1
00:00:00,000 --> 00:00:04,766
Hello and welcome to the Obfuscation lesson.
2
00:00:08,566 --> 00:00:16,332
Malware authors use obfuscation to obscure meaningful information in the binary, making it hard to analyze.
3
00:00:16,333 --> 00:00:21,033
It aims to keep the malware code safe from security analysts.
4
00:00:22,000 --> 00:00:28,200
Using obfuscation techniques makes analysis and reverse engineering much more difficult.
5
00:00:28,200 --> 00:00:37,933
If security experts can't analyze the code, it means the malware stays fully undetectable, or zero-day; then antivirus cannot detect this threat.
6
00:00:39,733 --> 00:00:48,233
Obfuscation techniques. Encoders: they use simple algorithms, are easy to implement, and barely take anything from system resources.
7
00:00:48,233 --> 00:00:55,266
Among the best-known encoders we have: Base64, Caesar, and XOR.
8
00:00:55,266 --> 00:01:00,099
Cryptors: modify the binary information to make it unreadable without a secret key.
9
00:01:00,100 --> 00:01:03,100
We will be seeing encryption in the ransomware section.
10
00:01:03,100 --> 00:01:11,366
Packers: use compression algorithms to obfuscate the executable’s content. The difference between encryption and packing is
11
00:01:11,366 --> 00:01:16,499
that the former is meant to secure the binary data, while the latter just obscures it.
12
00:01:16,500 --> 00:01:23,333
Among the best-known packers we have: UPX, Themida, Enigma Protector, and more.
13
00:01:25,266 --> 00:01:31,266
So in this lesson we will be packing and unpacking using UPX.
14
00:01:35,633 --> 00:01:42,633
So, what we have here are two binaries, one packed and the other unpacked.
15
00:01:42,633 --> 00:01:51,633
We're using Totalaware3, which is a keylogger; for now we just need the executable.
16
00:01:51,633 --> 00:02:00,633
But you'll have access to the source code and a complete explanation of this malware later in the corresponding section.
17
00:02:00,633 --> 00:02:07,633
OK, let's open this packed malware and see how it looks in CFF Explorer.
18
00:02:07,633 --> 00:02:18,633
OK, we can't see the file info; instead it says UPX, which is clearly indicating this binary has been packed with the UPX tool.
19
00:02:20,533 --> 00:02:26,533
Go check the other sections; it says UPX and UPX.
20
00:02:37,600 --> 00:02:41,600
Now, this is important, let's check the import directory.
21
00:02:42,500 --> 00:02:50,500
Once you are familiar with the Windows Portable Executable structure, you will notice there's something wrong here.
22
00:02:51,666 --> 00:03:00,666
Why? Because it is not conceivable that a binary consumes just these few Windows APIs,
23
00:03:01,566 --> 00:03:07,566
especially in the popular user32.dll and kernel32.dll.
24
00:03:07,566 --> 00:03:13,832
For a binary to succeed, these DLLs should be populated with a lot more APIs.
25
00:03:13,833 --> 00:03:22,833
This way, even if you don't check any other section or use another tool, if you have access to the import directory and it looks like this,
26
00:03:22,833 --> 00:03:29,933
you can tell for sure this binary is holding information; it is highly probable that it is packed.
27
00:03:30,300 --> 00:03:35,933
Let's see the contrast right now on an unpacked binary.
28
00:03:38,066 --> 00:03:45,066
Then, using CFF Explorer, let's open the same binary but unpacked.
29
00:03:45,400 --> 00:03:49,400
For starters, now we can see the file info.
30
00:03:49,766 --> 00:03:54,766
In the other sections there's no sign of the UPX packer.
31
00:03:57,733 --> 00:04:02,799
And most important, the import directory now shows these APIs.
32
00:04:02,933 --> 00:04:12,933
We can see kernel32 is now full of typical APIs like: get thread, get process, handler managers, and so on.
33
00:04:15,100 --> 00:04:20,966
Go see user32.dll, and check this out: now we have these APIs,
34
00:04:20,966 --> 00:04:26,899
and this GetKeyState is a clear indicator this is a keylogger.
35
00:04:26,900 --> 00:04:36,700
This API polls the state of the keyboard and is very common in keyloggers to steal keystrokes.
36
00:04:36,766 --> 00:04:40,766
Now, let's check the code out.
37
00:04:40,766 --> 00:04:53,766
This is the Totalaware3 source code; here we'll find the APIs we just saw in CFF Explorer: FindWindow, ShowWindow, and GetKeyState.
