto, going for open-source AES, Advanced Encryption Standard, or open-source RC4, or whatever else. They copy-paste because it's easy, it's fast, it works. Maybe they might tweak it a little so you can't just use a tool you found out there that they were using. There might be custom encryption, but it's nothing you can't overcome, because with a debugger we can easily step through every step of every part of it. As you saw in the demo, we could easily just step over stuff or just run straight through things.

Some of the most advanced packers out there will actually convert all of the original code that it was told to pack, and it will convert it into another language, pretty much, and then execute that language in its own virtual machine. You might think about that and be like, what? Well, if you think about Java, you can take a .java file, which is English-readable strings, and it compiles it so that the Java virtual machine can then execute it. Java is a well-understood virtual machine. It's not that big of a deal to make a disassembler for it. But packers that create their own virtual machines each time, it's very difficult to disassemble that code, because even then it might be obfuscated, or your disassembler might not be able to handle some of the tricks; it could create a rather complicated virtual machine. At that point, it's not worth your time usually to reverse engineer what it's doing instruction by instruction. Usually, you just want to get whatever data you're targeting out of it, or a particular configuration. I wouldn't worry about those much. If you ever come across a very advanced packer, then spend some time on it, get to know what it's doing. But definitely don't waste your time. I highly suggest that maybe you just take a solid week and go through a more difficult packer or a tutorial online about how to pack something like AS unpack or ASPack. But definitely don't spin your wheels on something that's not worth your time. Because as a reverse engineer, you're generally paid a lot and you know a lot and you have a very detail-oriented view of something. Packers are meant to distract you, and some of them are really good, but they are usually very expensive, so they're not that common.

Just a recap of what we covered and a list of good resources. We talked about what packers are, some of the more common ones, and then we took the most common, UPX. Then we saw how to pack something, how to unpack something. We saw what exactly it's doing to the executable and how it actually unfolds it in memory or decrypts it in memory. This does require a bit of assembly knowledge, and in particular the PUSHAD and POPAD instructions, because those are not usually, as I said, emitted by compilers. It's not usually generated code. If we see that, we usually think something a little funky is going on here. Those are excellent instructions to look out for.

I suggest the Practical and also the Cookbook because, as we saw, their scripts, even though they're a bit old, can be very enlightening to see exactly what's going on and give us some good indicators of whether a file is packed, like what the entropy is, or the virtual sizes versus what's on disk versus what's going to go in memory. Practical Malware Analysis has a decent section on packers. I'll suggest that you check those out. There are plenty of packers out there freely available for download. If you want to build a simple Hello World program and then pack it with a dozen different packers and then see how each one is doing its thing, that is a great way to learn. You're going to learn 90 percent of this by doing it yourself.

Again, my name is Sean Peters. I hope you enjoy this video and we'll see you soon.