I have a slide of notes for the paranoid.

Well, there are more advanced packers out there. I've seen some that have multiple layers, where it will unfold one layer, and then that layer will in turn unfold another layer, and then that one will in turn unfold another layer. And maybe somewhere in there there is a built-in defense, like anti-analysis code or anti-debugging code, to make sure a debugger isn't being used to take it apart. And between here and there, and between the layers, there's lots and lots of junk code: just meaningless instructions or meaningless function calls, stuff to distract you and annoy you.
If you look at a packer for a while, you typically are able to eye the junk code; you can figure it out. That might sound strange, but honestly, the person who wrote the packer isn't going to go to a huge amount of effort to deter you, because, you know, a week for them might be an hour for you to overcome.
So I remember one packer. It did a weird kind of shuffle: move a value from EAX into ECX, and then, a few instructions later, move ECX back into EAX. So it was pretty easy to pick out where it was saving these registers and where it was restoring them. And it was pretty easy to see that the function calls another packer was using didn't even check the return values of those function calls, so it was easy to see which function calls it actually was paying attention to and which ones were just throwing values away.
Packers have custom encryption. When you get into more reverse engineering, you'll see that there are crypto APIs on the operating system that some packers will call. Some packers will implement their own crypto: you know, go for open-source AES (Advanced Encryption Standard) or open-source RC4 or whatever else they can copy and paste; it's easiest, it's fast, it works. And they might tweak it a little, so you can't just use a tool out there, or use code that you found out there, to undo what they were using. There might be custom encryption, but it's nothing you can't overcome, because with a debugger we can easily step through every step of every part of it. As you saw in the demo, we could easily just step over stuff or run straight through things.
Some of the most advanced packers out there will actually convert all of the original code they were told to pack into another language, pretty much, and then execute that language in their own virtual machine. Think about that and you might be like, what? Well, if you think about Java, you can take a .java file, which is human-readable text, and it compiles into bytecode so that the Java virtual machine can then execute it. Java is a well-understood virtual machine, so it's not that big a deal to make a disassembler for it. But packers that create their own virtual machine each time are very difficult, because even if you write a disassembler for it, the bytecode might be obfuscated, or your disassembler might not be able to handle some of the tricks it has built in, and it could create a rather complicated virtual machine. It's usually not worth your time to reverse engineer what it's doing instruction by instruction. Usually you just want to get whatever data you're targeting out of it, like an IP address or something similar.
So I wouldn't worry about those so much. And if you ever come across a very advanced packer, then spending some time on it to get to know what it's doing is good, and I highly suggest that maybe you just take a solid week and go through a more difficult packer, or a tutorial online about how to unpack something like ASPack. Don't spin your wheels on something that's not worth your time, because as a reverse engineer you're generally paid a lot, you know a lot, and you have a very detailed view of something. So packers are meant to distract you, and some of them are really good, but they are usually very expensive, so they're not that common.

So, a recap of what we covered and a list of good resources.
We talked about what packers are and some of the more common ones. Then we took a very common one, the most common, UPX, and we saw how to pack something, how to unpack something, what exactly it's doing to the executable, and how it actually unfolds it in memory and decrypts it in memory. This does require a bit of assembly knowledge, and in particular the PUSHAD and POPAD instructions, because those are not usually emitted by compilers; it's not usually generated code. If we see that, we usually think, okay, something a little funky is going on here. Those are excellent instructions to look out for.
I suggest the Malware Analyst's Cookbook, because, as we saw, its scripts are very enlightening for seeing exactly what's going on in a PE file, and they give us some good indicators of whether a file is packed, like the entropy, or the virtual sizes versus the raw sizes: what's on disk versus what's going to go into memory.
Practical Malware Analysis has a decent section on packers. I suggest that you check those out, and there are plenty of packers out there freely available for download. If you want to build a simple hello world program, pack it with a dozen different packers, and then see how each one is doing its thing, that is a great way to learn. And you're going to learn 90% of this by doing it yourself.

So again, my name is Shankar. I hope you enjoyed this video, and we'll see you soon.