38
00:04:53,766 --> 00:04:59,332
Later we will see this code in detail in the keylogger section.
39
00:05:11,600 --> 00:05:17,600
Now, let's run IDA Pro free version; IDA is by far the most popular debugger.
40
00:05:17,600 --> 00:05:21,600
A debugger is a program to disassemble a piece of software code. Run it as administrator.
41
00:05:27,266 --> 00:05:35,132
Your IDA may look a little bit different, but they are essentially the same options; you may follow this without a problem.
42
00:05:35,400 --> 00:05:40,400
Let's load our packed Totalaware3.
43
00:05:49,766 --> 00:05:53,766
It is a portable executable, so OK.
44
00:05:55,666 --> 00:06:01,666
This is the first sign this binary is packed: it says there's some problem with our imports.
45
00:06:03,133 --> 00:06:09,133
In this left column we can see IDA is telling us this binary was packed using UPX.
46
00:06:13,933 --> 00:06:22,933
This bar here normally is a rainbow of colors, because IDA assigns a color to each section in the binary.
47
00:06:22,933 --> 00:06:28,933
But, since this malware is packed, we get here only grey and black.
48
00:06:28,933 --> 00:06:33,933
Now, as we did in CFF Explorer, let's check the imports.
49
00:06:34,466 --> 00:06:40,466
And as in CFF Explorer, we get only a few APIs.
50
00:06:43,100 --> 00:06:49,100
OK, now let's open our unpacked malware for comparison.
51
00:06:51,100 --> 00:06:55,100
Don't forget to run IDA as administrator.
52
00:07:01,966 --> 00:07:05,966
And open Totalaware3 unpacked.
53
00:07:10,066 --> 00:07:14,066
Just ignore this, click Yes.
54
00:07:14,433 --> 00:07:20,433
Maybe you noticed we didn't get the import problem message.
55
00:07:20,433 --> 00:07:24,433
And the left column doesn't say UPX any more.
56
00:07:25,833 --> 00:07:31,833
As I told you before, this bar is populated with a rainbow of colors;
57
00:07:31,833 --> 00:07:37,833
this time IDA has no problem color coding each section of the binary.
58
00:07:40,366 --> 00:07:44,366
Let's now see the imports.
59
00:07:44,633 --> 00:07:50,633
This looks great, now we have a lot of APIs.
60
00:07:56,333 --> 00:08:00,333
Let's see.
61
00:08:04,900 --> 00:08:12,700
And as we saw earlier, this GetKeyState is most likely telling us this is a keylogger.
62
00:08:14,100 --> 00:08:24,100
OK, now I just put these imports side by side, so you can tell the difference: left packed, right unpacked.
63
00:08:25,366 --> 00:08:31,366
If you scroll down, what you see here is our binary's assembly code.
64
00:08:31,900 --> 00:08:38,900
IDA is an amazing tool, especially if you are interested in reverse engineering.
65
00:08:39,433 --> 00:08:47,433
The learning curve is kind of steep, but if you decide to give it a try, there's tons of info on the internet.
66
00:08:47,600 --> 00:08:56,600
The good news is that even if you don't master assembly language, you can still use IDA and its many features to inspect your binaries,
67
00:08:56,600 --> 00:08:59,600
like we just did.
68
00:09:05,166 --> 00:09:10,166
OK, now let's unpack our binary using the UPX tool.
69
00:09:18,633 --> 00:09:26,633
So I'm copying our packed binary next to the UPX tool executable.
70
00:09:38,233 --> 00:09:42,233
There we go.
71
00:09:53,200 --> 00:10:00,766
As you can appreciate here, the syntax to pack and unpack is very easy.
72
00:10:01,466 --> 00:10:05,466
And now this binary is unpacked.
73
00:10:06,300 --> 00:10:13,300
Now let's see if everything was fine with our unpacking process.
74
00:10:13,666 --> 00:10:17,666
This looks very good, no UPX traces.
75
00:10:23,333 --> 00:10:27,333
Now let's open it in IDA.
76
00:10:37,666 --> 00:10:41,932
There we go.
77
00:10:46,566 --> 00:10:53,566
And it also looks great: we have our rainbow and no UPX traces.
78
00:10:58,666 --> 00:11:02,666
Let's see our imports.
79
00:11:05,666 --> 00:11:09,666
And as you see, they are just fine.
80
00:11:10,566 --> 00:11:16,566
Now we can tell our unpacking process was successful.
81
00:11:17,300 --> 00:11:25,100
Thanks for watching; in the next lesson we'll start Dynamic Analysis.